The Smith Report
Caspar Bowden
cb at fipr.org
Fri, 2 Jun 2000 09:57:46 +0100
OK - let's both switch off after-burners, but I think I'm justified in repeating
"if the instructions to the parliamentary draftsmen were specifically intended
to legalise various practices, then agencies aren't going to change their
ways after RIP because they don't fit in with how techies outside government
conceive that they should do their job."
>Charles Lindsey wrote:
> That is why I argued
> at length with Simon over the phrase "the key". That is why I drew
> attention to the fact that Plod CAN get to see signature keys in
> spite of protestations in the Bill to the contrary.
As previously, "there is absolutely no official, let alone binding or
public, confirmation that the assumptions that you are making about what
constitutes comms data vs. content, whether warrants must be served on ISPs,
or limits on the operation of black-boxes, are correct."
We have certainly made SOME progress with the government on the nature of keys,
but not on the three issues above. Just to elaborate. This bill was written
by taking a set of existing practices in MI5, MI6, GCHQ, NCIS, NCS, Customs
& Excise et al., and finding a lowest-common-denominator form of words that
would legitimise existing practice. RIP isn't going to stop agencies doing
things that they do already - government doesn't work like that - it will
allow different agencies to do things already done by other agencies, in a
way that they hope will withstand ECHR challenge.
> I think the silence from government indicates that they do
> not regard us as of sufficient importance to take seriously.
I think they take FIPR fairly seriously. Charles Clarke has ducked two
interviews on RIP (one on C4 News, one on Today) when he heard FIPR would be
putting the other viewpoint.
> > > And there is nothing in Smith to suggest that these boxes are
> > > in any way "black" or "opaque".
> >
> > That's not the point. Can you propose a verifiable protocol
> > and design, proof against insider attack, that would allow Swinton
> > Thomas to know what any box had actually been doing, assuming that
> > the boxes will have an uplink and be controllable from GTAC?
> But I deny that assumption, and therefore the question does not arise.
Well although Smith did not discuss it, I find it inconceivable that
deploying perhaps hundreds of boxes (as the Germans are evidently planning
to do - http://biz.yahoo.com/bw/000309/nj_radcom__1.html) would be thought
practical without an uplink - software contains bugs that must be patched -
are they going to send out motorcycle couriers at 3am? If a box falls over,
are they going to rely on the ISP to reboot it in the middle of the night?
And if you're willing to entertain some technical insider threat, it would
obviously be possible to signal to the boxes stealthily by sending
instructions as IP traffic in such a way that it would pass a given box,
without any dedicated uplink.
> That is the fundamental difference between us. I maintain it would be
> unlawful for an ISP to permit a box of that nature to be installed on
> its premises.
But as I think you have mentioned, digital telephone exchanges already have
remote access ports for eavesdropping and there are plenty of anecdotes
about them being used. Why do you have such touching faith that the
intention of RIP is to eliminate such modes of access, rather than
systematize it? If you are deducing that from one sentence in the first
clause of the Bill, parliamentary draftsmen are a lot more subtle than
that - S.15 is overdue for some serious scrutiny for example.
> > a) Part.I Ch.I warrants to intercept the Internet MUST ALWAYS be served on
> > ISPs - ESPECIALLY in the circumstance of a Smith Group passive box installed
> > on ISP premises, capable of being
>
> No, if Plod can do the intercept by "interfering with wireless
> telegraphy" as the Bill so quaintly puts it, then he needs to be allowed
> to do so. And I have referred once or twice to Plod digging up the street
> and getting his hands wet.
But where do you draw the line? According to your way of thinking if Plod
turns up in overalls and a false beard in the ISP machine room pretending to
fix the water-cooler, but actually knobbling the kit in some way, the ISP is
in the clear providing he doesn't realize what's going on. But if he is
suspicious, then he must challenge water-cooler man, who then produces a
warrant from his back pocket and carries on with the job. That is
preposterous.
> > c) Exactly how government define communications data in the context of the
> > Internet
>
> Actually, the definition of communications data in the Bill is quite
> good, when measured by its usually lamentable standard. Yes, it could
> be tightened up, and some of my amendments address that.
As remarked to Roland - you can drive a bus through the definition:
"20(4) In this Chapter 'communications data' means any of the following
(a) any address or other data COMPRISED IN or attached to a communication
(whether by the sender or otherwise) for the purposes of any postal service
or telecommunication system by means of which it is being or may be
transmitted;
(b) any information which includes NONE of the contents of a communication
(APART from any information falling within paragraph (a)) and is about the
use made by any person..."
So that "APART" seems to mean that comms data CAN include the contents,
provided it is "COMPRISED IN" a communication. Doesn't that sound like a
fairly reasonable description of a datagram, headers and payload?
--
Caspar Bowden Tel: +44(0)20 7354 2333
Director, Foundation for Information Policy Research
RIP Information Centre at: www.fipr.org/rip#media