Feeds

ConLibs leave open question over net surveillance

Not saying who's looking at what

The Power of One Infographic

As ministers settle in to their offices this week, the fate of arguably the most significant domestic security policy of the previous government has gone largely undiscussed.

The mostly-nebulous £2bn Interception Modernisation Programme (IMP) must be a tempting cut to make, but it would be a brave politician who would take on the massed ranks of intelligence and police agencies.

It seems our dicephalous new government is cogniscent of this (doubly so, even?). The brief, vague ConLib agreement published on Wednesday contrived to be especially vague on the question of whether ISPs and mobile operators should be forced to intercept and store details of who their customers communicate with via web, email, VoIP, SMS and whatever else.

The seven-page accord pledged the "ending of storage of internet and email records without good reason".

To the civil libertarian this call for proportionality probably sounds great. Meanwhile, to surveillance advocates, the acceptance that there is a good reason to store internet and email records probably sounds great.

So, thus far the new government has told us nil about its policy on IMP.

Perhaps the team of civil servants in the Home Office that has been working on the project for more than two years is for now in a similar position of ignorance. It held one of its IMP regular meetings for ISP and mobile operator government relations staff last week, and by all accounts it was a pointless affair: no progress to report, and none likely for several months.

We can reasonably discount the possibility that existing communications data retention obligations will be rolled back. The UK was the diplomatic architect of the EU Data Retention Directive - which mandates storage of only basic first party session data and came into full force last year - and is legally obliged to continue to comply with it.

Both David Cameron and Nick Clegg are also surely minded to avoid clashes with the European Commission for fear of stirring their parties' Europhobe/phile tendency.

Future plans are much less certain. The main aim of IMP is to allow the security services to find out who, when and where their targets communicate online, via third party services such as Facebook, webmail, instant messenger, online games and Skype.

As we saw in responses to the Home Office's consultation on IMP, the plan to have ISPs and mobile operators intercept and store this information is causing web firms serious discomfort, for an array of privacy and competitive reasons. If IMP were to get the green light from the new government, simple encryption countermeasures are available to them that would deal a heavy blow to project. The Register understands that implementation of SSL for all traffic is accordingly under serious consideration by at least one very significant web player.

This would not hobble communications data surveillance for peer-to-peer services. However for social networks it would be crippling, because details of users they are communicating would be hidden in encrypted payloads.

For GCHQ, the intelligence agency with most invested in IMP, cracking such encryption on a case-by-case basis is everyday work. For the ISPs and mobile operators it wants to do the initial interception and storage of communications data, it's completely infeasible. Likewise, intercepting and storing everything to be decrypted as required would cost much, much more than £2bn over 10 years.

Thus even if IMP goes ahead, its chances of success are outside its own control. In the current climate £2bn is a big gamble for a government.

If the idea of intercepting retaining vast quantities of online communications in case they are needed is binned instead, a problem remains for authorities. Assuming they accept that "maintaining capability" to find out who contacts whom simply may not be possible, they will have to rely on and develop other capabilities.

Such work is already underway in the form of "remote searches" of computer equipment - or hacking to the man in the Clapham cyber cafe. Reports of the development of Trojans and likely more exotic techniques by police and intelligence agencies continue to surface across the world (see, for example, legal concern over such techniques in Germany).

A diversion of funds from IMP to this area would have several advantages for authorities: it would require surveillance to be more targeted, under warrant it would allow authorities to gather the content of communications as well as communications data, it is done under absolute government secrecy and away from the harsh criticism that greeted the industry-dependent IMP. For the innocent public it would mean their privacy would be much less likely to be intruded upon.

In this scenario there would of course still be large quantities of communications data available from existing data retention arrangements. Deep Packet Inspection boxes would probably still be widely installed at ISPs, to allow warranted intercept of communications content.

We've heard this idea suggested more than once in recent weeks, by well-informed industry and political sources. It would mean that intelligence analysts would have somewhat smaller databases of internet and phone records to play connect-the-dots with, and is therefore probably unlikely. It might be a more useful way to blow £2bn, or less, however. ®

HP ProLiant Gen8: Integrated lifecycle automation

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
UK government officially adopts Open Document Format
Microsoft insurgency fails, earns snarky remark from UK digital services head
Major problems beset UK ISP filth filters: But it's OK, nobody uses them
It's almost as though pr0n was actually rather popular
HP, Microsoft prove it again: Big Business doesn't create jobs
SMEs get lip service - what they need is dinner at the Club
ITC: Seagate and LSI can infringe Realtek patents because Realtek isn't in the US
Land of the (get off scot) free, when it's a foreign owner
MPs wave through Blighty's 'EMERGENCY' surveillance laws
Only 49 politcos voted against DRIP bill
Help yourself to anyone's photos FOR FREE, suggests UK.gov
Copyright law reforms will keep m'learned friends busy
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.