Europe Already Has Draft Standard For Real-Time Government Snooping On Services Like Facebook And Gmail
from the not-that-we'd-ever-use-it dept
As the old joke goes, standards are wonderful things, that's why we have so many of them. But who would have thought that ETSI, the European Telecommunications Standards Institute, has already produced a draft standard on how European governments can snoop on cloud-based services like Facebook and Gmail -- even when encrypted connections are used?
ETSI DTR 101 567, to give it the full title, was pointed out to us by Erich Moechel, who has written an excellent exploration of its elements (original in German). Here's the summary from the draft standard (Microsoft Word format):
The present document provides an overview on requests for handover and delivery of real-time information associated with cloud/virtual services. The report identifies Lawful Interception needs and requirements in the converged cloud/virtual service environment, the challenges and obstacles of complying with those requirements, what implementations can be achieved under existing ETSI LI [Lawful Interception] standards, and what new work may be required to achieve needed Lawful Interception capabilities. Cloud Services in whichever forms they take (Infrastructure, Software, Platform or combinations of these) are often trans border in nature and the information required to maintain Lawful Interception (LI) capability or sufficient coverage for LI support may vary in different countries, or within platforms of different security assurance levels. This work aims to ensure capabilities can be maintained while allowing business to utilise the advantages and innovations of Cloud Services and was undertaken cooperatively with relevant cloud security technical bodies.
As that makes clear, this is being presented as "maintaining" interception capabilities in a world where cloud computing makes previous approaches inapplicable. The new standard specifically mentions social networking, file sharing and video conferencing as new areas that need to be addressed.
One key section spells out how this is to be achieved:
If the traffic is encrypted, the entity responsible for key management must ensure it can be decrypted by the CSP [Communication Service Provider] or LEA [Law Enforcement Agency].
As this makes clear, along with the intercepted information, the standard envisages encryption keys being handed over routinely. Just to make things complete, DPI -- deep packet inspection -- is also regarded as a likely element of the system.
In order to maintain LI coverage the cloud service provider must implement a Cloud Lawful Interception Function (CLIF). This can be by way of Applications Programming Interface (API) or more likely ensuring presentation of information in a format recognisable to interception mechanisms. Deep packet inspection is likely to be a constituent part of this system.
Since this is currently a draft, the threat it represents might be seen as purely theoretical; but a recent article in the Guardian confirms that the UK government "quietly agreed to measures that could increase the ability of the security services to intercept online communication" -- a reference to the ETSI draft.
The Guardian also provides us with some explanation of why this draft just happens to be available at precisely the moment when the UK government is announcing a plan that seems likely to use it:
Etsi has faced criticism in the past for the pre-emptive inclusion of wiretapping capabilities, a decision that critics say encouraged European governments to pass their wiretapping laws accordingly. According to Ross Anderson, professor in security engineering at the University of Cambridge Computer Laboratory, the institute has strong links with the intelligence agencies and has a significant British contingent, along with a number of US government advisers.
It's a classic case of policy laundering; here's how it will probably work.
The British government insists now that it will "only" gather communications data, and not content. At the same time, it will require that ISPs adopt the new ETSI cloud interception standard (once it's been finalized) in the "black boxes" that they must install under the proposed snooping legislation. That will put in place all the capabilities needed for accessing encrypted streams -- since those providing cloud services will be required to hand over the encryption keys -- and hence the content. The UK government may not intend accessing content today, but thanks to the wonders of function creep, when it decides to do it tomorrow the facility will be there waiting for it.
Meanwhile, European governments will be able to point to the UK's adoption of the ETSI standard as just "good practice"; they will ask their own ISPs to implement it, while insisting that they too have no intention of accessing the contents of people's Internet streams either. Until, that is, the day comes -- probably in the wake of some terrorist attack or pedophile scandal -- when the governments will note that since the capability is available, it would be "irresponsible" not to use it to tackle these terrible crimes. The US government will then bemoan the fact that Europe is taking better care of its citizens than it can, and will therefore pass laws requiring US ISPs to install similar real-time access to their systems, and for cloud-based services to hand over the encryption keys. Luckily, there will be a well-tried European standard that can serve as a model....
Follow me @glynmoody on Twitter or identi.ca, and on Google+
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Reader Comments
Subscribe: RSS
View by: Time | Thread
More Spying
Thank You this once for being so Dysfunctional, US Gov.
The new saying to replace the "Save The Children" will be "We Must Stop Cyberwhatever" .
[ link to this | view in thread ]
There's no better justification for the abolishment of centrally meted keys. What ETSI proposes is changing their role from trusted security service provider to "man in the middle".
You can bet the farm that if they implemented their man-in-the-middle approach, using standard government bull-in-china-shop protocol, they would leave doors swinging wide open on their hinges.
[ link to this | view in thread ]
[ link to this | view in thread ]
Who knew the digital age would be the end of our liberties?
[ link to this | view in thread ]
Re: Who knew the digital age would be the end of our liberties?
[ link to this | view in thread ]
C'mon guys, this is the government - they're here to serve us. Except for Pirate Mike and all the freetarding pirates here.
[ link to this | view in thread ]
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re:
Taking the Adolf Hitler approach to the situation huh?
Good to know.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Re: Re: Who knew the digital age would be the end of our liberties?
[ link to this | view in thread ]
Re: Re: Who knew the digital age would be the end of our liberties?
And thusly, techno-utopianism gives way to techo-dystopianism.
[ link to this | view in thread ]
Re: Re: Re:
[ link to this | view in thread ]
Re: Re: Re: Who knew the digital age would be the end of our liberties?
Oh, and that would be a really cool name for a band:
[ link to this | view in thread ]
Cue the encryption devs...
Something to think about in this ridiculous game of whack-a-mole intelligence gathering.
[ link to this | view in thread ]
Re:
As such, they'll never run out of excuses.
[ link to this | view in thread ]
Re: Cue the encryption devs...
If I were a kid, I'd be asking the Govt to fuck off and leave my future alone. A pity, I really feel for our kids.
[ link to this | view in thread ]
But if we're going to have this capability, there needs to be some fairly strict rules on what it it can be used for. Rules that cannot simply be made to go away the first time something bad happens, and more importantly, carry actual serious penalties for breaking them. Otherwise, not only does function creep guarantee that everyone will have their every thought and deed taken down to be used as evidence against them any time the state (or a sufficiently unscrupulous tabloid newspaper, aided and abetted by some script kiddies), but there'll be so many false positives to wade through that the actual bad guys get lost in the background noise.
[ link to this | view in thread ]
Re: More Spying
[ link to this | view in thread ]
Re:
I do. This type of capability has always been abused, often widely, regardless of what rules or oversight is put into place. There is no reason to think that the future will be any different.
I understand that this capability can be used to prevent great harm, but it is also used to cause great harm, so that argument doesn't hold as much weight with me as it otherwise might.
But I do make a distinction: it's one thing to allow police access to information that is gathered as a side-effect of engaging in an activity. It's an entirely different thing to require that activities be conducted in a way to specifically allow for such surveillance. The latter is, in my opinion, simply despotic.
[ link to this | view in thread ]
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Failure of Law.
"Lawful Interception"
WRONG!!
It's not lawful, its "LEGAL Interception".
The paper has no legal validity. Or should I say, will fail in a court of law.
What these clowns do not realise if anyone uses any form of peer to peer communication without reference to any central server using encryption (suitably adjusted) then there is no simple real time perusing documents/audio/video.
For instance. The west readying for war have done their best to cut out the real Syrian news agency (sana.sy) from the public eye but if you go there using the IP# you have a direct route to the other news, keeping the eye of Sauron off your back.
"Fascism should more properly be called corporatism because it is the merger of state and corporate power." -- Benito Mussolini
[ link to this | view in thread ]
Who started it?
There were/are certainly some drivers of it, NeoCons for instance, but the general mentality has shifted. Everyone had and has its pet-issue which he wants prohibited. From alcohol and drugs to prostitution and pornography, to pollution to guns.
9/11 was of course the first high, but the trend hasn't subsided since then. None of the draconian laws in the US (and elsewhere!) enacted in the aftermath were ever repelled.
I'm tempted to write a book about "The Rise of Fascism in the 21st Century". Because that's exactly what is happening.
[ link to this | view in thread ]
[ link to this | view in thread ]
Last one to leave the planet, turn the lights out.
[ link to this | view in thread ]
Luckily, there will be TOR.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Who knew the digital age would be the end of our liberties?
[ link to this | view in thread ]
[ link to this | view in thread ]
A Workable Solution?
[ link to this | view in thread ]