Parliament to unleash barrage of criticism on Snoopers' Charter

Unseen spook Farr back again with plan to tap the UK net

Real government achievement: A 40,000-word bill on a national database managed to avoid the word 'database'

Throughout the hearings in July and October, the Home Office team and Home Secretary Theresa May struggled vainly to stay on message, repeatedly reciting mantras about “catching criminals and saving lives”. Other mantras included: “there will be no central database” and “we only want communications data, not content”.

Desperate to avoid comparisons with Farr’s first failed attempt at the same new law under the previous Labour government in 2008, the language of this year’s bill and explanations was tortuously written around an obscurely defined “Request Filter” agency, which would receive validated orders to extract communications data – “who is in contact with whom” – from the police and other public bodies.

The Request Filter scheme was constructed as a way of avoiding referring to the feared and loathed “central database” of the original Farr plan. But the Home Office team faced well-briefed MPs who soon extracted admissions that data for the “request filter” required fitting remotely controlled DPI equipment at “six or seven major ISPs”.

Farr told that joint committee that “DPI black boxes … come into play in certain circumstances when an overseas provider or the state from which an overseas provider comes, or both together, tell us that they are not prepared to provide data regarding a service which is being offered in this country". The system would therefore put DPI boxes on the “UK network across which the data from the overseas provider must move, with the purpose of sucking off that data”.

The distributed DPI network would therefore have to read the contents of data packets automatically, interpret internet applications and protocols, and then analyse the contents to find the identity of who was communicating with whom, on any type of web service. To do this, “fragmented communications data” gathered from DPI access points would be assembled into a national database, by GCHQ, Detica, or both. But the word “database” was taboo at every point.

Perhaps the most spectacular achievement of the Home Office team was to write an entire 40,000-word draft Communications Data Bill designed to construct a national database derived from data mining, without letting the word “database” creep in even once.

No one has any idea what traffic inspection kit will be fitted

The legal power to require ISPs to fit DPI gear to their networks is contained in Clause One of the bill, but gives no description of the equipment to be fitted or what it might be required to do. This would be defined later in orders that the Home Secretary would then make, which would not be checked by Parliament and might be secret.

The harshest criticism the bill will face in both reports, according to parliamentary sources, is for the Home Office’s inability and unwillingness to explain what equipment ISPs would have to install, and its lack of response to security questions about how the DPI net could be defended against damaging cyber-attacks.

The Home Office claimed that it had briefed and consulted key industry organisations. A stream of industry witnesses told the committee the opposite, revealing that in some cases “consultation” had amounted to sending them a copy of the bill the day before it was published.

MPs and peers were also sceptical about the ability of GCHQ’s chosen contractor, BAE Detica, to deliver an ill-defined and unspecified complex computer project on time and in working order.

BAE’s last major government flop was the planned Nimrod MRA4 maritime surveillance aircraft, whose cost per plane had more than quadrupled by the time the disastrous project was axed in 2010, to the point where the UK could actually have acquired two or more space shuttles for the same money. Incoming coalition ministers ordered the half-rebuilt planes to be bulldozed into wrecks to stop BAE and air chiefs conspiring to push the project back into the defence budget.

BAE Detica’s 2011 report for the Cabinet Office on the “cost of cyber-crime” was widely criticised by experts for its claim that Britain annually loses £27bn through crime. Cyber expert Peter Sommer of the London School of Economics described the Detica report as "inflated British Aerospace puffery".

The data-mining plan Farr has been promoting appears at first to have been devised in the years after attacks on 11 September 2001, when former GCHQ chief and Cabinet Secretary Sir David Omand put forward proposals that British intelligence agencies should start harvesting and collecting “PROTINT”, or the “electronic exhaust” that we all now leave behind in everything we do online.

Even now, Google has hardly heard of PROTINT.

PROTINT, as described by Omand in his 2010 book Securing the State, “is personal information about an individual that resides in databases, such as advance passenger information, airline bookings and other travel data, passport and biometric data, immigration, identity and border records, criminal records, and other governmental and private sector data, including financial and telephone and other communications records … Access to such information, and in some cases the ability to apply data mining and pattern recognition software to databases, might well be the key to effective pre-emption in future terrorist cases”.

Farr's next top job lined up

Farr now appears to want to follow in Omand’s footsteps. He has applied for the recently vacant post of Home Office Permanent Under Secretary, shortly to be supersized as “Chief Executive”. He has been shortlisted for the post, according to political sources.

Parliamentary committee member and Lib Dem MP Dr Julian Huppert led many detailed enquiries into the case for the bill. Last week, he described it as “a seriously botched document, unfit in principle and in detail … thrown together without evidence to support the need for such wide-ranging powers".

“This is a bill that should not and will not get support in Parliament”, he told the Spectator magazine.

At the same time, the Home Office misfired again. The two committees had originally decided to publish their reports last Tuesday. They later announced that they would wait a week for the Leveson report to emerge and be debated.

Farr’s Home Office team tried to strike first, placing an “exclusive interview” with Home Secretary Theresa May in The Sun, attacking Deputy Prime Minister Nick Clegg and claiming hysterically that if opponents of the bill succeeded in having it changed or delayed “we could see people dying”.

“The people who say they’re against this bill need to look victims of serious crime, terrorism and child sex offences in the eye and tell them why they’re not prepared to give the police the powers they need to protect the public. Anybody who is against this bill is putting politics before people’s lives,” May was quoted as saying.

But the attack looked stupid and flopped because its timing was wrong. As one privacy campaigner commented, “it seems the Home Office can’t even manage to listen to their own telephone messages”.

Members of the joint committee are determined to not allow the Home Office to surf tomorrow’s avalanche of criticism and carry on as though nothing had happened. Liberal Democrat sources have said that Nick Clegg will use the report – which he demanded – to force a complete new review of surveillance measures. He should not fail, unless the Labour Party wishes to win back their former reputation for control freakery and intrusion by backing the spooks. ®

Duncan Campbell gave evidence to the Joint Select Committee on the Communications Data Bill.
