
ConLibs leave open question over net surveillance

Not saying who's looking at what


As ministers settle in to their offices this week, the fate of arguably the most significant domestic security policy of the previous government has gone largely undiscussed.

The mostly-nebulous £2bn Interception Modernisation Programme (IMP) must be a tempting cut to make, but it would be a brave politician who would take on the massed ranks of intelligence and police agencies.

It seems our dicephalous new government is cognisant of this (doubly so, even?). The brief, vague ConLib agreement published on Wednesday contrived to be especially vague on the question of whether ISPs and mobile operators should be forced to intercept and store details of who their customers communicate with via web, email, VoIP, SMS and whatever else.

The seven-page accord pledged the "ending of storage of internet and email records without good reason".

To the civil libertarian this call for proportionality probably sounds great. Meanwhile, to surveillance advocates, the acceptance that there is a good reason to store internet and email records probably sounds great.

So, thus far the new government has told us nil about its policy on IMP.

Perhaps the team of civil servants in the Home Office that has been working on the project for more than two years is for now in a similar position of ignorance. It held one of its regular IMP meetings for ISP and mobile operator government relations staff last week, and by all accounts it was a pointless affair: no progress to report, and none likely for several months.

We can reasonably discount the possibility that existing communications data retention obligations will be rolled back. The UK was the diplomatic architect of the EU Data Retention Directive - which mandates storage of only basic first party session data and came into full force last year - and is legally obliged to continue to comply with it.

Both David Cameron and Nick Clegg are also surely minded to avoid clashes with the European Commission for fear of stirring their parties' Europhobe/phile tendency.

Future plans are much less certain. The main aim of IMP is to allow the security services to find out who, when and where their targets communicate online, via third party services such as Facebook, webmail, instant messenger, online games and Skype.

As we saw in responses to the Home Office's consultation on IMP, the plan to have ISPs and mobile operators intercept and store this information is causing web firms serious discomfort, for an array of privacy and competitive reasons. If IMP were to get the green light from the new government, simple encryption countermeasures are available to them that would deal a heavy blow to the project. The Register understands that implementation of SSL for all traffic is accordingly under serious consideration by at least one very significant web player.

This would not hobble communications data surveillance for peer-to-peer services. However, for social networks it would be crippling, because details of the users they are communicating with would be hidden in encrypted payloads.

For GCHQ, the intelligence agency with most invested in IMP, cracking such encryption on a case-by-case basis is everyday work. For the ISPs and mobile operators it wants to do the initial interception and storage of communications data, it's completely infeasible. Likewise, intercepting and storing everything to be decrypted as required would cost much, much more than £2bn over 10 years.

Thus even if IMP goes ahead, its chances of success are outside its own control. In the current climate £2bn is a big gamble for a government.

If the idea of intercepting and retaining vast quantities of online communications in case they are needed is binned instead, a problem remains for authorities. Assuming they accept that "maintaining capability" to find out who contacts whom simply may not be possible, they will have to rely on and develop other capabilities.

Such work is already underway in the form of "remote searches" of computer equipment - or hacking to the man in the Clapham cyber cafe. Reports of the development of Trojans and likely more exotic techniques by police and intelligence agencies continue to surface across the world (see, for example, legal concern over such techniques in Germany).

A diversion of funds from IMP to this area would have several advantages for authorities: it would require surveillance to be more targeted; under warrant, it would allow authorities to gather the content of communications as well as communications data; and it is done under absolute government secrecy, away from the harsh criticism that greeted the industry-dependent IMP. For the innocent public it would mean their privacy would be much less likely to be intruded upon.

In this scenario there would of course still be large quantities of communications data available from existing data retention arrangements. Deep Packet Inspection boxes would probably still be widely installed at ISPs, to allow warranted intercept of communications content.

We've heard this idea suggested more than once in recent weeks, by well-informed industry and political sources. It would mean that intelligence analysts would have somewhat smaller databases of internet and phone records to play connect-the-dots with, and is therefore probably unlikely. It might be a more useful way to blow £2bn, or less, however. ®
