The Smith Report
Charles Lindsey
Charles Lindsey <chl at clw.cs.man.ac.uk>
Sat, 3 Jun 2000 17:48:52 +0100 (BST)
On Fri, 2 Jun 2000 18:29:06 +0100
"Caspar Bowden" <cb@fipr.org> said...
>
> >Charles Lindsey wrote:
> ...
> > As Smith appeared to envisage it, the black boxes will be the property
> > of the ISPs (after all, Smith reckoned that the ISPs would be
> > paying for them).
>
> Not sure if you missed this:
> "8.2.4 In order that the solutions proposed could be implemented in a cost
> effective fashion, there is a need to exploit existing design and
> development activity ongoing within Government. Smith recommends that
> Government funds the 'upfront' development of generic selection (for the
> semi-active and passive) and mediation devices to be deployed in each
> option, whilst realising that such an approach is counter to current
> Government policy. Such an approach will provide three basic solutions,
> developed in a co-ordinated and cost effective manner, that can be deployed
> across ISPs as appropriate."
>
> In other words ISPs are supposed to pay for boxes that the Government has
> designed and programmed. Would any ISP involved in discussions with
> Government like to confirm whether they have been offered verifiable access
> to the software running on the boxes - if so how? Suppose government
> eventually stumped up the cash (after much operatic grumbling) to pay for
> the boxes - huge sighs of relief from ISP industry, all RIP opposition from
> that quarter collapses, ISPs completely out-of-the-loop.
I would hope no ISP is going to install any box without some firm
assurance about what is inside it, especially so if they are going to
pay for it. See response from Richard Clayton.
>
> > > obviously be possible to signal to the boxes stealthily by sending
> > > instructions as IP traffic in such a way that it would pass
> > > a given box, without any dedicated uplink.
> >
> > Now you are talking about Plod acting in violation of the Computer
> > Misuse Act, or other such hackings.
>
> It's not hacking, it's government controlling the boxes that they have
> designed.
But do not own.
> In the remote eventuality that this would be a necessary control
> channel, an ISA 94 or warrant or PA 97 authorization would do nicely to
> permit "interference" with ISP "property".
Eh? What are ISA 94 and PA 97 and how do they exempt Plod from breaking
the law?
>
> I agree it SEEMS to be. Suggest you give S.15(3) a VERY close read. All
> those "notwithstanding"s.
It still seems to apply only to "furriners", though.
>
> "20(4) In this Chapter 'communications data' means any of the following
> (a) any address or other data COMPRISED IN or attached to a communication
> (whether by the sender or otherwise) for the purposes of any postal service
> or telecommunication system by means of which it is being or may be
> transmitted;
> (b) any information which includes NONE of the contents of a communication
> (APART from any information falling within paragraph (a)) and is about the
> use made by any person..."
>
> Sorry I thought my point was more obvious than perhaps it was. We've all
> been wondering how the wording might permit "clickstreams" to be classed as
> comms data, right? Part of the strangeness is that obviously what is
> content at one protocol level is address info at a higher level.
Yes, but we are only concerned with protocol levels which are relevant
to the transmission.
>
> So this "APART" loophole seems to give a carte blanche to look inside the
> data part of a packet (because it is OTHER DATA COMPRISED in a communication
> BY MEANS OF WHICH IT MAY BE TRANSMITTED) - that gives an arbitrary license
> to work your way up through the protocol levels. An http request string
> (with embedded parameters) undoubtedly fulfills the definition. It is "other
> data", and without it the "communication" MAY NOT be "transmitted". The
> trick is to consider the transmission that "may" occur once the request
> string hits the Web server. You also have to construe "communication" not as
> a message, but as a "request to transmit a web page". But that seems within
> a perfectly fair and ordinary meaning of the words, given the surrounding
> environment of linguistic barbarity.
No, I don't see where you get that from. We are talking about
S20:(4)(b), right? That talks about "information" about how a person
has used a telecommunication system (I understand that to mean logging
information), but it explicitly excludes the "contents" unless ("apart
from") those contents were already eligible under S20:(4)(a). I.e., even
if the logs included more of the content than allowed, Plod can only ask
for the S20:(4)(a) portion.
Now, to fit within S20:(4)(a), the data that you are worried
about has to be in the communication "for the purposes of any ...
telecommunication system by means of which it is being or may be
transmitted". So even if the body of the communication is a "request to
transmit a web page", the URL of the web page is not there for any of
those purposes (though the IP address of the web server is). Neither is
the web server a part of any "telecommunication system by means of which
it is being or may be transmitted". The telecommunication system we are
talking about is the one which was transmitting it to the web server.
Now maybe you are worried that the end points of a transmission are
also a part of the telecommunication system, and worries in that regard
have been expressed in regard to the definition of comms data. But I do
not believe this is so. Nevertheless, I am currently working on wording
which would put it beyond all doubt. But even as the Bill is written,
I think you could easily argue that a postal telecommunication system,
such as that run by the GPO, begins at the GPO's posting box, and ends
at my letter box.
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Email: chl@clw.cs.man.ac.uk Web: http://www.cs.man.ac.uk/~chl
Voice/Fax: +44 161 437 4506 Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5