Europe Already Has Draft Standard For Real-Time Government Snooping On Services Like Facebook And Gmail

from the not-that-we'd-ever-use-it dept

As the old joke goes, standards are wonderful things, that's why we have so many of them. But who would have thought that ETSI, the European Telecommunications Standards Institute, has already produced a draft standard on how European governments can snoop on cloud-based services like Facebook and Gmail -- even when encrypted connections are used?

ETSI DTR 101 567, to give it the full title, was pointed out to us by Erich Moechel, who has written an excellent exploration of its elements (original in German). Here's the summary from the draft standard (Microsoft Word format):

The present document provides an overview on requests for handover and delivery of real-time information associated with cloud/virtual services. The report identifies Lawful Interception needs and requirements in the converged cloud/virtual service environment, the challenges and obstacles of complying with those requirements, what implementations can be achieved under existing ETSI LI [Lawful Interception] standards, and what new work may be required to achieve needed Lawful Interception capabilities. Cloud Services in whichever forms they take (Infrastructure, Software, Platform or combinations of these) are often trans border in nature and the information required to maintain Lawful Interception (LI) capability or sufficient coverage for LI support may vary in different countries, or within platforms of different security assurance levels. This work aims to ensure capabilities can be maintained while allowing business to utilise the advantages and innovations of Cloud Services and was undertaken cooperatively with relevant cloud security technical bodies.
As that makes clear, this is being presented as "maintaining" interception capabilities in a world where cloud computing makes previous approaches inapplicable. The new standard specifically mentions social networking, file sharing and video conferencing as new areas that need to be addressed.

One key section spells out how this is to be achieved:

If the traffic is encrypted, the entity responsible for key management must ensure it can be decrypted by the CSP [Communication Service Provider] or LEA [Law Enforcement Agency].

In order to maintain LI coverage the cloud service provider must implement a Cloud Lawful Interception Function (CLIF). This can be by way of Applications Programming Interface (API) or more likely ensuring presentation of information in a format recognisable to interception mechanisms. Deep packet inspection is likely to be a constituent part of this system.
As this makes clear, along with the intercepted information, the standard envisages encryption keys being handed over routinely. Just to make things complete, DPI -- deep packet inspection -- is also regarded as a likely element of the system.

Since this is currently a draft, the threat it represents might be seen as purely theoretical; but a recent article in the Guardian confirms that the UK government "quietly agreed to measures that could increase the ability of the security services to intercept online communication" -- a reference to the ETSI draft. The Guardian also provides us with some explanation of why this draft just happens to be available at precisely the moment when the UK government is announcing a plan that seems likely to use it:

Etsi has faced criticism in the past for the pre-emptive inclusion of wiretapping capabilities, a decision that critics say encouraged European governments to pass their wiretapping laws accordingly. According to Ross Anderson, professor in security engineering at the University of Cambridge Computer Laboratory, the institute has strong links with the intelligence agencies and has a significant British contingent, along with a number of US government advisers.
It's a classic case of policy laundering; here's how it will probably work.

The British government insists now that it will "only" gather communications data, and not content. At the same time, it will require that ISPs adopt the new ETSI cloud interception standard (once it's been finalized) in the "black boxes" that they must install under the proposed snooping legislation. That will put in place all the capabilities needed for accessing encrypted streams -- since those providing cloud services will be required to hand over the encryption keys -- and hence the content. The UK government may not intend accessing content today, but thanks to the wonders of function creep, when it decides to do it tomorrow the facility will be there waiting for it.

Meanwhile, European governments will be able to point to the UK's adoption of the ETSI standard as just "good practice"; they will ask their own ISPs to implement it, while insisting that they too have no intention of accessing the contents of people's Internet streams either. Until, that is, the day comes -- probably in the wake of some terrorist attack or pedophile scandal -- when the governments will note that since the capability is available, it would be "irresponsible" not to use it to tackle these terrible crimes. The US government will then bemoan the fact that Europe is taking better care of its citizens than it can, and will therefore pass laws requiring US ISPs to install similar real-time access to their systems, and for cloud-based services to hand over the encryption keys. Luckily, there will be a well-tried European standard that can serve as a model....

Follow me @glynmoody on Twitter or identi.ca, and on Google+

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: europe, privacy, snooping, standards


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    gorehound (profile), 3 Aug 2012 @ 9:39am

    More Spying

    Another day and another tale of governments using Tech to spy on people.And of course we will see more Draconian Bills either passed or Voted upon in our own Nation.We just had one that thankfully did not pass.Not because of the Content so much as because of the Dysfunctional Congress.
    Thank You this once for being so Dysfunctional, US Gov.
    The new saying to replace the "Save The Children" will be "We Must Stop Cyberwhatever" .

    link to this | view in chronology ]

    • icon
      Baldaur Regis (profile), 3 Aug 2012 @ 12:24pm

      Re: More Spying

      Or maybe the new saying will be "We Must Stop the CyberChildren From Saving Whatever".

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 3 Aug 2012 @ 9:46am

    If the traffic is encrypted, the entity responsible for key management must ensure it can be decrypted by the CSP [Communication Service Provider] or LEA [Law Enforcement Agency].

    There's no better justification for the abolishment of centrally meted keys. What ETSI proposes is changing their role from trusted security service provider to "man in the middle".

    You can bet the farm that if they implemented their man-in-the-middle approach, using standard government bull-in-china-shop protocol, they would leave doors swinging wide open on their hinges.

    link to this | view in chronology ]

    • icon
      Not an Electronic Rodent (profile), 4 Aug 2012 @ 3:45pm

      Re:

      You can bet the farm that if they implemented their man-in-the-middle approach, using standard government bull-in-china-shop protocol, they would leave doors swinging wide open on their hinges.
      First thing I thought on reading the article was "So, if they're holding all the encryption keys ready to hand over to the government on demand, then what happens when that store (inevitably) get hacked?"

      link to this | view in chronology ]

  • icon
    Zakida Paul (profile), 3 Aug 2012 @ 9:49am

    What happens if governments succeed in wiping out all terrorists/pedophiles/pirates/criminals? Who will they use as justify their brain fart legislation?

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 3 Aug 2012 @ 11:02am

      Re:

      Their laws are designed not to succeed in their stated goals. Instead, they drive the problems further underground, making them more resilient.

      As such, they'll never run out of excuses.

      link to this | view in chronology ]

  • identicon
    John Doe, 3 Aug 2012 @ 9:50am

    Who knew the digital age would be the end of our liberties?

    Who would have suspected that the digital age would bring such a rapid end to what few liberties we have left?

    link to this | view in chronology ]

    • icon
      Zakida Paul (profile), 3 Aug 2012 @ 9:59am

      Re: Who knew the digital age would be the end of our liberties?

      Yep, what should be a golden age of information and freedom is becoming an age of government oppression, all because the dinosaurs have no understanding of technology. It's sad really.

      link to this | view in chronology ]

      • icon
        weneedhelp (profile), 3 Aug 2012 @ 10:09am

        Re: Re: Who knew the digital age would be the end of our liberties?

        A Nation of Sheep Breeds a Government of Wolves.

        link to this | view in chronology ]

      • identicon
        Anonymous Coward, 3 Aug 2012 @ 10:09am

        Re: Re: Who knew the digital age would be the end of our liberties?

        ... what should be a golden age of information and freedom is becoming an age of government oppression...

        And thusly, techno-utopianism gives way to techo-dystopianism.

         

        link to this | view in chronology ]

        • identicon
          Anonymous Coward, 3 Aug 2012 @ 10:13am

          Re: Re: Re: Who knew the digital age would be the end of our liberties?

          ... techno-utopianism gives way to techo-dystopianism.

          Oh, and that would be a really cool name for a band:
          The Techno-Dystopians


           

          link to this | view in chronology ]

    • identicon
      Anony., 5 Aug 2012 @ 9:14am

      Re: Who knew the digital age would be the end of our liberties?

      Its not the end friend. only the beginning.

      link to this | view in chronology ]

  • identicon
    OMG PirateMike Guy, 3 Aug 2012 @ 10:00am

    If you have nothing to hide, you have nothing to fear.

    C'mon guys, this is the government - they're here to serve us. Except for Pirate Mike and all the freetarding pirates here.

    link to this | view in chronology ]

    • identicon
      gnudist, 3 Aug 2012 @ 10:03am

      Re:

      Yes, no one here except freetards pirating privacy.

      link to this | view in chronology ]

    • icon
      weneedhelp (profile), 3 Aug 2012 @ 10:04am

      Re:

      "If you have nothing to hide, you have nothing to fear."

      Taking the Adolf Hitler approach to the situation huh?

      Good to know.

      link to this | view in chronology ]

    • identicon
      John Doe, 3 Aug 2012 @ 10:04am

      Re:

      I assume, maybe incorrectly, you are being sarcastic? If not, then maybe you should re-read what you wrote, the government is here "to serve us", not the other way around. Why is it they feel they can snoop on us when we can't even see advance text of international trade agreements? Seems they are the ones with something to hide.

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 3 Aug 2012 @ 10:01am

    out of curiosity, who was the arse hole that started all this crap? the UK used to be a responsible place to live. it is fast becoming a 'democratic China' with more and more privacy and freedom violations executed by the Government and more and more new laws being introduced that remove privacy and freedoms already established, all in the name of protecting the people. if what is happening is 'for the people', dont they think that perhaps the people need to know what is going on, why it's going on and be allowed to have a say in whether or not to let it continue going on and whether we need protecting from it? i dont think the government should have such control anyway, particularly when they use the 'security of the nation' as the excuse, when what they are really after is to keep a closer watch on what their own citizens are doing. it's also not right for certain powerful people in the US with their distorted view of the world to keep influencing what happens elsewhere just to try to spread that view. it's even worse for stupid idiots to go along with that distorted view by doing what they want.

    link to this | view in chronology ]

    • icon
      Seegras (profile), 4 Aug 2012 @ 2:33am

      Who started it?

      Difficult to tell. There was some trend in the nineties to go into that direction, more prohibitions, more surveillance, all over most countries, and all over most political parties.

      There were/are certainly some drivers of it, NeoCons for instance, but the general mentality has shifted. Everyone had and has its pet-issue which he wants prohibited. From alcohol and drugs to prostitution and pornography, to pollution to guns.

      9/11 was of course the first high, but the trend hasn't subsided since then. None of the draconian laws in the US (and elsewhere!) enacted in the aftermath were ever repelled.

      I'm tempted to write a book about "The Rise of Fascism in the 21st Century". Because that's exactly what is happening.

      link to this | view in chronology ]

  • identicon
    SAG, 3 Aug 2012 @ 10:58am

    Cue the encryption devs...

    One thing this might lead to is an increase in pre-encrypted traffic that is then sent over the back-doored encrypted cloud service. What good will the monitoring be when they discover that they need more keys to actually see what the content is...?

    Something to think about in this ridiculous game of whack-a-mole intelligence gathering.

    link to this | view in chronology ]

    • icon
      Ninja (profile), 3 Aug 2012 @ 11:25am

      Re: Cue the encryption devs...

      And the real criminals will be further pushed underground becoming further untraceable. But hey, it's for the children!

      If I were a kid, I'd be asking the Govt to fuck off and leave my future alone. A pity, I really feel for our kids.

      link to this | view in chronology ]

  • identicon
    Jake, 3 Aug 2012 @ 12:14pm

    I don't think the problem is having the capability to conduct this kind of surveillence operation; I can remember enough of the Troubles to recognise that being completely unable to intercept the communications of people who are planning on blowing shit up on a large scale is a problem.

    But if we're going to have this capability, there needs to be some fairly strict rules on what it it can be used for. Rules that cannot simply be made to go away the first time something bad happens, and more importantly, carry actual serious penalties for breaking them. Otherwise, not only does function creep guarantee that everyone will have their every thought and deed taken down to be used as evidence against them any time the state (or a sufficiently unscrupulous tabloid newspaper, aided and abetted by some script kiddies), but there'll be so many false positives to wade through that the actual bad guys get lost in the background noise.

    link to this | view in chronology ]

    • icon
      John Fenderson (profile), 3 Aug 2012 @ 2:38pm

      Re:

      I don't think the problem is having the capability to conduct this kind of surveillence operation


      I do. This type of capability has always been abused, often widely, regardless of what rules or oversight is put into place. There is no reason to think that the future will be any different.

      I understand that this capability can be used to prevent great harm, but it is also used to cause great harm, so that argument doesn't hold as much weight with me as it otherwise might.

      But I do make a distinction: it's one thing to allow police access to information that is gathered as a side-effect of engaging in an activity. It's an entirely different thing to require that activities be conducted in a way to specifically allow for such surveillance. The latter is, in my opinion, simply despotic.

      link to this | view in chronology ]

  • identicon
    arcan, 3 Aug 2012 @ 2:46pm

    i think there should be a clause that says the first time this law is misused under it's original purpose parliament and the PM will be hung, drawn, quartered, and then be lethally injected.

    link to this | view in chronology ]

  • identicon
    Andyj, 4 Aug 2012 @ 2:22am

    Failure of Law.

    The passage reads:
    "Lawful Interception"

    WRONG!!
    It's not lawful, its "LEGAL Interception".
    The paper has no legal validity. Or should I say, will fail in a court of law.

    What these clowns do not realise if anyone uses any form of peer to peer communication without reference to any central server using encryption (suitably adjusted) then there is no simple real time perusing documents/audio/video.

    For instance. The west readying for war have done their best to cut out the real Syrian news agency (sana.sy) from the public eye but if you go there using the IP# you have a direct route to the other news, keeping the eye of Sauron off your back.

    "Fascism should more properly be called corporatism because it is the merger of state and corporate power." -- Benito Mussolini

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 4 Aug 2012 @ 4:55am

    if the government, any government, were in power to serve us, why is it that we are the last ones to know what the fuckers are up to, particularly when whatever it is they are up to affects us the most? everyone else in whatever country seems to know what's going on, except us. why is it that we never get the opportunity to even give opinions on what they are up to? why is it the first we know of something is when some poor sod gets thrown in jail on some trumped up charge that no one knew existed?

    link to this | view in chronology ]

  • identicon
    Dave, 4 Aug 2012 @ 10:10am

    Last one to leave the planet, turn the lights out.

    This is all getting rather beyond the pale, beyond a joke and any other hackneyed phrases you can think of to apply to government snooping. Why the hell should this be allowed to happen? Private mails and conversations are meant to be just that - PRIVATE! Do you hear that, governments of the world? I just hope that even stronger encryption will ensue but the government would probably then make that illegal. Guilty if encrypted. I gather it's already happened in a way with at least one person refusing to hand over encryption keys. I would support anyone refusing to reveal personal details. It would be like the Post Office opening and reading each and every letter they handle, although nothing would surprise me these days! Extremely depressing situation.

    link to this | view in chronology ]

  • identicon
    Androgynous Cowherd, 4 Aug 2012 @ 1:27pm

    The US government will then bemoan the fact that Europe is taking better care of its citizens than it can, and will therefore pass laws requiring US ISPs to install similar real-time access to their systems, and for cloud-based services to hand over the encryption keys. Luckily, there will be a well-tried European standard that can serve as a model....


    Luckily, there will be TOR.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 7 Aug 2012 @ 7:26pm

    Decrypt VPNs' traffic.

    link to this | view in chronology ]

  • identicon
    Phil S, 9 Aug 2012 @ 2:34am

    A Workable Solution?

    Seems we already have a convenient "solution" - micro DS and Carrier Pigeons. Old Tech meets New Tech!!

    link to this | view in chronology ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.