The Draft Communications Data Bill, widely known as the “Snooper’s Charter”, was always going to cause a stir. Now, those anxious about the Coalition’s plans have homed in on the technical barriers.
The clauses outlined yesterday, which would replace those in Part 1 Chapter 2 of the Regulation of Investigatory Powers Act (RIPA) and Part 11 of the Anti-Terrorism Crime and Security Act 2001, did not include details on how their technological aspects would work.
But so broad were the proposed measures that an Act based on them would come undone due to various technological issues. Much has already been made of the ease with which criminals can hide their IP, and the difficulty of splitting comms and content data. Having looked through the bill, here are five more issues the government needs to look at if it wants to see this highly controversial bill through:
As Privacy International’s Sam Smith notes, in the run up to the bill’s publication, the rhetoric was all about modern communication methods such as Skype. It was one of deputy prime minister Nick Clegg’s main concerns that Skype would be watched over by law enforcement. Yesterday’s draft did nothing to clear up the question of whether the government would be able to use comms data from Microsoft’s VoIP service.
Whilst it seems Skype would be classed as a telecommunications provider according to the draft’s definition, there are other factors to take into consideration here. As TechWeekEurope has noted before, using Skype could help people avoid having their conversations spied on. When you send messages or chat over Skype, the data is encrypted, making it very hard for anyone to make sense of. Furthermore, Skype works over a peer-to-peer framework and does not currently store information on its servers, although that is set to change as it moves into big data analytics.
“There is little in here specifically about the ‘new communication methods’ – it’s primarily focused on grabbing everything and hoping it can be figured out later,” Smith says.
Similar issues surround services using the Secure Sockets Layer (SSL) for protection. Will the government be able to get hold of data that is sent through sites like Twitter, which have HTTPS turned on by default? Again, the bill does not appear to mention anything on this.
Cracking large scale SSL encrypted data would take some serious computing power. The only way government could efficiently make sense of such information is if it set up server farms to do extensive brute force attacks, which would add significant cost to the operation. Unless they already have that power. Perhaps a substantial portion of the £1.8 billion cost of the project is going towards that.
“It’s quite possible GCHQ have a way of breaking SSL, but this is supposed to be a police bill, not an intelligence services bill,” Smith says.
The government’s response to this issue thus far has been to claim that it will just work. As Smith notes, that’s “ideology over practicality” – something the government is going to have to move away from if it wants the new bill to be successful.
It remains contentious as to whether black boxes, which many believe will be shoved into ISPs across Britain as a result of any Act, would be able to split comms data from content. What is clear, though, is that if they were to be placed in service providers’ data centres, they would be a mighty fine target for attacks. Holding all that user content in one place – a place connected to the Internet – is just plain dangerous.
Without wanting to inspire conspiracy theorists out there, it is also believed a Chinese hardware vendor is being lined up to provide these black boxes. Would the government want to risk surveillance from China too?
There are some serious questions over what the government classes as a communications device, and what that means for its snooping remit.
The draft says that the secretary of state would be able to ask for an order that would “ensure or otherwise facilitate the availability of communications data from telecommunications operators so that it can be obtained by relevant public authorities”. It goes on to say “the term ‘telecommunications operator’ is defined in clause 28 as a person who controls or provides a telecommunication system, or provides a telecommunications service”.
Now, the draft defines a telecommunication system as “a system (including the apparatus comprised in it) that exists (whether wholly or partly in the United Kingdom or elsewhere) for the purpose of facilitating the transmission of communications by any means involving the use of electrical or electro-magnetic energy”.
As you can imagine, that makes a lot of technologies a telecommunication system and a lot of companies telecoms providers. “The definition of equipment that falls under the bill is potentially so broad (basing it on electromagnetic transmissions), that a slightly faulty hair dryer may be included and the speakers used in the local pub certainly are,” Smith notes.
With the dawn of the Internet of Things, where billions of devices are transmitting data, the above definitions, and the clauses they relate to, could make Snooper’s Charter massively intrusive. The government could find out things like when you’ve put your washing on, or even when and where you drove your car.
The government has to be clearer on what data it will have access to if it wants to have a realistic Act at the end of this process.
As the government has repeatedly pointed out, there are some safeguards in place. One of the most interesting is in Clause 2, which states that before the secretary of state can get data from service providers, he or she has to consult with certain groups.
“These persons include Ofcom (which is the independent regulator and competition authority for the UK communications industries). The secretary of state must also, as appropriate, consult the persons likely to have requirements or restrictions imposed on them (for example, telecommunications operators) and their representatives, the Technical Advisory Board (established by section 13 of RIPA), and bodies which have statutory functions affecting telecommunications operators,” the draft bill reads.
This is a nice safeguard and gives companies like BT and Virgin a chance to have a say. But there does not appear to be a stipulation that the secretary of state has to take any of their advice on board.
“Given how consultation with the bill has gone, this doesn’t bode well. This is a fundamental problem for the future,” Smith adds.
It seems there are many such fundamental problems in the Draft Communications Data Bill. Come November, it’s likely we will see if the government has addressed any of them.
Are you a privacy pro? Try our quiz!
Google parent Alphabet sees market capitalisation surge over $2tn on plan to over first-ever cash…
Google asks Virginia federal court to dismiss case brought by US Justice Department and eight…
Snapchat parent Snap reports user growth, revenues in spite of tough competition, in what may…
Intel shares sag after company shares gloomy revenue predictions, as data centre chip demand hit…
Germany's Tuta Mail says Google broke EU's new DMA rules with March algorithm update that…
US auto safety regulator opens new investigation into adequacy of Tesla Autopilot recall, saying it…
View Comments
Encryption happened, it's everywhere. The government needs to realise that this is a battle that cannot be won in a free country. It cannot be undone without physical force. It's time to let it go.
The question is why does the government need this? Its not going to be a problem for 'serious' terrorists who will simply bypass it, and doesn't need a lot of knowledge or cost to do.
Normal surveillance techniques are going to be far more effective than published methods of tracking which pre-warns the bad guys! Or may be its a fiendishly clever ruse to make the bad guy think they are safe if they avoid the monitoring.
£1.5 Billion could buy and awful lot of good conventional intelligence which it appears MI5/MI6 and the government have in very short supply!
I have never read so much crap in my life.
They can already get your comms data if they contact your CSP/ISP, via a warrant or with your permission. They want to create a more steamlined process by having all of this in one place.
As for "HTTTPS" - yeh it will mask the traffic but it won't stop them from knowing that your IP was communicating with another IP, at a certain date.
They don't care about content, and any content that does slip through the net will be dismissed, used for intelligence in very sensitive cases and most likely in-admissible in any case.
Black-boxes - well, they do exist I can tell you that much, and they have been installed in exchanges for decades.
Because they have been using RIPA more and more, they want to save money and time by implementing these sorts of systems, it's beaurocracy!