Communications Data Bill Needs More Work, Says Report and MPs

That report, Access to communications data by the intelligence and security Agencies, concerns the Communications Bill and starts from an assumption that national retention of communications data for the law enforcement and intelligence agencies is necessary. The report is about how this should be achieved. It dismisses a voluntary arrangement with UK content service providers (CSPs), not because it thinks they would be unwilling, but because existing data protection laws prevent them from storing data that isn’t required for their own business purposes. “Whilst they [the CSPs] recognise that they ‘have a responsibility to the country and to the citizens of the country’ the CSPs are clear that they need a legal foundation to retain data.”

The report then asks if existing legislation could be amended, but dismisses both the Regulation of Investigatory Powers Act (RIPA) and the European Data Retention Directive, since “neither offers a solution... Whilst [new primary] legislation is not a perfect solution, we believe it is the best available option.” This is the Communications Bill, designed to allow access to all ‘non-content’ data: that is, who communications are between, when and sometimes from where, and which websites are visited.

One potential problem is that the Communications Bill includes an appeals process for CSPs who object to handing over particular data. In turn, the government “has the ability to take civil action against an uncooperative CSP;” but might decide that such action is not appropriate. “In such cases, it is important that there is an alternative means of accessing that CSP’s data if the Agencies require it.” That alternative action “is to agree with the UK CSPs that they would place ‘probes’ on their network(s) to collect the required CD as it traverses to the end user.” 

In other words, the law will allow CSPs to appeal, but if they are successful, the law will allow the intelligence agencies to take the data anyway via black boxes using deep packet inspection (DPI). The difficulty with this proposal is that DPI can provide access to full communications content and not just communications data, and it can be taken without reference to the user or further reference to the CSP (who has already objected). The Intelligence Committee’s position, supported by a quote from BAE Systems Detica (a supplier of DPI to government), is that DPI black boxes can be programmed to look at the communications data without the content. This is questioned by some IT consultants who point out that it isn’t that easy to separate data from content in all cases – particularly citing communications within social networks.

The potential use of DPI is one of the most controversial aspects of the Communications Bill. There are concerns that if it is available for communications data, it will only be a matter of time before it is used for communications content. “Deep Packet Inspection for national security and law enforcement purposes should only ever be used on a genuine suspect under investigation, not wholesale on an entire population – and even then a warrant should be needed,” privacy activist Alexander Hanff, managing director at Think Privacy Ltd, told Infosecurity.

Encryption is also briefly discussed, but redacted, in the report. “We have heard that the Government has *** options in dealing with the challenge encryption poses: ***.” It goes on to say, “In the first instance, agreement should be sought with the Communications Service Provider holding the communications data to provide it in an unencrypted form.” 

This could be referring to SSL webmail. An “even scarier suggestion,” explained James Firth, CEO of the Open Digital Policy Organisation Ltd, to Infosecurity, “if Alice did use SSL to connect to her mail service provider it has been suggested - I have a very good contact confirming this - that legislation could be introduced to force her ISP to store the whole encrypted transaction, even though this includes the content.”

The idea, explains Firth, is that the government could get a court order – here or, for example, in the US – to force the mail service provider to disclose the user’s private SSL key. From that it would in some cases be possible to replay the SSL transaction to discover the session key and decrypt the contents, then extract the communications data, “and, honest guv,” warns Firth, “ignore any content.”

Systems such as Google’s ‘forward secrecy’ will make it even harder for the intelligence agencies. “Forward secrecy,” explained Firth, “introduces, essentially, a second negotiated secret into the SSL transaction; a secret known only by the client web browser. The protracted SSL handshake with forward secrecy ensures that if one private key was later compromised - e.g. the mail service provider's key - an attacker would still not be able to reproduce the plaintext from a captured encrypted session.”

Without that ‘forward secrecy’, Alexander Hanff warns, “the ISP could easily set up Man in the Middle attacks similar to how Phorm did with their DPI boxes which would allow them to decrypt everything (including the content) which is what I presume was the redacted content in the report released yesterday... This of course would be completely illegal under RIPA (without a warrant) so they would need to introduce legislation to do this (which would put them in breach of the EU Data Retention Directive; but as we know the UK gov are not good at complying with EU Directives so they probably wouldn’t care).”
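The difference between the two cases above, as an added example (not code from the report, Infosecurity or anyone quoted): a toy handshake with static RSA key transport, where a stored capture can be opened once the server's long-term private key is disclosed, beside one with ephemeral Diffie-Hellman, the usual mechanism behind forward secrecy in SSL/TLS, where it cannot. All parameters and function names are constructed for illustration, and the numbers are far too small for real use.

```python
import hashlib
import secrets

# Constructed toy parameters (assumptions for this example, not secure sizes).
P, Q, E = 2**31 - 1, 2**61 - 1, 65537      # server's long-term RSA primes, public exponent
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))          # server's long-term private exponent
DH_P, DH_G = 2**127 - 1, 5                 # Diffie-Hellman prime modulus and base


def kdf(secret: int) -> str:
    """Derive the session key from the negotiated secret."""
    return hashlib.sha256(str(secret).encode()).hexdigest()


def rsa_key_transport():
    """Static RSA: the client encrypts its premaster secret to the long-term key."""
    premaster = secrets.randbelow(N - 2) + 2
    recorded = {"kex": "RSA", "encrypted_premaster": pow(premaster, E, N)}
    return kdf(premaster), recorded        # (session key, what a passive tap stores)


def ephemeral_dh():
    """Ephemeral DH: both exponents are per-session and discarded afterwards."""
    a = secrets.randbelow(DH_P - 3) + 2    # client's throwaway secret
    b = secrets.randbelow(DH_P - 3) + 2    # server's throwaway secret
    client_pub, server_pub = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    assert pow(server_pub, a, DH_P) == pow(client_pub, b, DH_P)  # both ends agree
    # The long-term key only signs the server's share (toy textbook signature);
    # nothing in the handshake is encrypted to it.
    recorded = {"kex": "DHE", "client_pub": client_pub, "server_pub": server_pub,
                "server_sig": pow(server_pub % N, D, N)}
    return kdf(pow(server_pub, a, DH_P)), recorded


def recover_with_long_term_key(recorded, d=D):
    """What a stored capture yields once the long-term private key is disclosed."""
    if "encrypted_premaster" in recorded:
        return kdf(pow(recorded["encrypted_premaster"], d, N))
    return None                            # no field depends on the long-term key


if __name__ == "__main__":
    for handshake in (rsa_key_transport, ephemeral_dh):
        session_key, capture = handshake()
        recovered = recover_with_long_term_key(capture)
        print(capture["kex"], "session key recovered:", recovered == session_key)
```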


But despite its many and obvious difficulties, overall the Intelligence and Security Committee is in complete agreement with the government on the need for the Communications Bill. Its only real concern is that it needs to be better sold to the population.

