FW: [Apc-euroir-ws] "RIP Act" could result in massive surveillance -- BBC
Caspar Bowden
cb at fipr.org
Thu, 6 Sep 2001 21:11:03 +0100
Cross-posting from an APC list - hope sufficiently on topic
--
Caspar Bowden    www.fipr.org
Director, Foundation for Information Policy Research
Tel: +44(0)20 7354 2333
> [mailto:apc-euroir-ws-admin@gn.apc.org] On Behalf Of Paul Mobbs
> Sent: 06 September 2001 12:55
> To: apc-euroir-ws@gn.apc.org; ir-l@gn.apc.org
> Subject: [Apc-euroir-ws]
> "RIP Act" could result in massive surveillance -- BBC
>
> http://news.bbc.co.uk/hi/english/sci/tech/newsid_1500000/1500889.stm
> By BBC News Online technology correspondent Mark Ward Wednesday, 22
> August, 2001, 07:39 GMT
>
> Laws designed to catch computer criminals could result in a
> huge increase in the amount of covert surveillance carried
> out on British citizens by the police and intelligence services.
>
> The controversial Regulation of Investigatory Powers Act
> requires many companies providing communication services to
> install technology that allows up to one in 10,000 of their
> customers to be watched at the same time. Experts and lobby
> groups fear that this requirement could drive a "tenfold"
> increase in the number of wiretaps and threaten the
> fundamental rights to privacy of many citizens.
>..
> "It could allow a tenfold increase in the current level of
> interceptions that are going on," said Caspar Bowden
There seems to me to be a puzzle about how S.8(4) warrants are to be
implemented. These are the ECHELON warrants for mass-trawling - which in
popular conception are limited to external communications. But according
to a Home Office Minister's letter (Lord Bassam) RIP is "intended to
provide for (the) possibility" that ISPs will have to comply with a
trawling warrant
(http://www.fipr.org/rip/Bassam%20reply%20to%20Phillips%20on%20S.15.3.htm).
How ?
Presumably by issuing a S.12 order to require the ISP to be capable of
either (a) filtering the entire flow of data against keywords [etc.] or
(b) piping the whole lot to Cheltenham.
Can ISPs neatly separate external and domestic traffic and just hand
over just stuff "sent or received" outside UK ?
I don't think so.
But what about S12CoP.8(g) "Simultaneous interception for at most 1 in
10,000 of the end users...This sets the maximum capacity a CSP can be
obliged to provide by **a** section 12 notice"=20
That doesn't seem to admit any room for keyword spotting [etc.] ECHELON
style in ANY S.12 order that might be issued.
So what's the trick ?
There are several ways to construe loopholes:
http://www.homeoffice.gov.uk/ripa/section12.htm
1) suppose you were ECHELON spotting for "Osama bin Laden" and a
shedload of other ECHELON words. If you average the sporadic hits you
get over the pipe required to carry 1:10,000 the whole time, that
suffices for keeping a pretty sharp eye on the whole population.
AND/OR
2) is a "warranted person" a named person, or can it be interpreted as a
category of persons that match ? [...fulfill the description on the
certificate of an 8(4)]
3) If so, then look at S12CoP.8(b) "This requirement only applies if the
warranted person can be associated with a specific telecommunications
identifier". I think most people would say that 'requirement' here just
meant clause 8(b). But actually the entirety of paragraph 8 is entitled
"General Requirement for...". So one could interpret this to mean that
*all* of para 8 is disapplied BECAUSE S.8(4) warrants define their
targets with arbitrary "factors" that need NOT be **telecommunications
identifiers**
See also
http://www.chiark.greenend.org.uk/pipermail/ukcrypto/2000-December/014465.html
And
http://www.chiark.greenend.org.uk/pipermail/ukcrypto/2001-August/017007.html
So 1:10,000 might be small potatoes (with a red herring?). Is the real
story whether/how/why/when ISPs will have to implement 8(4) warrants ?