Government Snoopers charter announced, many questions left unanswered

Last week's Queen's Speech showed the Coalition's wish list of law proposals and reforms for this Parliamentary legislative agenda. This included a little bit more information on the government plans for updating law enforcement access to communications data that have been circulating under the Communications Capabilities Development Program (CCDP) name since late 2011/early 2012.
 
We now know it's called the draft Communications Data Bill and it "intends to bring forward measures to maintain the ability of the law enforcement and intelligence agencies to access vital communications data under strict safeguards to protect the public, subject to scrutiny of draft clauses"

Luckily, the Bill was moved out of the fast stream "Home Office/Ministry of Justice crime and courts bill" to be considered on it's own merits as a standalone bill.

This is good news because extensive scrutiny and public consideration of draft clauses are essential to fully understanding the implications of this 'Snooper's Charter'. 

Nick Clegg has promised the Bill won't be 'rammed through Parliament' and the Home Office pledge to include strong safeguards.

Nevertheless, the very existence of this proposal is curious given the 2010 Coalition pledge to "end the storage of internet and email records without good reason".

Current System

It's important to remember that communications data is not actual content, but the metadata about phone and Internet communications.

This includes the email addresses of sender and recipient, user location, phone numbers, equipment used, the time and duration of a phone call.

Since 2009, UK ISPs and Telcos have retained communications data collected in the course of business (for billing etc) for 1 year under powers derived from the EU Data Retention Directive.

Under the Regulation of Investigatory Powers Act 2000, law enforcement agencies and other authorised bodies can already access this data, for many reasons including fighting crime and maintaining the economic well being of the country.

So how will this new bill change the current system? It will:

1) Update the framework for collection and retention of communications data by communication service providers (CSPs)

2) Update the framework on lawful access to such data for authorised government bodies including the police and intelligence agencies.

3) Create 'strict safeguards' including:
        - A 1-year limit on data held by CSPs
        - Measures to protect data from unauthorised access or disclosure.
        - Extension of the Interception of Communications Commissioner oversight
        - Provide an independent Technical Advisory Board for CSPs
        - Extend powers of the Investigatory Powers Tribunal for investigating individual complaints

4) Remove communications data laws that have lower standards of protection.

Problematically, this outline doesn't really provide much detail on the nuts and bolts of the new Bill.

There are many key practical areas I think have to be addressed including: What additional powers will be provided for oversight bodies? Do CSPs have to install dedicated 'black box' deep packet inspection technology? Who will pay for this infrastructure and maintenance of interception algorithms? How will the new law handle encrypted communications?

Requiring data from third party services, often outside the UK, raise many questions too: How will US third parties, like Google, Microsoft or Facebook, fit in with UK police seeking social networking and instant messaging comms data? How will CSPs accurately separate the content of communications from the metadata? And how will real time access to data work in practice?

The current EU Data Retention laws have often been criticised for creating a system of mass surveillance.

Yet, instead of rolling back these powers, this Bill wants to further expand and entrench this culture of storing everything 'just in case' it becomes useful.

Whilst it's claimed 'modernisation' is needed to stop terrorism, paedophile rings and other organised criminal activity, these criminal groups will doubtless use encryption technologies and anonymised networks keeping them off the grid anyway.

This just leaves the general population unjustifiably under the gaze of a decentralised network of private surveillance.

Until specific details of the plans are released the many questions outlined above will remain unanswered, preventing any real debate.

However, even when more information becomes available, it remains impossible to envision how treating the entire UK population as a 'nation of suspects' is necessary and proportionate in a democratic society.

Roundup of new articles over at Naked Security

New Naked Security Articles 

I've been busy writing more articles for Naked Security  and I thought it might be a good idea to periodically provide an update of them here too. The links to the original articles are provided with a little blurb and any important updates since the stories were posted too.  Please check them out, and (hopefully) enjoy!

ACTA Protests in Bulgaria - Photo from The Guardian

1) What's all the fuss about ACTA? on 06/02/2012 - In this article I was discussing myths floating around about ACTA, and what can be done to re-instill some democracy into the secretive negotiation and signing process. Widespread protests, following signing in Europe, spread through Poland and other European countries. This brought awareness of ACTA to the fore, and since writing the article further protests have led Germany, The Netherlands and Bulgaria to denounce and refuse to ratify ACTA. Just today it was announced that it will be referred to the European Court of Justice for consideration.

Importantly, negotiations of another sinister trade agreement based acronym are underway in private...the TPP or Trans-Pacific Partnership. I'm intending to write about this in the near future too.

Gary McKinnnon - Photo from The Guardian

2) Should having autism be a legal defence to hacking charges? on 10/02/2012 - I tried to answer this tricky question posed on Channel 4 News. The cases of Gary McKinnon and alleged Lulzsec hacker Ryan Cleary, both who have Asperger Syndrome, have raised legal questions about the impact of their condition. Here is an excerpt of my thoughts from one of my comments. 

People with autism have a very clear understanding of the notions of right and wrong. Professor Baron Cohen found that for Gary McKinnon, his Asperger Syndrome led him to weigh up right and wrong in a manner that seemed morally right to him at the time. However, he did not fully appreciate or foresee the severity of the consequences due to his condition (and "mind blindness"). 

For Gary, he believed finding and disseminating information to the world about UFO's was the right thing to do because it would benefit humanity. This is despite having to hack into NASA &The Pentagon etc to get the information. 

This balancing of interests clearly contrasts with the conclusion someone without the condition may reach. For them the awareness of breaking many laws and fear of prison would be enough incentive to stop hacking. 

Is it fair then that someone, who by virtue of their autism has an altered perception of the situation, could be treated the same as someone without the condition? I am trying to say that because autism is a spectrum disorder it affects all individuals differently. Therefore, any argument should be on a case-by-case basis, with expert assessment.

Perhaps there should be more provisions in place within the legal system to handle a range of outcomes. This is why I don't think having autism should provide an absolute defence. There has clearly been wrongdoing when hackers with autism break into computer systems searching for UFO evidence or otherwise. 

However, maybe there should be other legal measures in place to reflect the defendant's position, like creating a partial defence allowing lowering of charges, or a shortening of sentence. 

Although these measures could be achieved when sentencing is carried out (by incorporating mitigating circumstances), maybe it needs to be a bigger factor than just in the sentencing stage."

Please read the whole article though and let me know what you think.

3) Who has better privacy laws: USA or European Union? on 15/02/2012 - 

In my opinion, the European Union, by far. When reading an article in PCWorld proposing a US digital consumer bill of rights , I was struck by how many of those rights already exist in Europe. This led me to discuss the current sate of EU Data protection laws and outline how reforms in the new Data Protection Regulation will further change data subject protections.

I noted how the new law will "create pro-consumer rights including a broader interpretation of what data is personal, demands for 'explicit' consent for data processing, develop a right to be forgotten, a right to object to data profiling and require greater portability of electronic data. In respect of data loss, there are new 24-hour data breach notification obligations."

In contrast I noted how the US have a "more fragmented approach, with use of industry self-regulation, sector-specific standards (for finance, children rights, federal bodies and healthcare), and state-level rules. Broad constitutional privacy protections in the Fourth Amendment exist too. The US Federal Trade Commission plays an enforcement role, has privacy guidelines, and pushes initiatives like Do Not Track for online marketing. But there is no single body with a sole data protection focus in the US."

4) Canadian politician accuses bill opposition of siding with child porn peddlars on 17/02/2012

The Canadian Bill C-30 seeks new rules for lawful access by law enforcement. It was comments by Canadian Pubic Safety Minister, Vic Toews that brought the bill into popular media last week. He stated that critics of the bill were on the side of child pornographers. This ridiculous statement did nothing for allowing a rationale debate and I wanted to look past this to see what Bill C-30 actually proposes.

It establishes rules for regulation of surveillance, including interception guidelines and obligations. Controversially, it also includes rules permitting law enforcement to approach telecoms companies (telcos) and Internet service providers (ISPs) to demand subscriber data without applying for a warrant. 

The government have argued this is just the modern equivalent of phone book information but when you look at s16(1) of the bill it shows it includes your IP addresses, subscriber ID email address, phone number, name and address.

Professor Michael Geist provided some very useful ideas on improving the Bill to find a compromise, which I discuss and quote in the article. Regulation of surveillance legislation plays a very important role in protecting privacy, and therefore it is important Bill C-30 doesn't fail. It has been pulled back for further revision by the government, and hopefully they will find a middle ground between law enforcement interests and privacy.

UPDATE 24/02/2012 - Michael Geist has suggested 12 recommendations on how to fix Bill C-30, well worth reading.

5) Interception Modernisation Programme or Communications Capabilities Development Programme? Who cares its still storing your data on 22/02/2012

Today I uploaded a story about the Coalition resurrecting the lambasted Interception Modernisation Programme (IMP), which is now known as the Communications Capabilities Development Programme (CCDP). 

The Coalition parties slated Labour for the IMP, rightfully calling it "reckless". When they came to power they committed to ending storage of internet and email records without good reason.

Nevertheless, we somehow have the CCDP, with the formal plans to be published by the end of April 2012, and implemented by the end of June 2015. As Jim Killock, Executive Director at the Open Rights Group said "Labour's online surveillance plans have hardly changed but have been rebranded. They are just as intrusive and offensive."

The CCDP wants, like the IMP, to have ISPs and telcos create databases of communications data for spooks and police to access at their convenience. According to a Telegraph report,  it will define the "who, when and where" of data subjects, including email addresses, IP addresses, phone numbers, time, location, data sender and recipient. It also allows spooks to monitor real time email and text traffic, and social media communications like instant messages on Twitter and Xbox Live.

Once again, there are many things to object to with this, not least its lack of necessity and impact on privacy. There are laws on interception and access to communications data already in place, and the justification of a mass surveillance mechanism like this is unfounded.

Beyond this there are security issues of privately held databases, policy issues incorporating companies into public policing practices (despite their lack of public accountability/transparency) and importantly, the potential for scope creep by storing data "just in case" it becomes useful.

I discuss these in more depth in the article, so please check it out and let me know what you think.

Early impressions of the new UK Cyber Security Strategy

On Friday 25th November, the UK Government released their Cyber Security Strategy for "Protecting and promoting the UK in a digital world". This document follows closely on the heels of the FCO organised 'London Conference on Cyberspace' at the beginning of the month. Such high profile events  are showing the importance of cybersecurity and management of threats on the UK Government mainstream political agenda. The declaration of cyber-security as a Tier 1 threat, and the much-cited investment of £650 million into the four-year National Cyber Security Programme (NCSP) further prove the commitment. This document sets out a UK strategy to be achieved by 2015 and provides the outline for future regulatory approaches to these developing risks.

It states in rather utopian language (taking lessons from the UN clearly...) -

"Our vision is for the UK in 2015 to derive huge economic and social value from a vibrant, resilient and secure cyberspace, where our actions, guided by our core values of liberty, fairness, transparency and the rule of law, enhance prosperity, national security and a strong society"

Despite this laudable sentiment, there has been criticism that the Strategy provides insufficient coherency for realisation of many of its aims. The Chartered Institute of IT notes that a framework for greater integration between public bodies, industry and individual citizens is required. Overlooking the lack of explicit detail at this stage, the Strategy does indicate key areas of investment and development for the next three years. I provide discussion of a few aspects that I found interesting. 

In relation to the NCSP fund mentioned above, the Strategy provides indication of the financial breakdown. The two highest sums are 59% (£383.5m) going to a "Single Intelligence Account" to build cross cutting capabilities including Information Assurance (for classified purposes at GCHQ) and 14% (£91m) going to the Ministry of Defence (for mainstreaming cyber in defence). The Home Office is next in line with 10% (£65m) then another 10% (£65m) to Government ICT. The Cabinet Office gets 5% (£32.5m) and BIS 2% (£13m).

The Strategy clearly acknowledges the importance of strong intelligence and the expertise of GCHQ. The Government wants the UK to pave the way as a leading environment for secure e-commerce and online activity. Development of the 'public/private hub of expertise on cybersecurity' is going to provide practical assistance in this regard. The development of defence technologies by increasing partnerships between GCHQ, private firms and academia is an area where the government foresees growth. Beyond this, a proactive approach to cyber-defence is also creating offensive technologies, which William Hague noted in October. This highlights the UK's role within the increasingly publicised global cyber arms race.

GCHQ estimates "80% or more of currently successful attacks exploit weakness that can be avoided by following simple best practice". The strategy frequently reiterates the need to detect threats and to empower individuals and firms. NATO at the Lisbon Summit also acknowledged the need to prevent, detect and defend against and recover from cyber attacks. Considering that such a high percentage of risk is attributable to avoidable weaknesses, it is important to question how detection systems (through intelligence and surveillance) can operate in a manner that addresses these weaknesses but still respects rights of individuals, particularly privacy. The strategy makes several acknowledgements of the importance in maintaining privacy. In s3.5 privacy is mentioned in relation to individual and collective security and secondly alongside the need to protect intellectual property (s3.6). With regard to intellectual property, an interesting development is its newly defined determination as part of critical infrastructure (when its loss causes significant economic damage to the UK).  Integration of IP protection into cybersecurity policy seems a curious path and suggests future legislative developments with formal consideration of IP with national security interests as opposed to merely economic ones. Importantly for this, the parameters of what is defined as relevant IP will be key. Protecting IP pertaining to military designs and certain industrial property has clear correlation with national interests if considered in relation to cyber-espionage. In other contexts defining the relevant forms of IP to protect may be less obvious.

It is noted that because most of cyberspace infrastructure is owned by private companies, there is great need for "private organisations to work in partnerships with each other, government and law enforcement agencies, sharing information and resources, to transform the response to a common challenge and actively deter the threats we face in cyberspace". These partnerships are recognition of the need for new governance methods, and as long as respective interests are balanced they seem a positive development. However, Lessig in the bible of cyberspace regulation, Code v2.0, noted the risks of seamless integration of law and technological architecture to create a system of perfect regulation in cyberspace. He acknowledges the necessity of a trigger to force this interaction, in this case security issues. It is important to remember that as new security centric governance structures are developing, balanced and proportionate regulation is essential. Proportionality is mentioned in the Strategy, but as many post 9/11 legislative developments have shown, when faced with balancing security and privacy, the government often struggles to achieve the correct balance. The real challenge for this Strategy is foreshadowing effective governance structures that addresses security challenges whilst maintaining respect for individual rights.

An interesting facet of the strategy is building international consensus through the 'soft law' mechanisms of 'norms of behaviour' in cyberspace. The Internet is already fragmented by regional territorial implementation of distinct norms where online practices in one country are well-established, but vehemently rejected in other (by government and citizens). These vary from cultural, religious and political filtering to shutting down communications infrastructure for controlling freedom of speech and association to increasing roles of online intermediaries to tackle issues like IP piracy. Attempting to establish norms in relation to a sensitive topic like national cyber-security seems even less likely to bear productive results. Ultimately it seems more likely internationally the result shall be diplomatic agreements and political commitments, that can be derogated from without formal sanction.

In terms of hard international laws, the UK as Chair of the Council of Europe for six months has made a renewed commitment to persuade other countries to develop compatible laws with the Cybercrime (Budapest) Convention. There is also a commitment at a domestic level to raising awareness of cyber specific sanctions for cyber offences within the UK judiciary. Considered in conjunction with the review of the Computer Misuse Act 1990, this may result in a range of new offences in the revised legislation, fit for purpose in this age. Another area of focus is cross border law enforcement with cooperation and prevention of safe havens. Although this approach seems more plausible in Europe (where information sharing system like Schengen I - with II on its way - already exist) for other non-European countries this seems a more unobtainable. Domestically, the establishment of a cyber crime unit in the new National Crime Agency (NCA) will draw on expertise of Serious Organised Crime Agency (SOCA) and the Met Police Central e-Crime Unit (PCeU). 

The Government indicates increased self-regulation of risks by the public. The Get Safe Online campaign, security kitemarks and increasing responsibilities of ISP's to guide individuals are some of the education focussed measures mentioned. Although there is a clear role here for consumer awareness, the efficacy of these measures will remain to be seen, particularly with kitemarks. On first appearance they sound like a bit of a red herring and susceptible to fraudulent applications. 

Whilst this Strategy provides interesting reading of developments to expect over the next three years, there are certain risks and pitfalls. The extrapolation of specific frameworks from this Strategy will be essential for creating proportionate and balanced regulatory structures. Without doing so, the damage to UK online business, national security and individual rights will be significant.