Agentless Backup is Not a Myth

The Coalition's plans to hugely step up surveillance of the internet aren't new - indeed they date from well before the Coalition - but readers could be forgiven for thinking it's all brand new this morning after a quick look at the national newspapers today.

David Cameron's government first published its intentions to snoop on the net back in November 2010, about six months after his Tory party formed a coalition with the Lib Dems, but in fact these plans represented no more than a rebranding of New Labour's "Interception Modernisation Programme".

Then last July, Home Secretary Theresa May signalled more clearly that the previous Labour government's shelved £2bn Interception Modernisation Programme (IMP) was definitely coming back to life.

At that point May outlined a new, or at least newly named, counter-terrorism strategy - dubbed CONTEST - and added that it would include a resurrected IMP.

The CONTEST document released by the Home Office made it clear that legislation would "be brought forward" to address what it described as a "technology challenge". That challenge relates to how terrorists use the internet.

IMP was supposed to be stood up at spook headquarters GCHQ in Cheltenham, to help security services monitor difficult-to-tap tech such as peer-to-peer communications.

The proposed government-snooping plan was stalled until after the 2010 General Election, however, following criticism from civil liberties groups in the UK.

Labour of course lost that election, but the idea of IMP never went away. It was instead effectively rebranded by May's department as the "Communications Capabilities Development Programme [CCDP]", which was squarely aimed at tackling perceived threats from rapidly-evolving encryption and other technologies which have increasingly made it difficult even for government agencies to intercept voice and text mobile communications.

The Sunday Telegraph ran a story about CCDP in February, which appeared to us to show that the broadsheet was simply catching up on old news. Now The Sunday Times has added to that coverage by running a story yesterday that was leaked to the Murdoch paper from a "senior civil servant" at the Home Office.

It would appear that the story is being managed: the government is looking to make sure that CCDP is an old news story well ahead of the Queen's Speech to Parliament on 9 May. Sundays - especially Sunday April the 1st - are good days to have potentially unpopular news reach the population at large.

The only nugget of information that a Home Office spokesman was willing to toss to The Register last month was to confirm that CCDP would be in the Queen's Speech and that the government planned to "legislate on it as soon as possible."

Last month, Tory MP David Davis - who heavily criticised Labour's IMP proposal when in opposition - asked Home Office undersecretary James Brokenshire if his department had been in talks with the Internet Service Providers' Association over consultation on CCDP.

"Home Office officials have met with the main industry associations representing internet service providers and communications service providers to discuss the cross-Government Communication Capabilities Development programme," the minister said on 8 March.

"These meetings have included the Internet Service Providers' Association whose advice has been sought on how and when to engage with all interested internet service providers, as part of the department's ongoing engagement strategy with industry."

As for yesterday's Sunday Times story, we now know that under the new proposed laws spooks will not need a warrant to know who communicates with whom and when they do so - this allows large scale data-mining and analysis. Such hands-off interception can tell spooks a lot, without ever requiring them to read an email or listen to a call: one of the things it can uncover, in fact, is which among millions of conversations, messages, webpages etc etc might be worth looking at or listening to. This kind of monitoring has been a grey area until now, with some saying it's illegal without a warrant and others - including various large commercial concerns, as well as government agencies - arguing that it isn't unless and until individuals are specifically targeted.

Actually looking and listening to the content of communications (as opposed to just the headers and addresses) currently requires a warrant under the existing Regulation of Investigatory Powers legislation. However readers should note that even today this would typically be a secret warrant signed within the relevant ministry by the relevant minister, not one obtained from a judge: and as these ministers (who also have many other calls on their time) must already sign large numbers of interception warrants - often covering many people, phone numbers or other identifiers which realistically they must assume are listed justifiably - it's questionable just how much supervision the spooks are under here. They certainly won't be under more once the new kit and plans are in place.

Quite apart from legal powers, it's expected that such an ambitious project will cost billions of pounds to implement, in part because of the large amount of kit that will need to be installed throughout the UK's communications infrastructure to allow GCHQ to copy "on demand" any internet traffic sent in the UK in "real time". It's still unclear how much of the burden will be borne by private-sector entities such as ISPs - who are already required to keep extensive records - and how much by the taxpayer.

Social networks like Facebook and Twitter - being, after all, just another means of handling packets in the end - as well as online video games could all be tapped by spooks under the new plans, according to the ST report.

Such capabilities would require thousands of Deep Packet Inspection probes to be inserted throughout the country's net infrastructure that would need to be regularly configured to keep up with the changes to how services exchange comms data. Part of the problem with IMP was that the £2bn price tag for implementing such a project over 10 years was simply too low.

Civil liberties campaigner Guy Herbert labelled the CCDP plan "an astonishing waste of money."

He said: "It is not very far from a bug in every living room that can be turned on and turned off at official whim. Whatever you are doing online, whoever you are in contact with, you will never know when you are being watched. And nobody else will either, because none of it will need a warrant." ®

Steps to Take Before Choosing a Business Continuity Partner