Real government achievement: A 40,000-word bill on a national database managed to avoid the word 'database'

Throughout the hearings in July and October, the Home Office team and Home Secretary Theresa May struggled vainly to stay on message, repeatedly reciting mantras about “catching criminals and saving lives”. Other mantras included: “there will be no central database” and “we only want communications data, not content”.

Desperate to avoid comparisons with Farr’s first failed attempt at the same new law under the previous Labour government in 2008, the language of this year’s bill and explanations was tortuously written around an obscurely defined “Request Filter” agency, which would receive validated orders to extract communications data – “who is in contact with whom” – from the police and other public bodies.

The Request Filter scheme was constructed as a way of avoiding referring to the feared and loathed “central database” of the original Farr plan. But the Home Office team faced well-briefed MPs who soon extracted admissions that data for the “request filter” required fitting remotely controlled DPI equipment at “six or seven major ISPs”.

Farr told that joint committee that “DPI black boxes … come into play in certain circumstances when an overseas provider or the state from which an overseas provider comes, or both together, tell us that they are not prepared to provide data regarding a service which is being offered in this country”. The system would therefore put DPI boxes on the “UK network across which the data from the overseas provider must move, with the purpose of sucking off that data”.

The distributed DPI network would therefore have to read the contents of data packets automatically, interpret internet applications and protocols, and then analyse the contents to find the identity of who was communicating with whom, on any type of web service. To do this, “fragmented communications data” gathered from DPI access points would be assembled into a national database, by GCHQ, Detica, or both. But the word “database” was taboo at every point.

Perhaps the most spectacular achievement of the Home Office team was to write an entire 40,000-word draft Communications Data Bill designed to construct a national database derived from data mining, without letting the word “database” creep in even once.

No one has any idea what traffic inspection kit will be fitted

The legal power to require ISPs to fit DPI gear to their networks is contained in Clause One of the bill, but gives no description of the equipment to be fitted or what it might be required to do. This would be defined later in orders that the Home Secretary would then make, which would not be checked by Parliament and might be secret.

The harshest criticism the bill will face in both reports, according to parliamentary sources, is for the Home Office’s inability and unwillingness to explain what equipment ISPs would have to install, and its lack of response to security questions about how the DPI net could be defended against damaging cyber-attacks.

The Home Office claimed that it had briefed and consulted key industry organisations. A stream of industry witnesses told the committee the opposite, revealing that in some cases “consultation” had amounted to sending them a copy of the bill the day before it was published.

MPs and peers were also sceptical about the ability of GCHQ’s chosen contractor, BAE Detica, to deliver an ill-defined and unspecified complex computer project on time and in working order.

BAE’s last major government flop was the planned Nimrod MRA4 maritime surveillance aircraft, whose cost per plane had more than quadrupled by the time the disastrous project was axed in 2010, to the point where the UK could actually have acquired two or more space shuttles for the same money. Incoming coalition ministers ordered the half-rebuilt planes to be bulldozed into wrecks to stop BAE and air chiefs conspiring to push the project back into the defence budget.

BAE Detica’s 2011 report for the Cabinet Office on the “cost of cyber-crime” was widely criticised by experts for its claim that Britain annually loses £27bn through crime. Cyber expert Peter Sommer of the London School of Economics described the Detica report as “inflated British Aerospace puffery”.

The data-mining plan Farr has been promoting appears at first to have been devised in the years after attacks on 11 September 2001, when former GCHQ chief and Cabinet Secretary Sir David Omand put forward proposals that British intelligence agencies should start harvesting and collecting “PROTINT”, or the “electronic exhaust” that we all now leave behind in everything we do online.

Even now, Google has hardly heard of PROTINT.

PROTINT, as described by Omand in his 2010 book Securing the State, “is personal information about an individual that resides in databases, such as advance passenger information, airline bookings and other travel data, passport and biometric data, immigration, identity and border records, criminal records, and other governmental and private sector data, including financial and telephone and other communications records … Access to such information, and in some cases the ability to apply data mining and pattern recognition software to databases, might well be the key to effective pre-emption in future terrorist cases”.

Farr's next top job lined up

Farr now appears to want to follow in Omand’s footsteps. He has applied for the recently vacant post of Home Office Permanent Under Secretary, shortly to be supersized as “Chief Executive”. He has been shortlisted for the post, according to political sources.

Parliamentary committee member and Lib Dem MP Dr Julian Huppert led many detailed enquiries into the case for the bill. Last week, he described it as “a seriously botched document, unfit in principle and in detail … thrown together without evidence to support the need for such wide-ranging powers”.

“This is a bill that should not and will not get support in Parliament”, he told the Spectator magazine.

At the same time, the Home Office misfired again. The two committees had originally decided to publish their reports last Tuesday. They later announced that they would wait a week for the Leveson report to emerge and be debated.

Farr’s Home Office team tried to strike first, placing an “exclusive interview” with Home Secretary Theresa May in The Sun, attacking Deputy Prime Minister Nick Clegg and claiming hysterically that if opponents of the bill succeeded in having it changed or delayed “we could see people dying”.

“The people who say they’re against this bill need to look victims of serious crime, terrorism and child sex offences in the eye and tell them why they’re not prepared to give the police the powers they need to protect the public. Anybody who is against this bill is putting politics before people’s lives,” May was quoted as saying.

But the attack looked stupid and flopped because its timing was wrong. As one privacy campaigner commented, “it seems the Home Office can’t even manage to listen to their own telephone messages”.

Members of the joint committee are determined to not allow the Home Office to surf tomorrow’s avalanche of criticism and carry on as though nothing had happened. Liberal Democrat sources have said that Nick Clegg will use the report – which he demanded – to force a complete new review of surveillance measures. He should not fail, unless the Labour Party wishes to win back their former reputation for control freakery and intrusion by backing the spooks. ®

Duncan Campbell gave evidence to the Joint Select Committee on the Communications Data Bill.
