
Privacy, public health and the moral hazard of surveillance

My new Guardian column, "Privacy, public health and the moral hazard of surveillance," discusses the way that the governments' reliance on social networks for intelligence purposes means that they can't intervene to help their populations get better at trading their privacy for services.

That's a crisis. If online oversharing is a public health problem, then the state's decision to harness it for its own purposes means that huge, powerful forces within government will come to depend on oversharing. It will be vital to their jobs – their pay-packets will literally depend on your inability to gauge the appropriateness of your online disclosure.

They will be on the same side as the companies that profit from oversharing, because they will, effectively, be just another firm that benefits from oversharing.

It's as though Scotland Yard decreed that obesity was critical to its ability to catch slow-moving, easily winded suspects. It's as though the NHS announced it would cope with the expense of an aging population by encouraging chain-smoking. The dangers of oversharing are hard enough to manage when it's just the private sector that benefits from them.

Privacy, public health and the moral hazard of surveillance

Black Code: how spies, cops and crims are making cyberspace unfit for human habitation


I reviewed Ronald Deibert's new book Black Code in this weekend's edition of the Globe and Mail. Deibert runs the Citizen Lab at the University of Toronto and has been instrumental in several high-profile reports that outed government spying (like the Chinese hackers who compromised the Dalai Lama's computer and turned it into a covert CCTV camera) and massive criminal hacks (like the Koobface extortion racket). His book is an amazing account of how cops, spies and crooks all treat the Internet as the same kind of thing, a tool for getting information out of people without their knowledge or consent, and of how they end up in a kind of emergent conspiracy to erode the net's security to further their own ends. It's an absolutely brilliant and important book:

Ronald Deibert’s new book, Black Code, is a gripping and absolutely terrifying blow-by-blow account of the way that companies, governments, cops and crooks have entered into an accidental conspiracy to poison our collective digital water supply in ways small and large, treating the Internet as a way to make a quick and dirty buck or as a snoopy spy’s best friend. The book is so thoroughly disheartening for its first 14 chapters that I found myself growing impatient with it, worrying that it was a mere counsel of despair.

But the final chapter of Black Code is an incandescent call to arms demanding that states and their agents cease their depraved indifference to the unintended consequences of their online war games and join with civil society groups that work to make the networked society into a freer, better place than the world it has overwritten.

Deibert is the founder and director of The Citizen Lab, a unique institution at the University of Toronto’s Munk School of Global Affairs. It is one part X-Files hacker clubhouse, one part computer science lab and one part international relations observatory. The Citizen Lab’s researchers have scored a string of international coups: Uncovering GhostNet, the group of Chinese hackers taking over sensitive diplomatic computers around the world and eavesdropping on the private lives of governments; cracking Koobface, a group of Russian petty crooks who extorted millions from random people on the Internet, a few hundred dollars at a time; exposing another Chinese attack directed at the Tibetan government in exile and the Dalai Lama. Each of these exploits is beautifully recounted in Black Code and used to frame a larger, vivid narrative of a network that is global, vital and terribly fragile.

Yes, fragile. The value of the Internet to us as a species is incalculable, but there are plenty of parties for whom the Internet’s value increases when it is selectively broken.

How to make cyberspace safe for human habitation

Black Code: Inside the Battle for Cyberspace

Computer scientists to FBI: don't require all our devices to have backdoors for spies

In an urgent, important blog post, computer scientist and security expert Ed Felten lays out the case against rules requiring manufacturers to put wiretapping backdoors in their communications tools. Since the early 1990s, manufacturers of telephone switching equipment have had to follow a US law called CALEA that says that phone switches have to have a deliberate back-door that cops can use to secretly listen in on phone calls without having to physically attach anything to them. This has already been a huge security problem -- through much of the 1990s, AT&T's CALEA controls went through a Solaris machine that was thoroughly compromised by hackers, meaning that criminals could listen in on any call; during the 2005/6 Olympic bid, spies used the CALEA backdoors on the Greek phone company's switches to listen in on the highest levels of government.

But now, thanks to the widespread adoption of cryptographically secured messaging services, law enforcement is finding that its CALEA backdoors are of declining utility -- it doesn't matter if you can intercept someone else's phone calls or network traffic if the data you've captured is unbreakably scrambled. In response, the FBI has floated the idea of "CALEA II": a mandate to put wiretapping capabilities in computers, phones, and software.

As Felten points out, this is a terrible idea. If your phone is designed to secretly record you or stream video, location data, and messages to an adverse party, and to stop you from discovering that it's doing this, it puts you at huge risk when that facility is hijacked by criminals. It doesn't matter if you trust the government not to abuse this power (though, for the record, I don't -- especially since anything mandated by the US government would also be present in devices used in China, Belarus and Iran) -- deliberately weakening device security makes you vulnerable to everyone, including the worst criminals:

Our report argues that mandating a virtual wiretap port in endpoint systems is harmful. The port makes it easier for attackers to capture the very same data that law enforcement wants. Intruders want to capture everything that happens on a compromised computer. They will be happy to see a built-in tool for capturing and extracting large amounts of audio, video, and text traffic. Better yet (for the intruder), the capability will be stealthy by design, making it difficult for the user to tell that anything is amiss.

Beyond this, the mandate would make it harder for users to understand, monitor, and fix their own systems—which is bad for security. If a system’s design is too simple or its operation too transparent or too easy to monitor, then wiretaps will be evident. So a wiretappability mandate will push providers toward complex, obfuscated designs that are harder to secure and raise the total cost of building and operating the system.

Finally, our report argues that it will not be possible to block non-compliant implementations. Many of today’s communication tools are open source, and there is no way to hide a capability within an open source code base, nor to prevent people from simply removing or disabling an undesired feature. Even closed source systems are routinely modified by users—as with jailbreaking of phones—and users will find ways to disable features they don’t want. Criminals will want to disable these features. Ordinary users will also want to disable them, to mitigate their security risks.

Felten's remarks summarize a report [PDF] signed by 20 distinguished computer scientists criticizing the FBI's proposal. It's an important read -- maybe the most important thing you'll read all month. If you can't trust your devices, you face enormous danger.

CALEA II: Risks of wiretap modifications to endpoints

Apple can decrypt iPhones for cops; Google can remotely "reset password" for Android devices

Apple apparently has the power to decrypt iPhone storage in response to law-enforcement requests, though they won't say how. Google can remotely "reset the password" for a phone for cops, too:

Last year, leaked training materials prepared by the Sacramento sheriff's office included a form that would require Apple to "assist law enforcement agents" with "bypassing the cell phone user's passcode so that the agents may search the iPhone." Google takes a more privacy-protective approach: it "resets the password and further provides the reset password to law enforcement," the materials say, which has the side effect of notifying the user that his or her cell phone has been compromised.

Ginger Colbrun, ATF's public affairs chief, told CNET that "ATF cannot discuss specifics of ongoing investigations or litigation. ATF follows federal law and DOJ/department-wide policy on access to all communication devices."

...The ATF's Maynard said in an affidavit for the Kentucky case that Apple "has the capabilities to bypass the security software" and "download the contents of the phone to an external memory device." Chang, the Apple legal specialist, told him that "once the Apple analyst bypasses the passcode, the data will be downloaded onto a USB external drive" and delivered to the ATF.

It's not clear whether that means Apple has created a backdoor for police -- which has been the topic of speculation in the past -- whether the company has custom hardware that's faster at decryption, or whether it simply is more skilled at using the same procedures available to the government. Apple declined to discuss its law enforcement policies when contacted this week by CNET.

It's not clear to me from the above whether Google "resetting the password" for Android devices merely bypasses the lock-screen or actually decrypts the mass storage on the phone if it has been encrypted.

I also wonder if the "decryption" Apple undertakes relies on people habitually using short passwords for their phones -- the alternative being a lot of screen-typing in order to place a call.

Apple deluged by police demands to decrypt iPhones [Declan McCullagh/CNet]

(via /.)

CISPA is not dead! It's coming back -- get ready!


Evan from Fight for the Future sez, "All of your phone calls, emails, petition signatures, and tweets are working. The privacy-killing back-from-the-dead zombie bill CISPA is a bit stalled in the Senate, but with over $605 million in lobbying spent on it already, it's bound to be back to haunt us in some form soon. So we made an infographic to get everyone up to speed. This Spring, we'll be organizing the largest online privacy protest in history, to send this bill back where it belongs. Join us?"


Mozilla to FinSpy: stop disguising your "lawful interception" spyware as Firefox


The Mozilla Foundation has sent a legal threat to Gamma International, a UK company that makes a product called "FinSpy" that is used by governments, including brutal dictatorships, to spy on dissidents. FinSpy allows these governments to hijack their citizens' screens, cameras, hard-drives and keyboards. Gamma disguises this spyware as copies of Firefox, Mozilla's flagship free/open browser.

Gamma International markets its software as a “remote monitoring” program that government agencies can use to take control of computers and snoop on data and communications. In theory, it could be legitimately used for surveillance efforts by crime fighting agencies, but in practice, it has popped up as a spy tool unleashed against dissident movements operating against repressive regimes.

Citizen Lab researchers have seen it used against dissidents from Bahrain and Ethiopia. And in a new report, set to be released today, they’ve found it in 11 new countries: Hungary, Turkey, Romania, Panama, Lithuania, Macedonia, South Africa, Pakistan, Nigeria, Bulgaria, and Austria. That brings the total number of countries that have been spotted with FinFisher to 36.

To date, Citizen Lab researchers have found three samples of FinSpy that masquerade as Firefox, including a “demo” version of the spyware, according to Morgan Marquis-Boire, a security researcher at the Citizen Lab who works as a Google Security Engineer. Marquis-Boire says his work at Citizen Lab is independent from his day job at Google.

Mozilla Takes Aim at Spyware That Masquerades as Firefox [Robert McMillan/Wired]

Why do governments get Internet surveillance so wrong?


The UK Open Rights Group has just published "Why the Snoopers’ Charter is the wrong approach: A call for targeted and accountable investigatory powers," a digital paper on why and how governments go terribly wrong with Internet surveillance proposals, and what a reasonable and accountable form of surveillance would look like. Jim Killock from ORG sez,

After the Snoopers' Charter debacle, the Open Rights Group asks why intrusive new laws are being suggested, if they are needed at all and what the alternatives are. Some of the UK's most prominent surveillance experts examine the history of UK surveillance law and the challenges posed by the explosion of digital datasets. Contributors include journalist Duncan Campbell, legal expert Angela Patrick from Justice, Richard Clayton of Cambridge University Computer Labs and Peter Sommer, Visiting Professor at De Montfort University.

Digital Surveillance (Thanks, Jim!)

(Disclaimer: I am proud to have co-founded the Open Rights Group, and to volunteer on its advisory council)

CISPA is dead! (again) (for now)

After months of activist agitation and a crushing disappointment from the cowards in the House of Representatives, the US senate has effectively killed CISPA, a sweeping Internet surveillance proposal. This is astoundingly great news! But CISPA died once before, and came back from the dead, and it will not likely stay dead this time around either. The price of liberty is eternal vigilance, etc etc etc:

Sen. Jay Rockefeller (D-WV), the chairman of the U.S. Senate Committee on Commerce, Science and Transportation, said in a statement on April 18 that CISPA's privacy protections are "insufficient."

A committee aide told ZDNet on Thursday that Rockefeller believes the Senate will not take up CISPA. The White House has also said the President won't sign the House bill.

Staff and senators are understood to be "drafting separate bills" that will maintain the cybersecurity information sharing while preserving civil liberties and privacy rights.

Rockefeller's comments are significant as he takes up the lead on the Commerce Committee, which will be the first branch of the Senate that will debate its own cybersecurity legislation.

Michelle Richardson, legislative counsel with the American Civil Liberties Union, told the publication she thinks CISPA is "dead for now," and said the Senate will "probably pick up where it left off last year."

CISPA 'dead' in Senate, privacy concerns cited [Zack Whittaker/ZDNet]

Snooper's Charter is dead! (for now)

Aw, yeah! The UK Communications Data Bill -- AKA the "Snooper's Charter," a sweeping, totalitarian universal Internet surveillance bill that the Conservative government had sworn to pass -- is dead! Yesterday, Nick Clegg, leader of the Liberal Democrats in Parliament, announced that his party would not support the bill, and effectively killed it. Though I've been bitterly disappointed with some of the terminal compromises the LibDems have made, this makes me grateful to have them in Parliament. The kind of universal surveillance proposed in the Snooper's Charter was broadly supported by the last Labour government, which radically expanded state surveillance powers, and by the Tories -- thank goodness for the LibDems mustering a scrap of backbone at last!

The only downside is that the Open Rights Group had a whole series of great "Professor Elemental" videos that used pointed, excellent humour to mock and undermine the bill and drum up opposition to it, and now that's all going to go to waste (I blogged episode one yesterday).

Aw, who'm I kidding? This kind of thing never stays dead.

The snooper's charter has reminded Nick Clegg, finally, he is a liberal

UK ISPs betray customers, collaborate on government surveillance

Britain's Communications Data Bill -- AKA the Snooper's Charter -- would effectively eliminate private communications in the UK, giving government and the police the power to spy on virtually everything you do online (which is rapidly merging with everything you do, full stop). The major ISPs in the UK have apparently been turned to the government's cause, and have been quietly supporting the bill, which strips their customers of any semblance of privacy.

The government defends this proposal by saying that they're not intercepting "messages," only "envelopes." That is, they'll get the subject lines, social graph data, who is talking, where, how often, and who replies, how long the messages are, and so on. I like to imagine Alan Turing taking this approach to informational significance: "Mr Churchill, I'm sorry, there's no point in what you're asking us to do: all we can decode from the Nazis is who is sending messages, who receives them, what they're about, where they're sent from, how often they're sent, and how long they are. Nothing compromising." (Then I imagine the ghost of Turing haunting Home Secretary Theresa May, who claims that none of that kind of data compromises Britons' privacy.)

In an open letter to the major ISPs, the Open Rights Group, Big Brother Watch, and Privacy International accuse the ISPs of entering into a conspiracy of silence on the surveillance system:

It has become clear that a critical component of the Communications Data Bill is that UK communication service providers will be required by law to create data they currently do not have any business purpose for, and store it for a period of 12 months.

Plainly, this crosses a line no democratic country has yet crossed – paying private companies to record what their customers are doing solely for the purposes of the state.

These proposals are not fit for purpose, which possibly explains why the Home Office is so keen to ensure they are not aired publicly.

There has been no public consultation, while on none of your websites is there any reference to these discussions. Meetings have been held behind closed doors as policy has been developed in secret, seemingly the same policy formulated several years ago despite widespread warnings from technical experts.

That your businesses appear willing to be co-opted as an arm of the state to monitor every single one of your customers is a dangerous step, exacerbated by your silence.

Consumers are increasingly concerned about their privacy, both in terms of how much data is collected about them and how securely that data is kept. Many businesses have made a virtue of respecting consumer privacy and ensuring safe and secure internet access.

Sadly, your customers have not had the opportunity to comment on these proposals. Indeed, were it not for civil society groups and the media, they would have no idea such a policy was being considered.

We believe this is a critical failure not only of Government, but a betrayal of your customers' interests. You appear to be engaged in a conspiracy of silence with the Home Office, the only concern being whether or not you will be able to recover your costs.

ISPs In ‘Conspiracy Of Silence’ With Government On Snooper’s Charter (via /.)

Canadian cops can use electronic surveillance without reporting it

Nicholas Koutros sez,

Bill C-30 in Canada argued that police need new lawful access powers in order to keep up with modern criminals. This paper examines the police's own reports to demonstrate that the use of electronic surveillance is actually on the decline over the past 30 years; down nearly elevenfold. While it may be true that the process has become too onerous, as the police claim, we argue that this decline is the result of police not being compelled to report on new methods of surveillance.

The current report is antiquated and can't incorporate new methods of surveillance such as production orders. With Bill C-55 (which imposes new reporting requirements on emergency intercepts) currently being debated in the House of Commons it appears that MPs are finally recognizing the failings of the current transparency regime.

Big Brother's Shadow: Historical Decline in Electronic Surveillance by Canadian Federal Law Enforcement

Leaked: ITU's secret Internet surveillance standard discussion draft

Yesterday morning, I wrote about the closed-door International Telecommunications Union meeting where they were working on standardizing "deep packet inspection" -- a technology crucial to mass Internet surveillance. Other standards bodies have refused to touch DPI because of the risk to Internet users that arises from making it easier to spy on them. But not the ITU.

The ITU standardization effort has been conducted in secret, without public scrutiny. Now, Asher Wolf writes,

I publicly asked (via Twitter) if anyone could give me access to documents relating to the ITU's DPI recommendations, now endorsed by the U.N. The ITU's senior communications officer, Toby Johnson, emailed me a copy of their unpublished policy recommendations.

OOOPS!

5 hours later, they emailed, asking me not to publish it, in part or in whole, and that it was for my eyes only.

Please publish it (credit me for sending it to you.)

Also note:

1. The recommendations *NEVER* discuss the impact of DPI.

2. A FEW EXAMPLES OF POTENTIAL DPI USE CITED BY THE ITU:

"I.9.2 DPI engine use case: Simple fixed string matching for BitTorrent"
"II.3.4 Example “Forwarding copy right protected audio content”"
"II.3.6 Example “Detection of a specific transferred file from a particular user”"
"II.4.2 Example “Security check – Block SIP messages (across entire SIP traffic) with specific content types”"
"II.4.5 Example “Identify particular host by evaluating all RTCP SDES packets”"
"II.4.6 Example “Measure Spanish Jabber traffic”"
"II.4.7 Example “Blocking of dedicated games”"
"II.4.11 Example “Identify uploading BitTorrent users”"
"II.4.13 Example “Blocking Peer-to-Peer VoIP telephony with proprietary end-to-end application control protocols”"
"II.5.1 Example “Detecting a specific Peer-to-Peer VoIP telephony with proprietary end-to-end application control protocols”"


UN's International Telecommunications Union sets out to standardize bulk surveillance of Internet users by oppressive governments

The International Telecommunications Union, a UN agency dominated by veterans of incumbent telcos who mistrust the Internet and by representatives of repressive governments who want to control it, has quietly begun the standardization process for a kind of invasive network spying called "deep packet inspection" (DPI). Other standards bodies have shied away from standardizing surveillance technology, but the ITU just dived in with both feet, and proposed a standard that includes not only garden-variety spying, but also spying "in case of a local availability of the used encryption key(s)" -- a situation that includes the kind of spying Iran's government is suspected of engaging in, when an Iranian hacker stole signing keys from the Dutch certificate authority DigiNotar, allowing for silent interception of Iranian dissidents' Facebook and Gmail traffic.

The ITU-T DPI standard holds very little in reserve when it comes to privacy invasion. For example, the document optionally requires DPI systems to support inspection of encrypted traffic “in case of a local availability of the used encryption key(s).” It’s not entirely clear under what circumstances ISPs might have access to such keys, but in any event the very notion of decrypting the users’ traffic (quite possibly against their will) is antithetical to most norms, policies, and laws concerning privacy of communications. In discussing IPSec, an end-to-end encryption technology that obscures all traffic content, the document notes that “aspects related to application identification are for further study” – as if some future work may be dedicated to somehow breaking or circumventing IPSec.

Several global standards bodies, including the IETF and W3C, have launched initiatives to incorporate privacy considerations into their work. In fact, the IETF has long had a policy of not considering technical requirements for wiretapping in its work, taking the seemingly opposite approach to the ITU-T DPI document, as Germany pointed out in voicing its opposition to the ITU-T standard earlier this year. The ITU-T standard barely acknowledges that DPI has privacy implications, let alone does it provide a thorough analysis of how the potential privacy threats associated with the technology might be mitigated.

These aspects of the ITU-T Recommendation are troubling in light of calls from Russia and a number of Middle Eastern countries to make ITU-T Recommendations mandatory for Internet technology companies and network operators to build into their products. Mandatory standards are a bad idea even when they are well designed. Forcing the world’s technology companies to adopt standards developed in a body that fails to conduct rigorous privacy analysis could have dire global consequences for online trust and users’ rights.

Adoption of Traffic Sniffing Standard Fans WCIT Flames [CDT]

UK home secretary says Britain needs more data retention, cites an example where a corrupt cop gave murdered victims' details to crime boss

This morning saw the publication of an editorial in The Sun by Theresa May, the UK home secretary, defending her bulk Internet surveillance proposal, the Communications Data Bill, AKA the "Snooper's Charter."

In the article, May cites a submission by Peter Davies (Chief Executive of the Child Exploitation and Online Protection centre) as an example of why all Internet communications should be stored and made accessible to police without a warrant. Davies told the story of a murder that had been difficult to solve, and suggested that dragnet surveillance would have made the police's job simpler.

But as the Open Rights Group points out, the case in question is anything but a defense of bulk data-retention. Indeed, it involves a corrupt police officer who improperly used retained records to find information to pass on to a crime boss about a couple who were subsequently murdered. In other words, logging and storing information made it possible for a criminal and a corrupt cop to track people down.

It's nothing short of bizarre for Theresa May to cite this as a reason to retain more information, on more people, and to give access to that information to more agencies.

Tales of the Unexpected: the Communications Data Bill

Speaking in London on Nov 24 about the Snooper's Charter

Hey, Londoners! I'm speaking at one of the Open Rights Group's meetings on the Snooper's Charter (the proposed new mass-scale network spying bill) in London on Nov 24. It's free, but they'd like you to register so they know how many to plan for. Cory
