From igb at batten.eu.org Fri Jun 7 11:56:35 2013
From: igb at batten.eu.org (Ian Batten)
Date: Fri, 7 Jun 2013 11:56:35 +0100
Subject: PRISM && Excited Guardianista
Message-ID:

The Graun are very excited about:
http://www.guardian.co.uk/world/2013/jun/06/us-tech-giants-nsa-data

The most interesting thing to me is that the slides they have say it has a budget of $20m per year.

Given the likely costs of even the fairly anodyne proposals in the Data Communications Bill, either there are a few zeros missing or the content of the project is being somewhat over-interpreted.

ian

From lists at internetpolicyagency.com Fri Jun 7 12:22:42 2013
From: lists at internetpolicyagency.com (Roland Perry)
Date: Fri, 7 Jun 2013 12:22:42 +0100
Subject: PRISM && Excited Guardianista
In-Reply-To:
References:
Message-ID: <8xnm+gQCKcsRFArU@perry.co.uk>

In article , Ian Batten writes
>The Graun are very excited about: http://www.guardian.co.uk/world/2013/jun/06/us-tech-giants-nsa-data
>
>The most interesting thing to me is that the slides they have say it has a budget of $20m per year.

This story resurfaces every year pretty much. Must be that time again.

Last year, one version of the story estimated that they've amassed 20 trillion data records. At $20m that would be a bargain.

On the other hand "Wired" seems to think the budget for the latest data centre was $2bn.

-- 
Roland Perry

From maryhawking at tigers.demon.co.uk Fri Jun 7 13:38:12 2013
From: maryhawking at tigers.demon.co.uk (Mary Hawking)
Date: Fri, 7 Jun 2013 13:38:12 +0100
Subject: PRISM
Message-ID: <7294CEB3D45449C5B9B5D7D4F0083B2B@MaryPC>

From the Washington Post
http://www.washingtonpost.com/wp-srv/special/politics/prism-collection-documents/
link from http://tinyurl.com/mm3ttqt

Should I stop using social media and think twice about Dropbox?
Mary Hawking
Retired from NHS on 31.3.13 because of the Health and Social Care Act 2012
"thinking - independent thinking - is to humans as swimming is to cats: we can do it if we really have to." Mark Earles on Radio 4
blog http://maryhawking.wordpress.com/ , bloglist https://dl.dropbox.com/u/4529244/MH%20blog%20list.doc
And Fred! http://primaryhealthinfo.wordpress.com/2013/01/20/who-knows-what-and-why/

From maxsec at gmail.com Fri Jun 7 15:28:06 2013
From: maxsec at gmail.com (Martin Hepworth)
Date: Fri, 7 Jun 2013 15:28:06 +0100
Subject: PRISM
In-Reply-To: <7294CEB3D45449C5B9B5D7D4F0083B2B@MaryPC>
References: <7294CEB3D45449C5B9B5D7D4F0083B2B@MaryPC>
Message-ID:

maybe and perhaps ;-)

Don't post all your thoughts willy-nilly to social media, I think, is a good default; think about what and how you're saying it, and whether the 20-years-older you would think posting that is a good idea.

Dropbox stuff and other 'open' file sharing should also be treated with caution; encrypt the file beforehand for anything of any sensitivity.

-- 
Martin Hepworth, CISSP
Oxford, UK

On 7 June 2013 13:38, Mary Hawking wrote:
> From the Washington Post
> http://www.washingtonpost.com/wp-srv/special/politics/prism-collection-documents/
> link from
> http://tinyurl.com/mm3ttqt
> Should I stop using social media and think twice about Dropbox?
>
> Mary Hawking
> Retired from NHS on 31.3.13 because of the Health and Social Care Act 2012
> "thinking - independent thinking - is to humans as swimming is to cats: we
> can do it if we really have to." Mark Earles on Radio 4
> blog http://maryhawking.wordpress.com/ , bloglist
> https://dl.dropbox.com/u/4529244/MH%20blog%20list.doc And Fred!
> http://primaryhealthinfo.wordpress.com/2013/01/20/who-knows-what-and-why/
From lists at casparbowden.net Fri Jun 7 15:40:24 2013
From: lists at casparbowden.net (Caspar Bowden (lists))
Date: Fri, 07 Jun 2013 15:40:24 +0100
Subject: PRISM && Excited Guardianista
In-Reply-To: <8xnm+gQCKcsRFArU@perry.co.uk>
References: <8xnm+gQCKcsRFArU@perry.co.uk>
Message-ID: <51B1F0D8.1030406@casparbowden.net>

These may explain why it's not old hat (search my name since January if you want more)

http://euobserver.com/justice/118857
http://www.out-law.com/en/articles/2013/january/eu-urged-to-scrap-use-of-personal-data-measures-for-cloud-computing-amid-us-surveillance-concerns/

NSA have confirmed the story
http://www.bbc.co.uk/news/world-us-canada-22809541

Caspar

On 06/07/13 12:22, Roland Perry wrote:
> In article , Ian Batten writes
>> The Graun are very excited about:
>> http://www.guardian.co.uk/world/2013/jun/06/us-tech-giants-nsa-data
>>
>> The most interesting thing to me is that the slides they have say it
>> has a budget of $20m per year.
>
> This story resurfaces every year pretty much. Must be that time again.
>
> Last year, one version of the story estimated that they've amassed 20
> trillion data records. At $20m that would be a bargain.
>
> On the other hand "Wired" seems to think the budget for the latest
> data centre was $2bn.

From k.brown at bbk.ac.uk Fri Jun 7 15:55:39 2013
From: k.brown at bbk.ac.uk (k.brown at bbk.ac.uk)
Date: Fri, 7 Jun 2013 15:55:39 +0100
Subject: PRISM && Excited Guardianista
In-Reply-To:
References: <8xnm+gQCKcsRFArU@perry.co.uk>
Message-ID:

Is it just me, or is this the sort of thing that paranoid lefty geeks like me have believed to be going on for about the last 30 years?
-- 
Ken Brown

From bdm at fenrir.org.uk Fri Jun 7 16:07:37 2013
From: bdm at fenrir.org.uk (Brian Morrison)
Date: Fri, 7 Jun 2013 16:07:37 +0100
Subject: PRISM && Excited Guardianista
In-Reply-To:
References: <8xnm+gQCKcsRFArU@perry.co.uk>
Message-ID: <20130607160737.000012c0@surtees.fenrir.org.uk>

On Fri, 7 Jun 2013 15:55:39 +0100
k.brown at bbk.ac.uk wrote:

> Is it just me or is this the sort of thing that paranoid lefty geeks
> like me have believed to be going on for about the last 30 years?

It would appear that much of the paranoia of both left and right has been based on something real rather than something imagined.

Presumably now that the cat is among the pigeons there might be a popular backlash if enough people take exception to what is being done in their name.

-- 
Brian Morrison

From lists at internetpolicyagency.com Fri Jun 7 20:30:59 2013
From: lists at internetpolicyagency.com (Roland Perry)
Date: Fri, 7 Jun 2013 20:30:59 +0100
Subject: PRISM && Excited Guardianista
In-Reply-To: <51B1F0D8.1030406@casparbowden.net>
References: <8xnm+gQCKcsRFArU@perry.co.uk> <51B1F0D8.1030406@casparbowden.net>
Message-ID:

In article <51B1F0D8.1030406 at casparbowden.net>, "Caspar Bowden (lists)" writes
>These may explain why it's not old hat (search my name since January if
>want more)
>
>http://www.out-law.com/en/articles/2013/january/eu-urged-to-scrap-use-of-personal-data-measures-for-cloud-computing-amid-us-surveillance-concerns/

People were discussing these issues more than three years ago, at conferences I was attending.
-- 
Roland Perry

From lists at internetpolicyagency.com Fri Jun 7 20:35:06 2013
From: lists at internetpolicyagency.com (Roland Perry)
Date: Fri, 7 Jun 2013 20:35:06 +0100
Subject: PRISM
In-Reply-To:
References: <7294CEB3D45449C5B9B5D7D4F0083B2B@MaryPC>
Message-ID:

In article , Martin Hepworth writes
>dont post all your thoughts willy nilly to social media I think is a
>good default

I'd have thought most people with any interest in these issues would only post to social media things they were happy for anyone/everyone to see. That's certainly been my policy on usenet and lists such as this for a decade, and on Facebook/Twitter etc ever since they became trendy (by which I mean I didn't post until they became trendy, rather than I thought what I posted before they were trendy might in any sense at all be a secret).

-- 
Roland Perry

From lists at casparbowden.net Fri Jun 7 20:58:38 2013
From: lists at casparbowden.net (Caspar Bowden (lists))
Date: Fri, 07 Jun 2013 20:58:38 +0100
Subject: PRISM && Excited Guardianista
In-Reply-To:
References: <8xnm+gQCKcsRFArU@perry.co.uk> <51B1F0D8.1030406@casparbowden.net>
Message-ID: <51B23B6E.1010308@casparbowden.net>

On 06/07/13 20:30, Roland Perry wrote:
> In article <51B1F0D8.1030406 at casparbowden.net>, "Caspar Bowden
> (lists)" writes
>> These may explain why it's not old hat (search my name since January
>> if want more)
>>
>> http://www.out-law.com/en/articles/2013/january/eu-urged-to-scrap-use-of-personal-data-measures-for-cloud-computing-amid-us-surveillance-concerns/
>
> People were discussing these issues more than three years ago, at
> conferences I was attending.

Really? FISAAA 2008 s.1881a (aka 702). Which conference(s)?
Maybe you are thinking of PATRIOT

CB

From pwt at iosis.co.uk Fri Jun 7 21:45:21 2013
From: pwt at iosis.co.uk (Peter Tomlinson)
Date: Fri, 07 Jun 2013 21:45:21 +0100
Subject: PRISM
In-Reply-To:
References: <7294CEB3D45449C5B9B5D7D4F0083B2B@MaryPC>
Message-ID: <51B24661.1070804@iosis.co.uk>

I'm even more of a [secular] iconoclast than Roland. Don't get into Twitter or Facebook at all, refuse the requests to 'Connect' on LinkedIn. But still got something nasty into my system this week; Kaspersky didn't block it but later found it and got rid of it.

However, back on topic: yes, I expect that traffic data will be collected on the mobile phone network, and that content may be monitored on the net. But I suspect that sometimes the more progressive of the watchers are happy for us to be combative (e.g. 2007 File on 4 on BBC R4 that helped kill off the ID Card project).

Peter

On 07/06/2013 20:35, Roland Perry wrote:
> In article
> ,
> Martin Hepworth writes
>
>> dont post all your thoughts willy nilly to social media I think is a
>> good default
>
> I'd have thought most people with any interest in these issues would
> only post to social media things they were happy for anyone/everyone
> to see. That's certainly been my policy on usenet and lists such as
> this for a decade, and on Facebook/Twitter etc ever since they became
> trendy (by which I mean I didn't post until they became trendy, rather
> than I thought what I posted before they were trendy might in any
> sense at all be a secret).

From pwt at iosis.co.uk Fri Jun 7 21:51:08 2013
From: pwt at iosis.co.uk (Peter Tomlinson)
Date: Fri, 07 Jun 2013 21:51:08 +0100
Subject: PRISM: Fwd: Tom Watson MP
In-Reply-To: <089e016812f81013bb04de951751@google.com>
References: <089e016812f81013bb04de951751@google.com>
Message-ID: <51B247BC.9040601@iosis.co.uk>

Tom Watson MP has spoken.
-------- Original Message --------
Subject: Tom Watson MP
Date: Fri, 07 Jun 2013 19:03:45 +0000
From: Tom Watson MP

Tom Watson MP
------------------------------------------------------------------------

Open Rights Group press release on the PRISM project

Posted: 07 Jun 2013 07:26 AM PDT

The Open Rights Group has issued a press release on the PRISM project. I shall be tabling questions as soon as I can when Parliament returns on Monday.

Digital rights campaigners Open Rights Group are extremely concerned by these unprecedented revelations of US spying on foreign citizens.

Executive Director Jim Killock said "The UK Government must tell us what they knew about PRISM. An investigation in Parliament is badly needed to find out whether the UK Government or intelligence agencies were in any way involved with any related invasion of UK citizens' privacy."

"US web companies operating in Britain must explain their role in this snooping on their clients' communications and cloud services"

There should be answers to:

1. What did the UK Government know about the PRISM programme?
2. Given the history of collaboration between the US and the UK, can they give us assurances that UK secret services have not been involved in the PRISM programme?
3. Will the UK Government be seeking clarification from the US Government about whether the data of UK citizens is being monitored by the NSA?
4. Has the UK received any intelligence based on queries made through the alleged PRISM programme?
5. Would the Government advise that UK citizens, businesses and MPs stop using services provided by American web companies such as Google, Facebook and Microsoft?
6. Can the UK Government give assurance that the commercial confidentiality of UK businesses has not been breached through the PRISM programme?
From lists at internetpolicyagency.com Sat Jun 8 09:12:53 2013
From: lists at internetpolicyagency.com (Roland Perry)
Date: Sat, 8 Jun 2013 09:12:53 +0100
Subject: PRISM && Excited Guardianista
In-Reply-To: <51B23B6E.1010308@casparbowden.net>
References: <8xnm+gQCKcsRFArU@perry.co.uk> <51B1F0D8.1030406@casparbowden.net> <51B23B6E.1010308@casparbowden.net>
Message-ID:

In article <51B23B6E.1010308 at casparbowden.net>, "Caspar Bowden (lists)" writes
>>> These may explain why it's not old hat (search my name since January
>>> if want more)
>>>
>>> http://www.out-law.com/en/articles/2013/january/eu-urged-to-scrap-use-of-personal-data-measures-for-cloud-computing-amid-us-surveillance-concerns/
>>
>> People were discussing these issues more than three years ago, at
>> conferences I was attending.
>
>Really ? FISAAA 2008 s.1881a (aka 702). Which conference(s) ?

-- 
Roland Perry

From lists at casparbowden.net Sat Jun 8 11:41:36 2013
From: lists at casparbowden.net (Caspar Bowden (lists))
Date: Sat, 08 Jun 2013 11:41:36 +0100
Subject: PRISM && Excited Guardianista
In-Reply-To:
References: <8xnm+gQCKcsRFArU@perry.co.uk> <51B1F0D8.1030406@casparbowden.net> <51B23B6E.1010308@casparbowden.net>
Message-ID: <51B30A60.8060202@casparbowden.net>

On 06/08/13 09:12, Roland Perry wrote:
> In article <51B23B6E.1010308 at casparbowden.net>, "Caspar Bowden (lists)"
> writes
>>>> These may explain why it's not old hat (search my name since January
>>>> if want more)
>>>>
>>>> http://www.out-law.com/en/articles/2013/january/eu-urged-to-scrap-use-of-personal-data-measures-for-cloud-computing-amid-us-surveillance-concerns/
>>> People were discussing these issues more than three years ago, at
>>> conferences I was attending.
>> Really ? FISAAA 2008 s.1881a (aka 702). Which conference(s) ?
> s/Reports-Presentations/2079_reps_IF10_yvespoullet1b.pdf>

Well, this CoE stuff doesn't deal with "national security" matters, doesn't mention FISA or FISAAA (or PAA) or comparable laws (to the extent there are any), and I was speaking at subsequent conferences where two of the authors learned about the gruesome details of FISAAA 1881a from me (and were rather taken aback because it manifestly broke ECHR).

Aside from that, right on topic Roland

Caspar

From zenadsl6186 at zen.co.uk Sat Jun 8 12:31:53 2013
From: zenadsl6186 at zen.co.uk (Peter Fairbrother)
Date: Sat, 08 Jun 2013 12:31:53 +0100
Subject: PRISM && Excited Guardianista
In-Reply-To:
References:
Message-ID: <51B31629.6020508@zen.co.uk>

On 07/06/13 11:56, Ian Batten wrote:
> The Graun are very excited about: http://www.guardian.co.uk/world/2013/jun/06/us-tech-giants-nsa-data
>
> The most interesting thing to me is that the slides they have say it has a budget of $20m per year.
>
> Given the likely costs of even the fairly anodyne proposals in the Data Communications Bill, either there are a few zeros missing or the content of the project is being somewhat over-interpreted.

I think there are a few zeros missing ..

I hear BritGov has gotten some data from the PRISM program - but where's the quid pro quo?

It used to be, in the bad old Echelon days, that if a UK spy bod wanted some data (often comms content, ie telephone taps) on a UK subject in the UK he would ask the Yanks to obtain it for him, and vice versa.

Is GCHQ spying on the Americans?

Also, as I read the DPA, if some EU private data is processed by being demanded by a US court because it's stored in a US cloud, then the data controller is guilty of an offence.

That's a bit uncertain and there may be those who disagree, eg there are exceptions for processing required by an enactment, but I take that to mean a UK or EU enactment, and not a US enactment.

And then there's 5.1.(a) {...this Act applies to a data controller in respect of any data only if ..
the data controller is established in the United Kingdom and the data are processed in the context of that establishment}, which I take to mean normally or occasionally so processed, and that if a specific processing is outside that context it is not excluded - but that's far from clear. Or maybe it's still within that context, as it's processed from their cloud space.

Apart from those maybes, it looks to me like it's an offence. Doesn't matter whether the controller processed it or not, or authorised the processing; it's still an offence under section 21(1) if processing as in 17.(1) happens without a relevant entry.

Of course, data controllers might just add "processing in accordance with a FISA warrant" in their DPA register entries - would that be allowed? I'm not very good on DPA.

-- 
Peter Fairbrother

From lists at internetpolicyagency.com Sat Jun 8 15:50:55 2013
From: lists at internetpolicyagency.com (Roland Perry)
Date: Sat, 8 Jun 2013 15:50:55 +0100
Subject: PRISM && Excited Guardianista
In-Reply-To: <51B30A60.8060202@casparbowden.net>
References: <8xnm+gQCKcsRFArU@perry.co.uk> <51B1F0D8.1030406@casparbowden.net> <51B23B6E.1010308@casparbowden.net> <51B30A60.8060202@casparbowden.net>
Message-ID:

In article <51B30A60.8060202 at casparbowden.net>, "Caspar Bowden (lists)" writes
>>>>> These may explain why it's not old hat (search my name since January
>>>>> if want more)
>>>>>
>>>>> http://www.out-law.com/en/articles/2013/january/eu-urged-to-scrap-use-of-personal-data-measures-for-cloud-computing-amid-us-surveillance-concerns/
>>>> People were discussing these issues more than three years ago, at
>>>> conferences I was attending.
>>> Really ? FISAAA 2008 s.1881a (aka 702). Which conference(s) ?
>> > s/Reports-Presentations/2079_reps_IF10_yvespoullet1b.pdf>
>
>Well, this CoE stuff doesn't deal with "national security" matters,
>doesn't mention FISA or FISAAA (or PAA) or comparable laws (to the
>extent there are any), and I was speaking at subsequent conferences
>where two of the authors learned about the gruesome details of FISAAA
>1881a from me (and were rather taken aback because it manifestly broke
>ECHR)
>
>Aside from that, right on topic Roland

The warning was there: don't use US-based cloud services if you want to comply with EU Data Protection Law, Caspar. Surveillance of this kind is hardly unknown, whether you want to call it PRISM, or Echelon, or something in between. And you know that; does "overlapping warrants" ring a bell??

-- 
Roland Perry

From tony.naggs at googlemail.com Sun Jun 9 17:39:04 2013
From: tony.naggs at googlemail.com (Tony Naggs)
Date: Sun, 9 Jun 2013 17:39:04 +0100
Subject: DC4420 (Defcon London) Call for Speakers / Papers
In-Reply-To:
References:
Message-ID:

Hi

I help organise the DC4420 meetings in London, and hope this may be of interest to some people here.

Contents:
1. Brief info about DC4420
2. Lightning Talks wanted for June 25th meeting
3. Call for Papers for meetings during the rest of 2013

Please note that I don't intend to regularly post about DC4420 here; we have a mailing list, Twitter account & LinkedIn group for announcements about monthly meetings.

Cheers,
Tony

~~ Brief info about DC4420

This is the London DEFCON group; some organisers & regulars are involved with organising the DEFCON event in Las Vegas every July/August.

Our interests are geeky, including computer security, cryptography, doing novel & cool stuff with gadgets, making things at hackerspaces. Nearly everything that would be appropriate at Defcon in Las Vegas.

We meet monthly in a bar in London; our current venue is downstairs at The Phoenix, Cavendish Square, nearest tube stop is Oxford Circus. Admission is free, bar rules are over 18s only.
Talks start at 19:30 but we have the room from about 18:00 to kicking out. Attendance varies, typically around 100.

The main rules are to be respectful to the venue & other attendees, and to be quiet whilst the speakers are presenting. Recruitment pitches need to be cleared first.

Meetings are on the last Tuesday of the month except December...
June - 25th
July - 30th
August - 27th
September - 24th
October - 29th
November - 26th
December - 17th

www.dc4420.org
Twitter: @dc4420
Google Calendar: http://www.google.com/calendar/embed?src=s26o14a4d60qo6ngj5kqpaekt8%40group.calendar.google.com&ctz=Europe/London

~~ Lightning Talks (up to 15 minutes) wanted for June 25th meeting

OK, you've got the whole weekend ahead of you to dig out that project you *know* you've been dying to talk about but haven't quite got the rough edges off...

This month we're doing our annual lightning talk session, and we welcome any and all 15 minute submissions. In fact, don't bother submitting them, just come along and give us what you've got!

There will be prizes! Probably hacking related, who knows? And some stickers, obviously. And maybe a hard-to-get t-shirt or two...

~~ Call for Papers for meetings during the rest of 2013

Our usual format is normally two talks: a primary 1 hour (ish) and a secondary 30 minutes (ish).

This could be a great opportunity to practice a talk you will give at a larger conference overseas, get a wider audience for reporting on your InfoSec MSc or PhD research, etc... We welcome first time speakers!

Please send proposals for talks (or other activities?)
to talks at dc4420.org

From zenadsl6186 at zen.co.uk Sun Jun 9 20:06:31 2013
From: zenadsl6186 at zen.co.uk (Peter Fairbrother)
Date: Sun, 09 Jun 2013 20:06:31 +0100
Subject: PRISM && Excited Guardianista
In-Reply-To: <51B30A60.8060202@casparbowden.net>
References: <8xnm+gQCKcsRFArU@perry.co.uk> <51B1F0D8.1030406@casparbowden.net> <51B23B6E.1010308@casparbowden.net> <51B30A60.8060202@casparbowden.net>
Message-ID: <51B4D237.4040607@zen.co.uk>

On 08/06/13 11:41, Caspar Bowden (lists) wrote:
> Well, this CoE stuff doesn't deal with "national security" matters,
> doesn't mention FISA or FISAAA (or PAA) or comparable laws (to the
> extent there are any)

There's RIPA. One section 8(4) warrant from the Foreign Secretary, and GCHQ can scoop up any and all "external" traffic (anything sent or received outside the UK).

Such a warrant could also require the networks to give them copies of all traffic entering or leaving the UK, including content; although historically they have preferred to collect it surreptitiously and largely without involving the communications providers, by tapping microwave links and cables as they enter or leave the country.

Such a warrant could include the legal power to intercept all US internal internet and telephone traffic.

So collecting it isn't a legal problem.

As to sharing the product, that's okay, see 4(1) (for the EU, needs no UK warrant) and 5(1)(c) (for everyone else - needs 8(4) warrant). GCHQ can obtain intercepted traffic from, or give intercepted traffic to, NSA, no problem.

But as for requesting it - well, there's RIPA subsection 1(4):

{ (4) Where the United Kingdom is a party to an international agreement which -
(a) relates to the provision of mutual assistance in connection with, or in the form of, the interception of communications,
(b) requires the issue of a warrant, order or equivalent instrument in cases in which assistance is given, and
(c) is designated for the purposes of this subsection by an order made by the Secretary of State,
it shall be the duty of the Secretary of State to secure that no request for assistance in accordance with the agreement is made on behalf of a person in the United Kingdom to the competent authorities of a country or territory outside the United Kingdom except with lawful authority. }

Not that it would be much of a duty anyway (eg a ss 8(4) warrant would be lawful authority). But if the SoS doesn't designate an agreement, there is no duty on him, and designating an agreement does nothing else.

I wonder, have any orders designating a UK-US agreement under ss.1(4) been made?

Nope, just an EU-wide one.

-- 
Peter Fairbrother

From pwt at iosis.co.uk Sun Jun 9 20:49:38 2013
From: pwt at iosis.co.uk (Peter Tomlinson)
Date: Sun, 09 Jun 2013 20:49:38 +0100
Subject: Fwd: New guidance issued on 'identity proofing' and verification
In-Reply-To: <51B4B20E.8030408@salendine.plus.com>
References: <51B4B20E.8030408@salendine.plus.com>
Message-ID: <51B4DC52.1050601@iosis.co.uk>

CESG has spoken on Identity Assurance for online transactions (4 levels of it). See the article from Pinsent Masons and the CESG document.

Peter

On 07/06/2013 07:44, Out-Law.com wrote:
>
> New guidance issued on 'identity proofing' and verification
>
> The Government and the UK's National Technical Authority on
> Information Assurance (CESG) have published new guidance on 'identity
> proofing' and verification.
> 06/06/2013

http://www.out-law.com/en/articles/2013/june/new-guidance-issued-on-identity-proofing-and-verification/

https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/204448/GPG_45_Identity_proofing_and_verification_of_an_individual_2.0_May-2013.pdf

From lists at casparbowden.net Sun Jun 9 21:37:22 2013
From: lists at casparbowden.net (Caspar Bowden (lists))
Date: Sun, 09 Jun 2013 21:37:22 +0100
Subject: PRISM && Excited Guardianista
In-Reply-To: <51B4D237.4040607@zen.co.uk>
References: <8xnm+gQCKcsRFArU@perry.co.uk> <51B1F0D8.1030406@casparbowden.net> <51B23B6E.1010308@casparbowden.net> <51B30A60.8060202@casparbowden.net> <51B4D237.4040607@zen.co.uk>
Message-ID: <51B4E782.3060307@casparbowden.net>

Thanks Peter, those bits of RIPA were on my to-do list to rummage

On 06/09/13 20:06, Peter Fairbrother wrote:
> ...
> it shall be the duty of the Secretary of State to secure that no
> request for assistance in accordance with the agreement is made on
> behalf of a person in the United Kingdom to the competent authorities
> of a country or territory outside the United Kingdom except with
> lawful authority.

I wonder what kinds of lawful authority there can be?

> Not that it would be much of a duty anyway (eg a ss 8(4) warrant would
> be lawful authority).

Would it? Maybe, but v. helpful if you can spell out if you can see how that fits (maybe trivial)

> but if the SoS doesn't designate an agreement,

Which bit is that?

> there is no duty on him, and designating an agreement does nothing else.
>
> I wonder, have any orders designating a UK-US agreement under ss.1(4)
> been made?

Aha. Anyone else? Where would one look for that?

>
> Nope, just an EU-wide one.

And where is that?
Sorry if these are obvious, just overloaded right now

CB

From anish.mohammed at gmail.com Sun Jun 9 21:05:53 2013
From: anish.mohammed at gmail.com (Anish Mohammed)
Date: Sun, 9 Jun 2013 21:05:53 +0100
Subject: New guidance issued on 'identity proofing' and verification
In-Reply-To: <51B4DC52.1050601@iosis.co.uk>
References: <51B4B20E.8030408@salendine.plus.com> <51B4DC52.1050601@iosis.co.uk>
Message-ID: <26CE9F5A-9823-448E-B7D5-A359435D883E@gmail.com>

This has been in the works for a while afaik

Anish Mohammed
Twitter: anishmohammed
http://uk.linkedin.com/in/anishmohammed

On 9 Jun 2013, at 20:49, Peter Tomlinson wrote:

> CESG has spoken on Identity Assurance for online transactions (4 levels of it). See the article from Pinsent Masons and the CESG document.
>
> Peter
>
> On 07/06/2013 07:44, Out-Law.com wrote:
>>
>> New guidance issued on 'identity proofing' and verification
>> The Government and the UK's National Technical Authority on Information Assurance (CESG) have published new guidance on 'identity proofing' and verification.
>> 06/06/2013
> http://www.out-law.com/en/articles/2013/june/new-guidance-issued-on-identity-proofing-and-verification/
>
> https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/204448/GPG_45_Identity_proofing_and_verification_of_an_individual_2.0_May-2013.pdf

From tonynaggs at gmail.com Mon Jun 10 14:44:50 2013
From: tonynaggs at gmail.com (Tony Naggs)
Date: Mon, 10 Jun 2013 14:44:50 +0100
Subject: PRISM
In-Reply-To: <7294CEB3D45449C5B9B5D7D4F0083B2B@MaryPC>
References: <7294CEB3D45449C5B9B5D7D4F0083B2B@MaryPC>
Message-ID:

On 7 June 2013 13:38, Mary Hawking wrote:
> From the Washington Post
> http://www.washingtonpost.com/wp-srv/special/politics/prism-collection-documents/
> link from
> http://tinyurl.com/mm3ttqt
> Should I stop using social media and think twice about Dropbox?
It depends what you are using them for. Social networks will preserve a map of your contacts & connections and are probably trawled by the CIA/NSA.

Dropbox have keys to decrypt your files, though they probably don't do this in bulk - like phone call content it is only interesting to security services or law enforcement after you appear on their radar. You could encrypt files before storing them on Dropbox.

Cheers,
Tony

From pwt at iosis.co.uk Mon Jun 10 16:09:02 2013
From: pwt at iosis.co.uk (Peter Tomlinson)
Date: Mon, 10 Jun 2013 16:09:02 +0100
Subject: Not quite off topic...
Message-ID: <51B5EC0E.3060904@iosis.co.uk>

Circulated by BCS on behalf of IAAC:

The Department of Culture, Media and Sport (DCMS) is proposing some changes to classifications of official statistics which could be of significant detriment to the Tech Sector and wider economic growth.

They are proposing re-classifying 39% of IT & Telecoms occupations and 57% of the IT & Telecoms industry as 'creative' alongside the following six creative industry sectors: advertising and marketing; architecture; design; film & TV; publishing; music and the arts.

There is concern that this fragmentation would mean that with regard to official statistics and government policy, IT & Telecoms would not be recognised as a coherent sector of strategic importance in its own right. There is also concern in some quarters that it also fails to recognise that all sectors of the economy, including engineering, financial services, retail, health, have a strong and increasing dependency on IT specialists.

A background paper is attached [was attached but I have stripped it off - see [1] below] which provides more detail and provides a direct route for response to the consultation (there are only three questions). The consultation is open until 14th June 2013 and can be found at: https://www.gov.uk/government/consultations/classifying-and-measuring-the-creative-industries-consultation-on-proposed-changes.
[1] You can obtain it from "Taylor, Judith"

Peter

From zenadsl6186 at zen.co.uk Tue Jun 11 15:41:46 2013
From: zenadsl6186 at zen.co.uk (Peter Fairbrother)
Date: Tue, 11 Jun 2013 15:41:46 +0100
Subject: PRISM && Excited Guardianista
In-Reply-To: <51B4E782.3060307@casparbowden.net>
References: <8xnm+gQCKcsRFArU@perry.co.uk> <51B1F0D8.1030406@casparbowden.net> <51B23B6E.1010308@casparbowden.net> <51B30A60.8060202@casparbowden.net> <51B4D237.4040607@zen.co.uk> <51B4E782.3060307@casparbowden.net>
Message-ID: <51B7372A.8060106@zen.co.uk>

Hi Caspar, how's self-employment?

Sorry for the delay in replying, everything seems to have broken at once and I'm just catching up fixing it.

First a bit of context: requesting that a specific interception be carried out is RIPA ss.1(1) interception when the request is made in the UK, no matter where the rest of the interception takes place, see ss.2(4). Whether receiving unrequested interception product is RIPA ss.1(1) interception is unclear. Requesting/receiving traffic or comms data isn't interception.

The following relates to whether a request for interception is legal.

If the UK want to ask the US to make an interception or to request intercepted content they can, under 5(1)(b).

{" (b) the making, in accordance with an international mutual assistance agreement, of a request for the provision of such assistance in connection with, or in the form of, an interception of communications as may be so described; "}

It would require a warrant, which could be a "blanket" s.8(4) certificated warrant if sender or recipient is outside the UK; and it can be a "senior official" who signs it, doesn't need to be under the hand of the SoS. SoS has to sign the certificate, but the certificate can be used for many warrants.

If the UK want to give intercepted content to the US they can, under 5(1)(c).
{" (c) the provision, in accordance with an international mutual assistance agreement, to the competent authorities of a country or territory outside the United Kingdom of any such assistance in connection with, or in the form of, an interception of communications as may be so described; "}

Again it needs a warrant, can be 8(4) if sender or recipient is outside the UK.

There is also a different system, ss.4(1) used for intra-EU assistance. As the subject has to be outside the UK I assume ss.4(1) is mostly about requesting data from other countries, and it couldn't normally be used for eg requesting data on UK citizens in the UK:

{" (1) Conduct by any person ("the interceptor") consisting in the interception of a communication in the course of its transmission by means of a telecommunication system is authorised by this section if -

(a) the interception is carried out for the purpose of obtaining information about the communications of a person who, or who the interceptor has reasonable grounds for believing, is in a country or territory outside the United Kingdom;

(b) the interception relates to the use of a telecommunications service provided to persons in that country [...]

(c) the person who provides that service [...] is required by the law of that country or territory to carry out, secure or facilitate the interception in question;

(d) the situation is one in relation to which such further conditions as may be prescribed by regulations made by the Secretary of State are required to be satisfied before conduct may be treated as authorised by virtue of this subsection; [...] "}

Further conditions, as in paragraph (d), are in:

The Regulation of Investigatory Powers (Conditions for the Lawful Interception of Persons outside the United Kingdom) Regulations 2004:

{" 3 For the purposes of section 4(1)(d) of the Regulation of Investigatory Powers Act 2000, the following conditions are prescribed -
(a) the interception is carried out for the purposes of a criminal investigation;

(b) the criminal investigation is being carried out in a country or territory that is party to an international agreement designated for the purposes of section 1(4) of that Act. "}

So ss.4(1) could not be used for requesting US interception product, as no UK-US agreement has been designated for the purposes of ss.1(4), see below. Also, a warrant, order or equivalent instrument has to be required under the treaty.

If an EU country asks the UK for a domestic UK interception, I think the SoS has to issue a UK warrant.

And then there's ss.1(4), which is a bit unusual. It's not really in a sensible place in RIPA, comes from nowhere and goes nowhere. I think it has something to do with the EU agreement:

The Convention on Mutual Assistance in Criminal Matters between the Member States of the European Union established by Council Act of 29th May 2000 (2000/C197/01)

as mentioned in

The Regulation of Investigatory Powers (Designation of an International Agreement) Order 2004.

Well it definitely does have something to do with that Agreement, as that's the only Agreement which has been designated under ss.1(4), and ss.1(4) (but not ss.4(1)) only applies to agreements which have been so designated.

All ss.1(4) does is place a duty on the SoS to ensure that requests made to foreign countries are properly made.

On 09/06/13 21:37, Caspar Bowden (lists) wrote:
> Thanks Peter, those bits of RIPA were on my to do list to rummage
>
> On 06/09/13 20:06, Peter Fairbrother wrote:
>> ...
>> it shall be the duty of the Secretary of State to secure that no request for assistance in accordance with the agreement is made on behalf of a person in the United Kingdom to the competent authorities of a country or territory outside the United Kingdom except with lawful authority.
>
> I wonder what kinds of lawful authority there can be ?
That's in the next subsection, ss.1(5), and is the same as for interception in general.

>> Not that it would be much of a duty anyway (eg a ss 8(4) warrant would be lawful authority).
>
> Would it ? Maybe, but v. helpful if you can spell out if you can see how that fits (maybe trivial)

Yes, as above: it falls under ss.1(5)

(5) Conduct has lawful authority for the purposes of this section if, and only if - [...]

(b) it takes place in accordance with a warrant under section 5 ("an interception warrant"); or

>> but if the SoS doesn't designate an agreement,
>
> Which bit is that?

ss.1(4)(c):

{" (c) is designated for the purposes of this subsection by an order made by the Secretary of State, "}

>> there is no duty on him, and designating an agreement does nothing else.
>>
>> I wonder, have any orders designating a UK-US agreement under ss.1(4) been made?
>
> Aha. Anyone else? where would one look for that ?
>>
>> Nope, just an EU-wide one.
>
> And where is that ?

see above

> Sorry if these obvious just overloaded right now

no prob

-- Peter Fairbrother

From lists at casparbowden.net Tue Jun 11 21:14:16 2013
From: lists at casparbowden.net (Caspar Bowden (lists))
Date: Tue, 11 Jun 2013 21:14:16 +0100
Subject: PRISM && Excited Guardianista
In-Reply-To: <51B7372A.8060106@zen.co.uk>
References: <8xnm+gQCKcsRFArU@perry.co.uk> <51B1F0D8.1030406@casparbowden.net> <51B23B6E.1010308@casparbowden.net> <51B30A60.8060202@casparbowden.net> <51B4D237.4040607@zen.co.uk> <51B4E782.3060307@casparbowden.net> <51B7372A.8060106@zen.co.uk>
Message-ID: <51B78518.5000302@casparbowden.net>

Very helpful. Thanks Peter

CB

On 06/11/13 15:41, Peter Fairbrother wrote:
> Hi Caspar, how's self-employment?
>
> Sorry for the delay in replying, everything seems to have broken at once and I'm just catching up fixing it.
>
> First a bit of context: requesting that a specific interception be carried out is RIPA ss.1(1) interception when the request is made in the UK, no matter where the rest of the interception takes place, see ss.2(4).
>
> Whether receiving unrequested interception product is RIPA ss.1(1) interception is unclear. Requesting/receiving traffic or comms data isn't interception.
>
> The following relates to whether a request for interception is legal.
>
> If the UK want to ask the US to make an interception or to request intercepted content they can, under 5(1)(b).
>
> {" (b) the making, in accordance with an international mutual assistance agreement, of a request for the provision of such assistance in connection with, or in the form of, an interception of communications as may be so described; "}
>
> It would require a warrant, which could be a "blanket" s.8(4) certificated warrant if sender or recipient is outside the UK; and it can be a "senior official" who signs it, doesn't need to be under the hand of the SoS. SoS has to sign the certificate, but the certificate can be used for many warrants.
>
> If the UK want to give intercepted content to the US they can, under 5(1)(c).
>
> {" (c) the provision, in accordance with an international mutual assistance agreement, to the competent authorities of a country or territory outside the United Kingdom of any such assistance in connection with, or in the form of, an interception of communications as may be so described; "}
>
> Again it needs a warrant, can be 8(4) if sender or recipient is outside the UK.
>
> There is also a different system, ss.4(1) used for intra-EU assistance. As the subject has to be outside the UK I assume ss.4(1) is mostly about requesting data from other countries, and it couldn't normally be used for eg requesting data on UK citizens in the UK:
>
> {" (1) Conduct by any person ("the interceptor")
> consisting in the interception of a communication in the course of its transmission by means of a telecommunication system is authorised by this section if -
>
> (a) the interception is carried out for the purpose of obtaining information about the communications of a person who, or who the interceptor has reasonable grounds for believing, is in a country or territory outside the United Kingdom;
>
> (b) the interception relates to the use of a telecommunications service provided to persons in that country [...]
>
> (c) the person who provides that service [...] is required by the law of that country or territory to carry out, secure or facilitate the interception in question;
>
> (d) the situation is one in relation to which such further conditions as may be prescribed by regulations made by the Secretary of State are required to be satisfied before conduct may be treated as authorised by virtue of this subsection; [...] "}
>
> Further conditions, as in paragraph (d), are in:
>
> The Regulation of Investigatory Powers (Conditions for the Lawful Interception of Persons outside the United Kingdom) Regulations 2004:
>
> {" 3 For the purposes of section 4(1)(d) of the Regulation of Investigatory Powers Act 2000, the following conditions are prescribed -
>
> (a) the interception is carried out for the purposes of a criminal investigation;
>
> (b) the criminal investigation is being carried out in a country or territory that is party to an international agreement designated for the purposes of section 1(4) of that Act. "}
>
> So ss.4(1) could not be used for requesting US interception product, as no UK-US agreement has been designated for the purposes of ss.1(4), see below. Also, a warrant, order or equivalent instrument has to be required under the treaty.
>
> If an EU country asks the UK for a domestic UK interception, I think the SoS has to issue a UK warrant.
>
> And then there's ss.1(4), which is a bit unusual.
> It's not really in a sensible place in RIPA, comes from nowhere and goes nowhere. I think it has something to do with the EU agreement:
>
> The Convention on Mutual Assistance in Criminal Matters between the Member States of the European Union established by Council Act of 29th May 2000 (2000/C197/01)
>
> as mentioned in
>
> The Regulation of Investigatory Powers (Designation of an International Agreement) Order 2004.
>
> Well it definitely does have something to do with that Agreement, as that's the only Agreement which has been designated under ss.1(4), and ss.1(4) (but not ss.4(1)) only applies to agreements which have been so designated.
>
> All ss.1(4) does is place a duty on the SoS to ensure that requests made to foreign countries are properly made.
>
> On 09/06/13 21:37, Caspar Bowden (lists) wrote:
>> Thanks Peter, those bits of RIPA were on my to do list to rummage
>>
>> On 06/09/13 20:06, Peter Fairbrother wrote:
>>> ...
>>> it shall be the duty of the Secretary of State to secure that no request for assistance in accordance with the agreement is made on behalf of a person in the United Kingdom to the competent authorities of a country or territory outside the United Kingdom except with lawful authority.
>>
>> I wonder what kinds of lawful authority there can be ?
>
> That's in the next subsection, ss.1(5), and is the same as for interception in general.
>
>>> Not that it would be much of a duty anyway (eg a ss 8(4) warrant would be lawful authority).
>>
>> Would it ? Maybe, but v. helpful if you can spell out if you can see how that fits (maybe trivial)
>
> Yes, as above: it falls under ss.1(5)
>
> (5) Conduct has lawful authority for the purposes of this section if, and only if - [...]
>
> (b) it takes place in accordance with a warrant under section 5 ("an interception warrant"); or
>
>>> but if the SoS doesn't designate an agreement,
>>
>> Which bit is that?
>
> ss.1(4)(c):
>
> {" (c) is designated for the purposes of this subsection by an order made by the Secretary of State, "}
>
>>> there is no duty on him, and designating an agreement does nothing else.
>>>
>>> I wonder, have any orders designating a UK-US agreement under ss.1(4) been made?
>>
>> Aha. Anyone else? where would one look for that ?
>>>
>>> Nope, just an EU-wide one.
>>
>> And where is that ?
>
> see above
>
>> Sorry if these obvious just overloaded right now
>
> no prob
>
> -- Peter Fairbrother

From james2 at jfirth.net Wed Jun 12 11:17:47 2013
From: james2 at jfirth.net (James Firth)
Date: Wed, 12 Jun 2013 11:17:47 +0100
Subject: PRISM && Excited Guardianista
In-Reply-To: <51B7372A.8060106@zen.co.uk>
References: <8xnm+gQCKcsRFArU@perry.co.uk> <51B1F0D8.1030406@casparbowden.net> <51B23B6E.1010308@casparbowden.net> <51B30A60.8060202@casparbowden.net> <51B4D237.4040607@zen.co.uk> <51B4E782.3060307@casparbowden.net> <51B7372A.8060106@zen.co.uk>
Message-ID: <004401ce6756$1a3ac2b0$4eb04810$@net>

Bending the discussion a bit to crypto, I've seen questions on my Twitter stream about Kasper's talk at OrgCon this weekend. Slides:
http://www.openrightsgroup.org/assets/files/pdfs/presentations/How_to_wiretap_the_Cloud_without_anybody_noticing_ORGcon_8.6.2013.pdf

Specifically on slide 16, NSA capability to collect all cross-border traffic.

And slide 17 "(FISA §1881a) reaches inside the SSL!"

I suspect Kasper may have been referring to PRISM collection *bypassing* SSL, however does anyone have a feeling on whether FISA could be used to compel a CSP to hand-over private SSL keys to be able to decrypt this cross-border traffic?

Also I remember late in 2011 Google started using forward secrecy:
http://googleonlinesecurity.blogspot.co.uk/2011/11/protecting-data-for-long-term-with.html

FS would, in theory at least, make knowledge of the private key somewhat moot.

Or would it?
Knowledge of the system architecture, being able to watch the secondary key exchange, and the possibility - likelihood - of the NSA having custom kit (D-wave quantum computer, anyone?) opens the possibility that sessions can be decoded with workable overhead.

James Firth

From zenadsl6186 at zen.co.uk Wed Jun 12 16:56:34 2013
From: zenadsl6186 at zen.co.uk (Peter Fairbrother)
Date: Wed, 12 Jun 2013 16:56:34 +0100
Subject: PRISM && Excited Guardianista
In-Reply-To: <004401ce6756$1a3ac2b0$4eb04810$@net>
References: <8xnm+gQCKcsRFArU@perry.co.uk> <51B1F0D8.1030406@casparbowden.net> <51B23B6E.1010308@casparbowden.net> <51B30A60.8060202@casparbowden.net> <51B4D237.4040607@zen.co.uk> <51B4E782.3060307@casparbowden.net> <51B7372A.8060106@zen.co.uk> <004401ce6756$1a3ac2b0$4eb04810$@net>
Message-ID: <51B89A32.50205@zen.co.uk>

On 12/06/13 11:17, James Firth wrote:
> Bending the discussion a bit to crypto, I've seen questions on my Twitter stream about Kasper's talk at OrgCon this weekend. Slides:
> http://www.openrightsgroup.org/assets/files/pdfs/presentations/How_to_wiretap_the_Cloud_without_anybody_noticing_ORGcon_8.6.2013.pdf
>
> Specifically on slide 16, NSA capability to collect all cross-border traffic.

I don't know for sure that GCHQ can do the same, but it would be lawful if a warrant to do it has been issued by the Foreign Secretary - and as historically, GCHQ are known to have tapped all telephone traffic entering or leaving the UK, so I imagine nowadays they actually do intercept almost all internet traffic entering or leaving the UK.

Quite how much of it they look at is another question, but I imagine they can look at anything they please.

There are a couple of hints about that in RIPA, especially section 16.

> And slide 17 "(FISA §1881a) reaches inside the SSL!"

I think Caspar is saying that US law can require ISPs, websites like Google, Facebook etc, the Banks, Cloud providers, and anyone else, to assist in decrypting SSL traffic. Which it can.
In other words, the websites, banks and clouds could be required to give out plaintext anyway, so the use of SSL wouldn't achieve much.

> I suspect Kasper may have been referring to PRISM collection *bypassing* SSL, however does anyone have a feeling on whether FISA could be used to compel a CSP to hand-over private SSL keys to be able to decrypt this cross-border traffic?

It could. However the Websites, Banks and Clouds would raise a stink about giving up their master SSL certificate keys, as they are also used to identify the websites, banks and clouds to USPersons.

Instead they might prefer to give up SSL session keys, and/or forward secrecy data. They might use a different certificate for nonUSPerson traffic, and give NSA that private key.

> Also I remember late in 2011 Google started using forward secrecy:
> http://googleonlinesecurity.blogspot.co.uk/2011/11/protecting-data-for-long-term-with.html
>
> FS would, in theory at least, make knowledge of the private key somewhat moot.
>
> Or would it?

It should to some extent, if Google create the FS secrets randomly, don't give them out, and destroy them as soon as they have been used.

However as an example, Google could/would in any case keep a note of the time and sender's IP and what they searched for anyway, plus which links were clicked, which data could be demanded - so in reality FS doesn't do all that much.

> Knowledge of the system architecture, being able to watch the secondary key exchange, and the possibility - likelihood - of the NSA having custom kit (D-wave quantum computer, anyone?) opens the possibility that sessions can be decoded with workable overhead.

I think it possible that NSA have the capability to break 1kbit RSA, if only at a rate of a few keys per week - but after a few weeks they would have keys to about 99% of the web's non-FS SSL traffic.
If they can do that then most likely they can also break FS 1kbit DH, again at a few primes per week, but as SSL only uses a few primes.

A D-Wave machine wouldn't help though, it's the wrong kind of Quantum Computer (if it is a QC - it seems to be, but I'm not entirely sure) and doesn't seem to give much if any speedup over classical computers anyway.

-- Peter Fairbrother

From james2 at jfirth.net Wed Jun 12 17:20:45 2013
From: james2 at jfirth.net (James Firth)
Date: Wed, 12 Jun 2013 17:20:45 +0100
Subject: PRISM && Excited Guardianista
In-Reply-To: <51B89A32.50205@zen.co.uk>
References: <8xnm+gQCKcsRFArU@perry.co.uk> <51B1F0D8.1030406@casparbowden.net> <51B23B6E.1010308@casparbowden.net> <51B30A60.8060202@casparbowden.net> <51B4D237.4040607@zen.co.uk> <51B4E782.3060307@casparbowden.net> <51B7372A.8060106@zen.co.uk> <004401ce6756$1a3ac2b0$4eb04810$@net> <51B89A32.50205@zen.co.uk>
Message-ID: <00b701ce6788$cb21db90$616592b0$@net>

Peter Fairbrother wrote:
> A D-Wave machine wouldn't help though, it's the wrong kind of Quantum Computer (if it is a QC - it seems to be, but I'm not entirely sure) and doesn't seem to give much if any speedup over classical computers anyway.

I was using a commercial example that we know about as an indicator as to what we might not know about.

But, from a very naive perspective at least, surely what some seem to now refer to as an "adiabatic QC", as distinct from a quantum implementation of gated logic, is actually a better starting point for cryptanalysis, assuming it is possible to map the mathematical boundary conditions of an algorithm into something the D-wave can "anneal".
Nature ran a reasonable blog on speed comparisons and limitations of D-Wave:
http://blogs.nature.com/news/2013/05/quantum-computer-passes-speed-test.html

James Firth

From zenadsl6186 at zen.co.uk Wed Jun 12 18:19:49 2013
From: zenadsl6186 at zen.co.uk (Peter Fairbrother)
Date: Wed, 12 Jun 2013 18:19:49 +0100
Subject: PRISM && Excited Guardianista
In-Reply-To: <00b701ce6788$cb21db90$616592b0$@net>
References: <8xnm+gQCKcsRFArU@perry.co.uk> <51B1F0D8.1030406@casparbowden.net> <51B23B6E.1010308@casparbowden.net> <51B30A60.8060202@casparbowden.net> <51B4D237.4040607@zen.co.uk> <51B4E782.3060307@casparbowden.net> <51B7372A.8060106@zen.co.uk> <004401ce6756$1a3ac2b0$4eb04810$@net> <51B89A32.50205@zen.co.uk> <00b701ce6788$cb21db90$616592b0$@net>
Message-ID: <51B8ADB5.1030903@zen.co.uk>

On 12/06/13 17:20, James Firth wrote:
> Peter Fairbrother wrote:
>> A D-Wave machine wouldn't help though, it's the wrong kind of Quantum Computer (if it is a QC - it seems to be, but I'm not entirely sure) and doesn't seem to give much if any speedup over classical computers anyway.
>
> I was using a commercial example that we know about as an indicator as to what we might not know about.
>
> But, from a very naive perspective at least, surely what some seem to now refer to as an "adiabatic QC", as distinct from a quantum implementation of gated logic, is actually a better starting point for cryptanalysis, assuming it is possible to map the mathematical boundary conditions of an algorithm into something the D-wave can "anneal".

The problem as I see it is the lack of local minima - there is only one minimum, the correct solution, and the value of the rest of the search space is constant (with random fluctuations). The trial key X-1 has no lower value than the key X-2, or X+1, where X is the correct key.
So the state would have to go pretty much immediately from the beginning random state to the final solution state, and no intermediate annealing action would be possible (or useful). If it worked it would solve the problem in essentially zero time - but I don't think the D-Wave, or any other machine, could do that.

At least that's my opinion, but I claim no great expertise here.

-- Peter Fairbrother

> Nature ran a reasonable blog on speed comparisons and limitations of D-Wave:
> http://blogs.nature.com/news/2013/05/quantum-computer-passes-speed-test.html
>
> James Firth

From k.brown at bbk.ac.uk Thu Jun 13 17:27:25 2013
From: k.brown at bbk.ac.uk (k.brown at bbk.ac.uk)
Date: Thu, 13 Jun 2013 17:27:25 +0100
Subject: Fwd: New guidance issued on 'identity proofing' and verification
In-Reply-To: <26CE9F5A-9823-448E-B7D5-A359435D883E@gmail.com>
References: <51B4B20E.8030408@salendine.plus.com> <51B4DC52.1050601@iosis.co.uk> <26CE9F5A-9823-448E-B7D5-A359435D883E@gmail.com>
Message-ID:

It's a combination of the 60-year attempt by government departments to invent a real-world problem for civilians for which compulsory identity cards would be a plausible solution, and the current government's campaign to rebrand the unemployed as worthless criminals.

From tonynaggs at gmail.com Fri Jun 21 16:50:48 2013
From: tonynaggs at gmail.com (Tony Naggs)
Date: Fri, 21 Jun 2013 16:50:48 +0100
Subject: DC4420 - London DEFCON - June meet - Lightning Talks!!! - Tuesday 25th June 2013
Message-ID:

I know I promised not to deluge UK Crypto with stuff about DC4420, but people have asked me if they need an invitation to come along ...

We welcome everyone interested in InfoSec, breaking, making, or hacking on software & hardware. (Though the bar has an over 18s rule.) These events work by people being respectful of each other, comfortable and relaxed. Come along and maybe make some new friends!

***

If you have prepared a Lightning Talk already, thanks we are looking forward to seeing you!
Otherwise, you've got one last weekend ahead of you to dig out that project you *know* you've been dying to talk about but haven't quite got the rough edges off...

This month we're doing our annual lightning talk session, and we welcome any and all 15 minute submissions. (Can be shorter if you prefer.) In fact, don't bother submitting them, just come along and give us what you've got!

There will be prizes! Probably hacking related, who knows? And some stickers, obviously. And maybe a hard-to-get t-shirt or two...

If you want to display slides from your MacBook or Netbook please note that the projector only has a VGA connection.

***

Venue: The Phoenix, Cavendish Square
http://www.phoenixcavendishsquare.co.uk/

Date: Tuesday 25th June, 2013

Time: 17:30 till kicking out - talk starts at 19:30

Entry is free, see you there!

http://dc4420.org

I trust you all to bring a variety of talks!

Cheers,
Tony

From igb at batten.eu.org Fri Jun 28 12:22:12 2013
From: igb at batten.eu.org (Ian Batten)
Date: Fri, 28 Jun 2013 12:22:12 +0100
Subject: Doormat argument about Voicemail dismissed by Court of Appeal
Message-ID: <1C103425-09F3-47C4-9711-B685D998A634@batten.eu.org>

http://www.guardian.co.uk/uk/2013/jun/28/rebekah-brooks-andy-coulson-phone-hacking

> They argued that the words used in RIPA "do not extend to cover voicemail messages once they have been accessed by the intended recipient".
>
> In their judgment, the three judges ruled: "Contrary to the legal submission on behalf of the appellants, the resulting situation is not lacking in legal certainty".

That pretty much puts that argument to bed, I would have thought, and presumably with it the various discussions about at which point in the chain of delivery an email message may or may not be intercepted.
ian

From jon+ukcrypto at unequivocal.co.uk Sun Jun 30 14:48:03 2013
From: jon+ukcrypto at unequivocal.co.uk (Jon Ribbens)
Date: Sun, 30 Jun 2013 14:48:03 +0100
Subject: Doormat argument about Voicemail dismissed by Court of Appeal
In-Reply-To: <1C103425-09F3-47C4-9711-B685D998A634@batten.eu.org>
References: <1C103425-09F3-47C4-9711-B685D998A634@batten.eu.org>
Message-ID: <20130630134803.GK15311@snowy.squish.net>

On Fri, Jun 28, 2013 at 12:22:12PM +0100, Ian Batten wrote:
> http://www.guardian.co.uk/uk/2013/jun/28/rebekah-brooks-andy-coulson-phone-hacking
> > They argued that the words used in RIPA "do not extend to cover voicemail messages once they have been accessed by the intended recipient".
> >
> > In their judgment, the three judges ruled: "Contrary to the legal submission on behalf of the appellants, the resulting situation is not lacking in legal certainty".

The Guardian's reporting is rather misleading there. That quote from the judgement is not related to the "doormat" argument quoted in the previous paragraph.

> That pretty much puts that argument to bed, I would have thought, and presumably with it the various discussions about at which point in the chain of delivery an email message may or may not be intercepted.

That depends - what do you think it says about email interception?
;-)

From mozolevsky at gmail.com Sun Jun 30 14:59:04 2013
From: mozolevsky at gmail.com (Igor Mozolevsky)
Date: Sun, 30 Jun 2013 14:59:04 +0100
Subject: Doormat argument about Voicemail dismissed by Court of Appeal
In-Reply-To: <20130630134803.GK15311@snowy.squish.net>
References: <1C103425-09F3-47C4-9711-B685D998A634@batten.eu.org> <20130630134803.GK15311@snowy.squish.net>
Message-ID:

On 30 June 2013 14:48, Jon Ribbens wrote:
> On Fri, Jun 28, 2013 at 12:22:12PM +0100, Ian Batten wrote:
>> http://www.guardian.co.uk/uk/2013/jun/28/rebekah-brooks-andy-coulson-phone-hacking
>> > They argued that the words used in RIPA "do not extend to cover voicemail messages once they have been accessed by the intended recipient".
>> >
>> > In their judgment, the three judges ruled: "Contrary to the legal submission on behalf of the appellants, the resulting situation is not lacking in legal certainty".
>
> The Guardian's reporting is rather misleading there. That quote from the judgement is not related to the "doormat" argument quoted in the previous paragraph.

The full judgment is on Bailii btw:
http://www.bailii.org/ew/cases/EWCA/Crim/2013/1026.html

-- Igor M.

From zenadsl6186 at zen.co.uk Sun Jun 30 17:28:42 2013
From: zenadsl6186 at zen.co.uk (Peter Fairbrother)
Date: Sun, 30 Jun 2013 17:28:42 +0100
Subject: Doormat argument about Voicemail dismissed by Court of Appeal
In-Reply-To:
References: <1C103425-09F3-47C4-9711-B685D998A634@batten.eu.org> <20130630134803.GK15311@snowy.squish.net>
Message-ID: <51D05CBA.1080001@zen.co.uk>

On 30/06/13 14:59, Igor Mozolevsky wrote:
> On 30 June 2013 14:48, Jon Ribbens wrote:
>> On Fri, Jun 28, 2013 at 12:22:12PM +0100, Ian Batten wrote:
>>> http://www.guardian.co.uk/uk/2013/jun/28/rebekah-brooks-andy-coulson-phone-hacking
>>>> They argued that the words used in RIPA "do not extend to cover voicemail messages once they have been accessed by the intended recipient".
>>>>
>>>> In their judgment, the three judges ruled: "Contrary to the legal submission on behalf of the appellants, the resulting situation is not lacking in legal certainty".
>>
>> The Guardian's reporting is rather misleading there. That quote from the judgement is not related to the "doormat" argument quoted in the previous paragraph.

Maybe it is, at least somewhat, if you accept (my) interpretation of "doormat" as being something outside the system used to transmit the communication - the copy of the communication on the doormat is no longer in the system, as it's in a place outside the system used to transmit the communication.

Of course a doormat may be inside the system - eg in a block of flats, where the table the mail for all the flats is placed on, or the concierge, is part of a private system attached to the public system (and thus part of the overall system).

And my doormat is outside my door, not inside - but never mind :)

> The full judgment is on Bailii btw:
> http://www.bailii.org/ew/cases/EWCA/Crim/2013/1026.html

Thanks for the reference.

Couple of points arising - first,

" 11: The Crown does not maintain that the course of transmission necessarily includes all periods during which the transmission system stores the communication. "

I sort-of think it does, or at least the circumstances in which the communication should be protected against "listening, tapping, storage or other kinds of interception or surveillance" include all times when the system stores the communication - but as that issue wasn't addressed, and practical instances where it might matter are few and far between, I'll just point that out.

Second, Article 5(1) of the 2002 EU directive:

" Member States shall ensure the confidentiality of communications and the related traffic data by means of a public communications network and publicly available electronic communications services, through national legislation.
In particular, they shall prohibit listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other than users, without the consent of the users concerned, except when legally authorised to do so in accordance with Article 15(1). "

Is there some UK law which prevents "listening, tapping, storage or other kinds of interception or surveillance of [..] the related traffic data" ?

RIPA part 1 says doing things to or with traffic data isn't interception - does that comply with the directive? - and part 2 says that there are lawful ways for Plod etc to access that data - but is there a general proscription against Jimmy Gumshoe getting hold of traffic data? Where? DPA (ahem)?

To get back to email, it's now entirely clear that if it is on your ISP's servers and available to you, it is "in transmission" whether you have downloaded it or not. We always thought so, but it's clear now.

I personally think an email is also "in transmission" if it is stored there and not available to you - and it should be subject to Article 5(1) of the 2002 Directive - but that's a matter I won't go into.

BTW, some ISPs delete email when downloaded, some keep it available for a set period unless manually deleted - the Court didn't seem to know that.

The question then arises, where does the system end? Is your computer/blackberry/email program part of the system?

As you couldn't receive the communication without them, I think they have to be part of the public communications system when the communication is being received. But do they remain part of the system at other times? When?

I think they always do, but afaict the judgement doesn't go anywhere near that issue.
-- Peter Fairbrother

From zenadsl6186 at zen.co.uk Sun Jun 30 17:52:17 2013
From: zenadsl6186 at zen.co.uk (Peter Fairbrother)
Date: Sun, 30 Jun 2013 17:52:17 +0100
Subject: PRISM && Excited Guardianista
In-Reply-To: <51B89A32.50205@zen.co.uk>
References: <8xnm+gQCKcsRFArU@perry.co.uk> <51B1F0D8.1030406@casparbowden.net> <51B23B6E.1010308@casparbowden.net> <51B30A60.8060202@casparbowden.net> <51B4D237.4040607@zen.co.uk> <51B4E782.3060307@casparbowden.net> <51B7372A.8060106@zen.co.uk> <004401ce6756$1a3ac2b0$4eb04810$@net> <51B89A32.50205@zen.co.uk>
Message-ID: <51D06241.3030806@zen.co.uk>

On 12/06/13 16:56, Peter Fairbrother wrote:
> On 12/06/13 11:17, James Firth wrote:
>> Bending the discussion a bit to crypto, I've seen questions on my Twitter stream about Kasper's talk at OrgCon this weekend. Slides:
>> http://www.openrightsgroup.org/assets/files/pdfs/presentations/How_to_wiretap_the_Cloud_without_anybody_noticing_ORGcon_8.6.2013.pdf
>>
>> Specifically on slide 16, NSA capability to collect all cross-border traffic.
>
> I don't know for sure that GCHQ can do the same, but it would be lawful if a warrant to do it has been issued by the Foreign Secretary - and as historically, GCHQ are known to have tapped all telephone traffic entering or leaving the UK, so I imagine nowadays they actually do intercept almost all internet traffic entering or leaving the UK.
>
> Quite how much of it they look at is another question, but I imagine they can look at anything they please.
>
> There are a couple of hints about that in RIPA, especially section 16.

Hah! told you so. (couldn't resist, sorry :)

http://www.guardian.co.uk/uk/2013/jun/21/gchq-cables-secret-world-communications-nsa

To the point:

Quote: " The source with knowledge of intelligence said on Friday the companies were obliged to co-operate in this operation. They are forbidden from revealing the existence of warrants compelling them to allow GCHQ access to the cables.
"There's an overarching condition of the licensing of the companies that they have to co-operate in this. Should they decline, we can compel them to do so. They have no choice." "

Well they can be compelled by RIPA, but I don't know about any "overarching condition of the licensing" which would compel them. Anyone?

So, it seems GCHQ tap the cables as they leave the country, presumably with a "black box" type of tap arrangement.

That could be done, and compelled, under RIPA, as in the first instance all the communications on the cable are intended for recipients outside the UK, so a certificated warrant could demand "all the traffic on this cable".

The situation is different though for domestic cables and trunks. There is no way a certificated warrant could say "give me all the traffic on this link", so if an ISP granted black-box access to GCHQ on such a link it would be an offence under s.1(1) of RIPA.

[It would be modifying the system as to make some or all of the contents of the communication available, while being transmitted, to a person other than the sender or intended recipient of the communication, s.2(2).

While it is perfectly proper to give GCHQ access to comms for which it has presented a warrant, it's illegal to modify the system in order to give them access to comms for which they don't have a warrant - and adding a black-box does exactly that.

With the black box they can access comms for which they don't have a warrant - without it they can't. So adding the black box gives them that access.

Doesn't matter whether they are good boys and don't abuse the box, it's still making some or all of the contents of the communication available, while being transmitted, to a person other than the sender or intended recipient of the communication - comms for which they do not have a warrant ]

-- Peter Fairbrother
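The forward secrecy exchange between James Firth and Peter Fairbrother earlier in this thread (FS helps only if the ephemeral secrets are created randomly, never handed out and destroyed after use, and even then the endpoint still holds the plaintext and its logs) can be made concrete. The following is an added illustration, not code from any list member or from Google: a toy Diffie-Hellman handshake in Python that compares a server reusing one long-term DH exponent for every session (no forward secrecy) against a server drawing a fresh exponent per session and erasing it. A passive recorder who later obtains the server's long-term secret recovers the static session but not the ephemeral one, while the server-side log holds the plaintext in both cases. The prime 2^127-1, the SHA-256 counter keystream, the HMAC standing in for a certificate signature and the 203.0.113.7 client address are all constructed demo values, far too weak for real use.

```python
"""Toy model of forward secrecy in a TLS-style key exchange (constructed example).

Compares a server that reuses a long-term Diffie-Hellman secret for every
session (static DH, no forward secrecy) with one that draws a fresh ephemeral
secret per session and erases it. A passive recorder of the transcript who
later obtains the long-term secret can decrypt the former but not the latter.
The endpoint itself still logs the plaintext either way.
"""
import hashlib
import hmac
import secrets

# Toy group: 2**127 - 1 is prime but far too small for real use (constructed demo parameters).
P = 2**127 - 1
G = 3
FIELD_BYTES = 16  # every group element fits in 16 bytes

SERVER_LOG = []   # what the endpoint keeps regardless of the protection on the wire


def dh_keygen():
    """Fresh DH key pair: private exponent in [1, P-2], public value G^x mod P."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def derive_key(shared, transcript):
    """Session key = H(shared secret || handshake transcript). Stand-in for a real KDF."""
    return hashlib.sha256(b"toy-kdf" + shared.to_bytes(FIELD_BYTES, "big") + transcript).digest()


def keystream_xor(key, data):
    """Toy stream cipher: XOR with a SHA-256 counter keystream (no integrity; demo only)."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def run_session(server_long_term, ephemeral, client_ip, message):
    """One client->server session; returns what a wire recorder captures and what the server received.

    server_long_term: the server's long-term secret exponent.
    ephemeral=True:  server uses a fresh DH secret and erases it afterwards (forward secrecy).
    ephemeral=False: server reuses its long-term exponent as its DH secret (static DH).
    """
    c_priv, c_pub = dh_keygen()
    if ephemeral:
        s_priv, s_pub = dh_keygen()
    else:
        s_priv, s_pub = server_long_term, pow(G, server_long_term, P)

    transcript = c_pub.to_bytes(FIELD_BYTES, "big") + s_pub.to_bytes(FIELD_BYTES, "big")
    # The server proves its identity with a MAC under its long-term secret; this stands in
    # for the certificate signature and by itself reveals nothing about the session key.
    auth_tag = hmac.new(server_long_term.to_bytes(FIELD_BYTES, "big"), transcript, hashlib.sha256).digest()

    client_key = derive_key(pow(s_pub, c_priv, P), transcript)
    ciphertext = keystream_xor(client_key, message)

    server_key = derive_key(pow(c_pub, s_priv, P), transcript)
    received = keystream_xor(server_key, ciphertext)
    # The endpoint still holds the plaintext and typically logs it with the sender's address.
    SERVER_LOG.append((client_ip, received))

    # Ephemeral secrets are discarded once the handshake is done.
    del c_priv, s_priv
    captured = {"transcript": transcript, "auth_tag": auth_tag, "ciphertext": ciphertext}
    return captured, received


def later_compromise_decrypt(captured, server_long_term):
    """Attacker model: a recorded transcript plus the server's long-term secret obtained afterwards.

    Without the (erased) ephemeral exponent the only shared value derivable is the static one.
    """
    c_pub = int.from_bytes(captured["transcript"][:FIELD_BYTES], "big")
    guessed_key = derive_key(pow(c_pub, server_long_term, P), captured["transcript"])
    return keystream_xor(guessed_key, captured["ciphertext"])


def forward_secrecy_demo(message=b"search: is my voicemail 'in transmission'?"):
    """Run one static and one ephemeral session, then replay the later-compromise attack on both."""
    SERVER_LOG.clear()
    long_term = secrets.randbelow(P - 2) + 1
    static_capture, static_rx = run_session(long_term, False, "203.0.113.7", message)
    fs_capture, fs_rx = run_session(long_term, True, "203.0.113.7", message)
    return {
        "sessions_completed": static_rx == message and fs_rx == message,
        "static_dh_recovered_later": later_compromise_decrypt(static_capture, long_term) == message,
        "ephemeral_dh_recovered_later": later_compromise_decrypt(fs_capture, long_term) == message,
        "endpoint_log_holds_plaintext": all(entry[1] == message for entry in SERVER_LOG),
    }


if __name__ == "__main__":
    for name, outcome in forward_secrecy_demo().items():
        print(f"{name}: {outcome}")
```

The two things to take from running it: the long-term secret plus a recording is enough to read the static-DH session after the fact, but not the ephemeral one, which is exactly what FS buys; and SERVER_LOG still contains the query and the client address in both cases, which is Peter's point that whatever the endpoint keeps can be demanded regardless of how the connection was protected.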