'Today' considers data retention and IMP

John Wilson ukcrypto at chiark.greenend.org.uk
Fri, 9 Jan 2009 14:50:26 +0000


On Fri, Jan 9, 2009 at 12:47 PM, Richard Clayton <richard@highwayman.com> wrote:
[snip]
> If the encrypted connection is to an ISP then they will log the details
> just as if it were not (One reading of the incompetently written
> Directive says that the log record should include the fact that a
> different service was used)
>
> If the connection is not to an ISP then the Data Retention Directive
> doesn't apply to either end ...
>
>>For example I use one Gmail account as web mail using https: and
>>another via my desktop client using SMTP over SSL (which is the
>>default for GMail I think).
>
> Since Google is in California, they are not bound to preserve anything
> (albeit the concept of Google not recording things is so unlikely, that
> you should assume that they log a great deal, including content, and
> keep it for long periods...  read your agreement with them!)
>
> However, that's part of the point of IMP ... once "black boxes" exist at
> ISPs then it is trivial to detect the traffic data ... viz: that you
> connected to Google, and then to estimate the size of the email that was
> transferred. If you don't actually use https: but only log in securely
> and thereafter work in the clear (very common for real webmail systems,
> see UKCrypto passim) then the kit could in principle unpick the HTTP
> traffic and the HTML structure and thereby deduce which mailbox you were
> accessing ... which is traffic data (? well it all depends what level of
> the stack you look at -- something can be content at one level and
> traffic data at the next level up!)

Thank you for that detailed explanation.

So it appears that the implementation of the Data Retention Directive
will fail to capture any details of emails sent and received via web
mail services located outside the EU (even if the user uses a desktop
client to send and receive emails). As a significant number of people
currently use such a service, the fact that you do this is not
sufficient to raise the suspicions of the authorities.

When the government has spent the tens of billions of pounds to
install the black boxes to do deep packet inspection, a Gmail user (and
probably users of other web mail services - I have not checked) can,
with two clicks, change the default and always use SSL, thereby making
the traffic unreadable by the black boxes. Again, there will be many
people who will have changed the default setting so it doesn't make
you stand out to the authorities.

So, if I'm a bad person, I can stop the authorities collecting
information which allows them to build the relationship maps they love
so much and I can do so in a way which does not make me stand out from
the rest of the population.

Plainly Google will have all this information and more, but they will
use it to try and sell the bad person fertiliser and sugar, not to stop
him building the bomb.

Am I missing something here?

John Wilson