Five Major Tech Issues Facing Snooper’s Charter

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

There are some serious technology issues that need to be ironed out in Snooper’s Charter. Here are five of the biggest.

The Draft Communications Data Bill, widely known as the “Snooper’s Charter”, was always going to cause a stir. Now, those anxious about the Coalition’s plans have homed in on the technical barriers.

The clauses outlined yesterday, which would replace those in Part 1 Chapter 2 of the Regulation of Investigatory Powers Act (RIPA) and Part 11 of the Anti-Terrorism Crime and Security Act 2001, did not include details on how their technological aspects would work.

But so broad were the proposed measures that an Act based on them would come undone due to various technological issues. Much has already been made of the ease with which criminals can hide their IP, and the difficulty of splitting comms and content data. Having looked through the bill, here are five more issues the government needs to look at if it wants to see this highly controversial bill through:

What about Skype?

As Privacy International’s Sam Smith notes, in the run-up to the bill’s publication, the rhetoric was all about modern communication methods such as Skype. It was one of deputy prime minister Nick Clegg’s main concerns that Skype would be watched over by law enforcement. Yesterday’s draft did nothing to clear up the question of whether the government would be able to use comms data from Microsoft’s VoIP service.

Whilst it seems Skype would be classed as a telecommunications provider according to the draft’s definition, there are other factors to take into consideration here. As TechWeekEurope has noted before, using Skype could help people avoid having their conversations spied on. When you send messages or chat over Skype, the data is encrypted, making it very hard for anyone to make sense of. Furthermore, Skype works over a peer-to-peer framework and does not currently store information on its servers, although that is set to change as it moves into big data analytics.

“There is little in here specifically about the ‘new communication methods’ – it’s primarily focused on grabbing everything and hoping it can be figured out later,” Smith says.

HTTPS headaches

Similar issues surround services using the Secure Sockets Layer (SSL) for protection. Will the government be able to get hold of data that is sent through sites like Twitter, which have HTTPS turned on by default? Again, the bill does not appear to mention anything on this.

Cracking large-scale SSL-encrypted data would take some serious computing power. The only way government could efficiently make sense of such information is if it set up server farms to do extensive brute force attacks, which would add significant cost to the operation. Unless they already have that power. Perhaps a substantial portion of the £1.8 billion cost of the project is going towards that.

“It’s quite possible GCHQ have a way of breaking SSL, but this is supposed to be a police bill, not an intelligence services bill,” Smith says.

The government’s response to this issue thus far has been to claim that it will just work. As Smith notes, that’s “ideology over practicality” – something the government is going to have to move away from if it wants the new bill to be successful.

The black box threat

It remains contentious as to whether black boxes, which many believe will be shoved into ISPs across Britain as a result of any Act, would be able to split comms data from content. What is clear, though, is that if they were to be placed in service providers’ data centres, they would be a mighty fine target for attacks. Holding all that user content in one place – a place connected to the Internet – is just plain dangerous.

Without wanting to inspire conspiracy theorists out there, it is also believed a Chinese hardware vendor is being lined up to provide these black boxes. Would the government want to risk surveillance from China too?

What’s a ‘telecommunication system’?

There are some serious questions over what the government classes as a communications device, and what that means for its snooping remit.

The draft says that the secretary of state would be able to ask for an order that would “ensure or otherwise facilitate the availability of communications data from telecommunications operators so that it can be obtained by relevant public authorities”. It goes on to say “the term ‘telecommunications operator’ is defined in clause 28 as a person who controls or provides a telecommunication system, or provides a telecommunications service”.

Now, the draft defines a telecommunication system as “a system (including the apparatus comprised in it) that exists (whether wholly or partly in the United Kingdom or elsewhere) for the purpose of facilitating the transmission of communications by any means involving the use of electrical or electro-magnetic energy”.

As you can imagine, that makes a lot of technologies a telecommunication system and a lot of companies telecoms providers. “The definition of equipment that falls under the bill is potentially so broad (basing it on electromagnetic transmissions), that a slightly faulty hair dryer may be included and the speakers used in the local pub certainly are,” Smith notes.

With the dawn of the Internet of Things, where billions of devices are transmitting data, the above definitions, and the clauses they relate to, could make Snooper’s Charter massively intrusive. The government could find out things like when you’ve put your washing on, or even when and where you drove your car. 

The government has to be clearer on what data it will have access to if it wants to have a realistic Act at the end of this process.

Heeding the techies’ advice

As the government has repeatedly pointed out, there are some safeguards in place. One of the most interesting is in Clause 2, which states that before the secretary of state can get data from service providers, he or she has to consult with certain groups.

“These persons include Ofcom (which is the independent regulator and competition authority for the UK communications industries). The secretary of state must also, as appropriate, consult the persons likely to have requirements or restrictions imposed on them (for example, telecommunications operators) and their representatives, the Technical Advisory Board (established by section 13 of RIPA), and bodies which have statutory functions affecting telecommunications operators,” the draft bill reads.

This is a nice safeguard and gives companies like BT and Virgin a chance to have a say. But there does not appear to be a stipulation that the secretary of state has to take any of their advice on board.

“Given how consultation with the bill has gone, this doesn’t bode well. This is a fundamental problem for the future,” Smith adds.

It seems there are many such fundamental problems in the Draft Communications Data Bill. Come November, it’s likely we will see if the government has addressed any of them.
