End User Regs surveillance & privacy

PRISM and the currently shelved Draft Communications Data Bill

PortcullisThere’s been a lot of noise about the PRISM surveillance program (American spelling because it’s American). There’s a ton of stuff about it on Wikipedia.

A few people asked whether I was going to write a blog post about it. I wasn’t. Lots of people earn their living just looking at this kind of stuff.

There is one thing worth considering though that particularly springs to the forefront of my mind and that relates to the Draft Communications Data Bill that was recently dropped by the Government from the Queen’s Speech.

Without understanding fully what PRISM actually does and what data it accesses I imagine that the capability is pretty similar to what might have been demanded of the ISP industry by the Comms Data Bill.

My biggest objection to that Bill was that it was a serious threat to the personal privacy of every individual in the country because of all the data that would have been gathered. Availability of the data = inevitability that the data would have been leaked. The only way to not have that data leaked would be by not gathering it in the first place.

History shows that the most likely source of such a leak is internal to an organisation, be that within the ISP storing the data or from the negligence (laptop left in taxi etc) of the civil servant or member of the security forces looking after said data.

Well the fuss about PRISM has demonstrated that this is exactly so. Important information was leaked from within the US security establishment by an insider, Edward Snowden. The same can be said of Bradley Manning and Wikileaks.

The only way of not having the data in the public domain is not to keep it in the first place.  I’m not going into a lengthy debate re the rights or wrongs of what the USA is actually doing with PRISM. Just that we should bear that in mind whenever the next attempt to introduce the Draft Communications Data Bill comes along, as it inevitably will.

Business Regs security surveillance & privacy

The Report of the Joint Select Committee on the Draft Communications Data Bill

Report on Draft Communications data BillThe Report of the Joint Select Committee on the Draft communications Data Bill was issued this morning at one minute past midnight. It’s been in the news this morning with the deputy Prime Minister Nick Clegg calling on ministers to rip up their plans and go to “back to the drawing board“.

The 105 page Report concludes that “there is a case for legislation which will provide the law enforcement authorities with some further access to communications data, but that the current draft Bill is too sweeping, and goes further than it need or should.”

I have always said that the right balance between our personal security and our personal privacy needs to be maintained when considering this subject area and this is the tenet of the Joint Select Committee’s recommendations.

Unfortunately some of the basic conclusions of the report do not put the Home Office in a good light. There would appear to be a widespread failure to consult with many of the stakeholders involved, notably on the costs of the project and what might reasonably be achievable in terms of Communications Data capture and storage. In particular it is recommended that the HO will have to carry out a careful cost/benefit analysis and obtain advice and assurances from a wider body of experts than the companies that stand to earn money from devising secure storage solutions.

The committee recommends that the scope of the Bill be significantly reduced to cover only the retention of IP address data and “web logs” although regarding the latter they also “acknowledge that storing web log data, however securely, carries the possible risk that it may be hacked into or may fall accidentally into the wrong hands, and that, if this were to happen, potentially damaging inferences about people’s interests or activities could be drawn. Parliament will have to decide where the balance between these opposing considerations should be struck.

There is also a concern that web log data also contains content, which due to privacy concerns was specifically excluded from the Draft Bill. The committee has asked the Home Office to review whether it is operationally and technically feasible to only retain web logs of certain types of service where those services enable communications between individuals.

Regarding the storage of third party data traversing a CSP’s network it is recommended that the requirement to store such data only after attempts to retrieve the data from the third party be given statutory force. The effectiveness of this considering the overall objective must be questionable historical data is unlikely to be available in a timely manner for specific crime stopping targets.

The recommendations continue with the suggestion that the Home secretary should not have the power to extend the scope of “permitted purposes” of the bill and that indeed this list of purposes should be examined with a view to shortening it.

It is also recommended that the definitions for communications data under RIPA should be reviewed following consultation with industry with a particular focus on what is subscriber data (ie info on me and you) and what is traffic data.

A specialised SPoC (Single Point of Contact) team should be established that provides a central expertise for the approval of RIPA requests. This in theory should prevent misuse of the system – although Local Authorities are not specifically mentioned amongst the authorities that should be able to access the data under discussion here the committee recommends that bodies over and above the six in the Draft Bill should be considered for inclusion based on their case – notably the Financial Services Authority  and the UK Border Agency. Local Authorities, although representing a fairly small proportion of the nearly half a million RIPA requests each year and 20 times more likely to put in a non-compliant request.

Coming back to costs the committee is being polite when it says “that the Home Office’s cost estimates are not robust. They were prepared without consultation with the telecommunications industry on which they largely depend, and they project forward 10 years to a time where the communications landscape may be very different. Given successive governments’ poor records of bringing IT projects in on budget, and the general lack of detail about how the powers under the Bill will be used, there is a reasonable fear that this legislation will cost considerably more than the current estimates.”

It was nice to get a mention myself in para 276 regarding the effect on small CSPs of having to meet the requirements of this Bill.

The commitment to reimburse CPs the necessary cost of complying with the requirements of legislation should also be written into law and not left in any doubt.

Finally  “the figure for estimated benefits is even less reliable than that for costs, and the estimated net benefit figure is fanciful and misleading. It ought not to be used to influence Parliament in deciding on the relative advantages and disadvantages of this legislation. Whatever the benefits of the Bill, they are unlikely to be financial.”

The cost aspects of the recommendations are pretty damning. It would be nice to think that as much effort is put into all legislation as this committee has put into the Draft Communications Data Bill. I’m thinking specifically of the Digital Economy Act but I’m sure there must be others.

I’m not totally comfortable that any safeguards built into the Bill will really work, especially when it is noted that nobody can 100% guarantee the security of the storage of the data. At least on this occasion  the Government is being sent away and told to get their homework right and the subject of security versus proportionality is highlighted as being central to the debate.

That’s all for now. You can read the whole report here. I’m sure I will have missed something. You can also read my other stuff on this subject – use the search box at the top right hand corner of this page. There is a lot of material.

Business Regs surveillance & privacy

Draft Comms Data Bill Select Committee appearance for oral evidence #ccdp

portcullisYesterday I gave oral evidence to the Draft Communications Data Bill Joint Select Committee1. It’s the first time I have been asked to give evidence like this and something one has to take very seriously.

I was with three others: Caspar Bowden who is a colleague on the ICO Technology Reference Panel, Dr Gus Hosein of Privacy International and David Walker, a security consultant. The committee has been seeing groups according to their rough views on the draft Bill and readers of this blog will not be surprised to hear2 that this cohort was one that had concerns.

The afternoon’s evidence sessions were reported by the Beeb.

I’m sure that I will already have mentioned that the potential consequences of this Bill becoming Law are so great that it merits the most comprehensive discussion before hand. Today is the last day of evidence sessions with the Home secretary Theresa May being up before the committee.

I don’t have access to the inner thoughts of the committee but I did get a sense of the following:

  1. the fact that many communications use encrypted traffic and that this is likely to cause problems is recognised
  2. the issue of dealing with overseas providers is not likely to be an easy one
  3. the process of oversight of the RIPA system notices needs overhauling, especially if the Bill proceeds
I’m also hoping that the message got  through that nothing can ever be totally secure and that any data gathered under this Bill/Act would eventually make its way into the public domain with disastrous consequences.
I don’t have a handle of the timetable for the rest of this process (enlightenment anyone?) but it wouldn’t surprise me to see the Bill move forward in some reduced form. In the meantime we have to keep up the pressure. More in the fullness of time, a week is a long time in politics etc etc etc.

1 bit of a mouthful/oral evidence/geddit?

2 some previous posts include this one

Business online safety Regs

More Draft Comms Data Bill analysis & Gary McKinnon

blogspot broken link landing pageGary McKinnon has been in the news this week. Unless you have just surfaced for internet air you will remember that he is the guy with Aspergers who hacked into the Pentagon computer and who the marshalls Feds in US of A wanted to extradite so that they could extract revenge.

This post is not about Gary McKinnon or the rights and wrongs of his case. It is about the fact that he was able to hack into what must surely be one of the most secure computer systems in the world (wide web).

Next up is the breach of Google’s webmail service in December 2009.

End User Regs surveillance & privacy

Draft Communications Data Bill – a summing up of why it is wrong

Home Secretary Theresa May launched the draft Communications Data Bill yesterday with an interview on the Radio 4 Today programme. She has also written a foreword to the Bill arguing why we need it.

I have already written arguments against why we should implement this act. All of my previous points remain and I will restate the two most important aspects here.

  • Firstly what is being proposed represents a serious threat to our privacy as a nation. The government wants to collect personal information about our private web browsing, phoning, email, tweeting, Facebook and all other internet related communications. They then want to store this information “securely” for one year so that it can be accessed buy anyone granted permission by senior police officers.

I refer you to last week’s LinkedIn password debacle where 6.5 million passwords being securely held on a server were stolen and published on a Russian website. The next time this could be details of websites you visit. It would happen if this Bill moved into law. Guaranteed.

  • Secondly the proposed measures will not catch those who the police et al are trying to catch. If you are hell bent on crime you will easily find ways of going undetected on the web.

Here I refer you to the recent court orders for ISPs to block access to Pirate Bay. One of my most visited blog posts this year and certainly high up on the list of search terms  covers how to bypass these blocks. The same will be true with criminals looking for anonymity.

I’ve been thinking of whether there is a middle ground here where ISPs collect data on specified targets rather than everyone and subject to court orders. This could work though opponents will argue that once the capability has been put in place it will be abused. My second point above would also apply so the effort might be futile and money spent wasted (it would probably cost almost the same as if we were collecting all the data).

On balance we all need to oppose this Bill. Email your MP with a link to this post.

Previous posts on this subject here and here.

Business Regs surveillance & privacy

Legislation encourages tidal wave of new ISPA members – life jackets at the ready

It’s a funny old world. A judge orders ISPs to cut off access to Pirate Bay and visitor numbers to the site increase by 12 million. A government says it wants to increase the amount of regulation on the internet and the membership of the trade association shoots up.

The membership of ISPA normally hovers just under the 200 mark. The nature of our industry is that companies are bought out or merge with others to get scale. So in any given year the we get perhaps 10 or 15 new members but 10 or 15 disappear off the UK internet map and on the whole the number stays the same – ish.

Things are changing. The threat to the  industry stemming from potentially onerous new regulations placed upon service providers, such as the upcoming Communications Bill Green Paper, has prompted six new service providers to join ISPA in the space of one month. This is a veritable tidal wave in the scheme of things.

ISPs are

Business online safety

I could never be a politician – The Queen hath spoken

I could never be a politician. The Queen’s Speech today included a Lords Reform Bill, Draft Communications Data Bill, Banking Reform Bill, Energy Bill, Enterprise and Regulatory Reform Bill, Children and Families Bill, Pensions and Public Service Pensions Bill, Crime and Courts Bill, Croatia Accession Bill, Electoral Registration and Administration Bill, Defamation Bill, European Union (Approval of Treaty Amendment Decision) Bill, Groceries Code Adjudicator Bill, Justice and Security Bill,  Small Donations Bill together with Draft Draft Care and Support, Local Audit and Water Bills and Carry Over Bills on Civil Aviation, Financial Services,  Finance (No. 4), Local Government Finance and Trusts (Capital and Income).

I’ve listed them in one long string for effect. I guess I must be interested in the outcomes of some of them as they affect me – comms data for one. It has to take a very particular sort of person to want to become a politician. We pay politicians to sort this stuff out but do have to keep an eye on them because as we all know they can get a bit out of control.

The Communications Data Bill which caused such a lot of fuss a few weeks ago when it was leaked to the Sunday Times that it would include surveillance seems to not be getting any attention in the media today with things like Lords Reform hitting the headlines.

This must be remedied. We must rally the troops, man the battlements. In fact I think Shakespeare foresaw all this as you will see from this early version of another monarch’s speech:

Scene 1. France. Before Harfleur (Life of King Henry 5th)

Once more unto the breach, dear friends, once more;
Or close the web up with our English censorship.
In peace there’s nothing so becomes a man
As modest browsing in the privacy of his own home: