Shady ISP Inc (Was Re: Government black boxes will 'collect every email')

Ian Batten ukcrypto at chiark.greenend.org.uk
Mon, 10 Nov 2008 09:30:44 +0000 

On 09 Nov 08, at 1806, Richard Clayton wrote:

>
> ... it doesn't seem entirely likely to me that a system which is overt
> and whose traffic can be cheaply returned to a central site over the
> Internet is especially suitable for interception (as we know it today)
> where the requirements list includes things like it being impossible  
> to
> tell whether anyone is being monitored; who is being monitored; and  
> who
> is doing the monitoring...  [viz: the systems are not overt and  
> deliver
> their results over private networks...]

Although if nearing everyone is being intercepted, the requirements  
covering the secrecy of the targeting list and the inability for a  
subscriber to determine if they are being intercepted evaporate: the  
government would _want_ people to believe they are being intercepted,  
even if they aren't.

However, this all raises the spectre of a scenario we might call  
``Shady ISP''.  You don't need an Annex 2 telephony license to run a  
telco these days, and you never needed one to run an ISP.   However,  
most of the government's proposals assume that the CPs are wearing  
spotless white hats.

Suppose I buy or build a small LLU network using hardware that  
provides baseband voice to VoIP translation in the exchange (any MSAN  
sold for 21CN, for example), using MPF in order to get hold of the  
baseband.   I run a private backhaul network either over my own fibre  
or by using encryption over wholesale facilities.  I hand off off-net  
voice via encrypted links to an overseas telco in a country which  
doesn't have a mutual assistance agreement with the UK.  LINX might  
not deal with me for Internet, but I could peer elsewhere, perhaps at  
SINX (Shady Internet Neutral Exchange).

I sell this as a product for the privacy conscious individual and SME,  
at a premium price.  But not too premium: I need a reasonable number  
of legitimate customers to provide some deniability for my real  
stakeholders.  Those, of course, are any and all shady types.  They  
care very much that I be able to operate, so they quietly fund me via  
``service contracts'' and ``consulting fees'', plus smooth my way with  
the Peoples' Bank of Shadydonia to obtain funding.

Now, the cost of doing this over a few hundred key exchanges is  
probably a few million pounds, depending on backhaul costs: well  
within the budgets of your typical evil conspiracy (I'm thinking  
SPECTRE or SMERSH).  Aside from the money laundering implications,  
which I accept aren't trivial, it's hard to see what `above the line'  
channels are available to stop me from doing this.  Ofcom can't stop  
me: there's not fit and proper person test.  BT can't stop me, because  
Ofcom won't let them.

Now in the real world, I'd find that few suppliers would talk to me  
and that any equipment I did manage to obtain would mysteriously go on  
fire.  But there's a continuum between the white hats assumed by the  
government and the pantomime black hats I am imagining.

After the dot.bust, we joked that we didn't need to enter the  
transmission market, as anyone seeking a world-wide optical network  
could just buy one from the receivers.  In the coming few years,  
obtaining either a functional LLU network or a WiMax license or some  
other handy asset will be easier for people with cash than it was  
historically, and buying a legitimate ISP in order to operate it on  
behalf of people who have nefarious intent wouldn't cost a huge amount  
of money by the standards of, say, a major South American drug cartel.

ian