The Draft Communications Data Bill - why it's possibly evil

The Government is proposing a new Act of Parliament, currently known as the Draft Communications Data Bill or DCDB, which will effectively give them access to all your Internet activity. The premise behind this is that they want to be able to fight the war against terrorism and other "crimes enabled by Email and the Internet", as Theresa May put it.

There are already measures in place allowing the Government to get hold of data from ISPs. The most recent piece of legislation follows on from a European directive known as the Data Retention Directive 2002/24/EC, which ensures Internet Service Providers (ISPs) or telecommunication providers (telcos) maintain logs for 12 months (of data they already collect). This generally relates to such things as billing records or call records (i.e. who made a call to whom and for how long), but the important bit is that ISPs/telcos only need to retain what they already store and aren't required to log anything new.

The Regulation of Investigatory Powers Act (RIPA) allows the authorities (and this is where it gets nasty) to ask an ISP to store specific data about a customer, without letting the customer or anyone else know, as that's an offence under RIPA too. The 'authorities' covers a wide range of organisations: the usual suspects such as the Police or Government agencies, and also your local council and other agencies (for example, those that may be investigating benefit fraud). There are other oddities in the Act: if you're sending encrypted emails, you can be asked to surrender the encryption keys, it's an offence not to hand them over, and you can languish in jail until you do.

The DCDB extends these powers so that ISPs will have to monitor more services and store more information about users.
This includes things like emails (who sent an email to whom and at what time) and what websites are being visited; it may also extend to VoIP calls (which might originate from, say, a VoIP phone used by the customer while the service used is not run by the ISP). Most ISPs don't monitor these things and don't actually have the equipment to do so, so the Government is proposing to put 'black boxes' into the ISPs' networks to do the snooping. Currently the Government will pay for the boxes.

This sounds reasonably fair, but as with everything there are potential issues. There are very few companies that have the technology to do this, but there are a few, so it's likely that the Government will just use them. This means that they are known systems, and they'll be the target of every hacker as they'll be storing a wealth of useful information that will be valuable to someone.

Most ISPs are using fast internal networks running at 1 Gigabit per second (Gb/s), some are using 10 Gb/s networks and some even 40 Gb/s networks (and in future networking technologies will increase to 100 Gb/s). The black boxes will work at a specified speed (say currently at 1 GB/s), so if an ISP increases its network speeds, more black boxes will have to be installed in order to keep up with the increased network traffic. Who then pays for more boxes? The Government may try to restrict the ISPs from increasing their network speeds so they don't have to install faster or more boxes. This already happens in countries whose Governments have restrictive policies on what customers can view etc.

The Government may also want to snoop on web traffic. That's pretty easy when it's normal HTTP traffic, as you'd use to visit, say, The Next Web: the ISP can just put in a web proxy, force all web traffic through it, log whatever's been requested and send the request on to the actual site that's been requested by the customer.
It may be slightly slower, but the customer wouldn't know that the traffic has been intercepted.

However, sites also use HTTPS, or encrypted HTTP. This is where it gets very nasty, as putting a proxy in the middle doesn't work. The web traffic is forced to the proxy, the browser establishes the encryption to the proxy and the proxy then starts its own encryption to the desired site. Except that the browser 'knows' that it's not really the remote site, as the encryption certificate won't match what the browser's expecting, and thus the little padlock that shows that the connection is secure won't be locked and the customer knows the connection has been intercepted.

It is possible to fake the secure connection (by installing a Government security certificate on all the UK browsers), which is difficult but not impossible. This then would match all certificates issued by anyone, and thus the proxy could pretend to be whatever site it wanted to and all UK browsers would believe it. However, that's a HUGE security risk, and anyone managing to break into the proxy could steal huge amounts of valuable data, including secure connections to on-line banking and other services. Anyone stealing the Government certificate would also be able to emulate any secure site they wanted to.

So if the DCDB does become the Communications Data Act, then ISPs may be forced to stifle technology advances to ensure the Government can keep up with the snooping, as well as making the UK a massive target for terrorists attacking the snooping systems themselves.
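To make the HTTPS point above concrete, here is a small model of the browser's certificate check, added as an illustration and not taken from any real browser or proxy. It assumes a toy scheme in which an HMAC stands in for the CA's real asymmetric signature, and all names, keys and the host `bank.example` are made up. It also goes one step beyond the text by showing that a pinned site key still exposes the interception after the extra root has been installed.

```python
import hashlib, hmac

# Toy model: HMAC stands in for the CA's asymmetric signature, so the
# "verification key" in a trust store is the same secret the CA signs with.
def issue(ca_name, ca_key, host, site_key):
    tbs = f"{host}|{ca_name}|".encode() + site_key
    return {"host": host, "issuer": ca_name, "key": site_key,
            "sig": hmac.new(ca_key, tbs, hashlib.sha256).digest()}

def chain_ok(cert, host, trust_store):
    """Browser-style check: name matches and a trusted root signed the cert."""
    ca_key = trust_store.get(cert["issuer"])
    if ca_key is None or cert["host"] != host:
        return False
    tbs = f"{cert['host']}|{cert['issuer']}|".encode() + cert["key"]
    expected = hmac.new(ca_key, tbs, hashlib.sha256).digest()
    return hmac.compare_digest(expected, cert["sig"])

def pin_ok(cert, pinned_sha256):
    """Pinning check: the site's own key must match a hash learned out of band."""
    return hashlib.sha256(cert["key"]).hexdigest() == pinned_sha256

def verdict(cert, host, trust_store, pin):
    if not chain_ok(cert, host, trust_store):
        return "untrusted"  # the padlock is not shown, browser warns
    return "trusted" if pin_ok(cert, pin) else "trusted-but-intercepted"

# Constructed sample data (all names and keys are made up).
HOST = "bank.example"
PUBLIC_CA, INTERCEPT_CA = b"public-ca-secret", b"intercept-ca-secret"
SITE_KEY, PROXY_KEY = b"bank-real-public-key", b"proxy-public-key"
PIN = hashlib.sha256(SITE_KEY).hexdigest()

real_cert = issue("Public CA", PUBLIC_CA, HOST, SITE_KEY)
proxy_cert = issue("Interception CA", INTERCEPT_CA, HOST, PROXY_KEY)

stock_store = {"Public CA": PUBLIC_CA}                        # normal browser
modified_store = {**stock_store, "Interception CA": INTERCEPT_CA}

def scenarios():
    return {
        "direct": verdict(real_cert, HOST, stock_store, PIN),
        "proxy, stock browser": verdict(proxy_cert, HOST, stock_store, PIN),
        "proxy, root installed": verdict(proxy_cert, HOST, modified_store, PIN),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

The third scenario is the risk described above: once the extra root is in the trust store, the ordinary check passes for any site the proxy chooses to impersonate, and only a check against the site's own key notices the difference.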