Interception Modernisation: The Technical Reality

It was in the news yesterday – courtesy of The Telegraph – that the innocent sounding “Interception Modernisation Programme” is apparently to be revived. I for one am skeptical that the revival of the programme is really happening, as the source does not specifically say it is the Interception Modernisation Programme that’s back – it just nebulously mentions a “programme to preserve the ability of the security, intelligence and law enforcement agencies to obtain communication data and to intercept communications”.

Certainly I hope it really is not the Orwellian IMP. This was envisaged under the last government and I sat through a Home Office presentation on the issue back in May 2009 in which we did go some way, I believe, to ensuring the IMP was shelved.

Firstly, to correct some of the reporting I’ve seen: No reliable source I have seen has suggested that the content of every mail is to be stored and certainly it did not feature in the Home Office presentation. It is only the envelope – the to, the from and the subject line – that they’re interested in. OK, so technically this doesn’t sound too hard to do and in fact I, with my ISP hat on, do this today. If a customer rings up and has a problem with sending or receiving mail, I can look at the logs and see what they have tried to send and receive for the last few days. Scaling that to a year’s worth of data just becomes a matter of adding more disk space, but these days your average home PC could store the data for a year for a good sized ISP without too much trouble.

The reality of what the Home Office intended with the IMP is far worse however. What it set out to do is record the detail of every email, every internet phone call, every Facebook message, every Twitter direct message, every Instant Message and so on so that if Law Enforcement want information on a user they can build up a pretty good picture of who someone has been talking to. Because these services are not run from the UK, the Home Office can’t make them do anything so they’re asking the Service Providers sitting in the middle to do the work instead. Only this isn’t possible in the way they think it is.

I rather suspect the Home Office have been spending too much time watching reruns of “Spooks” rather than researching the issue properly.

Before I go on, I should explain the type of people that the Home Office were presenting to back in May 2009. Typically, when government goes to talk to service providers it seems to talk to “Compliance Managers” and directors at large corporations, who are likely not interested in the front-line technical reality of running a Service Provider. This was not such an audience. There were probably fifty to a hundred people in that room. Without even leaving our seats, the number of people there who did not possess the very real knowledge and capability to cripple large portions of the internet in less than sixty seconds was quite possibly two. Specifically, the two people from the Home Office who stood up on the stage.

The explanation of how this would work presented by the Home Office largely boils down to handwave-handwave big magic box handwave-handwave. They didn’t really have a solution to the problem that all the data and everything else is in a proprietary format that some programmer thought was a good idea while hyped up on Mountain Dew at 3am. As long as it works for whatever application they’re developing, it’s not supposed to be easy to snoop on and they’re likely to change it at any moment. That’s before we get into the problems of all the little Facebook applications and one-off custom bulletin boards.

The Home Office think that Service Providers can do this. The question I asked them was this: Why do you think we can do this? Because, basically, we can’t. The technical Home Office presenter seemed to believe he’d seen this capability. We had a show of hands: How many people in the room – and these are the people that run the Internet, not the managers – can do this? Nobody raised their hands.

The debate elaborated on the detail of this, but boiled down to one thing: the Home Office thought that we already had the ability to get this data for “Network Planning purposes” and had seen the likes of Phorm and Cleanfeed which look vaguely similar, if you ignore all the inconvenient technical data. On the “Network Planning” front, I do need to know how much data people are using so that I can make sure the pipes are big enough. However, I don’t care if that 5 Gigabytes of data you just downloaded are the detailed technical schematics of a nuclear reactor from one Mr.B.Laden or a video of your grandkids in the back garden last summer. 5 Gigabytes is just 5 Gigabytes.

Sure, to some extent I care where it goes. UK traffic is easier (By which, of course, I mean cheaper) to handle than US traffic for example. So we’ll get really into the detail of the data and sample one packet in a thousand. Or one in ten thousand. Or one in a million – we just don’t need the ability to look at every packet to get a pretty good feed for what’s going on. As one attendee put it, if you want to know if an email was sent, you have about the same odds of catching the right packet as you do from buying a lottery ticket. And even then we just know you talked to a server that happened to be owned by Google, or by Facebook, or by Skype. It might host some dodgy terrorist bulletin board but on the same server are quite possibly knitting patterns for woollen jumpers and photos of the 19:47 Express from Dundee.

We don’t know and, frankly, with a technical hat on we Just Don’t Care.
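As an added illustration of the sampling argument above (this is not code from the original post), the following simulates 1-in-N packet sampling of the kind used for network planning over constructed traffic: a large download is estimated accurately, a three-packet message is almost never seen at all, and the record that comes out carries only a customer and a server address, never who messaged whom.

```python
import math
import random
from collections import defaultdict


def capture_probability(packets, sample_rate):
    """Chance that 1-in-`sample_rate` sampling picks at least one packet
    of a flow that is `packets` long: 1 - (1 - 1/N)^packets."""
    return 1.0 - (1.0 - 1.0 / sample_rate) ** packets


def packets_for_capture(target, sample_rate):
    """Smallest flow length at which capture probability reaches `target`."""
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - 1.0 / sample_rate))


def sample_flows(flows, sample_rate, seed=0):
    """Simulate sampled flow export. Each sampled packet stands in for
    `sample_rate` packets' worth of bytes. The result is keyed only by
    (customer, server address); that is all planning data records."""
    rng = random.Random(seed)
    totals = defaultdict(int)
    for customer, server, packets, packet_bytes in flows:
        for _ in range(packets):
            if rng.randrange(sample_rate) == 0:      # this packet was sampled
                totals[(customer, server)] += packet_bytes * sample_rate
    return dict(totals)


# Constructed traffic (RFC 5737 documentation addresses, made-up customer id):
# a 1.5 GB download and a three-packet message to a webmail server.
FLOWS = [
    ("cust-42", "203.0.113.10", 1_000_000, 1500),
    ("cust-42", "203.0.113.25", 3, 900),
]

if __name__ == "__main__":
    rate = 1000
    print("P(short message seen at 1:%d) = %.4f" % (rate, capture_probability(3, rate)))
    print("packets needed for a 50%% chance = %d" % packets_for_capture(0.5, rate))
    for key, estimate in sample_flows(FLOWS, rate).items():
        print(key, "approx. %d bytes" % estimate)   # an address and a byte count, nothing more
```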

Let’s have a look at the obvious counter-arguments that suggest we can do this:

  • Cleanfeed – the system BT invented to try to filter out kiddy porn. For a start, you just need to visit an encrypted web site and it’s not filtered. It also functions by only diverting and examining traffic to addresses known to contain bad content and leaving the rest well alone, so it doesn’t have to scale to every piece of data that flows across the network. And finally, it just looks at the URL you type into your browser, and that’s predictable and easy to do – no digging around in the internals of the data to find out who Facebook messaged who.
  • Phorm – the user behaviour tracking and advertising system. Somewhat bigger in scale in that it attempts to intercept a bigger proportion of traffic. But you still don’t need every detail in a useful, loggable form to do this. Just the fact that the phrase “woolly jumper patterns” pops up reasonably often in the streams from a user that you did get around to sampling is enough to pop up advertisements for subscriptions to Knitting Weekly.
  • Your Employer – really, they probably can’t do most of what they claim to do, as the fear of redundancy keeps most people in line. Some have the resources to do quite a bit, most notably those regulated by organisations such as the Financial Services Authority. But as well as quite a lot of money for a relatively small user base, it’s because they have one big advantage: they control your PC and can install extra software on there to allow monitoring of even encrypted web sites, and they can also just block you from doing things they can’t monitor.
  • The Great Firewall of China – Huge numbers of staff involved, all sorts of legal implications if you break through it. And yet people still manage.

It all starts looking a bit bleak for IMP and a few months after that meeting, it was abandoned.

If this really is the IMP resurrected, the Home Office have solved some pretty major technical hurdles and I look forward to their announcement of some magic hardware in the not too distant future. In the meantime, I suspect that the likes of Facebook will be checking out the costs of rolling out encryption hardware for anyone accessing their services from the UK.

Update: I have a couple of old addresses from the Home Office dating back to this consultation – I have dropped them an email to ask if this really is the IMP resurrected. It occurred to me as I did that the Strategic Defence and Security Review is Ministry-of-Defence driven whereas the original IMP was via the Home Office. I don’t know if there is anything in that.

14 comments

  1. And of course, even if you could do what the government wishes, it’s all easily circumvented by anyone with a modicum of admin knowledge. Can anyone say “ssh”?

    1. The way the minds of the police work, you’ll automatically be regarded as suspicious if you go out of your way to encrypt things. Far better to push for widespread encryption.

      The paradox is, that will make the security forces’ job harder because they then can’t even do what they do now with targeted interception, so it’s potentially regressive.

      If this really is IMP resurrected, it won’t be able to do most of what they want anyway so I’m not actually too worried.

  2. I’m reminded of the “Lords of the Internet” gag from The IT Crowd. Also the scenes from Four Lions where the terrorists are chatting over a penguin-sim game for children.

    Incidentally, do you know how in-game messaging’s handled for FPSes and the like?

    BTW: when I first tried to post this comment, I misread one of the characters in the CAPTCHA, and so my comment was rejected. But when I fixed that and resubmitted, it was rejected again because I was posting comments too fast. It would be nice if rejected comments didn’t count towards the ratelimit.

    1. In general, anything like Call of Duty, World of Warcraft, even Club Penguin (generic kids’ penguin-based game), it’s just part of the ad-hoc protocol between the server and the client – there’s no separate out-of-band channel you can snoop on. (Which is exactly why it’s so hard to figure out which human is talking to which.)

    2. Forgot to reply to the CAPTCHA point first time round!

      It’s an off-the-shelf WordPress plugin and it seems not to work very well – I do get unapproved comments in the Trash so I can dig them out from amongst the spam but I don’t find them all. But really, I need to overhaul the site totally now I’m more familiar with WordPress.

      1. I find that the desire for a total overhaul usually just stops me from doing anything, and making incremental improvements is more successful, but it’s your site and you’ve probably got a better work ethic than me 🙂

        While you’re on it: the “double opt-in” email looked like spam to me until I realised it was coming from you. A “you commented on this post” introductory line would fix that.

        1. you’ve probably got a better work ethic than me

          I wish. 🙂

          While you’re on it: the “double opt-in” email looked like spam to me until I realised it was coming from you. A “you commented on this post” introductory line would fix that.

          Now that should be one I can fix easily by editing the WordPress module…
