Feeds

ConLibs leave open question over net surveillance

Not saying who's looking at what

The essential guide to IT transformation

As ministers settle in to their offices this week, the fate of arguably the most significant domestic security policy of the previous government has gone largely undiscussed.

The mostly-nebulous £2bn Interception Modernisation Programme (IMP) must be a tempting cut to make, but it would be a brave politician who would take on the massed ranks of intelligence and police agencies.

It seems our dicephalous new government is cogniscent of this (doubly so, even?). The brief, vague ConLib agreement published on Wednesday contrived to be especially vague on the question of whether ISPs and mobile operators should be forced to intercept and store details of who their customers communicate with via web, email, VoIP, SMS and whatever else.

The seven-page accord pledged the "ending of storage of internet and email records without good reason".

To the civil libertarian this call for proportionality probably sounds great. Meanwhile, to surveillance advocates, the acceptance that there is a good reason to store internet and email records probably sounds great.

So, thus far the new government has told us nil about its policy on IMP.

Perhaps the team of civil servants in the Home Office that has been working on the project for more than two years is for now in a similar position of ignorance. It held one of its IMP regular meetings for ISP and mobile operator government relations staff last week, and by all accounts it was a pointless affair: no progress to report, and none likely for several months.

We can reasonably discount the possibility that existing communications data retention obligations will be rolled back. The UK was the diplomatic architect of the EU Data Retention Directive - which mandates storage of only basic first party session data and came into full force last year - and is legally obliged to continue to comply with it.

Both David Cameron and Nick Clegg are also surely minded to avoid clashes with the European Commission for fear of stirring their parties' Europhobe/phile tendency.

Future plans are much less certain. The main aim of IMP is to allow the security services to find out who, when and where their targets communicate online, via third party services such as Facebook, webmail, instant messenger, online games and Skype.

As we saw in responses to the Home Office's consultation on IMP, the plan to have ISPs and mobile operators intercept and store this information is causing web firms serious discomfort, for an array of privacy and competitive reasons. If IMP were to get the green light from the new government, simple encryption countermeasures are available to them that would deal a heavy blow to project. The Register understands that implementation of SSL for all traffic is accordingly under serious consideration by at least one very significant web player.

This would not hobble communications data surveillance for peer-to-peer services. However for social networks it would be crippling, because details of users they are communicating would be hidden in encrypted payloads.

For GCHQ, the intelligence agency with most invested in IMP, cracking such encryption on a case-by-case basis is everyday work. For the ISPs and mobile operators it wants to do the initial interception and storage of communications data, it's completely infeasible. Likewise, intercepting and storing everything to be decrypted as required would cost much, much more than £2bn over 10 years.

Thus even if IMP goes ahead, its chances of success are outside its own control. In the current climate £2bn is a big gamble for a government.

If the idea of intercepting retaining vast quantities of online communications in case they are needed is binned instead, a problem remains for authorities. Assuming they accept that "maintaining capability" to find out who contacts whom simply may not be possible, they will have to rely on and develop other capabilities.

Such work is already underway in the form of "remote searches" of computer equipment - or hacking to the man in the Clapham cyber cafe. Reports of the development of Trojans and likely more exotic techniques by police and intelligence agencies continue to surface across the world (see, for example, legal concern over such techniques in Germany).

A diversion of funds from IMP to this area would have several advantages for authorities: it would require surveillance to be more targeted, under warrant it would allow authorities to gather the content of communications as well as communications data, it is done under absolute government secrecy and away from the harsh criticism that greeted the industry-dependent IMP. For the innocent public it would mean their privacy would be much less likely to be intruded upon.

In this scenario there would of course still be large quantities of communications data available from existing data retention arrangements. Deep Packet Inspection boxes would probably still be widely installed at ISPs, to allow warranted intercept of communications content.

We've heard this idea suggested more than once in recent weeks, by well-informed industry and political sources. It would mean that intelligence analysts would have somewhat smaller databases of internet and phone records to play connect-the-dots with, and is therefore probably unlikely. It might be a more useful way to blow £2bn, or less, however. ®

5 things you didn’t know about cloud backup

More from The Register

next story
Munich considers dumping Linux for ... GULP ... Windows!
Give a penguinista a hug, the Outlook's not good for open source's poster child
UK fuzz want PINCODES on ALL mobile phones
Met Police calls for mandatory passwords on all new mobes
e-Borders fiasco: Brits stung for £224m after US IT giant sues UK govt
Defeat to Raytheon branded 'catastrophic result'
EU justice chief blasts Google on 'right to be forgotten'
Don't pretend it's a freedom of speech issue – interim commish
Yes, but what are your plans if a DRAGON attacks?
Local UK gov outs most ridiculous FoI requests...
Detroit losing MILLIONS because it buys CHEAP BATTERIES – report
Man at hardware store was right: name brands DO last longer
Snowden on NSA's MonsterMind TERROR: It may trigger cyberwar
Plus: Syria's internet going down? That was a US cock-up
UK government accused of hiding TRUTH about Universal Credit fiasco
'Reset rating keeps secrets on one-dole-to-rule-them-all plan', say MPs
Caught red-handed: UK cops, PCSOs, specials behaving badly… on social media
No Mr Fuzz, don't ask a crime victim to be your pal on Facebook
prev story

Whitepapers

5 things you didn’t know about cloud backup
IT departments are embracing cloud backup, but there’s a lot you need to know before choosing a service provider. Learn all the critical things you need to know.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Rethinking backup and recovery in the modern data center
Combining intelligence, operational analytics, and automation to enable efficient, data-driven IT organizations using the HP ABR approach.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.