Draft IP-Bill enters wrap-up phase

Roland Perry lists at internetpolicyagency.com
Thu Jan 14 10:41:02 GMT 2016


Yesterday was the last oral evidence session (as far as I know) and the
Committee now has just four weeks to write up its report.

According to Theresa May in her evidence yesterday, the so-called "end to
end encryption" issue is in effect asking third parties [itself a term
of art in these discussions] to produce plain text in the same way that
RIPA currently asks telecoms providers to *when they apply the
encryption themselves*.

No government sponsored back doors/secret keys.

But they *would* expect someone like Apple to deliver the plain text of
a specific iMessage, if asked. Within an overall umbrella of 'reasonably
practical'. In the specific case of Apple, that might be wishful
thinking based on a mistaken impression that an iMessage has four ends:
sender/Apple/Apple/recipient, or perhaps it's wishful thinking that
Apple would co-operate in a targeted MiTM attack (some modalities of
which are discussed here):

<http://blog.cryptographyengineering.com/2015/09/lets-talk-about-imessage-again.html>

The other new information which might be of particular interest to folk
here is the position with so-called "Coffee shop networks" and of course
academic networks. There was a bit of a fudge here, because no-one
mentioned that large numbers of coffee shop networks are actually run by
public operators like "The Cloud", which is a Sky subsidiary, and of
course Sky is one of the big providers that the Home Office is
presumably already talking to. (Ditto O2, BT, Virgin etc).

On the assumption they actually meant genuinely privately run coffee
shop networks, the answer was in effect that if a large enough bunch of
criminals started using any particular network, or set up shop in a
particular academic institution, then the Bill has to ensure that their
activities could be monitored if required. In other words, no safe
haven; not that all these places would be hooked up from day one.

Moving on, and following SFS2016, there was a call for new catchphrases,
I see Philip Virgo has suggested "Hoover Powers" for bulk data
gathering, and my own offering is 192.gov for the bulk datasets.

Theresa May would not give examples of bulk datasets for fear of tipping
off criminals (or so she said). But did say that an 'obvious one' would
be the list of people with a firearms licence. Not that all criminals
with firearms are listed there, of course!

The police already have that list (as is to be expected) within the
"Names File" below - although missing from Wikipedia's entry - plus a
few others as listed here:

https://en.wikipedia.org/wiki/Police_National_Computer#Databases

Meanwhile, looking at the Home Office's recently published written
evidence to the Joint Scrutiny Committee, I see they have a concept of
"domain name", such that both news.bbc.co.uk and bbc.co.uk/news would be
redacted to bbc.co.uk for the purposes of Internet Connection Records.

But how would this work (e.g.) for the school I worked with until
recently, whose URL is www.wbs.eu.com; because of the arrangements
surrounding eu.com (and a few similar ones) the "domain" could be
interpreted as just eu.com?

-- 
Roland Perry
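
The redaction question raised at the end of the post, as an added example that is not part of the original message or of the Home Office evidence: it reduces a URL to "suffix plus one label" under two suffix sets, and shows www.wbs.eu.com collapsing to eu.com or to wbs.eu.com depending on whether eu.com is treated as a suffix. The suffix sets and function names are constructed for the illustration.

```python
from urllib.parse import urlsplit

# Constructed suffix sets for this example (not a complete suffix list).
# REGISTRY_ONLY knows only suffixes run by the TLD registries themselves.
REGISTRY_ONLY = {"uk", "co.uk", "com"}
# WITH_DELEGATED also treats eu.com as a suffix under which names are sold.
WITH_DELEGATED = REGISTRY_ONLY | {"eu.com"}


def host_of(url_or_host):
    """Return the lower-cased hostname from a URL or a bare host[/path]."""
    if "://" not in url_or_host:
        url_or_host = "//" + url_or_host  # let urlsplit see a netloc
    host = urlsplit(url_or_host).hostname or ""
    return host.rstrip(".").lower()


def redact(url_or_host, suffixes):
    """Reduce a URL to its 'domain': the longest known suffix plus one label.

    Returns None when the host is itself a suffix, is empty, or ends in a
    suffix the list does not know, so that nothing is guessed.
    """
    labels = host_of(url_or_host).split(".")
    # Scan from the full name downwards so the longest suffix wins.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in suffixes:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None


def compare(urls):
    """Return (input, registry-only result, with-delegated result) rows."""
    return [(u, redact(u, REGISTRY_ONLY), redact(u, WITH_DELEGATED))
            for u in urls]


if __name__ == "__main__":
    samples = ["news.bbc.co.uk", "bbc.co.uk/news", "http://www.wbs.eu.com/"]
    for url, coarse, fine in compare(samples):
        print(f"{url:26} registry-only={coarse!s:12} with-delegated={fine}")
```

Under the registry-only list every customer of eu.com produces the same record, so the record says nothing about which site was visited.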


