Feeds

ConLibs leave open question over net surveillance

Not saying who's looking at what

High performance access to file storage

As ministers settle in to their offices this week, the fate of arguably the most significant domestic security policy of the previous government has gone largely undiscussed.

The mostly-nebulous £2bn Interception Modernisation Programme (IMP) must be a tempting cut to make, but it would be a brave politician who would take on the massed ranks of intelligence and police agencies.

It seems our dicephalous new government is cogniscent of this (doubly so, even?). The brief, vague ConLib agreement published on Wednesday contrived to be especially vague on the question of whether ISPs and mobile operators should be forced to intercept and store details of who their customers communicate with via web, email, VoIP, SMS and whatever else.

The seven-page accord pledged the "ending of storage of internet and email records without good reason".

To the civil libertarian this call for proportionality probably sounds great. Meanwhile, to surveillance advocates, the acceptance that there is a good reason to store internet and email records probably sounds great.

So, thus far the new government has told us nil about its policy on IMP.

Perhaps the team of civil servants in the Home Office that has been working on the project for more than two years is for now in a similar position of ignorance. It held one of its IMP regular meetings for ISP and mobile operator government relations staff last week, and by all accounts it was a pointless affair: no progress to report, and none likely for several months.

We can reasonably discount the possibility that existing communications data retention obligations will be rolled back. The UK was the diplomatic architect of the EU Data Retention Directive - which mandates storage of only basic first party session data and came into full force last year - and is legally obliged to continue to comply with it.

Both David Cameron and Nick Clegg are also surely minded to avoid clashes with the European Commission for fear of stirring their parties' Europhobe/phile tendency.

Future plans are much less certain. The main aim of IMP is to allow the security services to find out who, when and where their targets communicate online, via third party services such as Facebook, webmail, instant messenger, online games and Skype.

As we saw in responses to the Home Office's consultation on IMP, the plan to have ISPs and mobile operators intercept and store this information is causing web firms serious discomfort, for an array of privacy and competitive reasons. If IMP were to get the green light from the new government, simple encryption countermeasures are available to them that would deal a heavy blow to project. The Register understands that implementation of SSL for all traffic is accordingly under serious consideration by at least one very significant web player.

This would not hobble communications data surveillance for peer-to-peer services. However for social networks it would be crippling, because details of users they are communicating would be hidden in encrypted payloads.

For GCHQ, the intelligence agency with most invested in IMP, cracking such encryption on a case-by-case basis is everyday work. For the ISPs and mobile operators it wants to do the initial interception and storage of communications data, it's completely infeasible. Likewise, intercepting and storing everything to be decrypted as required would cost much, much more than £2bn over 10 years.

Thus even if IMP goes ahead, its chances of success are outside its own control. In the current climate £2bn is a big gamble for a government.

If the idea of intercepting retaining vast quantities of online communications in case they are needed is binned instead, a problem remains for authorities. Assuming they accept that "maintaining capability" to find out who contacts whom simply may not be possible, they will have to rely on and develop other capabilities.

Such work is already underway in the form of "remote searches" of computer equipment - or hacking to the man in the Clapham cyber cafe. Reports of the development of Trojans and likely more exotic techniques by police and intelligence agencies continue to surface across the world (see, for example, legal concern over such techniques in Germany).

A diversion of funds from IMP to this area would have several advantages for authorities: it would require surveillance to be more targeted, under warrant it would allow authorities to gather the content of communications as well as communications data, it is done under absolute government secrecy and away from the harsh criticism that greeted the industry-dependent IMP. For the innocent public it would mean their privacy would be much less likely to be intruded upon.

In this scenario there would of course still be large quantities of communications data available from existing data retention arrangements. Deep Packet Inspection boxes would probably still be widely installed at ISPs, to allow warranted intercept of communications content.

We've heard this idea suggested more than once in recent weeks, by well-informed industry and political sources. It would mean that intelligence analysts would have somewhat smaller databases of internet and phone records to play connect-the-dots with, and is therefore probably unlikely. It might be a more useful way to blow £2bn, or less, however. ®

High performance access to file storage

More from The Register

next story
Android engineer: We DIDN'T copy Apple OR follow Samsung's orders
Veep testifies for Samsung during Apple patent trial
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Big Content goes after Kim Dotcom
Six studios sling sueballs at dead download destination
Alphadex fires back at British Gas with overcharging allegation
Brit colo outfit says it paid for 347KVA, has been charged for 1940KVA
Jack the RIPA: Blighty cops ignore law, retain innocents' comms data
Prime minister: Nothing to see here, go about your business
Singapore decides 'three strikes' laws are too intrusive
When even a prurient island nation thinks an idea is dodgy it has problems
Banks slap Olympus with £160 MEEELLION lawsuit
Scandal hit camera maker just can't shake off its past
France bans managers from contacting workers outside business hours
«Email? Mais non ... il est plus tard que six heures du soir!»
Reprieve for Weev: Court disowns AT&T hacker's conviction
Appeals court strikes down landmark sentence
US taxman blows Win XP deadline, must now spend millions on custom support
Gov't IT likened to 'a Model T with a lot of things on top of it'
prev story

Whitepapers

Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.