Saturday, May 2, 2009

UK to store more "communications data"

The UK has a rather odd regime for intercepting on-line communications. The law distinguishes between the content of communications and "communications data" (such as a list of the telephone calls you have made). Content cannot be used in criminal investigations, although it is widely believed that the security services intercept a lot of it as part of their general signals intelligence activity. However, "communications data" is available to pretty much any part of Government provided that a sufficiently senior person signs off on the request. No warrant is needed.

The UK Government is consulting on proposals to require ISPs to gather and store a lot more "communications data". At present they basically have to take the IP header data: origin, destination, port number and protocol (TCP/UDP). Volumes and times are likely to be recorded, and of course your DHCP lease, so that they can tie a physical machine to the IP address. So with this they can see that you browsed http://www.bbc.co.uk, but not what you actually read. But the Government argues that this is increasingly insufficient. If it is investigating suspicious activity, such as a big purchase of fertilizer, then it needs to find out who the suspect is communicating with. If the suspect uses an off-shore email service such as Gmail then the existing communications data regime can't get at this.
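As an added illustration (not part of the original post), here is a small parser that pulls out only the fields the present regime retains, namely addresses, protocol, ports and payload volume, from a constructed IPv4/TCP or UDP packet, and never copies the payload itself; the addresses are reserved documentation (TEST-NET) values and the packet is built inside the script.

```python
import struct
from dataclasses import dataclass

@dataclass
class CommsDataRecord:
    """The header-level 'communications data' an ISP can record; no content bytes."""
    src_ip: str
    dst_ip: str
    protocol: str
    src_port: int
    dst_port: int
    payload_bytes: int  # volume is kept; the payload (e.g. a TLS record) is not

def build_ipv4_packet(src: str, dst: str, proto: int, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed demo packet (checksums left zero; nothing is sent anywhere)."""
    if proto == 6:    # TCP: 20-byte header, data offset 5, ACK flag set
        transport = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x10, 65535, 0, 0)
    elif proto == 17:  # UDP: 8-byte header carrying its own length
        transport = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    else:
        raise ValueError("demo builds TCP and UDP only")
    total_len = 20 + len(transport) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, proto, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    return ip_hdr + transport + payload

def extract_comms_data(packet: bytes) -> CommsDataRecord:
    """Read IPv4 + transport headers only; payload length is derived, never stored."""
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum = struct.unpack("!BBHHHBBH", packet[:12])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4                     # IP header length in bytes
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])   # same offsets for TCP and UDP
    if proto == 6:
        name, thl = "TCP", (packet[ihl + 12] >> 4) * 4          # data offset field
    elif proto == 17:
        name, thl = "UDP", 8
    else:
        name, thl = str(proto), 0
    return CommsDataRecord(src, dst, name, sport, dport, total_len - ihl - thl)

if __name__ == "__main__":
    # Constructed HTTPS-looking flow: client 192.0.2.10 -> server 198.51.100.7:443
    pkt = build_ipv4_packet("192.0.2.10", "198.51.100.7", 6, 51234, 443, b"\x16\x03\x01" + b"\x00" * 40)
    print(extract_comms_data(pkt))
```

The record shows the destination and port 443 but nothing of the TLS payload, which is the gap the proposal is trying to close.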

So the Government's proposed solution is to require ISPs to capture and store more data, including "third party data", which seems to mean anything inside the packets that helps to identify the people you are communicating with.

The problem with this is that it's an impossible job. Most stuff that is even vaguely sensitive (like Gmail) is sent using HTTPS as a matter of course. Even if that obstacle could be overcome, communications data is simply too slippery a concept once you get away from IP headers. For instance, MMORPGs like Runescape and World of Warcraft (and for that matter Second Life) have "chat" facilities that use game location to determine who can "hear" you. Suppose a conspiracy decides to meet at the edge of a forest in Runescape: their location is exactly the sort of communications data that the Government wants to capture. Doing so requires someone to reverse engineer the existing Runescape protocol and then write software to extract just that part of the data. This software would then have to be run by every ISP in the UK, and the whole exercise repeated for every other multi-player game and interactive website.

This would be a huge effort, but it would still fail to capture data about any criminal who had a modicum of technical knowledge, because there are too many options for setting up channels that the Government cannot intercept. For instance, encrypted messages could be left as Usenet posts. Freenet exists specifically for avoiding surveillance. And SSH tunnel services can let you use any Internet service without being tracked.

So in effect the Government is proposing a huge technical boondoggle to do the impossible. Not for the first time, and I'm sure it won't be for the last.

My full response is available here in PDF format.