Mastering the Internet

Peter Fairbrother ukcrypto at chiark.greenend.org.uk
Wed, 06 May 2009 17:34:55 +0100


Ian Batten wrote:
> 
> On 06 May 09, at 1139, Charles Lindsey wrote:
> 
>> On Tue, 05 May 2009 21:19:47 +0100, Peter Fairbrother 
>> <zenadsl6186@zen.co.uk> wrote:
>>
>>> Sigh. Flows where? To GCHQ. or along the wire to the box?
>>>
>>> (hint - the answer is the second one. In the first case, even if the 
>>> box isn't switched on, it's still interception, as long as GCHQ 
>>> control the switch.)
>>
>> Exactly! That is the nub of the whole matter. If there exists some 
>> point in the system beyond which data does not flow unless some 
>> "switch" is set (and whether that is before, inside, or after the 
>> "black box" is just a matter of semantics), then the question is "who 
>> controls that switch?". If it is the ISP who opens it in response to a 
>> properly authorized request (whether for traffic data or full content, 
>> or whatever) then that is fine. If it is GCHQ, then it is 
>> interception, and hence illegal.
> 
> What about if it's GCHQ who opens it in response to a properly 
> authorized request? Or is it your contention that they cannot be 
> trusted no matter what governance is in place?

Can't speak for Charles, but that's not my contention, see below.

What I was talking about is what the law says about who controls the 
switch.

If GCHQ control the switch then the ISP has been making content 
available to them when they shouldn't - and whether or not GCHQ misuse 
the switch doesn't change that.

Look at it from GCHQ's pov - "I could get that traffic if I wanted to, 
just by flicking that switch - that traffic is available to me".

<i digress>

"availability" is seldom (if ever) an absolute however.

For instance, installing an interception capability changes GCHQ's 
position from "I can't get the data without tapping the fibres" to "I 
can't get the data unless I can get the ISP to flick the switch" - 
significantly easier, and I contend that the installation has made the 
data more available to them than it was, and the installation therefore 
was interception (but legal under s3(3)(b))

It's important to remember that when thinking about data availability 
structures. A small change can make a big difference to a single 
player's comparative availability, ie how hard it is for that player to 
get data.

This point doesn't seem to be well recognised in law - but law saying 
"Fish are Birds" is just words, it doesn't put wings on fish.

</i digress>



However it's also a good thing, from an infosec viewpoint, that the 
switch be controlled by the ISP. The ISP necessarily has the physical 
capability to access content, so they should control who else has access 
to it.

You have to trust the ISP to behave properly with your content - but you 
don't have to trust GCHQ, and as "trust" means something which can be 
broken, it's best not to include it in your system design.

This is just infosec 101 stuff, but many people don't seem to get it. 
Similarly with medical records - doctors generate the data, and you have 
to trust them with it. You don't have to trust the "spine". So who 
should control access to the records?


So my contention is that GCHQ should not be trusted - not because they 
are untrustworthy, but simply because there is no need to trust them!

> 
> Hint: there's only been one documented case of mass interception and 
> modification of traffic in the UK.  Was it carried out by (a) spooky 
> people from Cheltenham or (b) an ISP seeking additional advertising 
> revenue?  What makes you believe that ISPs are the ones wearing the 
> white hats?

Maybe that's because access to the data is, at present, physically in 
the control of the ISP, not GCHQ.




On another but related point, DPI looking for comms data under a s22 
order or authorisation - again it should be the ISPs who do it, not GCHQ, 
and for the same reason.

This is the sticking point - if the ISPs do it, and their inspection of 
data is limited to doing that sort of DPI for that sort of reason, I 
wouldn't find it any worse than requiring access to comms data of other 
types.

The problem however comes when "they" want records of all comms to be 
kept ... it's easy enough to do that sort of DPI in real time if you 
know eg a single subject's ISP and IP, but it gets real expensive when 
you have to DPI all the net's data looking for "hidden comms", and 
record the results, probably in a searchable way, to boot.

-- Peter Fairbrother