
ConLibs leave open question over net surveillance

Not saying who's looking at what


As ministers settle in to their offices this week, the fate of arguably the most significant domestic security policy of the previous government has gone largely undiscussed.

The mostly-nebulous £2bn Interception Modernisation Programme (IMP) must be a tempting cut to make, but it would be a brave politician who would take on the massed ranks of intelligence and police agencies.

It seems our dicephalous new government is cognisant of this (doubly so, even?). The brief ConLib agreement published on Wednesday contrived to be especially vague on the question of whether ISPs and mobile operators should be forced to intercept and store details of who their customers communicate with via web, email, VoIP, SMS and whatever else.

The seven-page accord pledged the "ending of storage of internet and email records without good reason".

To the civil libertarian this call for proportionality probably sounds great. Meanwhile, to surveillance advocates, the acceptance that there is a good reason to store internet and email records probably sounds great.

So, thus far the new government has told us nil about its policy on IMP.

Perhaps the team of civil servants in the Home Office that has been working on the project for more than two years is for now in a similar position of ignorance. It held one of its regular IMP meetings for ISP and mobile operator government relations staff last week, and by all accounts it was a pointless affair: no progress to report, and none likely for several months.

We can reasonably discount the possibility that existing communications data retention obligations will be rolled back. The UK was the diplomatic architect of the EU Data Retention Directive - which mandates storage of only basic first party session data and came into full force last year - and is legally obliged to continue to comply with it.

Both David Cameron and Nick Clegg are also surely minded to avoid clashes with the European Commission for fear of stirring their parties' Europhobe/phile tendency.

Future plans are much less certain. The main aim of IMP is to allow the security services to find out who, when and where their targets communicate online, via third party services such as Facebook, webmail, instant messenger, online games and Skype.

As we saw in responses to the Home Office's consultation on IMP, the plan to have ISPs and mobile operators intercept and store this information is causing web firms serious discomfort, for an array of privacy and competitive reasons. If IMP were to get the green light from the new government, simple encryption countermeasures are available to them that would deal a heavy blow to the project. The Register understands that implementation of SSL for all traffic is accordingly under serious consideration by at least one very significant web player.

This would not hobble communications data surveillance for peer-to-peer services. However, for social networks it would be crippling, because details of who users are communicating with would be hidden in encrypted payloads.

For GCHQ, the intelligence agency with most invested in IMP, cracking such encryption on a case-by-case basis is everyday work. For the ISPs and mobile operators it wants to do the initial interception and storage of communications data, it's completely infeasible. Likewise, intercepting and storing everything to be decrypted as required would cost much, much more than £2bn over 10 years.

Thus even if IMP goes ahead, its chances of success are outside its own control. In the current climate £2bn is a big gamble for a government.

If the idea of intercepting and retaining vast quantities of online communications in case they are needed is binned instead, a problem remains for authorities. Assuming they accept that "maintaining capability" to find out who contacts whom simply may not be possible, they will have to rely on and develop other capabilities.

Such work is already underway in the form of "remote searches" of computer equipment - or hacking to the man in the Clapham cyber cafe. Reports of the development of Trojans and likely more exotic techniques by police and intelligence agencies continue to surface across the world (see, for example, legal concern over such techniques in Germany).

A diversion of funds from IMP to this area would have several advantages for authorities: it would require surveillance to be more targeted; under warrant, it would allow authorities to gather the content of communications as well as communications data; and it is done under absolute government secrecy, away from the harsh criticism that greeted the industry-dependent IMP. For the innocent public it would mean their privacy would be much less likely to be intruded upon.

In this scenario there would of course still be large quantities of communications data available from existing data retention arrangements. Deep Packet Inspection boxes would probably still be widely installed at ISPs, to allow warranted intercept of communications content.

We've heard this idea suggested more than once in recent weeks, by well-informed industry and political sources. It would mean that intelligence analysts would have somewhat smaller databases of internet and phone records to play connect-the-dots with, and is therefore probably unlikely. It might be a more useful way to blow £2bn, or less, however. ®
