Feeds

Top spook: ISP black boxes NOT key to UK's web-snoop plan

We fully expect Google, Facebook and Twitter to hand over your data

The Essential Guide to IT Transformation

Government-funded black boxes that monitor the UK's internet traffic are not "the cornerstone" of the Home Office's web super-snoop plan, a top spook has told MPs and peers.

Ex-MI6 man Charles Farr, who heads up the Office for Security and Counter-Terrorism, dismissed claims that Deep Packet Inspection (DPI) probes are the "central plank" of the government's Communications Data Bill currently being scrutinised by Parliament.

Instead, he insisted that cooperation with communications service providers (CSPs) such as Google and Facebook was key to the proposed surveillance legislation.

Police, spooks and the taxman - among other authorities - would need to use packet-capturing black boxes when CSPs declined to provide access to communications data where it is suspected that criminal activity has taken place, said Farr.

"We could in theory accept that there is a communication service used by criminals where we cannot access any data. But that is not the view of this government," he said, speaking at a committee meeting of the politicos on Tuesday afternoon.

If CSPs refuse to provide those authorities with access to such data, a black box would be placed on a network where such information could be hoovered up.

Farr [pictured centre]: 'I dunno. A black box is about this big, I guess'

Farr added that in those instances the security services would work with ISPs to develop the technology and the telco would store the data.

Interestingly, the government's Director of Communications Capability Directorate Richard Alcock appeared to indicate that the likes of Google, Twitter and Facebook would be expected to retain unencrypted data on their systems.

All of those CSPs - whose cooperation Farr had earlier described as a "patchwork quilt" - are not only headquartered overseas but have also each implemented the Secure Sockets Layer (SSL) protocol on their services.

Up until yesterday, it was unclear how spooks could intercept traffic when such websites transmit individual user sessions over encrypted SSL channels.

"Through the bill we'll only be able to access communications data. CSPs will hold unencrypted data on their systems, we'll need to work with them," Alcock said.

"It's very easy to separate content from communications data," he added before offering reassurance to the committee of politicos by saying "we won't be applying systems that cannot reliably do that".

Peter Hill - the Head of Unit for Pursue Policy and Strategy Unit at the Home Office - stressed at the meeting that many CSPs were only too happy to cooperate. The reason for the new legislation, he added, was that "the data that we need is not available rather than that it's not being shared with us".

Farr described the discussions his office has had with CSPs as "constructive". He said: "Those providers understand there is an issue, they want to help to address it but they want a legal process to support it."

On the issue of DPI, Alcock said black boxes were already "used as a matter of course" by ISPs.

"It's possible to use that existing kit to establish the who, where and when," he said before repeating that "if we cannot reliably extract comms data by that route then we won't do it".

Farr had earlier defended Home Secretary Theresa May's draft communications bill - dubbed a snoopers' charter - by saying that clarity was needed about what data providers should retain. He said a "technical problem" existed with the current Data Retention Directive (DRD) and the Regulation of Investigatory Powers Act (RIPA).

"The lack of data is then compounded by a legal problem because the DRD is not clear about what information should be retained," he said.

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.