The Smith Report
Charles Lindsey <chl at clw.cs.man.ac.uk>
Fri, 2 Jun 2000 15:22:43 +0100 (BST)
On Fri, 2 Jun 2000 09:57:46 +0100
"Caspar Bowden" <cb@fipr.org> said...
> >Charles Lindsey wrote:
>
> As previously, "there is absolutely no official, let alone binding or
> public, confirmation that the assumptions that you are making about what
> constitutes comms data vs. content, whether warrants must be served on ISPs,
> or limits on the operation of black-boxes, are correct."
Yes, it would indeed be nice to hear some government feedback on this.
Would it be a proper use of parliamentary written questions/answers to
elicit such information, and has anyone got an MP who could be persuaded
to ask same?
But I am more concerned about the definition of data comms, and what
those S21 "authorisations" are for than I am about the black boxes.
> Well although Smith did not discuss it, I find it inconceivable that
> deploying perhaps hundreds of boxes (as the Germans are evidently planning
> to do - http://biz.yahoo.com/bw/000309/nj_radcom__1.html) would be thought
> practical without an uplink - software contains bugs that must be patched -
> are they going to send out motorcycle couriers at 3am? If a box falls over,
> are they going to rely on the ISP to reboot it in the middle of the night?
As Smith appeared to envisage it, the black boxes will be the property
of the ISPs (after all, Smith reckoned that the ISPs would be paying for
them). The proper way to do a software patch is for it to be sent to the
ISP, who then decides whether to implement it. Note that some of the
software on the boxes will probably be provided by the ISP anyway. And
yes, if the box falls over in the middle of the night, the ISP has to
reboot it (maybe following an urgent request from GTAC).
>
> And if you're willing to entertain some technical insider threat, it would
> obviously be possible to signal to the boxes stealthily by sending
> instructions as IP traffic in such a way that it would pass a given box,
> without any dedicated uplink.
Now you are talking about Plod acting in violation of the Computer
Misuse Act, or other such hackings. Yes, I agree that S20(2) stinks and
needs tightening up.
> But as I think you have mentioned, digital telephone exchanges already have
> remote access ports for eavesdropping and there are plenty of anecdotes
> about them being used. Why do you have such touching faith that the
> intention of RIP is to eliminate such modes of access, rather than
> systematize it?
I think that practice is now outlawed by the Bill. Whether the
Parliamentary Draftsmen realise that is another matter.
> If you are deducing that from one sentence in the first
> clause of the Bill, parliamentary draftsmen are a lot more subtle than
> that - S.15 is overdue for some serious scrutiny for example.
S15 seems to be concerned with interceptions not involving people in
the British Islands. The whole Bill sets out to be extremely nasty to
"furriners", which I do not like, but I have been concentrating on the
problems of us here at home.
> But where do you draw the line? According to your way of thinking if Plod
> turns up in overalls and a false beard in the ISP machine room pretending to
> fix the water-cooler, but actually knobbling the kit in some way, the ISP is
> in the clear providing he doesn't realize what's going on. But if he is
> suspicious, then he must challenge water-cooler man, who then produces a
> warrant from his back pocket and carries on with the job. That is
> preposterous.
Yes, I don't like the excesses of S20(2) and S21(5), and have frequently
said so.
> > Actually, the definition of communications data in the Bill is quite
> > good, when measured by its usually lamentable standard. Yes, it could
> > be tightened up, and some of my amendments address that.
>
> As remarked to Roland - you can drive a bus through the definition:
>
> "20(4) In this Chapter 'communications data' means any of the following
> (a) any address or other data COMPRISED IN or attached to a communication
> (whether by the sender or otherwise) for the purposes of any postal service
> or telecommunication system by means of which it is being or may be
> transmitted;
So that gives you the envelope ("attached") and such of the
headers ("comprised") as are relevant "for the purposes of any ...
telecommunication system". That is currently being discussed in another
thread, and the issues are set out in Scenario 24.
> (b) any information which includes NONE of the contents of a communication
> (APART from any information falling within paragraph (a)) and is about the
> use made by any person..."
That seems to cover whatever logs the ISP keeps, but excluding any content
"apart from" that which would have been acceptable under (a).
>
> So that "APART" seems to mean that comms data CAN include the contents,
> provided it is "COMPRISED IN" a communication. Doesn't that sound like a
> fairly reasonable description of a datagram, headers and payload?
No, because datagram, headers and payload do not "fall within paragraph
(a)" except for those bits thereof relevant "for the purposes of any ...
telecommunication system".
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Email: chl@clw.cs.man.ac.uk Web: http://www.cs.man.ac.uk/~chl
Voice/Fax: +44 161 437 4506 Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5