Mastering the Internet
Peter Fairbrother
ukcrypto at chiark.greenend.org.uk
Mon, 04 May 2009 07:02:43 +0100
** If you send any content along the wire to the "black box" you are
making it available to the box and whoever controls or has access to the
box, and you are therefore intercepting. If there isn't a relevant
warrant or Order in place, it's illegal, no matter who asks you
(politely) to do it. **
Roland Perry wrote:
> In article <49FDC647.6030708@zen.co.uk>, Peter Fairbrother
> <zenadsl6186@zen.co.uk> writes
>
>>> Towards the end it relents:
>>> "Although the paper [work] does not say it, its clear
>>> implication is that those kinds of probes should be extended to
>>> cover the entire population for the purposes of monitoring
>>> communications data,2 said the industry source.
>>
>> How is it limited to comms data?
>
> It's possible that the probes could be used to illegally extract a small
> amount of content - but that's an old story and dates back to the
> original RIPA debate.
>
> If you wanted to use the probes to extract "all" comms data, then you
> are back to the central warehouse idea. There either will or won't be
> one, and if there is the probes are merely the way it's implemented.
We are told there won't be a central warehouse?
>
> On the other hand, if you wanted the probes to extract "all" content,
> then the amount of data involved is immense - every communication is
> likely to pass several probes and so the bandwidth back to Cheltenham
> will have to exceed the bandwidth within the UK Internet by an order of
> magnitude.
What if the black boxes look for keywords, encrypted material, etc in
content, and just send that type of content back to Cheltenham? That
solves the bandwidth problem.
Maybe CGHQ programs the box to only send the communications of "persons
of interest"?
Or maybe GCHQ has a magical compression algorithm? We have very little
idea of the actual entropy of most communications.
If you don't know what the black box does - and by definition you don't
- you can't assume that type of fishing isn't happening.
>
>>>> any ISP installing a "black box" will be acting illegally.
>
>>> An order is only required if the CSP resists a polite request to
>>> install a permanent intercept capability. It's not illegal to
>>> install one, just [currently] to operate it without warrants to
>>> extract content from communications.
>>
>> Isn't be covered by 2(2)(a), modification [..] "as to make some or all
>> of the contents of the communication available, while being
>> transmitted, to a person other than the sender or intended recipient
>> of the communication"?
>
> You have to modify *and* make it available. Just doing the modifying is
> entirely legal.
** Read the section again. It says modify _as to_ make available. It
doesn't say it's okay if nothing is actually sent - just the capability
to send some content is enough. **
We may be splitting hairs here. I'm assuming that the black box will be
looking at bytes somehow. and if the wire between the network and the
box transmits any content that's enough to make it available.
I suppose you could switch the black box off unless there is a warrant
in force, and the only data going down the wire to the black box is
content directly related to the warrant - or maybe comms data - but
somehow I don't think that's what the people who make "polite requests"
have in mind!
** If you send any content along the wire to the box, you are making it
available to the box, and you are therefore intercepting. If there isn't
a relevant warrant or Order in place, it's illegal, no matter who asks
you to do it. **
>
>> Are the bytes made available to GCHQ going to be somehow (?)
>> technically limited to comms data and not content by the ISPs/network
>> operators?
>
> That's another ancient question, and the technical answer I guess is
> "probably not", but see my remarks above about the volumes of data.
It could be done - but I agree, probably not. And as above, data volume
isn't a problem if you are just fishing for keywords.
>
>> Note that it's the bytes which are made available, rather than any
>> bytes which are actually looked at, which is the definition. I can't
>> see that happening, but maybe.
>
> No, "making available" doesn't mean saying "here, you can have these if
> you like". You actually have to *send* them.
>
>> Otherwise, putting a black box on the network will make all the bytes,
>> including content, available to GCHQ.
>
> Only if it's activated.
No, only if it has access to traffic. And besides, why put a black box
on the network in the first place if you aren't going to activate it?
That argument's a complete non-starter.
Perhaps if the ISPs only switch it on when a warrant has been issued,
and only send it the relevant data, or only send traffic data - but
afaict that isn't what a black box does.
>
>> And putting that black box in, unless you are required to do so by a
>> Statutory Order eg under s.12, is illegal interception.
>
> Not until it's activated. And the s12 order is a red herring. All it
> allows is the *capability*, it doesn't give the authorities carte
> blanche to intercept anything and everything without a warrant afterwards.
>
> That may be your fundamental misconception.
Eh? Apart from the activation non-issue, see above, I agree with the
previous paragraph!
>
>> Afaics there are no "if"s, "and"s or "but"s about it. GCHQ simply
>> promising to only look at comms data (unless they have a relevant
>> warrant) doesn't change anything, content is made available to them.
>
> If the probes are activated, then you would have to trust them to only
> use them to grab content when warrants were in place.
That doesn't make it legal.
If there is an order to install black boxes, fine, you have to trust GCHQ.
If not, trusting GCHQ isn't an issue - you have already modified the
network so as to made content available to them, and installing black
boxes is therefore illegal.
But you also need
> to trust them not to be illegally intercepting everyone's phone calls
> (especially the mobile ones) using other kinds of equipment they may
> have available.
>
>> There is a mechanism to change this state of affairs, in s.12, and it
>> involves Parliament itself, so I can't see any reasonable Court saying
>> otherwise.
>
> You misunderstand what s12 is all about.
I don't think so. It says the SOS can require something for interception
capability.
I may have misunderstood a part of it though, on re-reading it. S. 12(3)
says "the only steps that may be specified or described in a notice
given to a person under subsection (2) are steps appearing to the
Secretary of State to be necessary for securing that that person has the
practical capability of providing any assistance which he may be
required to provide in relation to relevant interception warrants."
I had taken that to include the fitting of black boxes with access to
content, to be switched on by GCHQ or whoever was implementing the
warrant, with GCHQ then being responsible for only looking at what is
legal. But perhaps I was wrong about that?
>
> Nevertheless, you might want to have a look at: "Regulation of
> Investigatory Powers (Maintenance of Interception Capability) Order .
> 2002" 2002/1931 which does seem to have gone through Parliament despite
> your earlier assertion that no such orders had been laid.
That doesn't cover black boxes, not even nearly.
I repeat:
** If you send any content along the wire to the "black box" you are
making it available to the box and whoever controls or has access to the
box, and you are therefore intercepting. If there isn't a relevant
warrant or Order in place, it's illegal, no matter who asks you
(politely) to do it. **
-- Peter Fairbrother