From zenadsl6186 at zen.co.uk Tue Jul 24 22:57:40 2012 From: zenadsl6186 at zen.co.uk (Peter Fairbrother) Date: Tue, 24 Jul 2012 22:57:40 +0100 Subject: sorry, but ... Message-ID: <500F1A54.4040204@zen.co.uk> First, I'd like to apologise again to Francis, whom I probably maligned. I got a bit hypoglycaemic, and didn't notice, and said something silly. Second, I'd like to apologise to you all, because I said I'd analyse the draft bill and comment and so on and I did not do so in timely fashion. That was just lazyness and other-busynesses, and should not have happened. Here's the but - suppose a black box is connected to a UK ISP's IP stream, and it's looking for traffic data in traffic that's to let's say the Facebook or Twitter or googlemail or WoW or Habbo sites. These are afaik all hosted in the US, but they have strong UK connections. Let's suppose both Alice and Bob are in the UK. Now suppose Alice sends Bob a message through facebook, or another US social media sites. The black box sees and finds the traffic data concerned with Alice's message, quite lawfully under the new bill - and the traffic data it sees tells it it's an , a message to a server outside the UK. Now suppose a SoS has signed a blanket warrant to allow the black-box-operating-agency, hereinafter BlackBoxHQ, to intercept all external communications (which he can do with a single stroke of the pen under RIPA 8(4)). BlackBoxHQ can see that Alice's message to Bob next door is in it's first step actually a message to a server in the US, and thus an external communication - and then BlackBoxHQ can look at Alice's message's _content_, not just it's traffic data. This applies to all of Alice's messages sent through any non-UK website, like Facebook or Twitter or googlemail or WoW or Habbo or.. More, it will be very easy for them to look at this content, as they already have the raw IP stream to look at. BTW there's also RIPA 4)1) for the truly sceptical .. -- Peter F From zenadsl6186 at zen.co.uk Tue Jul 24 23:35:33 2012 From: zenadsl6186 at zen.co.uk (Peter Fairbrother) Date: Tue, 24 Jul 2012 23:35:33 +0100 Subject: sorry, but ... In-Reply-To: <500F1A54.4040204@zen.co.uk> References: <500F1A54.4040204@zen.co.uk> Message-ID: <500F2335.7090602@zen.co.uk> Ooops, sent too soon.. this is a better version .. sorry again, - Peter On 24/07/12 22:57, Peter Fairbrother wrote: > First, I'd like to apologise again to Francis, whom I probably maligned. > I got a bit hypoglycaemic, and didn't notice, and said something silly. > > > Second, I'd like to apologise to you all, because I said I'd analyse the > draft bill and comment and so on and I did not do so in timely fashion. > That was just lazyness and other-busynesses, and should not have happened. > > > > Here's the but - suppose a black box is connected to a UK ISP's IP > stream, and it's looking for traffic data in traffic that's to let's say > the Facebook or Twitter or googlemail or WoW or Habbo sites. > > These are afaik all hosted in the US, but they have strong UK connections. > > Let's suppose both Alice and Bob are in the UK. Now suppose Alice sends > Bob a message through facebook, or another of the US social media sites. > > > > The black box sees and finds the traffic data concerned with Alice's > message, quite lawfully under the new bill - and the traffic data it > sees tells it it's an external communication, a message to a server outside the UK. > > Now suppose a SoS has signed a blanket warrant to allow the > black-box-operating-agency, hereinafter BlackBoxHQ, to intercept all > external communications (which he can do with a single stroke of the pen > under RIPA 8(4)). > > BlackBoxHQ can see that Alice's message to Bob next door is in it's > first step actually a message to a server in the US, and thus an > external communication - and then BlackBoxHQ can look at Alice's > message's _content_, not just it's traffic data. > > This applies to all of Alice's messages sent through any non-UK website, > like Facebook or Twitter or googlemail or WoW or Habbo or.. > > > More, it will be very easy for them to look at this content, as they > already have the raw IP stream to look at. > > > > > BTW there's also RIPA 4)1) for the truly sceptical .. > > > -- Peter F > > > From tharg at gmx.net Wed Jul 25 09:03:08 2012 From: tharg at gmx.net (Caspar Bowden (travelling)) Date: Wed, 25 Jul 2012 10:03:08 +0200 Subject: sorry, but ... In-Reply-To: <500F2335.7090602@zen.co.uk> References: <500F1A54.4040204@zen.co.uk> <500F2335.7090602@zen.co.uk> Message-ID: <500FA83C.2070209@gmx.net> Hi Peter On 07/25/2012 12:35 AM, Peter Fairbrother wrote: >> stream, and it's looking for traffic data in traffic that's to let's say >> the Facebook or Twitter or googlemail or WoW or Habbo sites. (AFAIK Facebook say they fall under Irish jurisdiction for their EU users w.r.t DP law at least) >> These are afaik all hosted in the US, but they have strong UK >> connections. >> >> Let's suppose both Alice and Bob are in the UK. Now suppose Alice sends >> Bob a message through facebook, or another of the US social media sites. >> >> The black box sees and finds the traffic data concerned with Alice's >> message, quite lawfully under the new bill - and the traffic data it >> sees tells it it's an external communication, a message to a server >> outside the UK. AFAIK the last word (but grateful for any later ref) we have on HMG's understanding is from 4th July 2000 (this was in response to FIPR probing amendments about the new "domestic trawling" warrant in S.16(3), misleadingly placed in a section called "Safeguards"). In theory, what defines internal/external is whether the communication (at whatever protocol level) is "received" in the UK (rather than where a server is located), but in practice this doesn't matter http://www.fipr.org/rip/Bassam%20reply%20to%20Phillips%20on%20S.15.3.htm/ (worth reading whole thing and context at http://www.fipr.org/rip/#Overlapping) How do 8(3) and 15(3) interlock with clause 5(6)?/ <<>>_ >> Now suppose a SoS has signed a blanket warrant to allow the >> black-box-operating-agency, hereinafter BlackBoxHQ, to intercept all >> external communications (which he can do with a single stroke of the pen >> under RIPA 8(4)). >> >> BlackBoxHQ can see that Alice's message to Bob next door is in it's >> first step actually a message to a server in the US, and thus an >> external communication - and then BlackBoxHQ can look at Alice's >> message's _content_, not just it's traffic data. Yes, but FWIW (from Bassam letter) <<>> (original is italicized) This was the most arcane controversy of RIPA (apart from Pt.3) and it proved impossible to get media interest. But given the IoCC has never commented on certificated warrants since the first report after IoCA, we have no idea how diligent he may be at ensuring that nobody is "seeking" to catch internal communications in this way. There is a nastier legal problem, which I call "how do they know there is a pearl inside the oyster, unless they have already looked inside" - this is (badly) explained in the briefing notes at /http://www.fipr.org/rip/#Overlapping. /It seemed to me the first IoCC fudged this point in his invention of "overlapping warrants", and it has never been cleared up or referred to publicly since. It is almost exactly analogous to the issue that later created the tremendous furore in US about "warrantless wiretapping", with the difference that US law protects its own citizens categorically by nationality (which was tougher to wriggle out of - until 2007/8 - than internal/external distinction). There is some kind of irony (not sure what kind) that Bassam's note was written on (US) Independence Day ;-) Caspar / / -------------- next part -------------- An HTML attachment was scrubbed... URL: From lists at internetpolicyagency.com Wed Jul 25 09:50:36 2012 From: lists at internetpolicyagency.com (Roland Perry) Date: Wed, 25 Jul 2012 09:50:36 +0100 Subject: sorry, but ... In-Reply-To: <500FA83C.2070209@gmx.net> References: <500F1A54.4040204@zen.co.uk> <500F2335.7090602@zen.co.uk> <500FA83C.2070209@gmx.net> Message-ID: In article <500FA83C.2070209 at gmx.net>, "Caspar Bowden (travelling)" writes >>> stream, and it's looking for traffic data in traffic that's to let's say >>> the Facebook or Twitter or googlemail or WoW or Habbo sites. > >(AFAIK Facebook say they fall under Irish jurisdiction for their EU >users w.r.t DP law at least) > >>> These are afaik all hosted in the US, but they have strong UK >>>connections. >>> >>> Let's suppose both Alice and Bob are in the UK. Now suppose Alice sends >>> Bob a message through facebook, or another of the US social media sites. >>> >>> The black box sees and finds the traffic data concerned with Alice's >>> message, quite lawfully under the new bill - and the traffic data it >>> sees tells it it's an external communication, a message to a server >>>outside the UK. > >AFAIK the last word (but grateful for any later ref) we have on HMG's >understanding is from 4th July 2000 (this was in response to FIPR >probing amendments about the new "domestic trawling" warrant in >S.16(3), misleadingly placed in a section called "Safeguards"). > >In theory, what defines internal/external is whether the communication >(at whatever protocol level) is "received" in the UK (rather than where >a server is located), but in practice this doesn't matter One of the things that was never fully explored during RIPA (although I wrote several notes on the subject) is what the status of "one to many" communications is. If I post something to a social networking site (for the sake of argument, unambiguously hosted in USA), who is the recipient of that message? It might be the social networking site, or it might be all my friends/ followers who asked to be immediately and automatically copied, then there are the people who visit the site later. I don't have an answer, just reminding us that it's a complex situation... ps Am I right in saying that the proposed law voids one of the Data Retention Directive's alleged 'shortcomings' [although opinions vary] in that it only applies to classic POP3/SMTP/IMAP/etc email, and not to pages of HTML which happen to contain text from one person to another (eg webmail, but also the IM and 'status update' features of social networking are delivered both ways by HTML). -- Roland Perry From igb at batten.eu.org Wed Jul 25 12:23:57 2012 From: igb at batten.eu.org (Ian Batten) Date: Wed, 25 Jul 2012 12:23:57 +0100 Subject: sorry, but ... In-Reply-To: References: <500F1A54.4040204@zen.co.uk> <500F2335.7090602@zen.co.uk> <500FA83C.2070209@gmx.net> Message-ID: <59511923-50FC-416E-8DCD-3234C2EA8D0F@batten.eu.org> On 25 Jul 2012, at 09:50, Roland Perry wrote: > ps Am I right in saying that the proposed law voids one of the Data Retention Directive's alleged 'shortcomings' [although opinions vary] in that it only applies to classic POP3/SMTP/IMAP/etc email, and not to pages of HTML which happen to contain text from one person to another (eg webmail, but also the IM and 'status update' features of social networking are delivered both ways by HTML). My impression is that not only is that an effect of the draft legislation, it's one of the main intents. You can look at an SMTP/POP3/IMAP exchange and easily distinguish between traffic data and content in a deterministic way (assuming envelope is traffic, body is content and headers are one or the other). But for webmail, there's an HTTP session taking place which contains no useful data at all, and then the content of the HTTP session is envelope, header and body mixed together in arbitrary ways. Being able to get at the traffic data aspects of a webmail service or other web-based communications system without requiring a home secretary warrant seems the main purpose of the legislation. ian From zenadsl6186 at zen.co.uk Wed Jul 25 13:36:59 2012 From: zenadsl6186 at zen.co.uk (Peter Fairbrother) Date: Wed, 25 Jul 2012 13:36:59 +0100 Subject: sorry, but ... In-Reply-To: <500FA83C.2070209@gmx.net> References: <500F1A54.4040204@zen.co.uk> <500F2335.7090602@zen.co.uk> <500FA83C.2070209@gmx.net> Message-ID: <500FE86B.4010308@zen.co.uk> Hi Caspar, long time no see. On 25/07/12 09:03, Caspar Bowden (travelling) wrote: > > Hi Peter > > On 07/25/2012 12:35 AM, Peter Fairbrother wrote: >>> stream, and it's looking for traffic data in traffic that's to let's say >>> the Facebook or Twitter or googlemail or WoW or Habbo sites. > > (AFAIK Facebook say they fall under Irish jurisdiction for their EU > users w.r.t DP law at least) > >>> These are afaik all hosted in the US, but they have strong UK >>> connections. >>> >>> Let's suppose both Alice and Bob are in the UK. Now suppose Alice sends >>> Bob a message through facebook, or another of the US social media sites. >>> >>> The black box sees and finds the traffic data concerned with Alice's >>> message, quite lawfully under the new bill - and the traffic data it >>> sees tells it it's an external communication, a message to a server >>> outside the UK. > > AFAIK the last word (but grateful for any later ref) we have on HMG's > understanding is from 4th July 2000 (this was in response to FIPR > probing amendments about the new "domestic trawling" warrant in S.16(3), > misleadingly placed in a section called "Safeguards"). > In theory, what defines internal/external is whether the communication > (at whatever protocol level) is "received" in the UK (rather than where > a server is located), but in practice this doesn't matter Could you say why it doesn't matter? That's not clear to me. Thx. > > http://www.fipr.org/rip/Bassam%20reply%20to%20Phillips%20on%20S.15.3.htm/ > (worth reading whole thing and context at > http://www.fipr.org/rip/#Overlapping) Lord Bassam: I confirm what I said in the House, that a communication from one point in the British Islands to another point in the British Islands is 'internal' even if its route takes it outside the British Islands. [...] and Lord Bassam: > Communications that originate and are received in the UK are always > "internal"; So says Lord Bassam. But I very much doubt that he had Facebook in mind when he said that, so even if he was correct (he wasn't[1]), or if what he said had any legal significance because he said it, it doesn't apply to the Facebook situation. And so as ever we are left with the plain wording of the law: RIPA S.20: ?external communication? means a communication sent or received outside the British Islands; When Alice sends her message to Bob via Facebook in Eire, is her communication received by Facebook? I'd say it was, and I can't see a dozen Judges disagreeing. She might for instance be sending it to Facebook so Bob and Chas could see it, or all her friends could see it - does it make any difference if only one person can see it ? Note this situation is different to an IP packet passing through a third country - it is harder to say then that the communication is received by the router (although the packet obviously is). If she is sending her communication to Facebook then it's an external communication, and it can be intercepted, including content, under an 8(4) warrant. So what can "they" do under an 8(4) warrant? They can look for keywords, they can look at it all - about the only thing they can't do is sort through it for communications to or from a particular person. Except of course they can do that too, if the SoS signs a RIPA S,16(3) certificate which allows it. That certificate can apply to an individual, to some individuals who fit a particular description, to groups, or the whole population - there is no limitation to the number of people named or described in the certificate. (neither is there a limit to the duration of a 16(3) certificate. Also, the certificate which turns an ordinary warrant into a S.8(4) warrant does not have a limited life either. The warrant does, but the certificate does not. How many SoS's have we had since 2000? It would only take two signatures from any one of them... ) > as is well known, some of these will go abroad en route and > so be carried on primarily external trunks. It is _not possible to > intercept the external communications on the trunk without intercepting > the internal communications as well.>>>_ > > >>> Now suppose a SoS has signed a blanket warrant to allow the >>> black-box-operating-agency, hereinafter BlackBoxHQ, to intercept all >>> external communications (which he can do with a single stroke of the pen >>> under RIPA 8(4)). >>> >>> BlackBoxHQ can see that Alice's message to Bob next door is in it's >>> first step actually a message to a server in the US, and thus an >>> external communication - and then BlackBoxHQ can look at Alice's >>> message's _content_, not just it's traffic data. > > Yes, but FWIW (from Bassam letter) > > << communications that fit the descriptions in the certificate. It is > therefore not likely to catch many internal communications. It would of > course be unlawful to /seek/ to catch internal communications in the > absence of an overlapping warrant or a certificate complying with clause > 15(3).>>> > (original is italicized) > > This was the most arcane controversy of RIPA (apart from Pt.3) and it > proved impossible to get media interest. But given the IoCC has never > commented on certificated warrants since the first report after IoCA, we > have no idea how diligent he may be at ensuring that nobody is "seeking" > to catch internal communications in this way. I think you are missing my point. What Bassam is talking about here is whether internal communications get swept up in a search for external communications. The issue I was addressing is intercepting external communications, and Lord Bassam's words are not relevant to that - he simply assumes it's ok. > > There is a nastier legal problem, which I call "how do they know there > is a pearl inside the oyster, unless they have already looked inside" - > this is (badly) explained in the briefing notes at > /http://www.fipr.org/rip/#Overlapping. Yes, that's confusing and sometimes wrong. /It seemed to me the first IoCC > fudged this point in his invention of "overlapping warrants", and it has > never been cleared up or referred to publicly since. I don't think they have them anymore? The grounds for a certifying a warrant are much broader now - so broad that any restrictions they might impose are almost meaningless. They also have S. 16(3) certificates instead if they want to target individuals, or groups (or everybody, if they want). So I don't think they need them anymore either. -- Peter [1] an email is sent to two people, one in the UK, one abroad. The traffic from the sender to the mail server is a single communication. It is external because it is received by person two abroad, even though it is received by person one in the UK - however it "originated and will be received in the UK" and should therefore be internal according to LB. There are several other circumstances where the statement "Communications that originate and are received in the UK are always "internal" would be just plain wrong, and inconsistent with the definition ?external communication? means a communication sent or received outside the British Islands; - unless of course when he uses "internal" he means something other than "not external", the apparently relevent definition. It is almost > exactly analogous to the issue that later created the tremendous furore > in US about "warrantless wiretapping", with the difference that US law > protects its own citizens categorically by nationality (which was > tougher to wriggle out of - until 2007/8 - than internal/external > distinction). There is some kind of irony (not sure what kind) that > Bassam's note was written on (US) Independence Day ;-) > > Caspar > > / > > / From tharg at gmx.net Wed Jul 25 17:45:38 2012 From: tharg at gmx.net (Caspar Bowden (travelling)) Date: Wed, 25 Jul 2012 18:45:38 +0200 Subject: sorry, but ... In-Reply-To: <500FE86B.4010308@zen.co.uk> References: <500F1A54.4040204@zen.co.uk> <500F2335.7090602@zen.co.uk> <500FA83C.2070209@gmx.net> <500FE86B.4010308@zen.co.uk> Message-ID: <501022B2.3070700@gmx.net> Hi Peter 'fraid don't have time to answer all these points, but one of the main points of the probing amendments on 16(3) was to establish if they were intended to make Overlapping warrants obsolete. The answer in Bassam's letter was an unequivocal "no". I don't think Facebook raises any new points of principle regarding interpretation of external/internal, than posting messages to a offshore bulletin-board system with a open or closed membership. How the interpretation works we don't know (one of the main drawbacks of having all of this adjudicated inside the head of a single Commissioner - who have not seen fit to discuss publicly in 26 years) when I said "it doesn't matter", I just meant that Bassam letter makes it clear that internal communications "inadvertently" intercepted under an external warrant do not break the law. Caspar On 07/25/2012 02:36 PM, Peter Fairbrother wrote: > Hi Caspar, long time no see. > > On 25/07/12 09:03, Caspar Bowden (travelling) wrote: >> >> Hi Peter >> >> On 07/25/2012 12:35 AM, Peter Fairbrother wrote: >>>> stream, and it's looking for traffic data in traffic that's to >>>> let's say >>>> the Facebook or Twitter or googlemail or WoW or Habbo sites. >> >> (AFAIK Facebook say they fall under Irish jurisdiction for their EU >> users w.r.t DP law at least) >> >>>> These are afaik all hosted in the US, but they have strong UK >>>> connections. >>>> >>>> Let's suppose both Alice and Bob are in the UK. Now suppose Alice >>>> sends >>>> Bob a message through facebook, or another of the US social media >>>> sites. >>>> >>>> The black box sees and finds the traffic data concerned with Alice's >>>> message, quite lawfully under the new bill - and the traffic data it >>>> sees tells it it's an external communication, a message to a server >>>> outside the UK. >> >> AFAIK the last word (but grateful for any later ref) we have on HMG's >> understanding is from 4th July 2000 (this was in response to FIPR >> probing amendments about the new "domestic trawling" warrant in S.16(3), >> misleadingly placed in a section called "Safeguards"). > >> In theory, what defines internal/external is whether the communication >> (at whatever protocol level) is "received" in the UK (rather than where >> a server is located), but in practice this doesn't matter > > > Could you say why it doesn't matter? That's not clear to me. Thx. >> >> http://www.fipr.org/rip/Bassam%20reply%20to%20Phillips%20on%20S.15.3.htm/ >> >> (worth reading whole thing and context at >> http://www.fipr.org/rip/#Overlapping) > > Lord Bassam: > I confirm what I said in the House, that a communication from one > point in the British Islands to another point in the British Islands > is 'internal' even if its route takes it outside the British Islands. > > [...] > > and > Lord Bassam: >> Communications that originate and are received in the UK are always >> "internal"; > > So says Lord Bassam. But I very much doubt that he had Facebook in > mind when he said that, so even if he was correct (he wasn't[1]), or > if what he said had any legal significance because he said it, it > doesn't apply to the Facebook situation. > > And so as ever we are left with the plain wording of the law: > > RIPA S.20: ?external communication? means a communication sent or > received outside the British Islands; > > When Alice sends her message to Bob via Facebook in Eire, is her > communication received by Facebook? > > I'd say it was, and I can't see a dozen Judges disagreeing. > > She might for instance be sending it to Facebook so Bob and Chas could > see it, or all her friends could see it - does it make any difference > if only one person can see it ? > > > Note this situation is different to an IP packet passing through a > third country - it is harder to say then that the communication is > received by the router (although the packet obviously is). > > If she is sending her communication to Facebook then it's an external > communication, and it can be intercepted, including content, under an > 8(4) warrant. > > > So what can "they" do under an 8(4) warrant? They can look for > keywords, they can look at it all - about the only thing they can't do > is sort through it for communications to or from a particular person. > > Except of course they can do that too, if the SoS signs a RIPA S,16(3) > certificate which allows it. That certificate can apply to an > individual, to some individuals who fit a particular description, to > groups, or the whole population - there is no limitation to the number > of people named or described in the certificate. > > (neither is there a limit to the duration of a 16(3) certificate. > Also, the certificate which turns an ordinary warrant into a S.8(4) > warrant does not have a limited life either. The warrant does, but the > certificate does not. How many SoS's have we had since 2000? It would > only take two signatures from any one of them... ) > > >> as is well known, some of these will go abroad en route and >> so be carried on primarily external trunks. It is _not possible to >> intercept the external communications on the trunk without intercepting >> the internal communications as well.>>>_ >> >> >>>> Now suppose a SoS has signed a blanket warrant to allow the >>>> black-box-operating-agency, hereinafter BlackBoxHQ, to intercept all >>>> external communications (which he can do with a single stroke of >>>> the pen >>>> under RIPA 8(4)). >>>> >>>> BlackBoxHQ can see that Alice's message to Bob next door is in it's >>>> first step actually a message to a server in the US, and thus an >>>> external communication - and then BlackBoxHQ can look at Alice's >>>> message's _content_, not just it's traffic data. >> >> Yes, but FWIW (from Bassam letter) >> >> <<> communications that fit the descriptions in the certificate. It is >> therefore not likely to catch many internal communications. It would of >> course be unlawful to /seek/ to catch internal communications in the >> absence of an overlapping warrant or a certificate complying with clause >> 15(3).>>> >> (original is italicized) >> >> This was the most arcane controversy of RIPA (apart from Pt.3) and it >> proved impossible to get media interest. But given the IoCC has never >> commented on certificated warrants since the first report after IoCA, we >> have no idea how diligent he may be at ensuring that nobody is "seeking" >> to catch internal communications in this way. > > > I think you are missing my point. What Bassam is talking about here is > whether internal communications get swept up in a search for external > communications. > > The issue I was addressing is intercepting external communications, > and Lord Bassam's words are not relevant to that - he simply assumes > it's ok. > >> >> There is a nastier legal problem, which I call "how do they know there >> is a pearl inside the oyster, unless they have already looked inside" - >> this is (badly) explained in the briefing notes at >> /http://www.fipr.org/rip/#Overlapping. > > Yes, that's confusing and sometimes wrong. > > /It seemed to me the first IoCC >> fudged this point in his invention of "overlapping warrants", and it has >> never been cleared up or referred to publicly since. > > I don't think they have them anymore? > > The grounds for a certifying a warrant are much broader now - so broad > that any restrictions they might impose are almost meaningless. > > They also have S. 16(3) certificates instead if they want to target > individuals, or groups (or everybody, if they want). > > So I don't think they need them anymore either. > > > -- Peter > > [1] an email is sent to two people, one in the UK, one abroad. The > traffic from the sender to the mail server is a single communication. > It is external because it is received by person two abroad, even > though it is received by person one in the UK - however it "originated > and will be received in the UK" and should therefore be internal > according to LB. > > There are several other circumstances where the statement > "Communications that originate and are received in the UK are always > "internal" would be just plain wrong, and inconsistent with the > definition ?external communication? means a communication sent or > received outside the British Islands; - unless of course when he uses > "internal" he means something other than "not external", the > apparently relevent definition. > > It is almost >> exactly analogous to the issue that later created the tremendous furore >> in US about "warrantless wiretapping", with the difference that US law >> protects its own citizens categorically by nationality (which was >> tougher to wriggle out of - until 2007/8 - than internal/external >> distinction). There is some kind of irony (not sure what kind) that >> Bassam's note was written on (US) Independence Day ;-) >> >> Caspar >> >> / >> >> / > > > > From lists at internetpolicyagency.com Wed Jul 25 19:18:56 2012 From: lists at internetpolicyagency.com (Roland Perry) Date: Wed, 25 Jul 2012 19:18:56 +0100 Subject: sorry, but ... In-Reply-To: <59511923-50FC-416E-8DCD-3234C2EA8D0F@batten.eu.org> References: <500F1A54.4040204@zen.co.uk> <500F2335.7090602@zen.co.uk> <500FA83C.2070209@gmx.net> <59511923-50FC-416E-8DCD-3234C2EA8D0F@batten.eu.org> Message-ID: In article <59511923-50FC-416E-8DCD-3234C2EA8D0F at batten.eu.org>, Ian Batten writes >for webmail, there's an HTTP session taking place which contains no useful data at all It says I read my email, which is about as much (ie as little) as a typical POP3 log says. -- Roland Perry From Andrew.Cormack at ja.net Wed Jul 25 17:13:57 2012 From: Andrew.Cormack at ja.net (Andrew Cormack) Date: Wed, 25 Jul 2012 16:13:57 +0000 Subject: non-interception (was RE: sorry, but ...) In-Reply-To: <59511923-50FC-416E-8DCD-3234C2EA8D0F@batten.eu.org> References: <500F1A54.4040204@zen.co.uk> <500F2335.7090602@zen.co.uk> <500FA83C.2070209@gmx.net> <59511923-50FC-416E-8DCD-3234C2EA8D0F@batten.eu.org> Message-ID: <61E52F3A5532BE43B0211254F13883AE09FA469C@EXC001> > -----Original Message----- > From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto- > bounces at chiark.greenend.org.uk] On Behalf Of Ian Batten > Sent: 25 July 2012 12:24 > To: UK Cryptography Policy Discussion Group > Subject: Re: sorry, but ... > > > On 25 Jul 2012, at 09:50, Roland Perry wrote: > > > ps Am I right in saying that the proposed law voids one of the Data > Retention Directive's alleged 'shortcomings' [although opinions vary] > in that it only applies to classic POP3/SMTP/IMAP/etc email, and not to > pages of HTML which happen to contain text from one person to another > (eg webmail, but also the IM and 'status update' features of social > networking are delivered both ways by HTML). > > My impression is that not only is that an effect of the draft > legislation, it's one of the main intents. You can look at an > SMTP/POP3/IMAP exchange and easily distinguish between traffic data and > content in a deterministic way (assuming envelope is traffic, body is > content and headers are one or the other). But for webmail, there's an > HTTP session taking place which contains no useful data at all, and > then the content of the HTTP session is envelope, header and body mixed > together in arbitrary ways. Being able to get at the traffic data > aspects of a webmail service or other web-based communications system > without requiring a home secretary warrant seems the main purpose of > the legislation. > > ian I'm exploring the analogy that the new law would allow someone to sit in a pub, listen to all conversations, but only remember phrases similar to "I phoned Fred yesterday", "when did you phone Fred?"/"yesterday", etc. Does that work? Andrew From lists at internetpolicyagency.com Thu Jul 26 06:31:55 2012 From: lists at internetpolicyagency.com (Roland Perry) Date: Thu, 26 Jul 2012 06:31:55 +0100 Subject: non-interception (was RE: sorry, but ...) In-Reply-To: <61E52F3A5532BE43B0211254F13883AE09FA469C@EXC001> References: <500F1A54.4040204@zen.co.uk> <500F2335.7090602@zen.co.uk> <500FA83C.2070209@gmx.net> <59511923-50FC-416E-8DCD-3234C2EA8D0F@batten.eu.org> <61E52F3A5532BE43B0211254F13883AE09FA469C@EXC001> Message-ID: In article <61E52F3A5532BE43B0211254F13883AE09FA469C at EXC001>, Andrew Cormack writes >>Being able to get at the traffic data >> aspects of a webmail service or other web-based communications system >> without requiring a home secretary warrant seems the main purpose of >> the legislation. > >I'm exploring the analogy that the new law would allow someone to sit in a pub, listen to all conversations, but only remember phrases similar >to "I phoned Fred yesterday", "when did you phone Fred?"/"yesterday", etc. Does that work? There could be some location (address) information too. Like overhearing: Caller: Hello. Recipient: Where are you. Caller: I'm on the train. Which might be two bits of content and one bit of traffic data. Of course, if the caller is actually in the pub, he might still diplomatically have said "on the train"! -- Roland Perry From Andrew.Cormack at ja.net Thu Jul 26 09:21:09 2012 From: Andrew.Cormack at ja.net (Andrew Cormack) Date: Thu, 26 Jul 2012 08:21:09 +0000 Subject: non-interception (was RE: sorry, but ...) In-Reply-To: References: <500F1A54.4040204@zen.co.uk> <500F2335.7090602@zen.co.uk> <500FA83C.2070209@gmx.net> <59511923-50FC-416E-8DCD-3234C2EA8D0F@batten.eu.org> <61E52F3A5532BE43B0211254F13883AE09FA469C@EXC001> Message-ID: <61E52F3A5532BE43B0211254F13883AE09FA48B2@EXC001> > -----Original Message----- > From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto- > bounces at chiark.greenend.org.uk] On Behalf Of Roland Perry > Sent: 26 July 2012 06:32 > To: ukcrypto at chiark.greenend.org.uk > Subject: Re: non-interception (was RE: sorry, but ...) > > In article <61E52F3A5532BE43B0211254F13883AE09FA469C at EXC001>, Andrew > Cormack writes > >>Being able to get at the traffic data > >> aspects of a webmail service or other web-based communications > system > >> without requiring a home secretary warrant seems the main purpose of > >> the legislation. > > > >I'm exploring the analogy that the new law would allow someone to sit > in a pub, listen to all conversations, but only remember phrases > similar > >to "I phoned Fred yesterday", "when did you phone Fred?"/"yesterday", > etc. Does that work? > > There could be some location (address) information too. Like > overhearing: > > Caller: Hello. > Recipient: Where are you. > Caller: I'm on the train. > > Which might be two bits of content and one bit of traffic data. Agreed. > Of course, if the caller is actually in the pub, he might still > diplomatically have said "on the train"! IIRC the law says "identifies, or purports to identify, the location" ;-) Andrew > -- > Roland Perry From chl at clerew.man.ac.uk Thu Jul 26 12:54:01 2012 From: chl at clerew.man.ac.uk (Charles Lindsey) Date: Thu, 26 Jul 2012 12:54:01 +0100 Subject: sorry, but ... In-Reply-To: <500FE86B.4010308@zen.co.uk> References: <500F1A54.4040204@zen.co.uk> <500F2335.7090602@zen.co.uk> <500FA83C.2070209@gmx.net> <500FE86B.4010308@zen.co.uk> Message-ID: On Wed, 25 Jul 2012 13:36:59 +0100, Peter Fairbrother wrote: > > And so as ever we are left with the plain wording of the law: > > RIPA S.20: ?external communication? means a communication sent or > received outside the British Islands; > > When Alice sends her message to Bob via Facebook in Eire, is her > communication received by Facebook? > If Alice's Facebook account is setup so that all the world can see her messages, then there is no issue, because Law Enforcement officers are a subset of "all the world", and they can just "look". If, as is more likely, only Alice's "friends" can see them, then Facebook have set up a communication system that allows messages to be sent from Alice to those Friends (whether or not the Friends need to log on to Facebook in order to read them). Thus Facebook is providing "mere conduit" as well as storage facilities accessible only by Alice + Friends. Now if all the Friends are situated in the UK, then any message is inevitably both 'sent' and 'received' within the UK, and is therefore internal, since it seems to be agreed that a server, wherever located, which provides mere conduit, or temporary buffering/storage to facilitate such conduit, is itself neither a sender nor a receiver. Now if one of Alice's friends (say Bob) happens to reside outside the UK, then things might get more interesting, since every message is potentially from Alice to Bob (but what if Bob never actually bothers to read it). -- Charles?H.?Lindsey?---------At?Home,?doing?my?own?thing------------------------ Tel:?+44?161?436?6131? ???Web:?http://www.cs.man.ac.uk/~chl Email:?chl at clerew.man.ac.uk??????Snail:?5?Clerewood?Ave,?CHEADLE,?SK8?3JU,?U.K. PGP:?2C15F1A9??????Fingerprint:?73?6D?C2?51?93?A0?01?E7?65?E8?64?7E?14?A4?AB?A5 From lists at internetpolicyagency.com Thu Jul 26 14:10:41 2012 From: lists at internetpolicyagency.com (Roland Perry) Date: Thu, 26 Jul 2012 14:10:41 +0100 Subject: sorry, but ... In-Reply-To: References: <500F1A54.4040204@zen.co.uk> <500F2335.7090602@zen.co.uk> <500FA83C.2070209@gmx.net> <500FE86B.4010308@zen.co.uk> Message-ID: In article , Charles Lindsey writes >If Alice's Facebook account is setup so that all the world can see her >messages, then there is no issue, because Law Enforcement officers are >a subset of "all the world", and they can just "look". > >If, as is more likely, only Alice's "friends" can see them, then >Facebook have set up a communication system that allows messages to be >sent from Alice to those Friends (whether or not the Friends need to >log on to Facebook in order to read them). Thus Facebook is providing >"mere conduit" as well as storage facilities accessible only by Alice >+ Friends. > >Now if all the Friends are situated in the UK A huge assumption. My Facebook friends are literally all over the world. Even someone with a UK-based work life is quite likely to have at least one relative abroad. >, then any message is inevitably both 'sent' and 'received' within the >UK, and is therefore internal, since it seems to be agreed that a >server, wherever located, which provides mere conduit, or temporary >buffering/storage to facilitate such conduit, is itself neither a >sender nor a receiver. > >Now if one of Alice's friends (say Bob) happens to reside outside the >UK, then things might get more interesting, since every message is >potentially from Alice to Bob (but what if Bob never actually bothers >to read it). Bob may have an email alert, which means he'll get sent the message whether he wants it or not. Similarly, if Bob has a Tweetdeck account linked to his Facebook, he'll be "pushed" many of the postings that way. This is all far to technology specific to be of use making law, however. You simply have to assume that there will be a Bob, and he will get the message. -- Roland Perry From pwt at iosis.co.uk Thu Jul 26 15:40:54 2012 From: pwt at iosis.co.uk (Peter Tomlinson) Date: Thu, 26 Jul 2012 15:40:54 +0100 Subject: sorry, but ... In-Reply-To: References: <500F1A54.4040204@zen.co.uk> <500F2335.7090602@zen.co.uk><500FA83C.2070209@gmx.net> <500FE86B.4010308@zen.co.uk> Message-ID: <501156F6.1050400@iosis.co.uk> On 26/07/2012 14:10, Roland Perry wrote: > > A huge assumption. My Facebook friends are literally all over the > world. Even someone with a UK-based work life is quite likely to have > at least one relative abroad. > I nearly wrote something including that I have only one known relative abroad, and she's a recluse... (But then remembered that a diligent distant cousin living in the UK, with the help of another relative abroad, has found a lot but mostly deceased). Anyway I'm no fan of those social internet networks whose owners' main aim is to make money (or share value). Then I read in Roland's posting: > This is all far too technology specific to be of use making law, > however. You simply have to assume that there will be a Bob [who is > outside the UK], and he will get the message. (I have inferred that in context Bob is outside the UK.) So its a connected world where the connections are mostly not visible to the sender, and one hopes that our legislators wake up to that. Physical world analogue: if I send a letter by Royal Mail, I don't routinely know if the intended recipient gets it, and I assume that the Law Enforcement officers can look at it if they have just cause. Peter From lists at internetpolicyagency.com Thu Jul 26 17:41:32 2012 From: lists at internetpolicyagency.com (Roland Perry) Date: Thu, 26 Jul 2012 17:41:32 +0100 Subject: sorry, but ... In-Reply-To: <501156F6.1050400@iosis.co.uk> References: <500F1A54.4040204@zen.co.uk> <500F2335.7090602@zen.co.uk> <500FA83C.2070209@gmx.net> <500FE86B.4010308@zen.co.uk> <501156F6.1050400@iosis.co.uk> Message-ID: In article <501156F6.1050400 at iosis.co.uk>, Peter Tomlinson writes >> This is all far too technology specific to be of use making law, >>however. You simply have to assume that there will be a Bob [who is >>outside the UK], and he will get the message. >(I have inferred that in context Bob is outside the UK.) Indeed, sorry I didn't make that clear. >So its a connected world where the connections are mostly not visible >to the sender, and one hopes that our legislators wake up to that. > >Physical world analogue: if I send a letter by Royal Mail, I don't >routinely know if the intended recipient gets it, and I assume that the >Law Enforcement officers can look at it if they have just cause. What's important is whether they are looking at just the outside, or what's inside the envelope (the latter being a whole lot more difficult to do legally for both mail and email). -- Roland Perry From alec.muffett at gmail.com Thu Jul 26 17:59:06 2012 From: alec.muffett at gmail.com (Alec Muffett) Date: Thu, 26 Jul 2012 17:59:06 +0100 Subject: Tesco Barcode Amusement. Message-ID: http://dropsafe.crypticide.com/article/7778 -a From pwt at iosis.co.uk Thu Jul 26 18:14:34 2012 From: pwt at iosis.co.uk (Peter Tomlinson) Date: Thu, 26 Jul 2012 18:14:34 +0100 Subject: sorry, but ... In-Reply-To: References: <500F1A54.4040204@zen.co.uk> <500F2335.7090602@zen.co.uk><500FA83C.2070209@gmx.net> <500FE86B.4010308@zen.co.uk> <501156F6.1050400@iosis.co.uk> Message-ID: <50117AFA.2010107@iosis.co.uk> On 26/07/2012 17:41, Roland Perry wrote: > In article <501156F6.1050400 at iosis.co.uk>, Peter Tomlinson > writes > >> So its a connected world where the connections are mostly not visible >> to the sender, and one hopes that our legislators wake up to that. >> >> Physical world analogue: if I send a letter by Royal Mail, I don't >> routinely know if the intended recipient gets it, and I assume that >> the Law Enforcement officers can look at it if they have just cause. > > What's important is whether they are looking at just the outside, or > what's inside the envelope (the latter being a whole lot more > difficult to do legally for both mail and email). But 'the latter' is extremely easy to do for email (unless the sender encrypts it with his own key), and hence our dilemma in the area discussed in this thread. So should we not resolve the problem ourselves by moving wholesale to encrypted content in emails? [1] Since there is in some quarters serious consideration of everyone having easy access to a system that issues eID credentials (although I have not looked at progress in the USA for some time, and nor do I know how EU programmes such as STORK are progressing), it is then relatively trivial to add encrypted email (relative in relation to the Gordian Knot without a solution that we seem to have at present). Peter [1] And of course leaving in place the current methodology for those who don't mind sending letters that are easy for the watchers to look at. I leave it to others to work out how to undo the legal Gordian Knot. From lists at internetpolicyagency.com Thu Jul 26 20:38:37 2012 From: lists at internetpolicyagency.com (Roland Perry) Date: Thu, 26 Jul 2012 20:38:37 +0100 Subject: sorry, but ... In-Reply-To: <50117AFA.2010107@iosis.co.uk> References: <500F1A54.4040204@zen.co.uk> <500F2335.7090602@zen.co.uk> <500FA83C.2070209@gmx.net> <500FE86B.4010308@zen.co.uk> <501156F6.1050400@iosis.co.uk> <50117AFA.2010107@iosis.co.uk> Message-ID: In article <50117AFA.2010107 at iosis.co.uk>, Peter Tomlinson writes >>> So its a connected world where the connections are mostly not >>>visible to the sender, and one hopes that our legislators wake up to >>> >>> >>> Physical world analogue: if I send a letter by Royal Mail, I don't >>>routinely know if the intended recipient gets it, and I assume that >>>the Law Enforcement officers can look at it if they have just cause. >> >> What's important is whether they are looking at just the outside, or >>what's inside the envelope (the latter being a whole lot more >>difficult to do legally for both mail and email). > >But 'the latter' is extremely easy to do for email (unless the sender >encrypts it with his own key), The difficulty I refer to is obtaining a relevant warrant. -- Roland Perry From pwt at iosis.co.uk Thu Jul 26 20:51:47 2012 From: pwt at iosis.co.uk (Peter Tomlinson) Date: Thu, 26 Jul 2012 20:51:47 +0100 Subject: sorry, but ... In-Reply-To: References: <500F1A54.4040204@zen.co.uk> <500F2335.7090602@zen.co.uk><500FA83C.2070209@gmx.net> <500FE86B.4010308@zen.co.uk> <501156F6.1050400@iosis.co.uk> <50117AFA.2010107@iosis.co.uk> Message-ID: <50119FD3.5010507@iosis.co.uk> On 26/07/2012 20:38, Roland Perry wrote: > In article <50117AFA.2010107 at iosis.co.uk>, Peter Tomlinson > writes >>>> So its a connected world where the connections are mostly not >>>> visible to the sender, and one hopes that our legislators wake up to >>>> >>>> Physical world analogue: if I send a letter by Royal Mail, I don't >>>> routinely know if the intended recipient gets it, and I assume that >>>> the Law Enforcement officers can look at it if they have just cause. >>> >>> What's important is whether they are looking at just the outside, or >>> what's inside the envelope (the latter being a whole lot more >>> difficult to do legally for both mail and email). >> >> But 'the latter' is extremely easy to do for email (unless the sender >> encrypts it with his own key), > > The difficulty I refer to is obtaining a relevant warrant. > Sorry (sic), I was going in a different direction, obviously: trying to find a way for traffic data to be seen without inadvertently seeing the content of the message, as I though that that was part of the problem. Peter From marcus at connectotel.com Fri Jul 27 00:40:11 2012 From: marcus at connectotel.com (Marcus Williamson) Date: Fri, 27 Jul 2012 00:40:11 +0100 Subject: Big Alan is watching you… on YouView Message-ID: <3al318tj0lq0n1a7tfna630mi37ol6ucc7@4ax.com> Big Alan is watching you on YouView http://www.independent.co.uk/arts-entertainment/tv/news/big-alan-is-watching-you-on-youview-7965127.html From chl at clerew.man.ac.uk Fri Jul 27 11:03:33 2012 From: chl at clerew.man.ac.uk (Charles Lindsey) Date: Fri, 27 Jul 2012 11:03:33 +0100 Subject: sorry, but ... In-Reply-To: References: <500F1A54.4040204@zen.co.uk> <500F2335.7090602@zen.co.uk> <500FA83C.2070209@gmx.net> <500FE86B.4010308@zen.co.uk> Message-ID: On Thu, 26 Jul 2012 14:10:41 +0100, Roland Perry wrote: >> Now if all the Friends are situated in the UK > > A huge assumption. My Facebook friends are literally all over the world. > Even someone with a UK-based work life is quite likely to have at least > one relative abroad. > >> , then any message is inevitably both 'sent' and 'received' within the >> UK, and is therefore internal, since it seems to be agreed that a >> server, wherever located, which provides mere conduit, or temporary >> buffering/storage to facilitate such conduit, is itself neither a >> sender nor a receiver. >> >> Now if one of Alice's friends (say Bob) happens to reside outside the >> UK, then things might get more interesting, since every message is >> potentially from Alice to Bob (but what if Bob never actually bothers >> to read it). > > Bob may have an email alert, which means he'll get sent the message > whether he wants it or not. Similarly, if Bob has a Tweetdeck account > linked to his Facebook, he'll be "pushed" many of the postings that way. > > This is all far to technology specific to be of use making law, however. > You simply have to assume that there will be a Bob, and he will get the > message. If it so happens that there exists no such Bob outside of the UK, then "They" will be breaking the law if they intercept it without a warrant. I reckon the onus is on "Them" to ascertain that there does exist an extra-terroitorial Bob if they want to go ahead and intercept without a warrant. How "They" ascertain that is "Their" problem, and I doubt that even the most microscopic examination of Alice's communication with Facebook would reveal that. -- Charles?H.?Lindsey?---------At?Home,?doing?my?own?thing------------------------ Tel:?+44?161?436?6131? ???Web:?http://www.cs.man.ac.uk/~chl Email:?chl at clerew.man.ac.uk??????Snail:?5?Clerewood?Ave,?CHEADLE,?SK8?3JU,?U.K. PGP:?2C15F1A9??????Fingerprint:?73?6D?C2?51?93?A0?01?E7?65?E8?64?7E?14?A4?AB?A5 From lists at internetpolicyagency.com Fri Jul 27 17:36:39 2012 From: lists at internetpolicyagency.com (Roland Perry) Date: Fri, 27 Jul 2012 17:36:39 +0100 Subject: sorry, but ... In-Reply-To: References: <500F1A54.4040204@zen.co.uk> <500F2335.7090602@zen.co.uk> <500FA83C.2070209@gmx.net> <500FE86B.4010308@zen.co.uk> Message-ID: In article , Charles Lindsey writes >>> Now if all the Friends are situated in the UK >> >> A huge assumption. My Facebook friends are literally all over the >>world. Even someone with a UK-based work life is quite likely to >>have at least one relative abroad. >> >>> , then any message is inevitably both 'sent' and 'received' within >>>the UK, and is therefore internal, since it seems to be agreed >>>that a server, wherever located, which provides mere conduit, or >>>temporary buffering/storage to facilitate such conduit, is itself >>>neither a sender nor a receiver. >>> >>> Now if one of Alice's friends (say Bob) happens to reside outside >>>the UK, then things might get more interesting, since every >>>message is potentially from Alice to Bob (but what if Bob never >>>actually bothers to read it). >> >> Bob may have an email alert, which means he'll get sent the message >>whether he wants it or not. Similarly, if Bob has a Tweetdeck account >>linked to his Facebook, he'll be "pushed" many of the postings that way. >> >> This is all far to technology specific to be of use making law, >>however. You simply have to assume that there will be a Bob, and he >>will get the message. > >If it so happens that there exists no such Bob outside of the UK, then >"They" will be breaking the law if they intercept it without a warrant. >I reckon the onus is on "Them" to ascertain that there does exist an >extra-terroitorial Bob if they want to go ahead and intercept without a >warrant. How "They" ascertain that is "Their" problem, and I doubt that >even the most microscopic examination of Alice's communication with >Facebook would reveal that. I'm not sure the law as currently drafted can cope with one-to-many messaging, where some recipients are in the UK and some aren't (and cases where all aren't will indeed be difficult to determine on the fly). I was wondering if a single non-UK Bob would make the message fair game - despite there also being many UK-based recipients. Or might the social networking server be deemed a single recipient (in most case not-in-the-UK), which then 'explodes' the message to multiple recipients (in various countries) as a completely separate exercise. [But see the 'mere conduit' proposition quoted above]. Surely, what's required is a proper policy debate on one-to-many messages (and some resulting suitable law), rather than trying to work out how a one-to-one messaging law might apply to them? -- Roland Perry From zenadsl6186 at zen.co.uk Fri Jul 27 23:36:58 2012 From: zenadsl6186 at zen.co.uk (Peter Fairbrother) Date: Fri, 27 Jul 2012 23:36:58 +0100 Subject: sorry, but ... In-Reply-To: References: <500F1A54.4040204@zen.co.uk> <500F2335.7090602@zen.co.uk> <500FA83C.2070209@gmx.net> <500FE86B.4010308@zen.co.uk> Message-ID: <5013180A.2020800@zen.co.uk> On 27/07/12 17:36, Roland Perry wrote: > In article , Charles Lindsey > writes >>>> Now if all the Friends are situated in the UK >>> >>> A huge assumption. My Facebook friends are literally all over the >>> world. Even someone with a UK-based work life is quite likely to have >>> at least one relative abroad. >>> >>>> , then any message is inevitably both 'sent' and 'received' within >>>> the UK, and is therefore internal, since it seems to be agreed that >>>> a server, wherever located, which provides mere conduit, or >>>> temporary buffering/storage to facilitate such conduit, is itself >>>> neither a sender nor a receiver. >>>> >>>> Now if one of Alice's friends (say Bob) happens to reside outside >>>> the UK, then things might get more interesting, since every message >>>> is potentially from Alice to Bob (but what if Bob never actually >>>> bothers to read it). >>> >>> Bob may have an email alert, which means he'll get sent the message >>> whether he wants it or not. Similarly, if Bob has a Tweetdeck account >>> linked to his Facebook, he'll be "pushed" many of the postings that way. >>> >>> This is all far to technology specific to be of use making law, >>> however. You simply have to assume that there will be a Bob, and he >>> will get the message. >> >> If it so happens that there exists no such Bob outside of the UK, then >> "They" will be breaking the law if they intercept it without a >> warrant. I reckon the onus is on "Them" to ascertain that there does >> exist an extra-terroitorial Bob if they want to go ahead and intercept >> without a warrant. How "They" ascertain that is "Their" problem, and I >> doubt that even the most microscopic examination of Alice's >> communication with Facebook would reveal that. > > I'm not sure the law as currently drafted can cope with one-to-many > messaging, where some recipients are in the UK and some aren't (and > cases where all aren't will indeed be difficult to determine on the fly). > > I was wondering if a single non-UK Bob would make the message fair game > - despite there also being many UK-based recipients. > > Or might the social networking server be deemed a single recipient (in > most case not-in-the-UK), which then 'explodes' the message to multiple > recipients (in various countries) as a completely separate exercise. > > [But see the 'mere conduit' proposition quoted above]. > > Surely, what's required is a proper policy debate on one-to-many > messages (and some resulting suitable law), rather than trying to work > out how a one-to-one messaging law might apply to them? Suppose Alice posts something to her facebook page, so only her friends [1] can look at it. However, only one friend actually does that - Bob. RIPA S.20: ?external communication? means a communication sent or received outside the British Islands; Now assume they are looking at a message as it departs from Alice, it hasn't been received by anyone yet. [ In fact any in-transit message has not been received yet, obviously, as it is still in transit; and for any outgoing message in transit, say an email to Afghanistan, even recording it's content for potential later examination if it is found to later to have been received outside the UK would still be just as much an illegal interception as looking at domestic traffic - it has not been sent or received outside the British Islands, so it is not an ?external communication?. The fact that it is addressed to, and being sent to, someone outside the UK does not actually change that. I digress, slightly } Anywhoo, suppose Bob is outside the UK. "They", meaning the UK internet monitors, will probably never know whether Bob has received the post. Facebook is outside the UK [2], and traffic between them and Bob is not something they have easy access to. Now suppose Bob is in the UK. They may know whether Bob receives Alice's post, But what they will not know is whether Charles in Pakistan has also received it. We know Charles hasn't, but they never will - is it okay for them to assume that Charles has {or rather he will}, and thus that it's an external communication? I can see a Judge just throwing his hands up at this point and saying "Alice's communication is to Facebook". Which I think it is anyway. It's probably to Bob too, but that doesn't mean it isn't to Facebook. [1] I digress again, but kids very frequently show facebook pages to each other, in the flesh, even if the page is blocked to the second kid. The page owner may never find out. Some teachers and mothers think this is a big problem, and they are probably right. [2] although, being in Dublin or wherever in Eire, is it outside the British Islands? I dunno -- Peter Fairbrother From lists at internetpolicyagency.com Sun Jul 29 09:06:41 2012 From: lists at internetpolicyagency.com (Roland Perry) Date: Sun, 29 Jul 2012 09:06:41 +0100 Subject: sorry, but ... In-Reply-To: <5013180A.2020800@zen.co.uk> References: <500F1A54.4040204@zen.co.uk> <500F2335.7090602@zen.co.uk> <500FA83C.2070209@gmx.net> <500FE86B.4010308@zen.co.uk> <5013180A.2020800@zen.co.uk> Message-ID: In article <5013180A.2020800 at zen.co.uk>, Peter Fairbrother writes >RIPA S.20: ?external communication? means a communication sent or >received outside the British Islands; > >Now assume they are looking at a message as it departs from Alice, it >hasn't been received by anyone yet. > >[ In fact any in-transit message has not been received yet, obviously, >as it is still in transit; That's over-analysing the situation. And in any event a transmission by TCP/IP involves a handshake, so the message is provably partly received even before the transmission has complete. >Anywhoo, suppose Bob is outside the UK. "They", meaning the UK internet >monitors, will probably never know whether Bob has received the post. It's not useful to think about posting to/from a social network site as emails, in general they are much more like Instant Messaging. If you are logged into Facebook, for example, the recipient(s) will receive them straight away. Although many sites also have routine alert emails which often contain snippets of "what you are missing by not logging in". >Facebook is outside the UK [2], and traffic between them and Bob is not >something they have easy access to. They'd have to log in as Bob, which they could presumably do if they sniffed his password, or obtained it from the social networking site with an appropriate warrant. I'm not aware of any sites that object to multiple log-ins, indeed they are almost a feature (being logged in on a smartphone as well as a desktop). Also none (yet) require anything more exotic than a simple username/password. >Now suppose Bob is in the UK. They may know whether Bob receives >Alice's post, But what they will not know is whether Charles in >Pakistan has also received it. We know Charles hasn't, but they never >will - is it okay for them to assume that Charles has {or rather he >will}, and thus that it's an external communication? Once you have IM and one-to-many messaging, simple questions such as these don't make sense any more. Indeed, numerous social networking sites are one-to-everyone (eg anyone who has my "Wall" open in front of them, and I post a public 'status update'). For emphasis, that's everyone everywhere [apologies to T-Mobile]. >I can see a Judge just throwing his hands up at this point and saying >"Alice's communication is to Facebook". That's one solution, but it needs to be reflected in the legislation, so we all know where we stand. >Which I think it is anyway. It's probably to Bob too, but that doesn't >mean it isn't to Facebook. Because of the promiscuous nature of public postings, it's not even possible to list all the potential Bobs. >[1] I digress again, but kids very frequently show facebook pages to >each other, in the flesh, even if the page is blocked to the second >kid. The page owner may never find out. On most sites, you don't even find out if the first kid looked at it. Linked-In is one of the few that tells you who has been reading your profile. >Some teachers and mothers think this is a big problem, and they are >probably right. Is it any different to a child showing another the birthday card that just arrived in the post, or borrowing an older brother's log-in to circumvent some blocking added to an account? Control of content (with or without minors involved) is a very big subject, and best left to its own thread I think. -- Roland Perry From zenadsl6186 at zen.co.uk Sun Jul 29 14:32:19 2012 From: zenadsl6186 at zen.co.uk (Peter Fairbrother) Date: Sun, 29 Jul 2012 14:32:19 +0100 Subject: sorry, but ... In-Reply-To: References: <500F1A54.4040204@zen.co.uk> <500F2335.7090602@zen.co.uk> <500FA83C.2070209@gmx.net> <500FE86B.4010308@zen.co.uk> <5013180A.2020800@zen.co.uk> Message-ID: <50153B63.6030602@zen.co.uk> On 29/07/12 09:06, Roland Perry wrote: > In article <5013180A.2020800 at zen.co.uk>, Peter Fairbrother > writes > >> RIPA S.20: ?external communication? means a communication sent or >> received outside the British Islands; [..] >> [ In fact any in-transit message has not been received yet, obviously, >> as it is still in transit; > > That's over-analysing the situation. And in any event a transmission by > TCP/IP involves a handshake, so the message is provably partly received > even before the transmission has complete. The RIPA word is "communication" not message (my fault), and I do not think the communication (as opposed to the packets or bits) is received until it has all reached some destination. Otherwise we could talk about each and every switch in the network, which is probably not what was meant. If it was you could intercept at telephone exchanges without a warrant .. However I can't find a definition for "communication" in RIPA or elsewhere. [..] > It's not useful to think about posting to/from a social network site as > emails, in general they are much more like Instant Messaging. In general there is also a "fetch-it-later" facility for those who are not logged in, which is very like web-based email. >> Now suppose Bob is in the UK. They may know whether Bob receives >> Alice's post, But what they will not know is whether Charles in >> Pakistan has also received it. We know Charles hasn't, but they never >> will - is it okay for them to assume that Charles has {or rather he >> will}, and thus that it's an external communication? > > Once you have IM and one-to-many messaging, simple questions such as > these don't make sense any more. I don't know what officially happens when the law stops making sense, but I think most often Judges just make it up. > Indeed, numerous social networking sites are one-to-everyone (eg anyone > who has my "Wall" open in front of them, and I post a public 'status > update'). For emphasis, that's everyone everywhere [apologies to T-Mobile]. The web itself does much the same. As do blogs etc.. > >> I can see a Judge just throwing his hands up at this point and saying >> "Alice's communication is to Facebook". > > That's one solution, but it needs to be reflected in the legislation, so > we all know where we stand. Yes. It's probably to Bob too, but that doesn't mean it isn't to Facebook. Clearing that up would be good. And clearing up the stored comms NTL vs Ipswich question would be good too - the Police need a warrant from the HS to intercept telephone calls, but not to intercept email? Where's the sense in that? However I'm pretty sure that that is where we stand, and it's not a comfortable place to be. It means they can eg see all Facebook traffic, including all content. And that is not obvious from reading the Bill. If you don't think that is a big deal, have a look at this: http://xkcd.com/802/ Though wading through pages and pages of "I'm on the train" "I'm on the train too" "I'm in carriage B" "So am I" "Yes, I can see you" "So, when does the concert start?" ... (wiht typos wtc) might get a bit boring -- Peter Fairbrother From zenadsl6186 at zen.co.uk Sun Jul 29 14:42:05 2012 From: zenadsl6186 at zen.co.uk (Peter Fairbrother) Date: Sun, 29 Jul 2012 14:42:05 +0100 Subject: sorry, but ... In-Reply-To: <501022B2.3070700@gmx.net> References: <500F1A54.4040204@zen.co.uk> <500F2335.7090602@zen.co.uk> <500FA83C.2070209@gmx.net> <500FE86B.4010308@zen.co.uk> <501022B2.3070700@gmx.net> Message-ID: <50153DAD.9090607@zen.co.uk> Hi Caspar > 'fraid don't have time to answer all these points, but one of the main > points of the probing amendments on 16(3) was to establish if they were > intended to make Overlapping warrants obsolete. The answer in Bassam's > letter was an unequivocal "no". What's S.16(3) for then? Afaics it does slightly more than an overlapping warrant did. That was mostly a rhetorical question ;^) ... I have never thought that Lord Bassam ever actually understood the complexities of RIPA. > I don't think Facebook raises any new points of principle regarding > interpretation of external/internal, than posting messages to a offshore > bulletin-board system with a open or closed membership. Yes - except Facebook is used very much more. -- Peter How the > interpretation works we don't know (one of the main drawbacks of having > all of this adjudicated inside the head of a single Commissioner - who > have not seen fit to discuss publicly in 26 years) > > when I said "it doesn't matter", I just meant that Bassam letter makes > it clear that internal communications "inadvertently" intercepted under > an external warrant do not break the law. > > Caspar > > On 07/25/2012 02:36 PM, Peter Fairbrother wrote: >> Hi Caspar, long time no see. >> >> On 25/07/12 09:03, Caspar Bowden (travelling) wrote: >>> >>> Hi Peter >>> >>> On 07/25/2012 12:35 AM, Peter Fairbrother wrote: >>>>> stream, and it's looking for traffic data in traffic that's to >>>>> let's say >>>>> the Facebook or Twitter or googlemail or WoW or Habbo sites. >>> >>> (AFAIK Facebook say they fall under Irish jurisdiction for their EU >>> users w.r.t DP law at least) >>> >>>>> These are afaik all hosted in the US, but they have strong UK >>>>> connections. >>>>> >>>>> Let's suppose both Alice and Bob are in the UK. Now suppose Alice >>>>> sends >>>>> Bob a message through facebook, or another of the US social media >>>>> sites. >>>>> >>>>> The black box sees and finds the traffic data concerned with Alice's >>>>> message, quite lawfully under the new bill - and the traffic data it >>>>> sees tells it it's an external communication, a message to a server >>>>> outside the UK. >>> >>> AFAIK the last word (but grateful for any later ref) we have on HMG's >>> understanding is from 4th July 2000 (this was in response to FIPR >>> probing amendments about the new "domestic trawling" warrant in S.16(3), >>> misleadingly placed in a section called "Safeguards"). >> >>> In theory, what defines internal/external is whether the communication >>> (at whatever protocol level) is "received" in the UK (rather than where >>> a server is located), but in practice this doesn't matter >> >> >> Could you say why it doesn't matter? That's not clear to me. Thx. >>> >>> http://www.fipr.org/rip/Bassam%20reply%20to%20Phillips%20on%20S.15.3.htm/ >>> >>> (worth reading whole thing and context at >>> http://www.fipr.org/rip/#Overlapping) >> >> Lord Bassam: >> I confirm what I said in the House, that a communication from one >> point in the British Islands to another point in the British Islands >> is 'internal' even if its route takes it outside the British Islands. >> >> [...] >> >> and >> Lord Bassam: >>> Communications that originate and are received in the UK are always >>> "internal"; >> >> So says Lord Bassam. But I very much doubt that he had Facebook in >> mind when he said that, so even if he was correct (he wasn't[1]), or >> if what he said had any legal significance because he said it, it >> doesn't apply to the Facebook situation. >> >> And so as ever we are left with the plain wording of the law: >> >> RIPA S.20: ?external communication? means a communication sent or >> received outside the British Islands; >> >> When Alice sends her message to Bob via Facebook in Eire, is her >> communication received by Facebook? >> >> I'd say it was, and I can't see a dozen Judges disagreeing. >> >> She might for instance be sending it to Facebook so Bob and Chas could >> see it, or all her friends could see it - does it make any difference >> if only one person can see it ? >> >> >> Note this situation is different to an IP packet passing through a >> third country - it is harder to say then that the communication is >> received by the router (although the packet obviously is). >> >> If she is sending her communication to Facebook then it's an external >> communication, and it can be intercepted, including content, under an >> 8(4) warrant. >> >> >> So what can "they" do under an 8(4) warrant? They can look for >> keywords, they can look at it all - about the only thing they can't do >> is sort through it for communications to or from a particular person. >> >> Except of course they can do that too, if the SoS signs a RIPA S,16(3) >> certificate which allows it. That certificate can apply to an >> individual, to some individuals who fit a particular description, to >> groups, or the whole population - there is no limitation to the number >> of people named or described in the certificate. >> >> (neither is there a limit to the duration of a 16(3) certificate. >> Also, the certificate which turns an ordinary warrant into a S.8(4) >> warrant does not have a limited life either. The warrant does, but the >> certificate does not. How many SoS's have we had since 2000? It would >> only take two signatures from any one of them... ) >> >> >>> as is well known, some of these will go abroad en route and >>> so be carried on primarily external trunks. It is _not possible to >>> intercept the external communications on the trunk without intercepting >>> the internal communications as well.>>>_ >>> >>> >>>>> Now suppose a SoS has signed a blanket warrant to allow the >>>>> black-box-operating-agency, hereinafter BlackBoxHQ, to intercept all >>>>> external communications (which he can do with a single stroke of >>>>> the pen >>>>> under RIPA 8(4)). >>>>> >>>>> BlackBoxHQ can see that Alice's message to Bob next door is in it's >>>>> first step actually a message to a server in the US, and thus an >>>>> external communication - and then BlackBoxHQ can look at Alice's >>>>> message's _content_, not just it's traffic data. >>> >>> Yes, but FWIW (from Bassam letter) >>> >>> <<>> communications that fit the descriptions in the certificate. It is >>> therefore not likely to catch many internal communications. It would of >>> course be unlawful to /seek/ to catch internal communications in the >>> absence of an overlapping warrant or a certificate complying with clause >>> 15(3).>>> >>> (original is italicized) >>> >>> This was the most arcane controversy of RIPA (apart from Pt.3) and it >>> proved impossible to get media interest. But given the IoCC has never >>> commented on certificated warrants since the first report after IoCA, we >>> have no idea how diligent he may be at ensuring that nobody is "seeking" >>> to catch internal communications in this way. >> >> >> I think you are missing my point. What Bassam is talking about here is >> whether internal communications get swept up in a search for external >> communications. >> >> The issue I was addressing is intercepting external communications, >> and Lord Bassam's words are not relevant to that - he simply assumes >> it's ok. >> >>> >>> There is a nastier legal problem, which I call "how do they know there >>> is a pearl inside the oyster, unless they have already looked inside" - >>> this is (badly) explained in the briefing notes at >>> /http://www.fipr.org/rip/#Overlapping. >> >> Yes, that's confusing and sometimes wrong. >> >> /It seemed to me the first IoCC >>> fudged this point in his invention of "overlapping warrants", and it has >>> never been cleared up or referred to publicly since. >> >> I don't think they have them anymore? >> >> The grounds for a certifying a warrant are much broader now - so broad >> that any restrictions they might impose are almost meaningless. >> >> They also have S. 16(3) certificates instead if they want to target >> individuals, or groups (or everybody, if they want). >> >> So I don't think they need them anymore either. >> >> >> -- Peter >> >> [1] an email is sent to two people, one in the UK, one abroad. The >> traffic from the sender to the mail server is a single communication. >> It is external because it is received by person two abroad, even >> though it is received by person one in the UK - however it "originated >> and will be received in the UK" and should therefore be internal >> according to LB. >> >> There are several other circumstances where the statement >> "Communications that originate and are received in the UK are always >> "internal" would be just plain wrong, and inconsistent with the >> definition ?external communication? means a communication sent or >> received outside the British Islands; - unless of course when he uses >> "internal" he means something other than "not external", the >> apparently relevent definition. >> >> It is almost >>> exactly analogous to the issue that later created the tremendous furore >>> in US about "warrantless wiretapping", with the difference that US law >>> protects its own citizens categorically by nationality (which was >>> tougher to wriggle out of - until 2007/8 - than internal/external >>> distinction). There is some kind of irony (not sure what kind) that >>> Bassam's note was written on (US) Independence Day ;-) >>> >>> Caspar >>> >>> / >>> >>> / >> >> >> >> > > > From pwt at iosis.co.uk Sun Jul 29 16:49:11 2012 From: pwt at iosis.co.uk (Peter Tomlinson) Date: Sun, 29 Jul 2012 16:49:11 +0100 Subject: sorry, but ... In-Reply-To: <50153B63.6030602@zen.co.uk> References: <500F1A54.4040204@zen.co.uk><500F2335.7090602@zen.co.uk> <500FA83C.2070209@gmx.net><500FE86B.4010308@zen.co.uk> <5013180A.2020800@zen.co.uk> <50153B63.6030602@zen.co.uk> Message-ID: <50155B77.1090600@iosis.co.uk> On 29/07/2012 14:32, Peter Fairbrother wrote: > > The RIPA word is "communication" not message (my fault), and I do not > think the communication (as opposed to the packets or bits) is > received until it has all reached some destination. > > Otherwise we could talk about each and every switch in the network, > which is probably not what was meant. If it was you could intercept at > telephone exchanges without a warrant .. > > However I can't find a definition for "communication" in RIPA or > elsewhere. > If a communication passes through your hands on its way to someone else, the gentlemanly thing to do (with apologies to the ladies) is to look only at the routing information and send it on its way, and to do that even if the envelope is unsealed. Peter From lists at internetpolicyagency.com Tue Jul 31 10:15:13 2012 From: lists at internetpolicyagency.com (Roland Perry) Date: Tue, 31 Jul 2012 10:15:13 +0100 Subject: sorry, but ... In-Reply-To: <50153B63.6030602@zen.co.uk> References: <500F1A54.4040204@zen.co.uk> <500F2335.7090602@zen.co.uk> <500FA83C.2070209@gmx.net> <500FE86B.4010308@zen.co.uk> <5013180A.2020800@zen.co.uk> <50153B63.6030602@zen.co.uk> Message-ID: <9p2mosohI6FQFAGq@perry.co.uk> In article <50153B63.6030602 at zen.co.uk>, Peter Fairbrother writes >>> RIPA S.20: ?external communication? means a communication sent or >>> received outside the British Islands; >[..] >>> [ In fact any in-transit message has not been received yet, obviously, >>> as it is still in transit; >> >> That's over-analysing the situation. And in any event a transmission by >> TCP/IP involves a handshake, so the message is provably partly received >> even before the transmission has complete. > >The RIPA word is "communication" not message (my fault), and I do not >think the communication (as opposed to the packets or bits) is received >until it has all reached some destination. A communication is a flow of information, not a lump of information. As with earlier discussion of social networking communications they are more analogous to phone calls than postal items. No-one would say a phone call wasn't received until the caller put down the phone. Not fully received, perhaps, but the conversation could have gone on for hours. >Otherwise we could talk about each and every switch in the network, >which is probably not what was meant. If it was you could intercept at >telephone exchanges without a warrant .. There's no loophole for intercepting at switches (either TCP/IP or POTS) because RIPA 1(1) says: "... at any place in the United Kingdom, any communication in the course of its transmission..." Which is one of several references to "course of its transmission" indicating that this is a continuous (flowing) process. >However I can't find a definition for "communication" in RIPA or elsewhere. > >[..] >> It's not useful to think about posting to/from a social network site as >> emails, in general they are much more like Instant Messaging. > >In general there is also a "fetch-it-later" facility for those who are >not logged in, which is very like web-based email. There's a mixture; but in terms of being received immediately, that can also apply to webmail - my Googlemail pops up an alert as soon as one has been received. Other modes which need taking account of are the "don't store (nor forward)", essentially peer-to-peer only, method used by Skype, where the message is saved on the sender's machine until the recipient is online. What's important here is (legislatively) coping with a process which is a flow, not as a series of hops. Although the law needs to be equally applicable to both. >>> Now suppose Bob is in the UK. They may know whether Bob receives >>> Alice's post, But what they will not know is whether Charles in >>> Pakistan has also received it. We know Charles hasn't, but they never >>> will - is it okay for them to assume that Charles has {or rather he >>> will}, and thus that it's an external communication? >> >> Once you have IM and one-to-many messaging, simple questions such as >> these don't make sense any more. > >I don't know what officially happens when the law stops making sense, >but I think most often Judges just make it up. My position on this is that when I raised such issues immediately post-RIPA the feeling was that they could be tackled at the first major revision. Which is now. And is doubly important to do so, because the communications the revisions are aimed at have this very same one-to-many characteristic. Again, many recipients in many countries. Needs to be reflected in the law. >> Indeed, numerous social networking sites are one-to-everyone (eg anyone >> who has my "Wall" open in front of them, and I post a public 'status >> update'). For emphasis, that's everyone everywhere [apologies to T-Mobile]. > >The web itself does much the same. As do blogs etc.. Indeed, and even though it's possible to argue that a public web page doesn't contain any secrets, the transmission to any one recipient is still (and rightly so) a protected activity. Even the traffic data element - which brings us full circle back to the 21(6) tailpiece, viz: "but that expression includes data identifying a computer file or computer program access to which is obtained, or which is run, by means of the communication to the extent only that the file or program is identified by reference to the apparatus in which it is stored." >>> I can see a Judge just throwing his hands up at this point and saying >>> "Alice's communication is to Facebook". >> >> That's one solution, but it needs to be reflected in the legislation, so >> we all know where we stand. > >Yes. It's probably to Bob too, but that doesn't mean it isn't to >Facebook. Clearing that up would be good. > >And clearing up the stored comms NTL vs Ipswich question would be good >too - the Police need a warrant from the HS to intercept telephone >calls, but not to intercept email? Where's the sense in that? I continue to think that the decision in NTL was flawed. Remember that it wasn't about intercepting emails as such, but revolved around a provision enabling a "preservation order" [my words] for evidence that was likely to be destroyed before that evidence could be obtained with a production order. Some background: We know that "stored messages" are protected (although it would do no harm to amend the legislation to make it clearer whether it's intended that 'saved' email/SMS/voicemail etc are supposed to have the full protection of RIPA, or a watered down version once they have been first received but are available for second and third receipt) but this has the awkward side effect that if the police seize a PC or server, which happens to include some stored emails, they would be conducting an illegal interception, were it not for the provision that the conduct is lawful if... 1(5) "it is in exercise, in relation to any stored communication, of any statutory power that is exercised (apart from this section) for the purpose of obtaining information or of taking possession of any document or other property". But it wasn't intended, allegedly, allow the police to grab all stored messages going through a CSPs servers for (eg) a period of 10 days, in the hope that some of those messages might be useful. That's what's known in the trade as a fishing expedition. (And so is a classic interception warrant, but the safeguards for obtaining one are much stricter). On the other hand, if the police knew about some specific emails which needed to be preserved, then the preservation process they went through was the right one, but I'd be happier if I understood what data they collected, and how they justified it to a possibly different court, when the production order (that required the pre-emptive preservation in order to be effective) was finally drawn up. >However I'm pretty sure that that is where we stand, and it's not a >comfortable place to be. It means they can eg see all Facebook traffic, >including all content. And that is not obvious from reading the Bill. Any communications system that is "intercept ready" (and that includes most telephone exchanges, and a lot of carrier-grade routers I expect) can do this already. The main difference is that if the "intercept ready" paraphernalia allows for pre-filtering of the data stream, then you are less likely to get an unmanageably large amount of product. >wading through pages and pages of > >"I'm on the train" >"I'm on the train too" >"I'm in carriage B" >"So am I" >"Yes, I can see you" >"So, when does the concert start?" >... > >(wiht typos wtc) might get a bit boring Filters don't get bored. -- Roland Perry From tharg at gmx.net Tue Jul 31 14:09:48 2012 From: tharg at gmx.net (Caspar Bowden (travelling)) Date: Tue, 31 Jul 2012 15:09:48 +0200 Subject: What is a "communication" (was Re: sorry, but ... In-Reply-To: <9p2mosohI6FQFAGq@perry.co.uk> References: <500F1A54.4040204@zen.co.uk> <500F2335.7090602@zen.co.uk> <500FA83C.2070209@gmx.net> <500FE86B.4010308@zen.co.uk> <5013180A.2020800@zen.co.uk> <50153B63.6030602@zen.co.uk> <9p2mosohI6FQFAGq@perry.co.uk> Message-ID: <5017D91C.1050209@gmx.net> On 07/31/2012 11:15 AM, Roland Perry wrote: > That's over-analysing the situation. And in any event a transmission by > TCP/IP involves a handshake, so the message is provably partly received > even before the transmission has complete. >> The RIPA word is "communication" not message (my fault), and I do not >> think the communication (as opposed to the packets or bits) is received >> until it has all reached some destination. > A communication is a flow of information, not a lump of information... If I may, I wanted to fork the thread here to focus on what we mean by a communication, in the sense of the logical level of the protocol stack. It always seemed to me that "communication" had to be interpreted as a transmission of information at an arbitrary *logical* layer of the stack(s) - it might mean an e-mail, or a web page, or an IM, or a phone call, or an SMS etc. If a hacker was communicating by port-knocking, it might mean a datagram. So the interpretation of communication w.r.t. to whether something is internal or external, would not be affected by e.g. whether any dropped packets as part of an email message were received by a random router outside the UK (and perhaps "made available" to a engineer looking at a log file), but whether the (intended) sender and receiver are both in the UK. That was another major motivation for the probing of s.16(3) resulting in Bassam's letter. The logic is that ECHR would prohibit discrimination by nationality (unlike US law like FISA), so the discrimination between mass and targeted surveillance occurs according to the internal/external criterion. In a packet switched network, that criterion only makes sense if you focus on the location of the sender and intended receiver, at any given logical layer. So the S.16(3) probing was intended to force the govt. to acknowledge "if that's what you want, then this is what is going to happen" Caspar From tharg at gmx.net Tue Jul 31 14:16:19 2012 From: tharg at gmx.net (Caspar Bowden (travelling)) Date: Tue, 31 Jul 2012 15:16:19 +0200 Subject: sorry, but ... In-Reply-To: <50153DAD.9090607@zen.co.uk> References: <500F1A54.4040204@zen.co.uk> <500F2335.7090602@zen.co.uk> <500FA83C.2070209@gmx.net> <500FE86B.4010308@zen.co.uk> <501022B2.3070700@gmx.net> <50153DAD.9090607@zen.co.uk> Message-ID: <5017DAA3.8090202@gmx.net> On 07/29/2012 03:42 PM, Peter Fairbrother wrote: > > What's S.16(3) for then? Afaics it does slightly more than an > overlapping warrant did. My best surmise is that overlapping warrants were invented circa 1986 to cope with what later became known as "reverse targeting", whereas s.16(3) effectively invented a 3rd type of warrant for domestic mass-surveillance (data-mining for arbitrary "factors") > That was mostly a rhetorical question ;^) ... I have never thought > that Lord Bassam ever actually understood the complexities of RIPA. No, but it was noticeable from the Opposition Advisers' Box that whenever amendments came up involving West Country activities rather than the Home Office stuff, there would be a changing of the guard, and a different bunch of officials would traipse into the govt. Advisers' Box. Bassam may not have had much clue, but Ministers don't draft such letters themselves. Caspar From lists at internetpolicyagency.com Tue Jul 31 20:54:51 2012 From: lists at internetpolicyagency.com (Roland Perry) Date: Tue, 31 Jul 2012 20:54:51 +0100 Subject: What is a "communication" (was Re: sorry, but ... In-Reply-To: <5017D91C.1050209@gmx.net> References: <500F1A54.4040204@zen.co.uk> <500F2335.7090602@zen.co.uk> <500FA83C.2070209@gmx.net> <500FE86B.4010308@zen.co.uk> <5013180A.2020800@zen.co.uk> <50153B63.6030602@zen.co.uk> <9p2mosohI6FQFAGq@perry.co.uk> <5017D91C.1050209@gmx.net> Message-ID: In article <5017D91C.1050209 at gmx.net>, "Caspar Bowden (travelling)" writes >It always seemed to me that "communication" had to be interpreted as a >transmission of information at an arbitrary *logical* layer of the >stack(s) - it might mean an e-mail, or a web page, or an IM, or a phone >call, or an SMS etc. If a hacker was communicating by port-knocking, it >might mean a datagram. > >So the interpretation of communication w.r.t. to whether something is >internal or external, would not be affected by e.g. whether any dropped >packets as part of an email message were received by a random router >outside the UK (and perhaps "made available" to a engineer looking at a >log file), but whether the (intended) sender and receiver are both in >the UK. How do we extend that theory to the situation where there are many receivers in many countries, and when no-one (barring the intermediary such as Facebook knows who the receivers are, and only really dodgy stuff like geo-location by IP address can determine where they are? (Unless they are using a proxy...) -- Roland Perry From zenadsl6186 at zen.co.uk Tue Jul 31 22:10:47 2012 From: zenadsl6186 at zen.co.uk (Peter Fairbrother) Date: Tue, 31 Jul 2012 22:10:47 +0100 Subject: sorry, but ... In-Reply-To: <5017DAA3.8090202@gmx.net> References: <500F1A54.4040204@zen.co.uk> <500F2335.7090602@zen.co.uk> <500FA83C.2070209@gmx.net> <500FE86B.4010308@zen.co.uk> <501022B2.3070700@gmx.net> <50153DAD.9090607@zen.co.uk> <5017DAA3.8090202@gmx.net> Message-ID: <501849D7.3020808@zen.co.uk> On 31/07/12 14:16, Caspar Bowden (travelling) wrote: > On 07/29/2012 03:42 PM, Peter Fairbrother wrote: >> >> What's S.16(3) for then? Afaics it does slightly more than an >> overlapping warrant did. > > My best surmise is that overlapping warrants were invented circa 1986 to > cope with what later became known as "reverse targeting", whereas > s.16(3) effectively invented a 3rd type of warrant for domestic > mass-surveillance (data-mining for arbitrary "factors") > >> That was mostly a rhetorical question ;^) ... I have never thought >> that Lord Bassam ever actually understood the complexities of RIPA. > > No, but it was noticeable from the Opposition Advisers' Box that > whenever amendments came up involving West Country activities rather > than the Home Office stuff, there would be a changing of the guard, and > a different bunch of officials would traipse into the govt. Advisers' > Box. Bassam may not have had much clue, but Ministers don't draft such > letters themselves. Ah yes ... two bunches of advisors ... who each have different agendas, and most likely have different interpretations and understandings of the complexities ... No wonder it often doesn't make sense overall. -- Peter Fairbrother From zenadsl6186 at zen.co.uk Tue Jul 31 23:03:12 2012 From: zenadsl6186 at zen.co.uk (Peter Fairbrother) Date: Tue, 31 Jul 2012 23:03:12 +0100 Subject: sorry, but ... In-Reply-To: <9p2mosohI6FQFAGq@perry.co.uk> References: <500F1A54.4040204@zen.co.uk> <500F2335.7090602@zen.co.uk> <500FA83C.2070209@gmx.net> <500FE86B.4010308@zen.co.uk> <5013180A.2020800@zen.co.uk> <50153B63.6030602@zen.co.uk> <9p2mosohI6FQFAGq@perry.co.uk> Message-ID: <50185620.5000307@zen.co.uk> On 31/07/12 10:15, Roland Perry wrote: > In article<50153B63.6030602 at zen.co.uk>, Peter Fairbrother > writes >>>> RIPA S.20: ?external communication? means a communication sent or >>>> received outside the British Islands; >> [..] >>>> [ In fact any in-transit message has not been received yet, obviously, >>>> as it is still in transit; >>> >>> That's over-analysing the situation. And in any event a transmission by >>> TCP/IP involves a handshake, so the message is provably partly received >>> even before the transmission has complete. >> >> The RIPA word is "communication" not message (my fault), and I do not >> think the communication (as opposed to the packets or bits) is received >> until it has all reached some destination. > > A communication is a flow of information, not a lump of information. As > with earlier discussion of social networking communications they are > more analogous to phone calls than postal items. No-one would say a > phone call wasn't received until the caller put down the phone. Not > fully received, perhaps, but the conversation could have gone on for > hours. > >> Otherwise we could talk about each and every switch in the network, >> which is probably not what was meant. If it was you could intercept at >> telephone exchanges without a warrant .. > > There's no loophole for intercepting at switches (either TCP/IP or POTS) > because RIPA 1(1) says: "... at any place in the United Kingdom, any > communication in the course of its transmission..." > > Which is one of several references to "course of its transmission" > indicating that this is a continuous (flowing) process. Err, while I do not think you can intercept at each and every switch in the network, I have to disagree a little on point - there is little I can see in RIPA which implies or involves flowing, except between two places. A switch is a place - intercepting the wires between switches is not the same as intercepting at a switch after the switch has received the message and before it sends it on again. What RIPA does talk about is the sender and the intended recipient of a communication, and more, that those are the relevant places - and I take that to mean at the level of eg the person who sends an email, and the person who it is meant for, rather than eg the network or physical or even application layers. A communication is, or should be, thought of as always being between the highest level applicable. If it's limited to eg the physical layer there is no communication to the intended recipient, which I take to mean the person the ultimate sender meant the message for. All this is fine until you get to messages intended for multiple recipients, or messages left to be picked up (eg email, facebook etc) of course .. [1] It's also getting back to the argument about machines - in general the person who owns or operates a machine is responsible for the actions of that machine (unless he did not expect that the machine would perform those actions and was not reckless about whether it might). The machine itself is not responsible - machines cannot take or accept legal responsibility, or at least not yet. >> And clearing up the stored comms NTL vs Ipswich question would be good >> too - the Police need a warrant from the HS to intercept telephone >> calls, but not to intercept email? Where's the sense in that? > > I continue to think that the decision in NTL was flawed. Remember that > it wasn't about intercepting emails as such, but revolved around a > provision enabling a "preservation order" [my words] for evidence that > was likely to be destroyed before that evidence could be obtained with a > production order. That was the immediate issue, perhaps, though imo focussing on it is a bit of a red herring - the wider issue was whether the Police could in effect intercept communications in transit in a public telecoms system if they were emails, because they were stored in transit, but they couldn't intercept such comms if they were not stored eg telephone calls. And that was why the decision was wrong imo, apart from being arbitrary and making-up-law-on-the-fly-ish - the general protection against interception of communications without a warrant signed by a Minister was lost for email; and there is nothing I can find in PACE which directly allowed the Police to demand stored emails from CSPs. [1] I guess that a message left in Facebook is a stored communication. If the Police etc have some power, perhaps under PACE a la NTL, to obtain such stored messages without it contravening the anti-interception provisions of RIPA, could they just intercept all the Facebook traffic and filter out everything which will not be a stored communication (ie Facebook housekeeping traffic - oops that's mostly traffic data so they can get that too) in order to obtain the stored comms under a PACE warrant? Can't see why not ... -- Peter Fairbrother