It was reported yesterday that the Home Office are now saying that they’re not worried about encryption, because they can look inside HTTPS. Most people’s reaction is that this isn’t possible, or at least isn’t easy unless you’re going to throw huge resources at the problem. (Edit: Privacy International have reported this in more detail)

Sadly, it’s not that hard – but it has worrying implications.

The technical bit

There’s been a trick used by large corporate IT departments for a while to check on what employees are doing, which they often need to do for regulatory compliance. It works because the IT department controls your PC and they can tell it what Certificate Authorities (CAs) to trust to authenticate remote sites. The proxy you use to access the internet has a root CA on it that your PC has been told to trust, so it can create apparently legitimate-looking certificates on-the-fly for any web site on the internet you visit.

This is known as a “Man-in-the-Middle” attack, because you’re sitting between A and B and altering the communications, rather than just listening to it passively. It’s also out there and used today – here’s an example of a commercial device that uses this technique.

That’s fine for corporates, because they control the end devices. However, things became a little scarier earlier this year when one of the real root Certificate Authorities broke the trust of the community.

CAs don’t use their highest level certificates for day-to-day signing. Those certificates are installed in every web browser out there and they have to negotiate with browser manufacturers individually if they’re to change them, so if they’re compromised it’s game over for them. Instead, they generate an “intermediate root” certificate and use that, so it can be revoked if someone leaks it. The real root key stays locked in a safe somewhere. One root CA, Trustwave, didn’t just generate intermediate roots for its own use, however: it also generated one for use in one of these snooping devices.

Unsurprisingly, the shit hit the proverbial fan, Mozilla threatened to revoke their CA status (which would have ended them as a company) and they apologised and promised never to do it again.

Back to where we are today

It seems likely that if the Home Office think they can break HTTPS, they’ve spoken to someone with one of these magic SSL snooping boxes and also spoken with a root CA willing to let them have a certificate. If that’s the case, it’s concerning because they think it’s acceptable not just to listen in on traffic but to alter it in transit in order to glean the contents. We’ve seen the unintended consequences of such actions before, when the Internet Watch Foundation listed Wikipedia as a child porn hosting site.

I can see nothing in the proposed Bill that would act as a safeguard against the Home Office mandating the ISPs engage in such behaviour.

Luckily, it probably won’t work. The moment a CA is caught giving the Home Office a root certificate, Mozilla would likely revoke it. They can lean on Apple, Google and Microsoft as corporate entities to play along but Mozilla is run by the community and it’s going to be hard to pull the wool over everyone’s eyes there.

You wouldn’t be able to get on a site without being snooped on, but at least your browser will pop up lots of warnings letting you know that Big Brother is watching.

P.S. If you’re worried about this sort of attack being used on you, I can recommend Certificate Patrol for Firefox. It pops up quite a few false-positives, but will give a pretty good clue if something suddenly causes all your certificates to change.
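As an added example (not code from the original post), here is a small Go program that models the trick described above with throwaway in-memory certificates: a public root, a proxy root, a genuine certificate and a proxy-issued one for the same host name, checked first against the browser’s shipped roots and then against a trust store with the proxy root installed, followed by the public-key pin comparison that Certificate Patrol style add-ons rely on. The CA names, the host name and the function names are all made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// All keys and certificates here are generated in memory for the example; none is real.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	tmpl.SerialNumber = must(rand.Int(rand.Reader, big.NewInt(1<<62)))
	tmpl.NotBefore = time.Now().Add(-time.Hour)
	tmpl.NotAfter = time.Now().Add(24 * time.Hour)
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

// newRoot builds a self-signed CA certificate named cn.
func newRoot(cn string, key *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		Subject:               pkix.Name{CommonName: cn},
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return sign(tmpl, tmpl, &key.PublicKey, key)
}

// issueLeaf signs a server cert for host under ca; an interception proxy does this on the fly with its own root.
func issueLeaf(host string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		Subject:     pkix.Name{CommonName: host},
		DNSNames:    []string{host},
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return sign(tmpl, ca, &newKey().PublicKey, caKey)
}

// chainsTo is the browser's check: does leaf chain to a root in the store, for this host?
func chainsTo(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// spkiPin is the Certificate Patrol style check: hash the site's public key on one visit, compare on the next.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

type Outcome struct {
	GenuineTrustedByStock  bool // genuine cert, browser's shipped roots
	ForgedTrustedByStock   bool // proxy-issued cert, browser's shipped roots
	ForgedTrustedByManaged bool // proxy-issued cert once the proxy root is installed
	PinFlagsForged         bool // a pin taken on a genuine visit rejects the forged cert
	GenuineIssuer, ForgedIssuer string
}

// Scenario plays out the page's description for one host name.
func Scenario(host string) Outcome {
	publicKey, proxyKey := newKey(), newKey()
	publicRoot := newRoot("Example Public Root CA", publicKey)
	proxyRoot := newRoot("Corporate Interception Proxy Root", proxyKey)
	genuine := issueLeaf(host, publicRoot, publicKey)
	forged := issueLeaf(host, proxyRoot, proxyKey) // same name, different issuer and key
	stock := x509.NewCertPool()
	stock.AddCert(publicRoot)
	managed := x509.NewCertPool() // what a corporate IT department pushes to its PCs
	managed.AddCert(publicRoot)
	managed.AddCert(proxyRoot)
	return Outcome{
		GenuineTrustedByStock:  chainsTo(genuine, stock, host),
		ForgedTrustedByStock:   chainsTo(forged, stock, host),
		ForgedTrustedByManaged: chainsTo(forged, managed, host),
		PinFlagsForged:         spkiPin(forged) != spkiPin(genuine),
		GenuineIssuer:          genuine.Issuer.CommonName,
		ForgedIssuer:           forged.Issuer.CommonName,
	}
}

func main() {
	fmt.Printf("%+v\n", Scenario("mail.example.com"))
}
```

The forged chain only verifies once the proxy root is in the trust store, which is why the scheme needs either control of the PC or a co-operating public CA; the pin comparison catches the substitution either way.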

Featured on Liberal Democrat Voice

The draft Communications Data Bill has, at last, been published. We can finally debate what has been written down, rather than what the Home Office have been telling people in off-the-record briefings. Julian Huppert MP has an excellent post on safeguards which might be worth a look first, as those are the principles I would like to see in the Bill. Sadly, the draft bill falls down on several counts.

Firstly, we did point out quite forcefully in early debate that the police and security services were asking for powers that they did not have over the postal service. They’ve fixed that in the draft… by granting themselves powers over post too. Under the draft bill, the Royal Mail would need to scan and store the outside of every envelope that goes through the postal system if the Secretary of State asked them to.

Secondly, the vast majority of requests would still not require any form of judicial warrant. Instead, the police would still retain the ability to authorise themselves to go after communications data.

Finally (for the major concerns), clause 1, which places the obligations on ISPs to collect data, is still far too broad. “Interception” is not allowed, but that would seem to only rule out real-time monitoring as it uses the previous RIPA definition. ISPs could still be mandated to look at the content of all traffic to try to drag out “communications data”.

Internet traffic is not like the post, with the addressee neatly written on the outside. Instead, the outer envelope (IP) contains another envelope (TCP). You need to collect together all the IP envelopes in order to make sense of the TCP conversation. Once you have that, you need to open the TCP envelopes to see if they contain little Instant Message, Club Penguin, World of Warcraft or Facebook envelopes. Then, we need to read the data off that envelope, no mean feat given that World of Warcraft envelopes will be written in whatever language makes sense to them, not to us as service providers.

By the time you’ve built this system, even assuming you figure out how, you have something that is required to read the entire content of everyone’s communication to figure out where the envelopes stop and the letters start.

All this is before anyone puts wax seals on their envelopes (encrypts their data), which I suspect will start happening quite widely should this bill pass.

How are the Home Office going to do this anyway? Black Boxes. Clause 1(2) allows the Home Office to impose “requirements for telecommunications operators… to acquire, use or maintain specified equipment or systems”. The Home Office might not operate the black boxes, but by mandating the supplier they’re not far off having complete control. I rather suspect ISPs will have very limited information on or access to any mandated systems, which will limit technical oversight.

Even then, Labour’s original “central database” idea isn’t far off, courtesy of clauses 14 to 16 which talk about “filtering” systems operated not by service providers but by the Home Office. There are no safeguards proposed to stop the Home Office from simply demanding all data held by an ISP as part of a trawl for interesting information.

There are a few other holes that need addressing too, but I would expect them to be tightened up in the usual course of events. For example, if you’re given a notice saying your data might be needed for a court case, you have to keep it until you are told it is no longer needed. However, there is no provision, requirement or obligation for the scope of the retention to be limited. Given how long court cases can take, this could mean that an ISP ends up storing all of its communications data for years.

It still needs a little more scrutiny. I notice they’ve slipped in powers to allow snooping to collect unpaid fines and taxes, but I forget if that’s still in RIPA. No doubt as people pore over this more, we’ll get better and better breakdowns of what it all means.

Writing in The Times today, the Commissioner for the Metropolitan Police defends forthcoming legislation to allow the police to intercept emails by saying that for him, “policing… is about a Total War on crime”. (£)

According to Wikipedia, Total War involves “less differentiation between combatants and civilians than in other conflicts, and sometimes no such differentiation at all”.

So it seems, in Commissioner Hogan-Howe’s view, a bit of collateral damage with civilians getting caught up in the conflict is OK. To me, if that’s the case then the police have failed: they are supposed to be protecting the general population, not dragging us into their conflict with the criminals.

If Hogan-Howe needs to use the failure of his own police force to justify draconian new powers for the police, then something has gone very wrong with policing in this country. We do not yet know the contents of the snoopers bill, to be revealed later today, but so far these are worrying noises.

Featured on Liberal Democrat Voice

Following the confirmation in today’s Queen’s Speech that something that might look like the Communications Capability Development Programme is going ahead, a conference call had been (pre-)arranged with the cast of the earlier, somewhat more confrontational call. The main difference this time is that instead of being led by a handful of Senior Political Advisors, the main speaker was none other than Cambridge’s own Dr Julian Huppert MP, who Nick Clegg has publicly deferred to on the issue of Communications Interception.

First of all, I shall start with the LibDem Win: As reported by the Guardian today, if the Tories were left to their own devices, this would probably be rammed through as part of a larger bill.

Whilst we’re not there yet, we (and I mean all campaigners here!) are already making a difference and I’m told some of the plans the Home Office had are already being torn up in the face of opposition. They have been careful not to put anything in writing so far and the full details of the most draconian measures that were in the works will probably never be publicly known, but it seems likely that any plan to put compulsory black boxes on service providers’ networks to snoop on traffic is already out of the window, which is excellent news. Also out is apparently any suggestion that the police would simply be able to pull data from service providers directly over the Internet, without needing to request it specifically from a human.

As to the conference call itself, there was much less technical content than last time. This was partly because we know Julian Huppert very much Gets It, and if he doesn’t he’ll ask those of us that do. But also, it’s because we’re worrying about how we get where we want to be and not the unannounced detail.

As it stands, we’re waiting for the Home Office to say what they want, in writing. They may ask only for entirely reasonable things that we can agree to, but that is unlikely. Instead, it should go through a similar committee process to the Libel Reform Bill that was also announced today, to allow experts to pick it apart. Some of what the Home Office propose will probably be unacceptable, and we’ll kick it out. Some might be a little awkward, but a genuine attempt by the Home Office to come up with something workable towards a specific goal. We should help them on that if we think it’s a worthy goal.

I’ll sound a note of caution here: as I said above, the civil service may – hell, probably will – announce draft clauses that are very illiberal. I’ve no doubt some will react with alarm if that happens. That doesn’t mean that LibDem MPs have “gone native”. It means they’ll discuss them in public and kill them there, and not in private. Secondly, don’t let it become a campaign of misinformation. I’ve heard one or two organisations have already put out some inaccurate information based on outdated plans, which won’t help discussions further down the line if they become the focus of discussion when they’re already dead and buried.

(On the flip side, if there are MPs being illiberal: It’s open season. Regardless of party)

In terms of next steps, the Home Affairs Select Committee has written to the Home Secretary, Theresa May, asking for more detail of what’s proposed. She should have responded today and hopefully the committee will publish both their questions and the response on Tuesday, before a full session to question her on the topic.

In parallel to this, some draft clauses will be forthcoming over the next few weeks, which is the first time we’ll have something concrete to critique properly. It may be the Home Affairs Select Committee that works on this, or it might be another committee specifically formed to discuss this bill, but the key is that the MPs working on it should have the chance to be fully educated on it. One memorable quote from this evening was that “any group that knows what they’re talking about won’t make daft decisions”. I hope that’s true.

Once the draft clauses are in the open, we can finally decide if what they’re thinking of doing is acceptable and call down upon them the wrath of the community if they’ve got it wrong.

From the Queen’s Speech today, there will be “measures to maintain the ability of the law enforcement and intelligence agencies to access vital communications data under strict safeguards to protect the public, subject to scrutiny of draft clauses”.

More information has been released by the Home Office, which I’ve included below, (Edited to add: This isn’t a draft bill, it’s just vague background notes on what they might like) but it’s not particularly helpful: It just refers to “an updated framework for the collection, retention and acquisition of communications data”. Which, frankly, could mean anything from minor fiddles with the way ISPs provide information we already hold all the way to full-blown and widespread interception.

I am pretty sure they intend the more Orwellian scenario, but do not want to admit this in writing yet.

There is a section on “appropriate independent oversight”, but the interception of communications commissioner does not appear to have done much good to date so I cannot see this as a positive contribution. (See Mark Pack’s post giving six reasons why the post is a failure for a good discussion on this)

And a “Technical Advisory Board” is mentioned, but the role of that body seems to be just someone for the ISPs to talk to in order to figure out the impact of the proposals. My experience of these things is that the industry will have a much better idea of what it’s doing than any government-appointed body!

There is another conference call for LibDem bloggers tonight which I shall report back on, but I doubt we will see much clarification on the above.


Draft Communications Data Bill
“My Government intends to bring forward measures to maintain the ability of the law enforcement and intelligence agencies to access vital communications data under strict safeguards to protect the public, subject to scrutiny of draft clauses.”

The purpose of the draft Bill is to:

  • The draft Bill would protect the public by ensuring that law enforcement agencies and others continue to have access to communications data so that they can bring offenders to justice.

What is communications data:

  • Communications data is information about a communication, not the communication itself.
  • Communication data is NOT the content of any communication – the text of an email, or conversation on a telephone.
  • Communications data includes the time and duration of the communication, the telephone number or email address which has been contacted and sometimes the location of the originator of the communication.

The main benefits of the draft Bill would be:

  • The ability of the police and intelligence agencies to continue to access communications data which is vital in supporting their work in protecting the public.
  • An updated framework for the collection, retention and acquisition of communications data which enables a flexible response to technological change.

The main elements of the draft Bill are:

  • Establishing an updated framework for the collection and retention of communications data by communication service providers (CSPs) to ensure communications data remains available to law enforcement and other authorised public authorities.
  • Establishing an updated framework to facilitate the lawful, efficient and effective obtaining of communications data by authorised public authorities including law enforcement and intelligence agencies.
  • Establishing strict safeguards including: a 12 month limit of the length of time for which communications data may be retained by CSPs and measures to protect the data from unauthorised access or disclosure. (It will continue to be the role of the Information Commissioner to keep under review the operation of the provisions relating to the security of retained communications data and their destruction at the end of the 12 month retention period)
  • Providing for appropriate independent oversight including: extending the role of the Interception of Communications Commissioner to oversee the collection of communications data by communications service providers; providing a communications service provider with the ability to consult an independent Government/Industry body (the Technical Advisory Board) to consider the impact of obligations placed upon them; extending the role of the independent Investigatory Powers Tribunal (made up of senior judicial figures) to ensure that individuals have a proper avenue of complaint and independent investigation if they think the powers have been used unlawfully.
  • Removing other statutory powers with weaker safeguards to acquire communications data.

Existing legislation in this area is:

  • Regulation of Investigatory Powers Act 2000
  • The Data Retention (EC Directive) Regulations 2009

Devolution:
The Bill would apply to England, Wales, Scotland and Northern Ireland and relates to non-transferred matters.

Blog posts relating to Tuesday night’s conference call: (In no particular order)

A few prior to that call, or not related to it:

Later additions to this list:

Mainstream press, firstly prior to the call:

And a couple from after: (Note the difference in tone!)

Last night there was a conference call between policy advisors within the LibDem party and the more vocal grass-roots, such as myself, on current proposals to extend interception powers. It was more than a little enlightening and certainly heated at times. It included the Senior Policy Advisors (SPAds), special advisors and policy unit staff who are Liberal Democrats, but work alongside the Civil Service. Much of the job of a SPAd, for example, is to tell a Civil Servant that they’re proposing something the minister won’t stand for, without having to worry the minister too much about it. It’s also confidential, so the minister doesn’t have to worry about negative press coverage because a Bernard Woolley civil servant has had a dumb idea.

That system has broken down here. The Civil Service have resurrected their nice plans from under the Labour Government, tweaked them a bit and put them under the noses of the new crop of advisors. But the Civil Servants don’t understand this either, so the briefings they have been giving are rather one-sided. (That’s not me being charitable by the way – they are not being all Sir Humphrey. I’ve met some of these people and they really don’t understand it.)

Miss S B has also written about the call on her blog and that’s worth a read too, along with the comments, for more on the political rather than technical/policy side.

Here is what the policy bods think is being proposed

The current situation is that the security services and police can request information from service providers that they already hold. I’ll skip the detail, but depending on the service provider they can get some idea about some phone calls made or received and emails from at least the last few days, potentially up to two years’ worth.

They can’t do this in all cases, for example Skype, World of Warcraft chat (Apparently this has been used by drug dealers) or similar. Even Disney’s Club Penguin for young kids could be used in this way, as the Three Lions film demonstrated.

So they want to “normalise” the situation and catch up with technology with the new programme so they retain the ability they already have.

On the call, someone from the policy/SPAd side actually used the phrase “terrorists and paedophiles” to justify increasing powers. This is the 21st Century equivalent of Godwin – any law not involving actual abuse of kids that requires “OMG PAEDOPHILES!” to justify probably should never be enacted or even ever discussed again.

Here is what is actually being proposed

The briefings have been one-sided, as I’ve noted. As a result, claims of “scaremongering” by Nick Clegg and that the coverage is “complete nonsense” by Lynne Featherstone are probably in line with what they are being told by the Civil Service and what they genuinely believe they are discussing.

It is also wrong.

We had to explain it several times, but it was clear that the policy folks did not understand they were shifting the balance between retaining and obtaining. At the moment, service providers can hand over information they already retain in the course of normal business and require an interception warrant from the Secretary of State to obtain anything more than this.

The new proposals would oblige service providers to obtain information that they currently don’t – basically, to dive into the contents of the traffic we’re carrying to figure out not only that you’re sending traffic to a Google mail server or World of Warcraft, but what that traffic really does.

One analogy that has been used is asking Royal Mail to record all mail, with details of who sends mail to whom, which is already pretty bad from a civil liberties perspective. But it is actually worse than that, because we are being asked to open all the mail and check to see if the envelope actually contains another letter inside to be forwarded on to someone else. Or not just record that you rang a voicemail service, but listen in on the call to see who left you messages.

And they think we can create a system to open these letters and listen in on these calls without risking also creating a system that might be able to read or listen to the content. And that we’re able to guarantee keeping the data secure – on a system that by necessity has to be connected to the internet – once collected.

To give them credit, the policy folk did say that this was a red line they were not willing to cross. However, they do not yet accept (because Civil Servants tell them otherwise) that this is what is actually being proposed. If we can convince them of this, by convincing them that the party grass roots does know what it is talking about on technological issues, I would expect the plans would get dropped pretty quickly.

The situation now

There has been a degree of back-tracking from the top in response to a level of grass-roots reaction that has surprised them. Initially, it seems there were plans to announce legislation (Without consultation?) in the Queen’s speech. That’s now been watered down to “draft legislation” and vague noises about “consultation”, but it is not clear what the form of that draft legislation or consultation would be.

So it’s not hopeless. But we do still need to keep the pressure on those at the top to make sure they can’t change surveillance powers without being held properly accountable not to the civil service, but to the wider party.

Sadly, I don’t have time to write at length (again) about the leaked plans to keep a database of everyone’s communications. Ironically this is because I’m busy today running the very thing the spooks want to snoop on, the internet. My own views are on record anyway, as my first speech at LibDem conference was in favour of this amendment on the topic and I’ve blogged about it before.

Here’s a quick summary of the plans: They’re ill-conceived and illiberal. I have yet to see one good argument for the proposals as they all seem to boil down to TERRORISTS EXIST or once this morning PEDOPHILES EXIST. There is little evidence that these plans will help, as my personal experience has shown – plod came to me asking for communications information under existing legislation several months after kicking in the doors of some terrorists. No snooping, no interception warrants under existing powers, just “good old fashioned policing”.

I didn’t have the data after that long, unsurprisingly. Perhaps we could spend some of the money from the currently leaked plans on training police better in dealing with online crime instead?

But I am worried, even if Mark Pack isn’t. Yet.

Not that worried, as I’m always sceptical: every time plans like these come up, it’s always “confidential briefings” and assurances from journalists that they have a “reliable source”, so we don’t really know what’s going on.

But it’s pretty obvious someone wants more power than they currently have. Did someone on “our side” leak the plans to try to kill them, as Jennie suggests? If so, good on them. I don’t even mind if the LibDems take some flak for it if it means we kill it.

But they didn’t tell the rest of us and caught many off guard, which might explain the rabbit-in-headlights response from the top of the Liberal Democrat party.

Or did someone on “the other side” leak it to test the waters and soften us up for what is to come in advance of the Queen’s speech? I would hope that the reaction has made them see the error of their ways, but I know that is a misplaced hope.

I’ll close with a message to anyone at or near the top of the LibDem party reading this: We’re a broad church, with people from both the left and right, so topics like the economy are bound to cause splits.

But this one shouldn’t be difficult. To make it easy, we put the clue in the name of the party: Liberal Democrats. Please let’s not go all “People’s Democratic Republic”, a code phrase for a communist dictatorship, where we dispose of ideas we like least in the title.

I’m starting to think that some of the folks over at The Register are permanently wearing tin foil hats, based on yesterday’s latest post on the Interception Modernisation Programme. They tell us that “Government measures to massively increase surveillance of the internet will be in place within five years” and quote quite selectively from a Home Office document, specifically “key proposals [will be] implemented for the storage and acquisition of internet and e-mail records”.

They link to the Home Office business plan, but I’m guessing they didn’t expect people to actually read the source. Here’s the bit they quoted from in more detail…

5. Protect people’s freedoms and civil liberties – Reverse state interference to ensure there is not disproportionate intrusion into people’s lives

5.2 Introduce safeguards against the misuse of counter-terrorism and security legislation

  • i. Undertake and publish a review of counter-terrorism and security legislation, working with the Department for Communities and Local Government on the Regulation of Investigatory Powers Act
  • ii. Implement key recommendations

5.3 End the storage of internet and email records without good reason

  • i. Develop and publish proposals for the storage and acquisition of internet and e-mail records
  • ii. Implement key proposals, including introducing legislation if necessary

It starts looking a little less like there’s a real story there when you look at the source in full, and we’re back to the same situation as before. Whilst I’m slightly concerned about what’s to come based on the not entirely definitive answer from David Cameron in PMQs, if there is some more information that they’re privy to that indicates the IMP is back, they’re not sharing it with us, the public. Of course, some people are so invested in the “IMP is back” culture by now that they’re forced into attacking anything that’s announced as actually being the IMP, even if it isn’t, thus detracting from any reasonable debate on how to improve the current, less than ideal, situation.

Dr Huppert MP is attempting to find out more (Questions 214 and 215) so hopefully we should find out for sure soon.

On the topic of the not-Interception Modernisation Programme, which I shall geekily call the Pling-IMP from now on, Dr Julian Huppert MP asked a question in Prime Minister’s Questions on Wednesday on this topic:

Can the Prime Minister reassure the House that the Government have no plans to revive Labour’s intercept modernisation programme, whether in name or in function, and that he remains fully committed to the pledge in the coalition agreement to reverse the substantial erosion of civil liberties and to roll back state intrusion?

The response from the Prime Minister was somewhat more equivocal than I would have liked and didn’t really address the point:

I would argue that we have made good progress on rolling back state intrusion in terms of getting rid of ID cards and in terms of the right to enter a person’s home. We are not considering a central Government database to store all communications information, and we shall be working with the Information Commissioner’s Office on anything we do in that area.

Even Labour only briefly considered the centralised database and it had been dropped by May 2009, so this isn’t really news. I understand that Dr Huppert has submitted follow-up written questions, which he referred to on Twitter and also in yesterday’s debate on the Internet and Privacy. Unfortunately it seems that questions are not published until the answers are submitted, so we do not yet know what has been asked.

Edited to add: Since I put up this post, I’ve been contacted by the Open Rights Group in relation to the below paragraphs saying that they didn’t intend to suggest we were spreading misinformation, but that we were being supplied with misinformation.

So, does it sound like the Pling-IMP is back? The Open Rights Group are “convinced” that this is the case. Following republication of parts of my blog posts on Lib Dem Voice, they went on to quite publicly suggest we were spreading misinformation. This annoys me for two reasons. Firstly, the ORG are guilty of spinning the facts to the point of misinformation themselves. Their original petition, which they are still advertising widely, mentions a two billion pound price tag which we now know is inaccurate. The wording of the petition also suggests government interception, when of course we all know that was ruled out back in 2009 in favour of mandating ISPs to perform the interception.

Secondly, and more importantly, although I expect random and unsubstantiated attacks from the more tribal members of the opposition I would regard the Open Rights Group as being on the same side. I can understand their suspicion of anything that comes of Government given we did have over a decade of increasingly illiberal measures, but there’s no indication that the current crop of ministers have gone native.

For anyone from the Open Rights Group that’s reading this: Right now, you are annoying members of the party in power most likely to be sympathetic to your cause and you’re annoying the technical staff at ISPs. We are on your side and we would like your help. Please quit with the hyperbole aimed at us, because if we give up and go home you’ll be dealing with the Conservatives and Business leaders instead.

Yesterday’s debate in Parliament gives you a clue to the Conservative view on this. Although not as keen on state control in general as the last government, they are inclined to care more about Google Streetview because no business relationship exists between the public being photographed and Google. As soon as you have a business relationship – customer and ISP – they really don’t seem quite so interested. After all, shouldn’t competition within the market deal with any issues?

Back to the Pling-IMP. I am a fan of evidence-based policy, but if there is any evidence that it’s back, it is not being shared with us. All we have to go on so far is that there is some sort of wide-ranging consultation afoot, with no price tag either high or low attached. It’s being conducted by the same Home Office communications group that undertook the original IMP study, but that’s hardly surprising, as I would not have expected the Milk Marketing Board to have been given this task.

The Prime Minister’s answer definitely concerns me. I would have preferred a statement that they are not currently planning on asking ISPs to capture any more information or store what they have for any longer. But it’s not worrying enough that I’m going to get all righteous before the consultation is even out.

After all, it’s still just as impractical to achieve now as it was last year.

I have no doubt that whatever consultation is released, there will be those that seize upon any little word in it that suggests interception of any sort might perhaps be changed in some way other than completely getting rid of it. I do hope that does not happen too much because it detracts from making changes for the better and what is going on now is bad and needs to be changed. We should not be locking up teenagers for possibly forgetting passwords. Nor should the Regulation of Investigatory Powers Act give City and Borough Councils the same powers as police and the security services to access information held by service providers.

The problems in this area stem in part from misunderstanding about what is possible. “Making better use of data we already have” is one item I’m told is definitely within scope of the upcoming consultation, but it’s hard to be constructive when one is rabidly denouncing any attempt to discuss the matter before we even know the questions.

We have a new government in power and should be encouraging debate on existing laws, not stifling it.