From igb at batten.eu.org Wed Nov 4 14:08:20 2015
From: igb at batten.eu.org (Ian Batten)
Date: Wed, 4 Nov 2015 14:08:20 +0000
Subject: ICR "Unique Identifiers"
Message-ID:

https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/473745/Factsheet-Internet_Connection_Records.pdf

> However, without the retention of ICRs, resolving an IP address back to a single user will often not be possible as multiple users may be associated with that IP address. ICRs therefore provide the unique identifier to distinguish between different users of a shared IP address.
>
>

What? What? What is this on about? I'm guessing it means you need to store whatever the token was that was used to issue an IP number (IMEI, modem MAC, etc), but it's surely not going to be able to do anything about downstream NAT?

ian

From lists at internetpolicyagency.com Wed Nov 4 16:19:13 2015
From: lists at internetpolicyagency.com (Roland Perry)
Date: Wed, 4 Nov 2015 16:19:13 +0000
Subject: ICR "Unique Identifiers"
In-Reply-To:
References:
Message-ID:

In article , Ian Batten writes
>What? What? What is this on about? I'm guessing it means you
>need to store whatever the token was that was used to issue an IP
>number (IMEI, modem MAC, etc), but it's surely not going to be able
>to do anything about downstream NAT

It's not a secret that they are trying to "do something" about Carrier-Grade NAT, which has always been a characteristic of most GSM data access, but is now infiltrating fixed broadband, largely because of the exhaustion of IPv4 addressing.

It's the 2015 equivalent of wanting to know which subscriber had which dynamic IP address (at a specific time/date) issued from a dial-up modem in the 90's.
--
Roland Perry

From zenadsl6186 at zen.co.uk Wed Nov 4 17:38:20 2015
From: zenadsl6186 at zen.co.uk (Peter Fairbrother)
Date: Wed, 04 Nov 2015 17:38:20 +0000
Subject: Draft Investigatory Powers Bill
Message-ID: <563A428C.7010102@zen.co.uk>

https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/473770/Draft_Investigatory_Powers_Bill.pdf

I have had a quick look, nothing direct about banning encryption.

The requirements for "relevant operators" maintaining a "technical capability" have changed though, worryingly so. A "relevant operator" is "any person who provides, or is proposing to provide [...] telecommunications services.

189 (c) "The obligations that may be imposed by regulations under this section include, among other things obligations relating to the removal of electronic protection applied by a relevant operator to any communications or data"

hmmm, "applied by a relevant operator" ? Does Apple apply the encryption, or does the user?

"among other things"??

Otherwise it seems largely to repeat the (already-found illegal) status quo of DRIPA, RIPA 2000, Police Act, ACTSA 2001, JSA 2013, Intelligence Services Act 1994 etc, but with two main additions:

Part 6 chapter 2 Bulk acquisition warrants. These are warrants to demand comms data for UK subject in bulk [1].

Combined with the extended power in Part 4 to require ISPs to retain comms data, which it has been announced will be applied to weblog data, they allow warrants to be issued for GCHQ to demand, collect and examine [2] all weblog-level data in the UK and elsewhere.

Which, if it isn't being done now, would be a large _increase_ in the invasions of privacy UK investigatory powers law imposes on the innocent, while both UK and EU Courts have said they are already too invasive...

There are some other newish bits about equipment interference (hacking) and bulk personal datasets (?telephone directories?
- doesn't seem to have much to do with comms though), but on a quick look I found no real surprises there.

Other major niggles and worries (so far - the Bill is 192 pages long!):

No longer only one set of premises or person per domestic interception warrant [RIPA 8,1], - under 13.2 a domestic warrant can be applied to a "group of persons who share a common purpose or who carry on, or may carry on, a particular activity" - muslims, as in people who go to mosques?

Draft bill redefines content - but not unambiguously. Definition is also flawed regarding last slash in weblogs, 193(6) "anything in the context of web browsing which identifies the telecommunications service concerned is not content" - there should be an "only" or "solely" between "which" and "identifies".

s.188 national security notices

they haven't yet regularised ntl warrants while they have the chance

-- Peter Fairbrother

[1] RIPA pt1 Ch2 authorisations and notices could in theory be used for bulk acquisition of traffic data, but in practice I don't think they are - any old policeman, council parking inspector, uncle Tom Cobbley and all can issue them.

There are also powers in Intelligence Services Act 1994 and ACTSA 2001 and [...] regarding bulk collection of comms data and comms data retention, but again I do not think they have as yet been used for eg weblog-scale data retention.

In other words, I don't think mass collection of UK weblog-scale data by GCHQ is actually happening right now. I might be wrong.
[2] draft bill, s.187(a)

From s at msmith.net Wed Nov 4 15:38:59 2015
From: s at msmith.net (Sam Smith)
Date: Wed, 04 Nov 2015 15:38:59 +0000
Subject: ICR "Unique Identifiers"
In-Reply-To:
References:
Message-ID:

> On 4 Nov 02015, at 14:08, Ian Batten wrote:
>
> https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/473745/Factsheet-Internet_Connection_Records.pdf
>
>> However, without the retention of ICRs, resolving an IP address back to a single user will often not be possible as multiple users may be associated with that IP address. ICRs therefore provide the unique identifier to distinguish between different users of a shared IP address.
>>
>>
> What? What? What is this on about? I'm guessing it means you need to store whatever the token was that was used to issue an IP number (IMEI, modem MAC, etc), but it's surely not going to be able to do anything about downstream NAT?

downstream NAT is less of a problem for inbound connections to that IP.

This is IP level retention, not HTTP level.

Sam

From lists at barnfather.net Wed Nov 4 17:55:28 2015
From: lists at barnfather.net (Paul Barnfather)
Date: Wed, 4 Nov 2015 17:55:28 +0000
Subject: Draft Investigatory Powers Bill
In-Reply-To: <563A428C.7010102@zen.co.uk>
References: <563A428C.7010102@zen.co.uk>
Message-ID:

> On 4 Nov 2015, at 17:38, Peter Fairbrother wrote:
>
> https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/473770/Draft_Investigatory_Powers_Bill.pdf
>
> I have had a quick look, nothing direct about banning encryption.

Is (end-to-end) encryption nevertheless banned implicitly by this Bill, via the requirement for the "relevant operator" to provide the required "technical capability"?

Presumably Skype/Apple/Facebook/etc will need to add this logging and storage capability if they wish to provide services to the UK. If that is technically impossible (e.g.
for true P2P communications or end-to-end encryption with no middleman), then doesn't the service effectively become illegal?

The various commentators are talking about "Internet service providers", but it seems they are not just talking about ISPs like Talk Talk and BT. As far as I can tell, they mean "anyone that provides a communications service on the Internet". So, presumably my bank's secure messaging service is covered by this Bill as well?

I'm really struggling to understand the implications of this, so please correct me if I'm wrong...

From zenadsl6186 at zen.co.uk Wed Nov 4 20:06:20 2015
From: zenadsl6186 at zen.co.uk (Peter Fairbrother)
Date: Wed, 04 Nov 2015 20:06:20 +0000
Subject: Draft Investigatory Powers Bill
In-Reply-To:
References: <563A428C.7010102@zen.co.uk>
Message-ID: <563A653C.8090701@zen.co.uk>

On 04/11/15 17:55, Paul Barnfather wrote:
>
>> On 4 Nov 2015, at 17:38, Peter Fairbrother
>> wrote:
>>
>> https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/473770/Draft_Investigatory_Powers_Bill.pdf
>>
>>
>> I have had a quick look, nothing direct about banning encryption.
>
>
> Is (end-to-end) encryption nevertheless banned implicitly by this
> Bill, via the requirement for the "relevant operator" to provide the
> required "technical capability"?
>
> Presumably Skype/Apple/Facebook/etc will need to add this logging and
> storage capability if they wish to provide services to the UK. If
> that is technically impossible (e.g. for true P2P communications or
> end-to-end encryption with no middleman), then doesn't the service
> effectively become illegal?
>
> The various commentators are talking about "Internet service
> providers", but it seems they are not just talking about ISPs like
> Talk Talk and BT. As far as I can tell, they mean "anyone that
> provides a communications service on the Internet".

yep. Ss.198(2) - "any person who provides, or is proposing to provide [...] telecommunications services".
Including persons outside the UK, ss.198(8).

193(11) "Telecommunications service" means any service that consists in the provision of access to, and of facilities for making use of, any telecommunication system (whether or not one provided by the person providing the service).

193(13) "Telecommunication system" means a system (including the apparatus comprised in it) that exists (whether wholly or partly in the United Kingdom or elsewhere) for the purpose of facilitating the transmission of communications by any means involving the use of electrical or electro-magnetic energy.

So, presumably my
> bank's secure messaging service is covered by this Bill as well?
>
> I'm really struggling to understand the implications of this, so
> please correct me if I'm wrong...
>

AFAICT, you ain't wrong.

However, note that this is only an enabling bill - there would have to be a separate regulation, which would have to go through Parliament separately, to actually enforce anything.

The same is _not_ true of a requirement to retain comms data (of any type) under the Bill - the SoS just decides to issue a retention notice, and what types of data it refers to.

-- Peter Fairbrother

From lists at internetpolicyagency.com Wed Nov 4 20:09:25 2015
From: lists at internetpolicyagency.com (Roland Perry)
Date: Wed, 4 Nov 2015 20:09:25 +0000
Subject: Draft Investigatory Powers Bill
In-Reply-To: <563A428C.7010102@zen.co.uk>
References: <563A428C.7010102@zen.co.uk>
Message-ID: <06fSUvI1XmOWFAn7@perry.co.uk>

In article <563A428C.7010102 at zen.co.uk>, Peter Fairbrother writes
>Otherwise it seems largely to repeat the (already-found illegal) status
>quo of DRIPA, RIPA 2000, Police Act, ACTSA 2001, JSA 2013, Intelligence
>Services Act 1994 etc

JOOI, what has been already-found illegal about RIPA's rules for disclosure of comms data?
--
Roland Perry

From lists at internetpolicyagency.com Wed Nov 4 20:13:52 2015
From: lists at internetpolicyagency.com (Roland Perry)
Date: Wed, 4 Nov 2015 20:13:52 +0000
Subject: Draft Investigatory Powers Bill
In-Reply-To:
References: <563A428C.7010102@zen.co.uk>
Message-ID:

In article , Paul Barnfather writes
>
>The various commentators are talking about "Internet service providers", but it seems they are not just talking about ISPs like Talk Talk and
>BT. As far as I can tell, they mean "anyone that provides a communications service on the Internet". So, presumably my bank's secure messaging
>service is covered by this Bill as well?

I'd expect the new rules to say that a connectivity ISP such as TalkTalk should log the fact you had a session with your bank. But nothing more than that.

Is who you bank with a secret? And might knowing who a criminal banked with be a useful step in apprehending him (after you've used a more traditional warrant to get sight of his bank statements), if he's just ripped off a few thousand innocent consumers by a few tens of pounds each.

--
Roland Perry

From zenadsl6186 at zen.co.uk Wed Nov 4 20:21:29 2015
From: zenadsl6186 at zen.co.uk (Peter Fairbrother)
Date: Wed, 04 Nov 2015 20:21:29 +0000
Subject: s.94 Telecommunications Act 1984
Message-ID: <563A68C9.8030809@zen.co.uk>

Theresa May announced today that secret orders have been issued to ISPs to intercept bulk communications data of people in the UK.

Now that the cat is out of the bag, would anyone with experience of this like to comment on the extent of this previous practice - eg, how does it compare in extent with the plans to require retention of, and require production of, all "internet connection records" (whatever they might be).
-- Peter Fairbrother

From zenadsl6186 at zen.co.uk Wed Nov 4 20:38:24 2015
From: zenadsl6186 at zen.co.uk (Peter Fairbrother)
Date: Wed, 04 Nov 2015 20:38:24 +0000
Subject: Draft Investigatory Powers Bill
In-Reply-To: <06fSUvI1XmOWFAn7@perry.co.uk>
References: <563A428C.7010102@zen.co.uk> <06fSUvI1XmOWFAn7@perry.co.uk>
Message-ID: <563A6CC0.2070904@zen.co.uk>

On 04/11/15 20:09, Roland Perry wrote:
> In article <563A428C.7010102 at zen.co.uk>, Peter Fairbrother
> writes
>> Otherwise it seems largely to repeat the (already-found illegal)
>> status quo of DRIPA, RIPA 2000, Police Act, ACTSA 2001, JSA 2013,
>> Intelligence Services Act 1994 etc
>
> JOOI, what has been already-found illegal about RIPAs rules for
> disclosure of comms data?

I was referring to the EU (digital rights ireland) and UK ([2015] EWHC 2092) supreme courts decisions that the then/present comms data _retention_ regime was/is/are illegal.

AFAIR. there might have been something in those judgements about comms data disclosure as well .. but in any case, you can't disclose what you ain't got.

now iffn GCHQ are collecting bulk comms data in real time - I'd be pretty damn sure that that was illegal as well.

-- Peter Fairbrother

From marcus at connectotel.com Wed Nov 4 16:55:36 2015
From: marcus at connectotel.com (Marcus Williamson)
Date: Wed, 04 Nov 2015 16:55:36 +0000
Subject: ICR "Unique Identifiers"
In-Reply-To:
References:
Message-ID:

This statement in the document is false, as far as I can see from a technical perspective:

"ICRs therefore provide the unique identifier to distinguish between different users of a shared IP address"

On Wed, 4 Nov 2015 14:08:20 +0000, you wrote:

>https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/473745/Factsheet-Internet_Connection_Records.pdf
>
>> However, without the retention of ICRs, resolving an IP address back to a single user will often not be possible as multiple users may be associated with that IP address.
ICRs therefore provide the unique identifier to distinguish between different users of a shared IP address.
>>
>>
>What? What? What is this on about? I'm guessing it means you need to store whatever the token was that was used to issue an IP number (IMEI, modem MAC, etc), but it's surely not going to be able to do anything about downstream NAT?
>
>ian

From Andrew.Cormack at jisc.ac.uk Wed Nov 4 18:15:51 2015
From: Andrew.Cormack at jisc.ac.uk (Andrew Cormack)
Date: Wed, 4 Nov 2015 18:15:51 +0000
Subject: ICR "Unique Identifiers"
In-Reply-To:
References:
Message-ID:

Drafting of that definition is awful. From the context of the draft Bill I'd presumed ICRs were full URLs! If NAT/DHCP logs, then why the additional limits on access/use in c47(4)?

BTW, has anyone compared+contrasted clause 51(1)(b) with clause 1(1) of the Comms Data Bill? From a quick look I can't see anything in today's Bill that limits what a "filtering arrangement" might be, so long as it "facilitates the obtaining of communications data". If there really are no statutory limits, that purpose could stretch a *lot* wider than the "API to ISP logging systems" that I've seen mentioned on Twitter. Might a duty to use weak/backdoor crypto, even, be covered by "facilitating the obtaining of communications data"?

Andrew

> -----Original Message-----
> From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto-
> bounces at chiark.greenend.org.uk] On Behalf Of Roland Perry
> Sent: 04 November 2015 16:19
> To: ukcrypto at chiark.greenend.org.uk
> Subject: Re: ICR "Unique Identifiers"
>
> In article , Ian
> Batten writes
> >What? What? What is this on about?
I'm guessing it means you
> >need to store whatever the token was that was used to issue an IP
> >number (IMEI, modem MAC, etc), but it's surely not going to be able
> >to do anything about downstream NAT
>
> It's not a secret that they are trying to "do something" about
> Carrier-Grade NAT, which has always been a characteristic of most GSM
> data access, but is now infiltrating fixed broadband, largely because of
> the exhaustion of IPv4 addressing.
>
> It's the 2015 equivalent of wanting to know which subscriber had which
> dynamic IP address (at a specific time/date) issued from a dial-up modem
> in the 90's.
> --
> Roland Perry

From zenadsl6186 at zen.co.uk Thu Nov 5 01:54:38 2015
From: zenadsl6186 at zen.co.uk (Peter Fairbrother)
Date: Thu, 05 Nov 2015 01:54:38 +0000
Subject: ICR "Unique Identifiers"
In-Reply-To:
References:
Message-ID: <563AB6DE.5020408@zen.co.uk>

On 04/11/15 16:55, Marcus Williamson wrote:
>
> This statement in the document is false, as far as I can see from a technical
> perspective:
>
> "ICRs therefore provide the unique identifier to distinguish between different
> users of a shared IP address"

I think it's got to be true, because they probably define an ICR as something which does that :(

What it technically consists of, or whether it is technically reasonable or even possible, I don't think they are actually bovvered at all about. It's SEP (the ISPs').

Afaict these statements are not true:

"The draft Bill will require that ICRs are retained by communications service providers"

The Draft Bill does nothing of the kind - though it does grant the SoS pretty well unlimited powers to require comms data retention, it does not in itself actually require any data retention, nor does it mention ICRs anywhere.

BTW, these are direct powers; requirements for comms data retention do not have to be formulated as regulations, the SoS just orders them. Nor do they require judicial authorisation - the SoS just orders them and voila, there they are.
Parliament has no say in what data is to be retained.

"It could never contain a full web address as under the law these would be defined as content."

nitpicking, www.google.com/ _is_ a full web address.

Nor would a full web address like www.google.com/gay+porn be defined as content - 193(6)(a) "anything in the context of web browsing which identifies the telecommunications service concerned is not content,". A full web address does that.

-- Peter Fairbrother

>
> On Wed, 4 Nov 2015 14:08:20 +0000, you wrote:
>
>> https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/473745/Factsheet-Internet_Connection_Records.pdf
>>
>>> However, without the retention of ICRs, resolving an IP address back to a single user will often not be possible as multiple users may be associated with that IP address. ICRs therefore provide the unique identifier to distinguish between different users of a shared IP address.
>>>
>>>
>> What? What? What is this on about? I'm guessing it means you need to store whatever the token was that was used to issue an IP number (IMEI, modem MAC, etc), but it's surely not going to be able to do anything about downstream NAT?
>>
>> ian
>
>
>

From igb at batten.eu.org Thu Nov 5 07:31:50 2015
From: igb at batten.eu.org (Ian Batten)
Date: Thu, 5 Nov 2015 07:31:50 +0000
Subject: ICR "Unique Identifiers"
In-Reply-To:
References:
Message-ID:

> On 4 Nov 2015, at 18:15, Andrew Cormack wrote:
>
> Drafting of that definition is awful. From the context of the draft Bill I'd presumed ICRs were full URLs! If NAT/DHCP logs, then why the additional limits on access/use in c47(4)?
>
> BTW, has anyone compared+contrasted clause 51(1)(b) with clause 1(1) of the Comms Data Bill? From a quick look I can't see anything in today's Bill that limits what a "filtering arrangement" might be, so long as it "facilitates the obtaining of communications data".
If there really are no statutory limits, that purpose could stretch a *lot* wider than the "API to ISP logging systems" that I've seen mentioned on Twitter. Might a duty to use weak/backdoor crypto, even, be covered by "facilitating the obtaining of communications data"?

My hands are full getting my thesis corrections in, but once I've done that I'll fish out an analysis I did of the filtering arrangements in the draft Snooper's Charter, which were much more opaque but presumably covered roughly the same territory.

ian

>
> Andrew
>
>> -----Original Message-----
>> From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto-
>> bounces at chiark.greenend.org.uk] On Behalf Of Roland Perry
>> Sent: 04 November 2015 16:19
>> To: ukcrypto at chiark.greenend.org.uk
>> Subject: Re: ICR "Unique Identifiers"
>>
>> In article , Ian
>> Batten writes
>>> What? What? What is this on about? I'm guessing it means you
>>> need to store whatever the token was that was used to issue an IP
>>> number (IMEI, modem MAC, etc), but it's surely not going to be able
>>> to do anything about downstream NAT
>>
>> It's not a secret that they are trying to "do something" about
>> Carrier-Grade NAT, which has always been a characteristic of most GSM
>> data access, but is now infiltrating fixed broadband, largely because of
>> the exhaustion of IPv4 addressing.
>>
>> It's the 2015 equivalent of wanting to know which subscriber had which
>> dynamic IP address (at a specific time/date) issued from a dial-up modem
>> in the 90's.
>> --
>> Roland Perry
>

From Andrew.Cormack at jisc.ac.uk Thu Nov 5 09:19:47 2015
From: Andrew.Cormack at jisc.ac.uk (Andrew Cormack)
Date: Thu, 5 Nov 2015 09:19:47 +0000
Subject: ICR "Unique Identifiers"
In-Reply-To:
References:
Message-ID:

> -----Original Message-----
> From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto-
> bounces at chiark.greenend.org.uk] On Behalf Of Ian Batten
> Sent: 05 November 2015 07:32
> To: UK Cryptography Policy Discussion Group
>
> Subject: Re: ICR "Unique Identifiers"
>
>
> > On 4 Nov 2015, at 18:15, Andrew Cormack
> wrote:
> >
> > Drafting of that definition is awful. From the context of the draft Bill I'd
> presumed ICRs were full URLs! If NAT/DHCP logs, then why the additional
> limits on access/use in c47(4)?
> >
> > BTW, has anyone compared+contrasted clause 51(1)(b) with clause 1(1) of
> the Comms Data Bill? From a quick look I can't see anything in today's Bill that
> limits what a "filtering arrangement" might be, so long as it "facilitates the
> obtaining of communications data". If there really are no statutory limits, that
> purpose could stretch a *lot* wider than the "API to ISP logging systems"
> that I've seen mentioned on Twitter. Might a duty to use weak/backdoor
> crypto, even, be covered by "facilitating the obtaining of communications
> data"?
>
> My hands are full getting my thesis corrections in, but once I've done that I'll
> fish out an analysis I did of the filtering arrangements in the draft Snooper's
> Charter, which were much more opaque but presumably covered roughly
> the same territory.

Yes, that's what I assumed - same words, must be same content. But (unlike CDB), as far as I can see the IPBill doesn't actually define what it means by "filtering arrangements". Hence my concern that the power there is much more like CDB 1(1), which was "anything to facilitate the availability of Comms Data".
And the full potential scope of that power has become more apparent to me every time the Gov't/Home Office has mentioned something new on its wish list :(

Good luck with the thesis. I'm now waiting to hear the result of my LLM :)

Andrew

> ian
>
> >
> > Andrew
> >
> >> -----Original Message-----
> >> From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto-
> >> bounces at chiark.greenend.org.uk] On Behalf Of Roland Perry
> >> Sent: 04 November 2015 16:19
> >> To: ukcrypto at chiark.greenend.org.uk
> >> Subject: Re: ICR "Unique Identifiers"
> >>
> >> In article , Ian
> >> Batten writes
> >>> What? What? What is this on about? I'm guessing it means you
> >>> need to store whatever the token was that was used to issue an IP
> >>> number (IMEI, modem MAC, etc), but it's surely not going to be able
> >>> to do anything about downstream NAT
> >>
> >> It's not a secret that they are trying to "do something" about
> >> Carrier-Grade NAT, which has always been a characteristic of most GSM
> >> data access, but is now infiltrating fixed broadband, largely because of
> >> the exhaustion of IPv4 addressing.
> >>
> >> It's the 2015 equivalent of wanting to know which subscriber had which
> >> dynamic IP address (at a specific time/date) issued from a dial-up modem
> >> in the 90's.
> >> --
> >> Roland Perry
> >
>

From Andrew.Cormack at jisc.ac.uk Thu Nov 5 09:22:34 2015
From: Andrew.Cormack at jisc.ac.uk (Andrew Cormack)
Date: Thu, 5 Nov 2015 09:22:34 +0000
Subject: Draft Investigatory Powers Bill
In-Reply-To: <06fSUvI1XmOWFAn7@perry.co.uk>
References: <563A428C.7010102@zen.co.uk> <06fSUvI1XmOWFAn7@perry.co.uk>
Message-ID:

Can't remember whether it was technically "found illegal", or whether the ECJ vaporised the Data Retention Directive first. But there was a lot of concern that the purposes for which data could be disclosed under RIPA were wider than the ones for which it could be retained under the DRD/DRR.
IPBill "fixes" that by having the same long list of purposes for both retention and disclosure. E.g. both are now permitted for "crime" rather than requiring "serious crime" as the old retention regs did

Andrew

> -----Original Message-----
> From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto-
> bounces at chiark.greenend.org.uk] On Behalf Of Roland Perry
> Sent: 04 November 2015 20:09
> To: ukcrypto at chiark.greenend.org.uk
> Subject: Re: Draft Investigatory Powers Bill
>
> In article <563A428C.7010102 at zen.co.uk>, Peter Fairbrother
> writes
> >Otherwise it seems largely to repeat the (already-found illegal) status
> >quo of DRIPA, RIPA 2000, Police Act, ACTSA 2001, JSA 2013, Intelligence
> >Services Act 1994 etc
>
> JOOI, what has been already-found illegal about RIPA's rules for
> disclosure of comms data?
> --
> Roland Perry

From lists at internetpolicyagency.com Thu Nov 5 12:51:40 2015
From: lists at internetpolicyagency.com (Roland Perry)
Date: Thu, 5 Nov 2015 12:51:40 +0000
Subject: Draft Investigatory Powers Bill
In-Reply-To: <563A6CC0.2070904@zen.co.uk>
References: <563A428C.7010102@zen.co.uk> <06fSUvI1XmOWFAn7@perry.co.uk> <563A6CC0.2070904@zen.co.uk>
Message-ID:

In article <563A6CC0.2070904 at zen.co.uk>, Peter Fairbrother writes
>> JOOI, what has been already-found illegal about RIPA's rules for
>> disclosure of comms data?
>
>I was referring to the EU (digital rights ireland) and UK ([2015] EWHC
>2092) supreme courts decisions that the then/present comms data
>_retention_ regime was/is/are illegal.

Ah-ha! There's nothing about that sort of data retention in RIPA.

If commentators can't distinguish between data retention and data disclosure, then the debate is never going to get usefully off the first base.
--
Roland Perry

From lists at internetpolicyagency.com Thu Nov 5 12:56:20 2015
From: lists at internetpolicyagency.com (Roland Perry)
Date: Thu, 5 Nov 2015 12:56:20 +0000
Subject: Draft Investigatory Powers Bill
In-Reply-To:
References: <563A428C.7010102@zen.co.uk> <06fSUvI1XmOWFAn7@perry.co.uk>
Message-ID:

In article , Andrew Cormack writes
>Can't remember whether it was technically "found illegal", or whether
>the ECJ vaporised the Data Retention Directive first. But there was a
>lot of concern that the purposes for which data could be disclosed
>under RIPA were wider than the ones for which it could be retained
>under the DRD/DRR.

The whole point of RIPA was that disclosure was required *if you happened to have* the data. If you didn't have it, all the authorities could do is ask you to start gathering it for specific individuals.

The various Data Retention schemes (of which this is merely the most recent) had their own lists of things which communications providers should retain speculatively for all subscribers.

And yes, I agree that until now those measures have had much shorter lists of "things to retain" than RIPA has of "things to disclose if you happen to have them".

--
Roland Perry

From lists at internetpolicyagency.com Thu Nov 5 12:57:25 2015
From: lists at internetpolicyagency.com (Roland Perry)
Date: Thu, 5 Nov 2015 12:57:25 +0000
Subject: s.94 Telecommunications Act 1984
In-Reply-To: <563A68C9.8030809@zen.co.uk>
References: <563A68C9.8030809@zen.co.uk>
Message-ID:

In article <563A68C9.8030809 at zen.co.uk>, Peter Fairbrother writes
>Theresa May announced today that secret orders have been issued to ISPs
>to intercept bulk communications data of people in the UK.

Can you elucidate? Is this all customers of all ISPs, or some more precisely defined subset.
--
Roland Perry

From lists at internetpolicyagency.com Thu Nov 5 12:58:41 2015
From: lists at internetpolicyagency.com (Roland Perry)
Date: Thu, 5 Nov 2015 12:58:41 +0000
Subject: ICR "Unique Identifiers"
In-Reply-To:
References:
Message-ID:

In article , Ian Batten writes
>My hands are full getting my thesis corrections in, but once I've done
>that I'll fish out an analysis I did of the filtering arrangements in the
>draft Snooper's Charter

This one's a draft, too.

--
Roland Perry

From lists at internetpolicyagency.com Thu Nov 5 13:03:56 2015
From: lists at internetpolicyagency.com (Roland Perry)
Date: Thu, 5 Nov 2015 13:03:56 +0000
Subject: ICR "Unique Identifiers"
In-Reply-To:
References:
Message-ID: <33tC3Hx8O1OWFA2w@perry.co.uk>

In article , Marcus Williamson writes
>This statement in the document is false, as far as I can see from a technical
>perspective:
>
>"ICRs therefore provide the unique identifier to distinguish between different
>users of a shared IP address"

I'm sure that this is about identifying the users behind carrier-grade-NAT. Which is widespread on 3G and being rolled out by BT to its broadband customers on the cheapest tariffs (as an IPv4 exhaustion measure rather than anything more sinister).

--
Roland Perry

From zenadsl6186 at zen.co.uk Thu Nov 5 13:58:21 2015
From: zenadsl6186 at zen.co.uk (Peter Fairbrother)
Date: Thu, 05 Nov 2015 13:58:21 +0000
Subject: s.94 Telecommunications Act 1984
In-Reply-To:
References: <563A68C9.8030809@zen.co.uk>
Message-ID: <563B607D.50509@zen.co.uk>

On 05/11/15 12:57, Roland Perry wrote:
> In article <563A68C9.8030809 at zen.co.uk>, Peter Fairbrother
> writes
>> Theresa May announced today that secret orders have been issued to ISPs
>> to intercept bulk communications data of people in the UK.
>
> Can you elucidate? Is this all customers of all ISPs, or some more
> precisely defined subset.

Ah, apparently it's only telephone service providers. And only some of them.
Such a big deal was made of it (justification for weblog retention, it's what's already happening) that I had thought it would at least apply to ISPs.

-- Peter Fairbrother

From zenadsl6186 at zen.co.uk Thu Nov 5 14:01:42 2015
From: zenadsl6186 at zen.co.uk (Peter Fairbrother)
Date: Thu, 05 Nov 2015 14:01:42 +0000
Subject: Draft Investigatory Powers Bill
In-Reply-To:
References: <563A428C.7010102@zen.co.uk> <06fSUvI1XmOWFAn7@perry.co.uk> <563A6CC0.2070904@zen.co.uk>
Message-ID: <563B6146.1020306@zen.co.uk>

On 05/11/15 12:51, Roland Perry wrote:
> In article <563A6CC0.2070904 at zen.co.uk>, Peter Fairbrother
> writes

You missed out a relevant part of the thread

Otherwise it seems largely to repeat the (already-found illegal) status quo of DRIPA, RIPA 2000, Police Act, ACTSA 2001, JSA 2013, Intelligence Services Act 1994 etc

>
>>> JOOI, what has been already-found illegal about RIPAs rules for
>>> disclosure of comms data?
>>
>> I was referring to the EU (digital rights ireland) and UK ([2015] EWHC
>> 2092) supreme courts decisions that the then/present comms data
>> _retention_ regime was/is/are illegal.
>
> Ah-ha! There's nothing about that sort of data retention in RIPA.
>
> If commentators can't distinguish between data retention and data
> disclosure, then the debate is never going to get usefully off the
> first base.

Seems to me you were the commentator who had a problem here. I mentioned "status quo", you turned that into "rules for disclosure of comms data".
-- Peter Fairbrother

From lists at internetpolicyagency.com Thu Nov 5 19:19:57 2015
From: lists at internetpolicyagency.com (Roland Perry)
Date: Thu, 5 Nov 2015 19:19:57 +0000
Subject: Draft Investigatory Powers Bill
In-Reply-To: <563B6146.1020306@zen.co.uk>
References: <563A428C.7010102@zen.co.uk> <06fSUvI1XmOWFAn7@perry.co.uk> <563A6CC0.2070904@zen.co.uk> <563B6146.1020306@zen.co.uk>
Message-ID:

In article <563B6146.1020306 at zen.co.uk>, Peter Fairbrother writes
>it seems largely to repeat the (already-found illegal)
>status quo of DRIPA, RIPA 2000, Police Act, ACTSA 2001, JSA 2013,
>Intelligence Services Act 1994 etc

You have still failed to explain what's been found illegal in RIPA. If you can explain that, I'll look at how the same illegality might apply to the other measures you mention.
-- 
Roland Perry

From igb at batten.eu.org Wed Nov 11 17:13:52 2015
From: igb at batten.eu.org (Ian Batten)
Date: Wed, 11 Nov 2015 17:13:52 +0000
Subject: ICR "Unique Identifiers"
In-Reply-To: <33tC3Hx8O1OWFA2w@perry.co.uk>
References: <33tC3Hx8O1OWFA2w@perry.co.uk>
Message-ID:

> On 5 Nov 2015, at 13:03, Roland Perry wrote:
>
> In article , Marcus Williamson writes
>
>> This statement in the document is false, as far as I can see from a technical
>> perspective:
>>
>> "ICRs therefore provide the unique identifier to distinguish between different
>> users of a shared IP address"
>
> I'm sure that this is about identifying the users behind carrier-grade-NAT.

I agree.

As one of my students asked after a lecture on, co-incidentally, the problems caused for law enforcement by CG NAT, "wouldn't it be better for the government to spend the money encouraging IPv6?"
ian

From lists at internetpolicyagency.com Wed Nov 11 19:14:23 2015
From: lists at internetpolicyagency.com (Roland Perry)
Date: Wed, 11 Nov 2015 19:14:23 +0000
Subject: ICR "Unique Identifiers"
In-Reply-To:
References: <33tC3Hx8O1OWFA2w@perry.co.uk>
Message-ID: <5HPBb$BPO5QWFAFT@perry.co.uk>

In article , Ian Batten writes
>>> This statement in the document is false, as far as I can see from a technical
>>> perspective:
>>>
>>> "ICRs therefore provide the unique identifier to distinguish between different
>>> users of a shared IP address"
>>
>> I'm sure that this is about identifying the users behind carrier-grade-NAT.
>
>I agree.
>
>As one of my students asked after a lecture on, co-incidentally, the problems
>caused for law enforcement by CG NAT, "wouldn't it be better for the
>government to spend the money encouraging IPv6?"

You have to persuade a whole range of international mobile phone handset and infrastructure designers/manufacturers. People were talking seriously about the need for IPv6 for mobiles and broadband back in at least 2007:

http://archive.icann.org/en/meetings/losangeles2007/node/36.html

...especially the final presentation, but not much has happened.
-- 
Roland Perry

From james at talkunafraid.co.uk Wed Nov 11 17:20:06 2015
From: james at talkunafraid.co.uk (James Harrison)
Date: Wed, 11 Nov 2015 17:20:06 +0000
Subject: ICR "Unique Identifiers"
In-Reply-To:
References: <33tC3Hx8O1OWFA2w@perry.co.uk>
Message-ID: <564378C6.5050405@talkunafraid.co.uk>

On 11/11/2015 17:13, Ian Batten wrote:
> As one of my students asked after a lecture on, co-incidentally,
> the problems caused for law enforcement by CG NAT, "wouldn't it be
> better for the government to spend the money encouraging IPv6?"

This was suggested by one of the members of the Science and Technology committee discussing the technical issues of the bill on Tuesday. There was broad agreement, though the technical bods being questioned were quick to point out that it was not a silver bullet.

-- 
Cheers,
James Harrison