The Smith Report

Caspar Bowden cb at fipr.org
Fri, 2 Jun 2000 18:29:06 +0100 

>Charles Lindsey wrote:
...
> As Smith appeared to envisage it, the black boxes will be the property
> of the ISPs (after all, Smith reckoned that the ISPs would be
> paying for them).

Not sure if you missed this:
"8.2.4 In order that the solutions proposed could be implemented in a cost
effective fashion, there is a need to exploit existing design and
development activity ongoing within Government. Smith recommends that
Government funds the 'upfront' development of generic selection (for the
semi-active and passive) and mediation devices to be deployed in each
option, whilst realising that such an approach is counter to current
Government policy. Such an approach will provide three basic solutions,
developed in a co-ordinated and cost effective manner, that can be deployed
across ISPs as appropriate."

In other words ISPs are supposed to pay for boxes that the Government has
designed and programmed. Would any ISP involved in discussions with
Government like to confirm whether they have been offered verifiable access
to the software running on the boxes - if so how? Suppose government
eventually stumped up the cash (after much operatic grumbling) to pay for
the boxes - huge sighs of relief from ISP industry, all RIP opposition from
that quarter collapses, ISPs completely out-of-the-loop.

> > obviously be possible to signal to the boxes stealthily by sending
> > instructions as IP traffic in such a way that it would pass
> > a given box, without any dedicated uplink.
>
> Now you are talking about Plod acting in violation of the Computer
> Misuse Act, of other such hackings.

It's not hacking, it's government controlling the boxes that they have
designed. In the remote eventuality that this would be a necessary control
channel, an ISA 94 or warrant or PA 97 authorization would do nicely to
permit "interference" with ISP "property".

> > If you are deducing that from one sentence in the first
> > clause of the Bill, parliamentary draftsmen are a lot more
> > subtle than that - S.15 is overdue for some serious scrutiny for
> > example.
>
> S15 seems to be concerned with interceptions not involving people in
> the British Islands. The whole Bill sets out to be extremely nasty to
> "furriners", which I do not like, but I have been concentrating on the
> problems of us here at home.

I agree it SEEMS to be. Suggest you give S.15(3) a VERY close read. All
those "notwithstanding"s.

"20(4) In this Chapter 'communications data' means any of the following
(a) any address or other data COMPRISED IN or attached to a  communication
(whether by the sender or otherwise) for the purposes of any postal service
or telecommunication system by means of which it is being or may be
transmitted;
(b) any information which includes NONE of the contents of a communication
(APART from any information falling within paragraph (a)) and is about the
use made by any person..."

> > So that "APART" seems to mean that comms data CAN include
> > the contents, provided it is "COMPRISED IN" a communication. Doesn't
that
> > sound like a fairly reasonable description a datagram, headers and
payload?
>
> No, because datagram, headers and payload do not "fall within
> paragraph (a)" except for those bits thereof relevant "for the purposes
> of any ...telecommunication system".

Sorry I thought my point was more obvious than perhaps it was. We've all
been wondering how the wording might permit "clickstreams" to be classed as
comms data, right ? Part of the strangeness is that obviously what is
content at one protocol level is address info at a higher level.

So this "APART" loophole seems to give a cart-blanche to look inside the
data part of a packet (because it is OTHER DATA COMPRISED in a communication
BY MEANS OF WHICH IT MAY BE TRANSMITTED) - that gives an arbitrary license
to work your way up through the protocol levels. An http request string
(with embedded parameters) undoubtedly fulfills the definition. It is "other
data", and without it the "communication" MAY NOT be "transmitted". The
trick is to consider the transmission that "may" occur once the request
string hits the Web server. You also have to construe "communication" not as
a message, but as a "request to transmit a web page". But that seems within
a perfectly fair and ordinary meaning of the words, given the surrounding
environment of linguistic barbarity.

That seems to me to knock on the head any idea that comms data is limited to
IP numbers.
--
Caspar Bowden               Tel: +44(0)20 7354 2333
Director, Foundation for Information Policy Research
RIP Information Centre at:    www.fipr.org/rip#media