Monthly Archives: March 2015

The ISC report on “Security and Privacy”: loose thoughts

A lot of activity this week around the ISC report on “Security and Privacy” a.k.a. the first time UK politics takes Snowden seriously (with the exception of some actions of the Home Affairs Committee).

Gave some comments to James Temperton of Wired which ended up in his piece “Minimal Oversight of GCHQ Hacking is a Scandal”.

Then I wrote up my thoughts specifically on the Bulk Personal Datasets described for the first time in this report – this appeared in The Conversation yesterday, reblogged by phys.org.

I was contacted by Will Yong of Al Jazeera: would I be interested in coming to London to do an interview? Even easier to say yes as I was travelling through anyway. Some discussion on Snowden media responses, metadata, and more, led to two comments broadcast on Listening Post on Saturday morning.

Having read through the whole report on the morning it came out, I tweeted some thoughts then and you will understand I read it through once more on the way to London! Collected loose thoughts on the topics I have not published on are below, including some repeats from the initial tweets and more.

  • The “individual right to privacy and the collective right to security” already in the 2nd sentence. False dichotomy, and making privacy seem selfish.
  • In vii.a and ix. it talks about “an individual” – but the concept of a thematic 8.1 warrant means it’s wider than that.
  • xii. shows clearly the contradiction: communications data is a “critical capability”, so how can it be non-intrusive? It’s either full of information or it isn’t.
  • xviii. The IPT judgements are “noted” but they stated that GCHQ had acted unlawfully. How come the ISC does not wonder how this could happen on their watch, or how to prevent that happening in the future?
  • footnote 3: Hedging about it, but the idea that the dark web is much larger than the visible web confuses the deep web (i.e. not indexed by Google) and the dark web (i.e. accessible only through Tor).
  • 4. That encryption puts things “beyond the reach of the court” completely ignores RIPA Section 3, on forced disclosure of keys (& or else …)
  • 7. This is basic stuff for my computing ethics course. Electronic surveillance is intrinsically different from steaming open letters in a post office because it can be done on a large scale so much more easily. That’s computers for you!
  • 9. Given that IPT judged GCHQ actions unlawful twice, ISC might think twice about uncritically reporting their July 2013 “nothing to see here” conclusion.
  • 12. ISC were told everything – but nothing in the report corresponds to the Tempora “full take”.
  • Footnote 12: reports the HASC enquiry into police use of RIPA, but conveniently omits the government’s response to that which was extremely dismissive.
  • 21. I have listened to Paul Bernal, and he made a submission too, so I find it disappointing that they haven’t looked at other ECHR articles.
  • 31. Interesting that the extra powers regarding overseas Communication Services Providers as required in the DRIP emergency legislation are apparently felt to be unenforceable.
  • 39. An 8.1 warrant may not be used for data sent prior to the date of signing, footnote: In certain circumstances [redacted]
  • 42. Coming back to the ECHR point. “Thematic” is not defined in statute, but the Home Secretary or another Secretary of State decides how a person gets redefined as a group according to RIPA 81(1). Now if using that for “a high profile event attended by a large group of people” doesn’t have freedom of association impact!?
  • 45. Seems rather arbitrary to consider surveillance that is outside NTAC to be outside RIPA because of that.
  • M. “the point of view that it is acceptable to let some terrorist attacks happen in order to uphold the individual right to privacy” is a sick perversion:
    1. “let” assumes tolerance or even approval;
    2. “in order to” reverses the causality;
    3. (and anyway, it turned out later the quotes given here were taken out of the context, which was: we still don’t believe mass surveillance works, and you still haven’t given us the evidence to change our minds, so …)
  • 107. Note the confusion between “internal” and “external”. Facebook even between UK residents becomes “external” and then there’s a scramble to fix that later when it becomes clear as between UK residents. No plans to do the sensible thing and remove the distinction.
  • Footnote 88 seems to say that 8(4) warrants cause indirect discrimination against any ethnic minority, but that that is okay because terrorism.
  • 118. Caspar Bowden’s point: special rights for UK citizens outside the EU are illegal under ECHR, do they really not realise that?
  • 134.ii. An entire source of communications data is redacted out here. Is this the CD from Tempora full take then?
  • 134.iii. Related communications data from interception is getting retained at this point; I’m pretty sure I saw it getting deleted at a different point in the report.
  • 141. Confusion is caused by commentators using the term “metadata”!
  • 200. “The robustness of the application process means that any applications she receives will already have been rigorously tested, and she told the Committee that as a result she did not refuse many warrantry requests.” !
  • 257.i They really shouldn’t have redacted one of the two subsections on Deliberate interception of lawyer-client communications

Don’t tell me it’s safe!

Guest post by Oliver Florence (final year undergraduate student)

David Cameron has said that a change to legislation concerning encryption is required.

They would like a means of accessing the content of any communication between citizens of the UK. Cameron’s view is that unless they’re able to have a method of encryption with a ‘back door’ that gives them access, his government will make it illegal for civilians to use encryption.

Prior to the digital age, law enforcement agencies were able to have a look through your post or listen in to your telephone calls as a means of keeping you safe. While they do still do this, Cameron has said there is currently no way of accessing the content of encrypted digital information.

The argument presented is that there are situations in which law enforcement ‘need’ access to the communications or data held on an individual’s phone, and are now unable to get that access as a result of modern encryption. Adding to this problem is that an increasing number of mobile handsets are being sold with data encryption enabled as a standard feature.

Cameron is proposing a Government backdoor into encrypted communication, which is not an unfamiliar concept: both the director of the FBI and President Obama have made mention of this type of encryption. It’s important to be clear here: referring to any proposed backdoor-inclusive encryption method as secure is misleading and dangerous.

Understanding encryption in terms of its function is simple; it’s either secure, and no one other than the intended recipient can decrypt and read it, or it’s not. The problem that arises when you start leaving backdoors in encryption is that someone will find and exploit them.

If citizens of the UK are told they must use a new standard of encryption that has a backdoor, but is safe, the majority of users may continue as though they are still safe, which simply will not be true. Whether the problem is a lack of understanding on the part of our representatives, or a purposeful distribution of misinformation is unclear. In either case though, the resulting landscape would leave residents of the UK far more vulnerable to cybercrime.

This change will of course be presented to the public in some complementary ‘anti-terror’ wrapping paper to make it more palatable.

The threat of outlawing encryption is an absurd proposal and a scare tactic. The UK has an ecommerce industry that had a turnover of 44 billion in 2014. Without a safe form of encryption, consumer confidence in the industry would erode, with profound effects on the economy. Also, any transaction carried out using HTTPS (your bank, Amazon, any login information) would no longer be encrypted as securely. It is clear that the threat of removing encryption is in no way viable and its suggestion is a way of whipping up election attention.

I am not suggesting that there isn’t discussion to be had around how agencies can effectively retain their ability to police in the digital world. Banning or breaking encryption is not how this will be achieved though, and having this back and forth is detracting from real progression in the discussion.

This is a guest post by Oliver Florence, final year undergraduate student in Computer Science. Oliver’s research project was “Cyber security current affairs”, relating technical knowledge in cyber security to current affairs and producing stories for a wider audience on that basis.