IP address matching: Just Communications Data by another name?

According to the Open Rights Group (ORG), who are often right on soon-to-be-published legislation, the forthcoming bill on “IP Address Matching” is about mobile networks performing NAT.

There are probably a few reading this whose eyes have already started to glaze over, given the first paragraph mentions a three-letter acronym. It is likely that a few civil servants and ministers suffered from the same. That is worrying because it is entirely possible that this bill may, if ORG are correct, involve collection of communications data – here’s why:

Network Address Translation (NAT) is a way of hiding many computers behind a single Internet address. It was invented because under the system of addressing currently in use in much of the world, there are not enough addresses for every computer to connect at once. Using the analogy of a telephone system, it is like a company having a few well-publicised phone numbers for their major services but hiding all their other staff behind a single generic phone number whenever they make an outbound call.

If someone is making nuisance calls that you are trying to trace, being told that the call came from your generic phone number is not much use. As with IP addresses hidden behind NAT, there could have been tens of thousands of phone calls being made outbound from that phone number at any point in time. You can only trace who made the call if you also logged which number each handset dialed.

Now, the internet also uses port numbers. They are fixed for servers (web servers typically run on port 80 or 443) but randomly assigned for outbound connections, so that the address and port will be unique for anyone talking to a particular service. This makes it theoretically possible to trace a user using both the address and port if you already know which service they were talking to.

Unfortunately for that approach, servers on the internet generally only record source addresses and not source ports.

If the Home Office want the data they are collecting to be useful, this means they will likely also be asking service providers to store destination addresses, which brings us back to having to store communications data. It would allow security services, police or even an anti-piracy company with a court order to ask a service provider questions such as “tell me everyone who accessed www.aljazeera.com in the last 12 months”.

Hopefully I’m wrong.

(Some further reading for the more technically inclined is over at ISPReview. The comments are also worth a read.)

Was the Communications Data Bill just a cover for Prism Data?

It’s been hard to miss the coverage of revelations that the US government has been scooping up data from tech giants such as Apple and Facebook – you’ve probably already seen newspaper reporting on the Prism project slides.

What’s surprising is that people think this is cause for renewed concern. Data in the cloud really should not be considered secure. The Americans have some sort of quasi-legal process for handling this, but I doubt other foreign intelligence is. And if you are a big corporate, your data – blueprints, designs, release and pricing information – is probably of more interest to them too, as they can then give it to their own companies to produce cheap knockoffs.

And it’s not like the media in this country are any better behaved either. Personally, I regard all data on Facebook as near-enough public. Privacy settings stop my neighbours snooping but little else.

Rather more concerning is the UK involvement in this. According to the Guardian, “Prism would appear to allow GCHQ to circumvent the formal legal process required to seek personal material such as emails, photos and videos from an internet company based outside the UK.”

This is interesting in light of the recently proposed Communications Data Bill. If the security services already have access to the data, what was the bill for? One option is that it would have allowed open use of Prism data in UK courts, without raising questions as to its origin.

Another is rather more concerning: In exchange for Prism data we were expected to be able to generate similar data for the US on data travelling through UK-based servers and networks, building a global network of surveillance by states on each other’s citizens.

Communications data privacy and the Queen’s Speech

As we expected, the Queen’s Speech yesterday did not include a revised “snooper’s charter”. Well, mostly – the Guardian thinks otherwise, but whilst there are areas where the Civil Service are still pushing for better tools to tackle the war-on-terrorists-and-paedophiles they’ve chosen a different tack this time.

The general impression I’ve received from the briefing notes is that whoever prepared them has no idea what they are asking for.

Here is the excerpt from the Queen’s Speech Briefing Notes (PDF link, page 74). I am quoting this at length because the language is important to the following discussion.

When communicating over the Internet, people are allocated an Internet Protocol (IP) address. However, these addresses are generally shared between a number of people. In order to know who has actually sent an email or made a Skype call, the police need to know who used a certain IP address at a given point in time. Without this, if a suspect used the internet to communicate instead of making a phone call, it may not be possible for the police to identify them.

The Government is looking at ways of addressing this issue with CSPs. It may involve legislation

Firstly, let’s look at the notion that a network can associate an IP address with a person. This is fairly easy to refute, because you just have to consider that most households have shared computers. So, what about at the computer level? Well, many households have a single account on a computer and many devices (e.g. iPads, phones, gaming consoles), and older operating systems do not have the ability to handle multiple users at all.

This problem is relatively easily solvable, technically. Simply require service providers to operate gateways that end users must log into individually using centrally-issued ID prior to accessing the internet. The technology is there because many large companies run such systems to track abuse, and this is certainly a much simpler challenge to solve than previous suggestions around logging everything that happens on the internet. Politically, however, such measures would be suicidal. I don’t believe this is what is being proposed.

Rather more likely, it seems, is the ability to identify an end device, rather than an end user. The current generation of IP addressing – IPv4 – does not have enough address space to do this, hence the deployment of Network Address Translation (NAT) to share an IP address between multiple users. Your home broadband probably uses a single public IP for everyone in the house, and large organisations will also use one or a very few public IP addresses for all of their corporate traffic. This is necessary because there are just over 4 billion addresses theoretically available, and significantly fewer than that by the time all the overheads have been taken into account. Ignoring that organisations like Facebook, Twitter and so on need IP addresses themselves to host their content, that’s still less than the number of people on the planet. And many of us have more than one device needing an address.

The next generation of IP, IPv6, has rather more addresses (just over three hundred trillion trillion trillion). But IPv6 is not ready yet, and mandating that everyone in the UK use it and never use the older version again would cut us off from large portions of the internet. Economic suicide this time. Even if we could do this, the technical community has already raised privacy concerns with IPv6. Originally, under a system called EUI-64, the last part of your address was derived from the hardware MAC address of your computer, a unique number rather like a serial number. People realised this allowed devices and users to be tracked rather easily, so they came up with a simple solution: every time your computer connects to an IPv6 network, the last part of the address is randomised and changes each time.
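To illustrate the EUI-64 tracking problem and the randomised-identifier fix described above, here is an added example written for this page (not code from the original post); the MAC address and the /64 prefixes it uses are constructed, and the "regenerate if it looks like an EUI-64" step is an assumption made for clarity rather than a quotation of any RFC.

```python
"""Added example: how a modified EUI-64 interface identifier embeds the hardware
MAC address, why that lets a device be recognised on every network it joins,
and how a randomised (RFC 4941 style) identifier avoids it.
The MAC address and prefixes below are constructed."""
import ipaddress
import secrets

MAC = "00:1a:2b:3c:4d:5e"                       # constructed hardware address
PREFIXES = ["2001:db8:1::/64", "2001:db8:2::/64"]  # two constructed networks


def eui64_interface_id(mac):
    """Modified EUI-64: split the 48-bit MAC, insert 0xFFFE in the middle and
    flip the universal/local bit (0x02) of the first octet."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def mac_from_eui64(iid):
    """Inverse of the above: recover the MAC from an interface identifier, or
    None when the identifier does not carry the 0xFFFE marker."""
    if len(iid) != 8 or iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in octets)


def random_interface_id():
    """Temporary identifier: 64 random bits with the universal/local bit
    cleared. Assumption for this example: regenerate if the random bytes happen
    to look like an EUI-64, so the identifier is never mistaken for one."""
    while True:
        raw = bytearray(secrets.token_bytes(8))
        raw[0] &= 0xFD                       # clear bit 0x02
        if raw[3:5] != b"\xff\xfe":
            return bytes(raw)


def address_from(prefix, iid):
    """Combine a /64 prefix with an 8-byte interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("expected a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))


def interface_id_of(addr):
    """The low 64 bits of an IPv6 address, as bytes."""
    return int(ipaddress.IPv6Address(addr)).to_bytes(16, "big")[8:]


def same_device_across_networks(mac, prefixes, privacy):
    """For each network the device joins, return the MAC an observer could read
    out of its address (None if nothing is recoverable). With EUI-64 the same
    MAC appears on every network; with random identifiers it does not."""
    ids = [random_interface_id() if privacy else eui64_interface_id(mac) for _ in prefixes]
    addrs = [address_from(p, i) for p, i in zip(prefixes, ids)]
    return [mac_from_eui64(interface_id_of(a)) for a in addrs]


if __name__ == "__main__":
    print("EUI-64 address on net 1:", address_from(PREFIXES[0], eui64_interface_id(MAC)))
    print("MAC readable across networks (EUI-64):", same_device_across_networks(MAC, PREFIXES, False))
    print("MAC readable across networks (random):", same_device_across_networks(MAC, PREFIXES, True))
```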

As a result, if IPv6 is the solution the mandarins are thinking of, they’ll need to have a specific UK version of computers with this privacy feature disabled. Possible, but difficult to enforce even if they find a way of forcing IPv6 deployment.

There is only one interpretation of the briefing notes that still makes sense, and the clue is in the last line regarding legislation and service providers. What they are concerned about is large scale address sharing, referred to as Carrier Grade NAT (CGN). With this, millions of users, such as those on Vodafone or O2, are behind a single IP address. As old-school IPv4 addresses run out, big broadband operators may roll this out for those on fixed lines too (BT are currently trialling this, for example). The police and security services want to make sure the providers not only log all the technical information for these so they can identify a single household or mobile device, but that they keep the data for long enough to be useful. Where such data is logged by service providers, it is typically only kept for long enough to generate capacity planning reports and handle network abuse: hours or days. Law enforcement works on a much longer timescale, typically weeks or months, by which time the data has been thrown away.
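The tracing problem set out in the “IP address matching” post above (servers log a source address but not a source port) and the CGN retention point made here are shown together in this added example; it is illustrative code written for this page, not from the original posts, and every address, subscriber id and log line in it is constructed.

```python
"""Added example: why a server's log line alone cannot be attributed to one
subscriber behind Carrier Grade NAT, what the operator's translation log must
contain for that to work, and what happens once the log has been pruned.
All addresses, subscriber ids and log lines here are constructed."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class NatSession:
    subscriber: str      # operator-internal account id (constructed)
    private_ip: str      # address inside the CGN (RFC 6598 shared space)
    public_ip: str       # shared public address the server sees
    public_port: int     # port the CGN chose for this connection
    dest_ip: str
    dest_port: int
    start: datetime
    end: datetime


T0 = datetime(2013, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
SHARED_IP = "203.0.113.7"
WEB_SERVER = "198.51.100.20"

# Constructed CGN translation log: several subscribers share SHARED_IP.
CGN_LOG = [
    NatSession("sub-0001", "100.64.0.11", SHARED_IP, 40001, WEB_SERVER, 443, T0, T0 + timedelta(minutes=5)),
    NatSession("sub-0002", "100.64.0.12", SHARED_IP, 40002, WEB_SERVER, 443, T0 + timedelta(seconds=30), T0 + timedelta(minutes=3)),
    NatSession("sub-0003", "100.64.0.13", SHARED_IP, 40003, "198.51.100.99", 80, T0 + timedelta(minutes=1), T0 + timedelta(minutes=2)),
    # Port 40002 is handed out again two hours later to a different subscriber,
    # so the timestamp matters as much as the port.
    NatSession("sub-0001", "100.64.0.11", SHARED_IP, 40002, WEB_SERVER, 443, T0 + timedelta(hours=2), T0 + timedelta(hours=2, minutes=1)),
]

# Constructed Apache-style access log line: the server records the source
# address and the time, but not the source port.
SERVER_LOG_LINE = '203.0.113.7 - - [01/Jun/2013:12:01:00 +0000] "GET / HTTP/1.1" 200 512'
_CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\]')


def parse_server_log(line):
    """Return (source_ip, timestamp) from a common-log-format line."""
    m = _CLF.match(line)
    if not m:
        raise ValueError("unrecognised log line")
    return m.group("ip"), datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")


def candidates(log, public_ip, when, public_port=None, dest_ip=None, dest_port=None):
    """Subscribers whose NAT session matches every field that was supplied.
    Fields left as None (because nobody logged them) cannot narrow the search."""
    out = set()
    for s in log:
        if s.public_ip != public_ip or not (s.start <= when <= s.end):
            continue
        if public_port is not None and s.public_port != public_port:
            continue
        if dest_ip is not None and s.dest_ip != dest_ip:
            continue
        if dest_port is not None and s.dest_port != dest_port:
            continue
        out.add(s.subscriber)
    return out


def prune(log, now, retention):
    """Operators keep CGN records only for capacity planning and abuse handling;
    anything older than the retention window is discarded."""
    return [s for s in log if s.end >= now - retention]


def lookup_address_only():
    """What the server's log line alone supports: address and time, no port."""
    ip, when = parse_server_log(SERVER_LOG_LINE)
    return candidates(CGN_LOG, ip, when)


def lookup_with_port_and_destination():
    """Same query if the server had also logged the source port and the
    investigator supplies the destination they already know."""
    ip, when = parse_server_log(SERVER_LOG_LINE)
    return candidates(CGN_LOG, ip, when, public_port=40002, dest_ip=WEB_SERVER, dest_port=443)


def lookup_after_port_reuse():
    """Port 40002 again, but two hours later: a different subscriber."""
    return candidates(CGN_LOG, SHARED_IP, T0 + timedelta(hours=2, seconds=30), public_port=40002)


def lookup_after_retention_expired():
    """A request arriving a week later, against a log kept for three days."""
    ip, when = parse_server_log(SERVER_LOG_LINE)
    kept = prune(CGN_LOG, T0 + timedelta(days=7), timedelta(days=3))
    return candidates(kept, ip, when, public_port=40002)


if __name__ == "__main__":
    print("address only      :", sorted(lookup_address_only()))   # three subscribers
    print("with port + dest  :", sorted(lookup_with_port_and_destination()))
    print("port reused later :", sorted(lookup_after_port_reuse()))
    print("after retention   :", sorted(lookup_after_retention_expired()))
```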

However, it would appear the powers required to do all this are already enshrined in the existing Data Retention Directive. So it’s still a little unclear why all this needs to appear in the Queen’s Speech.

As is typical with internet policy matters coming from the government, it’s all a bit vague.

Dear Nick, please shut up

Dear Nick,

We love you really. Particularly after “I’m sorry”.

We were good boys and girls and folk of no particular gender and didn’t make noises about unseating you at conference, because we don’t believe that’s a good idea. (Even if the press would love it)

But you really, really need to learn to stop talking sometimes.

At conference during your Question and Answer session, you were asked about the draft Communications Data Bill. As you probably know this does not make headlines in the Guardian every day but is still something that worries many liberals. When Mark Pack asked you a question on it, you initially responded well with some spot on phrases:

“It’s a draft bill”.

“Unprecedented levels of scrutiny”.

“Julian Huppert”. (Julian’s mention being enough for a round of applause)

And finally, you confirmed what’s become known as “the Huppert Veto”. Despite the name, this is not the latest Tom Clancy thriller.

Well done.

But after about three minutes of not particularly intense questioning, it started falling apart. George Potter asked you if you’d taken any advice on the bill, or even read it before initially endorsing it. It’s fine to say the Home Office misled you. Really, we won’t mind. It happens, and we’re there to catch that sort of thing before it makes it into law. That’s the nice thing about the Liberal Democrats: We can do that, when other parties can’t.

Parroting out the lines that the “principles of the bill are extending existing powers” just makes you sound like you’re reading from a Home Office press release. It’s not just about “extending [existing] powers to other forms of communication, particularly Voice, Skype or whatever”. It’s far more than that, and we know it.

At least when the third questioner challenged you, the response was a reference to “Nasty people”. I’m pleased that we’ve dropped the tired old “paedophiles and terrorists” line. But the “Yeah, yeah” as if you understood what a VPN was didn’t make you look clever.

This is really, really technical.

If I was having to defend a highly technical motion related to the safety of nuclear reactors, or use of certain drugs in hospitals, I’d not even try. I’d get people in who understood the stuff, liberals I trusted, and let them get on with it. Please don’t pretend to understand it because we’re completely OK with the idea that it’s really not that easy.

Frankly, you’ve got other things to do. A country to run. We, led by Julian, can handle this one.

Instead, just remember these simple four words when questioned on the Communications Data Bill:

“I agree with Julian”.



Communications Data Bill: Police think it’s not worth the money

Last week, in the Home Affairs Select Committee, Dr Julian Huppert quizzed the Metropolitan Police commissioner on what he might spend £1.8bn of cash on. Those familiar with the draft Communications Data Bill will probably recognise that number: It’s the Home Office estimate of the total cost of implementing the Bill.

Q403 Dr Huppert: Commissioner, if for all of policing, including counter-terrorism and all the other things that you do, you found you had an extra £1.8 billion over the next 10 years, what would be your number one priority for how you choose to spend that money?

One would expect Mr Hogan-Howe to be “on message” when it comes to this as he was quite vocal when the draft bill was announced, describing the powers as necessary to wage a draconian-sounding Total War on Crime. This guy is one of the leading voices asking for the bill. Surely he must think it is good value for money?

Surprisingly, Communications Data would not be a priority. He’d rather spend the cash on other things such as community policing and general IT.

In fact, Communications Data didn’t even get a mention.

Bernard Hogan-Howe: It is a good question, and I would need a bit of time to think about it, but there are probably two main things. One would be to enhance the neighbourhood and community policing response. I think there is an opportunity there for us to do more. The second thing is I want to invest more in technology, not to replace the people necessarily, but we in the Met spend about £220 million a year on IT. Across the country policing generally spends £1.2 billion on IT. My point would be that it is more green screen than it is iPad, I am afraid, and it does not seem to catch criminals. Lots of lists, but ANPR catches criminals, facial recognition helps, fingerprints, DNA quick turnaround. These are things that I think over time can make a real difference, and of course it links us into the community and the victims in a far better way in which you see business deliver a service. I don’t think we are anywhere near that yet. So that is the two big areas that I would probably invest in. Probably the other one would be training. We have embarked on a quality programme and I think in the past probably the police service has seen training as a cost not an investment. For me it is an investment provided it is done properly and it is invested towards crime-fighting, which I think is vital.

(You can view this exchange on Parliament TV, starting from 11:02:23)

We already know that the proposals are incredibly expensive compared to the existing system and now even the police force primarily responsible for anti-terrorism don’t believe it’s good value for money.

So why are we doing it?

Evidence to the Communications Data Bill committee

I’ve already put it online as a PDF, but here’s my submission to the committee on the draft Communications Data Bill in a slightly easier to read format.

QUESTION 1: Has the Home Office made it clear what it hopes to achieve through the draft Bill?

  1. Considering the draft bill itself, there is no apparent restriction on the powers that are granted by it, which does not give any way of assessing exactly what the intentions are. The powers could be used for deployment of “black boxes” en masse throughout the UK, could be used just to target known hotspots, or could just be used to attempt to intercept information to and from non-cooperative web site owners. There may even be no deployment of interception, with the bill just being used to retain additional information.

  2. In its publicity surrounding the bill, the Home Office (HO) stated legislation was needed because “New communications technologies are generating communications data in different ways and communications data is no longer always retained by communications service providers.” (Emphasis added) In oral evidence to the committee, Charles Farr and Richard Alcock also concentrated on the “data retention” aspect of the bill as being primary, rather than obtaining data via interception. (This is discussed further in the answer to question 2)

  3. It would therefore seem that the HO are publicly trying to state that the bill is about retention. However, the powers being asked for include obtaining data via interception, and the use of these powers has not been made clear or publicly discussed in any detail by the HO.

  4. The Home Office (HO) has also stated that it has spoken to a number of service providers who do understand their aims here. However, it is certainly not clear to myself or to anyone else I have spoken to in the industry what the aims are. It may be that those who have been spoken to are not themselves technical, but instead managers in effect bidding for a slice of the £1.8bn on offer. As a result, without knowing who the HO have been communicating with, one should be wary of accepting assurance that the concerned service providers are happy (technically or otherwise) with the HO proposals. Even if the HO genuinely believes the assurances given to it by service providers, the assurances it has received may not have been made entirely in good faith and from a disinterested position.

  5. Multiple Freedom of Information requests have been made to the Home Office on the topic of who they have spoken to, both for the draft bill and existing data retention regimes, and also enquiring as to how they arrived at the costs stated. All have been entirely or mostly refused (1, 2, 3, 4, 5), so there is no clarification available via that route as to either the value of any assurances apparently given by service providers or the aspirations of the bill in general.

  6. Other potentially useful information on the bill has also been suppressed by the HO. For example, they attended a conference run by the London Internet Exchange (LINX) and presented a half hour slot to Internet Service Providers (ISPs) on the bill. The conference attendees were not security cleared and included foreign nationals, but despite this the HO refused permission to allow LINX to release the video for download to members who were not present at the meeting, and additionally stated that they would never disclose who in the industry they had talked to, in order to stop people simply switching ISPs.

  7. The above facts combined – overly broad content in the bill, concentration on “data retention” in evidence to the committee, refusal to answer Freedom of Information requests and limiting circulation of information – would suggest that the HO simply does not want more than vague details of its aims to be public knowledge for security reasons. That approach makes any useful, democratic assessment of their request a practical impossibility and also seriously damages any prospect of meaningful oversight.

QUESTION 2: Has the Government made a convincing case for the need for the new powers proposed in the draft Bill?

  1. In oral evidence to the committee, Charles Farr, Director General of the Office for Security and Counter-Terrorism, states that much of the current problem is down to “ambiguity” in the Data Retention Directive (Q7) and goes on (Q9) to state that he believes the draft bill will increase the proportion of successful requests for data from 75% to 85%. This concentration on data retention (versus data acquisition) is further reiterated, including by Richard Alcock (Director of Communications Capability Directorate) in his answer to Q74, who states that the costs are around data retention.

  2. What is not addressed is why simply updating the UK implementation of the data retention directive would not be sufficient to achieve the stated 10% uplift if this is simply a data retention issue.

  3. There is mention in the same session of cooperating with European, not UK, providers in retaining this data and that differences in the implementation of the Data Retention Directive (DRD) across Europe were part of the problem. It is not explained how a bill passed in the United Kingdom could be used to require European providers to retain data: Either the providers somehow fall under UK law by virtue of doing business here (In which case they would be subject to a UK “clarification” or update of the Data Retention Regulations 2009) or they are not subject to UK law, in which case any agreement with them would not be influenced by new legislation.

  4. Although effort has been made to justify retention of additional data, no serious attempt appears to have been made by the Home Office to justify additional powers of interception and obtaining additional data.

QUESTION 3. How do the proposals in the draft Bill fit within the wider landscape on intrusion into individuals’ privacy?


QUESTION 4. What lessons can be learnt from the approach of other countries to the collection of communications data?

  1. Based on an analysis of data released by Google, the UK has, per capita, the most investigated population in the world in terms of communications data. Other countries may engage in snooping directly on their citizens, rather than requesting data from companies such as Google, but the UK would be unique amongst western democracies should it engage in such practices, and this would largely be uncharted territory.

QUESTION 5. Are there any alternative proposals with regard to the technique and cost of obtaining communications data that the Government could consider?

  1. As discussed previously, updating the Data Retention (EC Directive) Regulations 2009 to cover more data should be considered. However, the HO have been reluctant to release enough information on what they hope to achieve which makes proper consideration of any alternatives difficult.

QUESTION 6. The draft Bill sits alongside the Data Retention Regulations. How will these two pieces of legislation interrelate? Would it be preferable to have one overarching piece of legislation that governs the retention of communications data?

  1. It would appear that, as written, the bill would supersede the Data Retention Regulations in all respects. There would appear to be no circumstances under which it would be worthwhile for the Secretary of State to issue further notices to service providers under section 10 of the regulations should the bill be passed. As a result, the regulations would cease to have any real world effect once all current providers are notified of their new obligations under the proposed bill.

QUESTION 7. If it is concluded that the provisions of the draft Bill are essential, are there any other measures that could be scrapped as a quid pro quo to rebalance civil liberties?

  1. The draft bill gives the potential for near-total omniscience to the state within the communications world. Given that people’s lives are increasingly integrated with electronic devices and the Internet, the scale of any scrapping of existing powers outside of the bill itself to rebalance liberties would have to be staggering in its scope.

QUESTION 9. Is the estimated cost of £1.8bn over 10 years realistic?

  1. Despite multiple Freedom of Information requests, as noted in the answer to Question 1, the HO has yet to produce any breakdown of its costs beyond simply stating that around half the cost is retention. As it has also not been made clear what the aims and objectives of the bill are, it is not possible to determine if this is realistic.

QUESTION 10. The Home Office suggests the benefits that could be delivered by the enactment of the draft Bill could be worth between £5‐6bn. Is this figure realistic?

  1. The HO have not released any breakdown of this benefit, so it is hard to analyse. It would appear some of these benefits, based on evidence given orally by Charles Farr, are based on notional values of human life etc., for which we do not have numbers.

  2. However, a basic sanity check can be performed. There were 414,400 successful requests in 2010 (75% of 552,550) and the HO have stated in oral evidence to the committee that they hope for a 10% increase in successful requests as a result of the bill, meaning an additional 55,255 requests. If the claimed £5bn over ten years is delivered by those additional requests, that is £500m a year spread over 55,255 requests, or about £9k per request; applied to the 414,400 requests that already succeed, this would mean that the current Data Retention regime is delivering a value of £3.75bn per year. That number seems large and I would have expected to see more publicity surrounding the benefits of the existing system, but it is a feasible figure given that the HO aims to “prevent revenue loss through tax fraud and facilitating the seizure of criminal assets”.

QUESTION 13. How robust are the plans to place requirements on communications service providers based overseas? How realistic is it that overseas providers could be pursued for breach of duty?

  1. The UK would appear to have no legal recourse against foreign service providers who do not, entirely voluntarily, comply with the proposed bill. If the HO did attempt to find a way to pursue foreign service providers with no UK base, this would set a very unwelcome precedent. UK service providers may then have the burden of complying with laws and regulations in every other country connected to the Internet, in case a user from that country visits their site.

QUESTION 16. Applications for accessing communications data will be subject to a series of safeguards including approval by a designated senior officer within the public authority making the request. How should “designated senior officer” be defined? Is this system satisfactory? Are there concerns about compliance with Article 8 ECHR?


QUESTION 17. Would a warrant system be more appropriate? If you favour a warrant system should this apply to all public authorities including law enforcement agencies? Should a warrant be necessary in all circumstances? And what would the resource implications be?

  1. Independent oversight of requests is certainly desirable, but a “warrant” could be granted by the Secretary of State or their nominated representative, which lacks sufficient independence. It would be more appropriate to specify that a judicial warrant is required.

  2. The main objection by the HO to requiring warrants has been time, in critical cases, and cost. On the topic of time, there is no reason why the vast majority of non-time-critical requests (Priority Grade 3, under the current RIPA system) should not require warrants. Such a system must mandate retrospective judicial approval of any high priority (Grade 1) requests to prevent abuse, with automatic reporting of any failed retrospective requests and investigation by the commissioner. The commissioner has already identified “serious non-compliance” by a number of police forces under the current oral approval system, which is a major cause for concern if not addressed. (2011 Annual Report of the Interception of Communications Commissioner, Page 35)

    1. For cost, the overall cost of the proposed system amounts to £3,257 per successful request. The cost of applying for a warrant does not appear to constitute a major additional burden in light of this.

    QUESTION 18. Is the role of the Interception of Communications Commissioner and the Information Commissioner sensible?

    1. The roles in theory are welcome, but the commissioners have proven themselves to be relatively toothless and do not properly investigate problems. A much stronger system of oversight is required.

    QUESTION 19. Are the arrangements for parliamentary oversight of the powers within the draft Bill satisfactory?

    1. As noted previously the HO have been extremely reluctant to provide any information to the committee in evidence to support the bill. There is no reason at this stage to believe they would be any more cooperative when it comes to future oversight. The draft bill should enforce tough, thorough and public reporting by the HO and all organisations granted powers or obligations under the bill.

    2. It is notable that the proposed system of interception involves the secretary of state mandating the equipment and configuration to be used by service providers, meaning it is unlikely that service providers will have any meaningful insight into the operation of the system. This will mean that the only organisations who really know what is going on are the HO and the (So far unidentified) suppliers of the equipment. This potentially means that no independent oversight of the technical implementation of the bill will exist at any level.

    QUESTION 21. Are the penalties appropriate for those public authorities that inappropriately request access to communications data? Should failure to adhere to the Code of Practice which is provided for in the draft Bill amount to an offence?

    1. It should be a criminal offence to wilfully disregard any communications data provisions, to prevent managers and staff refusing to take responsibility for the significant powers granted to them, in a similar way to the driver of a vehicle – and not his employer – being liable for offences committed behind the wheel. However, history has shown that prosecutions for such offences rarely take place as they are deemed not to in the public interest and this is as critical a problem as the penalties themselves. Mandating investigation by the commissioner with a strong presumption of prosecution on behalf of the CPS would go some way to solving this issue.

    QUESTION 22. Does the technology exist to enable communications service providers to capture communications data reliably, store it safely and separate it from communications content?

    1. On the scale required by the HO, no. No evidence has been presented by the HO to suggest otherwise, or how they would handle non-standard and ever-evolving protocols used by many sites.

    2. As an example, in the 2010 film “Four Lions”, the jihadists converse over a web site that appears to be based on Disney’s “Club Penguin”, an online game for children. The protocol used for communication between such sites and the client software running on the users computer will be completely proprietary and change entirely at the whim of the developers.

    QUESTION 23. How safely can communications data be stored?

    1. Security is a trade-off between usability and accessibility of the data versus it’s value and the impact if it is compromised. The value of the data held by Service Providers will be huge, representing a valuable asset in corporate espionage potentially funded by foreign governments.

    2. Such a high-value asset needs to be protected very robustly and although service providers generally have a good track record in keeping critical data secure, breaches do happen. This is a significant risk, the impact of which should be properly and fully investigated and reported on by the HO and accepted as being necessary prior to the bill being passed.

    QUESTION 25. How easy will it be for individuals or organisations to circumvent the measures in the draft Bill ?

    1. It would seem to be trivial to circumvent, unless the HO has some mechanism of decrypting all traffic that is not known to the rest of the world. (See discussion in answer to Q26 for more on this)

    2. The government of China, which has thrown significant resources at it’s “Great Firewall of China” project, has been trying to simply block – not even intercept – unapproved internet sites. Despite this, it remains the case today that people are able to bypass this system using technologies such as “tor”. There is no reason to believe the HO would be significantly more successful at interception than other governments would be at the simpler task of blocking.

    QUESTION 26. Are there concerns about the consequences of decryption?

    1. Potentially, yes, as we do not know how the HO intends to break encryption other than a simple statement that they can. There is a real danger that “man-in-the-middle” attacks on encryption might expose UK users to additional security risks or generally destabilise the internet in unwelcome ways. To avoid security and stability problems created by interception, it should be a requirement of the bill that interception may only be passive and not alter the contents of the communication in transit.

    2. Worse, in a nightmare scenario, whatever technology is deployed at the service provider level by the HO to decrypt traffic is stolen from a data centre by criminals or members of foreign intelligence agencies, potentially exposing a very large number of users to security risks, with huge financial implications.

Comparative costs of CCDP requests

There was some mention of costs in the recent Communications Data Bill committee hearings and I also ran across an interesting Freedom of Information request on the costs of the current system, so I thought I’d take a look at them side by side. Which system gives better value for money, the existing Data Retention or the proposed Communications Data Bill?

Cost-per-request under the Data Retention Directive

There are three pieces of useful information here. Firstly is the evidence of Charles Farr, Director General of the Office for Security and Counter-Terrorism. From his answer to Question 6 in oral evidence to the Communications Data Bill Committee: “As you know, we have put, based on our survey of the relevant organisations, a figure of 25% of data that organisations would like to get access to but cannot.” (In other words, 75% of the data is available)

Secondly is Question 10 from Michael Ellis MP: “in 2010 there were over half a million requests for communications data: 552,550.” In combination with the above 75%, that gives around 414,400 successful requests in 2010.

And finally, we have a Freedom of Information response to Caspar Bowden from which we have the yearly cost of running the Data Retention programme. Taking an average for 2009-10 and 2010-11 (Presumably Fiscal years) we find an average for 2010 of £13.15 million.

That’s quite a simple calculation to do: Each successful data request has a data retention cost of £31.76.

Cost-per-request under the Communications Data Bill

Again, Charles Farr has given us some useful information here. In response to question 9, he believes they will “improve our coverage to a figure of what we think should be in the region of 85%, as opposed to 75%, which is where we are now”.

I’ll be generous here and assume they actually get an immediate 10% increase, although even Mr. Farr admits that’s not likely and they won’t see the 85% figure until 2018. That means an extra 55,255 requests for data would be successful based on their figures.

As for the cost, Dr Julian Huppert’s Question 73 states “The Home Office estimate is that the cost of this Bill as it currently is would be £1.8 billion over the next 10 years.”

So that’s £180 million a year for 55,255 more successful requests – or £3258 per request, over 100 times more expensive than under the current data retention regime.

So this additional cost is all the “black boxes” snooping on people, right?

Not according to Richard Alcock, Director of the Communications Capabilities Development Programme. From question 73: “The majority of the costs are around data retention. Over 50% are associated with working with communications service providers in the UK, to establish data retention stores.” It would seem that despite their claims that the new bill is mostly about improving data retention, their idea of data retention is significantly more expensive (and thus much more extensive?) than the current system.

This discrepancy presumably explains why, despite complaints that much of the existing problem is that the Data Retention Directive is “ambiguous” and does not go far enough

But what about the benefits? There is a claim (Question 76) that this will have a benefit of £600 million per year. When asked to justify this by Dr Julian Huppert MP, Charles Farr included the phrase “We then attached a monetary value to lives saved”. In other words, it’s not a saving, just an analysis of the benefits. We do not have the raw numbers as the Home Office have not released them, so we cannot assess whether that “value” of lives saved would actually be better spent not snooping on people, but in hospitals.

If we assume the Home Office are being honest in response to Freedom of Information requests, it may simply be that the £1.6 billion figure is made up. (This would not be the first time we have caught someone making up such figures.) When I requested a breakdown of the costs of the proposed system, they claimed it would take in excess of 100 hours to compile the information. Which rather sounds like “We do not have this”.

What we’ve learnt about CCDP plans

Featured on Liberal Democrat Voice

Yesterday, the first set of evidence into the Home Office’s controversial interception plans was heard in front of the special committee established to look at the draft bill and you can watch the Video on Parliament’s web site. (More is scheduled for this afternoon).

We learnt a few things about what’s being planned as a result of the evidence given, which was predominantly given by Charles Farr, ex-MI6 man and Director of the Office for Security & Counter-Terrorism.

Firstly, the existing Regulation of Investigatory Powers Act and Data Retention Directive are allowing police and security services to get access to around 75% of the data they are after. It’s envisaged that the wide-scale interception of communications data would increase that to 85% – so by only 10%, which seems a huge cost in both monetary and civil liberties terms for a relatively small increase. The existing shortfall was attributed in part to “ambiguities” in the EU Data Retention Directive as it’s implemented in the UK.

Secondly, when asked about their ability to break cryptography the Home Office mandarins ducked the question, instead saying that their preferred method was to “co-operate” with (i.e. coerce) service providers. This would be the likes of Google, Facebook and Twitter, both UK-based and foreign, so that they stored the communications data themselves.

They were quite clear on this point when asked about “black boxes” too and not just crypto – even though interception is the very first clause in the draft bill, they claim the main thrust is retaining data at the service provider.

A big hole in their argument as a result is that they have not made clear why altering the existing Data Retention Directive to allow this isn’t enough. There is a big difference in liberal terms between being asked to retain data you already have and actually listening in to obtain data.

The issue that remains is foreign non-cooperative service providers who cannot be coerced, and the Home Office seems to imagine only intercepting communications as they enter and leave the UK, not widespread interception within the UK. This approach will cut the number of boxes they need. They may not even need to talk to big household-name service providers to do this, instead targeting the lesser-known (to the public) fibre providers who offer the bits of glass that go under the oceans, seas and English Channel.

This has the side effect of also intercepting private (Non-internet) traffic and communications transiting the UK from, say, the US to Germany. I’m sure this point hasn’t been lost on those pushing for it.

In terms of capability, the spooks believe it will be nearly impossible to remain anonymous with the volume of data they are able to collect, something that has sinister overtones for anyone with a genuine need to speak out against the establishment or against the police. You don’t even need to look as far as China to see this in action, as it would be the police justifying the use of interception and there is far from universal trust of the police to regulate themselves in this country.

On the topic of the police self-justifying their use of powers, requiring warrants to obtain data for lesser needs (e.g. Harassment and Non-payment of fines) was discussed and the Home Office did not seem to have a good reason why this shouldn’t be the case. Their argument in favour of allowing minor offences to be included is that they might escalate into more serious offences, and that’s OK because they don’t (ab)use these powers much. (Yet…)

Finally, they were asked by one MP if they could rule out “fishing” expeditions where they would obtain the data from hundreds of users but they were not able to do this. The example given was if they know a suspect was at a certain place, they might pull the communications data for everyone in that area at that time.

For those interested in this, there is also an ongoing consultation where you can submit evidence direct to the committee.

Spooks in the Middle: How the Home Office might break HTTPS

It was reported yesterday that the Home Office are now saying that they’re not worried about encryption, because they can look inside HTTPS. Most people’s reaction is that this isn’t possible, or at least isn’t easy unless you’re going to throw huge resources at the problem. (Edit: Privacy International have reported this in more detail)

Sadly, it’s not that hard – but it has worrying implications.

The technical bit

There’s been a trick used by large corporate IT departments for a while to check on what employees are doing, which they often need to do for regulatory compliance. It works because the IT department controls your PC and they can tell it what Certificate Authorities (CAs) to trust to authenticate remote sites. The proxy you use to access the internet has a root CA on it that your PC has been told to trust, so it can create apparently legitimate certificates on-the-fly for any web site on the internet you visit.

This is known as a “Man-in-the-Middle” attack, because you’re sitting between A and B and altering the communications, rather than just listening to them passively. It’s also out there and used today – here’s an example of a commercial device that uses this technique.

That’s fine for corporates, because they control the end devices. However, things became a little scarier earlier this year when one of the real root Certificate Authorities broke the trust of the community.

CAs don’t use their highest level certificates for day-to-day signing. Those certificates are installed in every web browser out there and they have to negotiate with browser manufacturers individually if they’re to change them, so if they’re compromised it’s game over for them. Instead, they generate an “intermediate root” certificate and use that, so it can be revoked if someone leaks it. The real root key stays locked in a safe somewhere. One root CA, Trustwave, didn’t just generate intermediate roots for its own use, however: It also generated one for use in one of these snooping devices.

Unsurprisingly, the shit hit the proverbial fan, Mozilla threatened to revoke their CA status (Which would have ended them as a company) and they apologised and promised never to do it again.

Back to where we are today

It seems likely that if the Home Office think they can break HTTPS, they’ve spoken to someone with one of these magic SSL snooping boxes and also spoken with a root CA willing to let them have a certificate. If that’s the case, it’s concerning because they think it’s acceptable not just to listen in on traffic but to alter it in transit in order to glean the contents. We’ve seen the unintended consequences of such actions before, when the Internet Watch Foundation listed Wikipedia as a child porn hosting site.

I can see nothing in the proposed Bill that would act as a safeguard against the Home Office mandating the ISPs engage in such behaviour.

Luckily, it probably won’t work. The moment a CA is caught giving the Home Office a root certificate, Mozilla would likely revoke it. They can lean on Apple, Google and Microsoft as corporate entities to play along but Mozilla is run by the community and it’s going to be hard to pull the wool over everyone’s eyes there.

You wouldn’t be able to get on a site without being snooped on, but at least your browser will pop up lots of warnings letting you know that Big Brother is watching.

P.S. If you’re worried about this sort of attack being used on you, I can recommend Certificate Patrol for Firefox. It pops up quite a few false-positives, but will give a pretty good clue if something suddenly causes all your certificates to change.

CCDP First impressions: A bill with too few safeguards

Featured on Liberal Democrat Voice

The draft Communications Data Bill has, at last, been published. We can finally debate what has been written down, rather than what the Home Office have been telling people in off-the-record briefings. Julian Huppert MP has an excellent post on safeguards which might be worth a look first, as those are the principles I would like to see in the Bill. Sadly, the draft bill falls down on several counts.

Firstly, we did point out quite forcefully in early debate that the police and security services were asking for powers that they did not have over the postal service. They’ve fixed that in the draft… by granting themselves powers over post too. Under the draft bill, the Royal Mail would need to scan and store the outside of every envelope that goes through the postal system if the Secretary of State asked them to.

Secondly, the vast majority of requests would still not require any form of judicial warrant. Instead, the police would still retain the ability to authorise themselves to go after communications data.

Finally, (for the major concerns), clause 1 which places the obligations on ISPs to collect data is still far too broad. “Interception” is not allowed, but that would seem to only rule out real-time monitoring as it uses the previous RIPA definition. ISPs could still be mandated to look at the content of all traffic to try to drag out “communications data”.

Internet traffic is not like the post, with the addressee neatly written on the outside. Instead, the outer envelope (IP) contains another envelope (TCP). You need to collect together all the IP envelopes in order to make sense of the TCP conversation. Once you have that, you need to open the TCP envelopes to see if they contain little Instant Message, Club Penguin, World of Warcraft or Facebook envelopes. Then, we need to read the data off that envelope, no mean feat given that World of Warcraft envelopes will be written in whatever language makes sense to them, not to us as service providers.

By the time you’ve built this system, even assuming you figure out how, you have something that is required to read the entire content of everyone’s communication to figure out where the envelopes stop and the letters start.

All this is before anyone puts wax seals on their envelopes, i.e. encrypts their data, which I suspect will start happening quite widely should this bill pass.

How are the Home Office going to do this anyway? Black Boxes. Clause 1(2) allows the Home Office to impose “requirements for telecommunications operators… to acquire, use or maintain specified equipment or systems”. The Home Office might not operate the black boxes, but by mandating the supplier they’re not far off having complete control. I rather suspect ISPs will have very limited information on or access to any mandated systems, which will limit technical oversight.

Even then, Labour’s original “central database” idea isn’t far off, courtesy of clauses 14 to 16 which talk about “filtering” systems operated not by service providers but by the Home Office. There are no safeguards proposed to stop the Home Office from simply demanding all data held by an ISP as part of a trawl for interesting information.

There are a few other holes that need addressing too, but I would expect them to be tightened up in the usual course of events. For example, if you’re given a notice saying your data might be needed for a court case, you have to keep it until you are told it is no longer needed. However, there is no provision, requirement or obligation for the scope of the retention to be limited. Given how long court cases can take, this could mean that an ISP ends up storing all of its communications data for years.

It still needs a little more scrutiny. I notice they’ve slipped in powers to allow snooping to collect unpaid fines and taxes, but I forget if that’s still in RIPA. No doubt as people pore over this more, we’ll get better and better breakdowns of what it all means.