What do you think about communications data collection and storage?
Roland Perry
ukcrypto at chiark.greenend.org.uk
Fri, 1 May 2009 20:32:16 +0100
In article
<a2b6592c0905011111l1f8c556cvaa181af7306a1a35@mail.gmail.com>, Igor
Mozolevsky <igor@hybrid-lab.co.uk> writes
>2009/5/1 Roland Perry:
>
>> One of the fallacies (which I've been pointing out for at least the last
>> eight years) is that the communications data for a particular communication
>> is a static thing.
>
>That still doesn't address what is actually being recorded and more
>interestingly where.
You can only record what's available, but you can record that from
anywhere along the route that you have a probe.
>The where part matters a fair bit here - for
>example, if the data was sniffed out from the wire and logged at the
>application layer, mounting a DoS on all of the sniffers is fairly
>easy - you just have to mount a sizable frag attack and exhaust
>sniffers' buffers and they will either be unable to take any more
>traffic after that (while waiting to reassemble buffered packets) or
>(more likely) crash... Even the script kiddies know how to use frag
>attacks to bypass I(D|P)Ses and deliver attack data to the target,
I'm struggling to understand how the criminal sat at his ADSL PC in
London mounts that attack on an indeterminate bit of network the other
end of the county.
>so why is there a perception that any serious criminal would send data
>in clear text and essentially get `logged' this way?
It is always the case that some criminals will try to cloak their
activities, but the majority simply don't bother (or even know how).
>Besides, this reflects the situation with CCTV - the whole logging
>initiative is not going to prevent crime. Instead, it merely *may*
>provide some corroborating evidence of a crime.
I think it may help prevent some crimes, if you can home in on the
conspirators just before they act.
>Except, one needs to be much more technically skilled to look at logs,
>correlate them and figure out what is going on than to look at CCTV
>footage. Then there are technical factors like clock drift between
>logging hosts...
I'm not sure clock drift matters much when all you are doing is making a
list of the web pages I surf to, and who I send emails to.
>> To return to a postal/courier analogy...
>
>[snip]
>
>The problem with the postal analogy is that a) the whole address is
>written on the packet
It isn't. None of the depots in between have their addresses written on
the outside, nor do they have the licence number of the delivery van.
That's a fundamental part of the analogy.
>and b) whatever is going to that address is nicely wrapped inside and
>can be viewed with an x-ray machine or opened up for inspection.
Isn't that what DPI is supposed to do? Although as I said earlier,
what's probably more interesting is that the parcel was delivered to
you, and not your neighbour.
--
Roland Perry