Rep. Peter King -- whose past "hits" have included demanding that the Treasury Department add Wikileaks to its terrorist list, that the Boston bombings showed that we needed even more surveillance, and that reporters who report on leaks like the Ed Snowden leak should be prosecuted -- is apparently upset with President Obama's comments last week concerning how the administration is looking to deal with NSA surveillance.
Now, we were disappointed in those comments as well, but mainly because they were mostly meaningless trifles, designed to appease the public with promises of more transparency, rather than an actual promise to cut back on spying on every single person in the US. Apparently King is upset on the other side of things, believing that even the tiniest amount of increased transparency means that Al Qaeda will win:
The President’s announcement today that he will pursue “reforms” to National Security Agency counterterrorism programs is a monumental failure in presidential wartime leadership and responsibility. These programs are legal, transparent and contain the appropriate checks and balances among the executive, legislative and judicial branches of our government. These intelligence tools keep Americans safe every single day.
America is at war with Islamist terror groups that kill and maim innocent civilians. The current threat to the Homeland is just as high as it was before 9/11. It is difficult to imagine past war leaders such as Franklin Roosevelt or Winston Churchill willingly surrendering signals intelligence tools that are needed to fight our enemies. We need a president who defends our intelligence programs, explains them appropriately to the American people, and uses every legal capability in his arsenal to defeat al Qaeda.
It's difficult to know where to start with this, since it's almost all ridiculous. The programs are not at all transparent, don't appear to contain any significant checks and balances and are of questionable legality. Furthermore, multiple Senators have pointed out that there is no evidence that the hoovering up of all phone records has done anything to "keep Americans safe every day."
The second paragraph is just pure fearmongering based on nothing -- especially the claims about the threats being just as high today as they were before 9/11. Of course, what's even more ridiculous here is that King was a long time supporter of foreign terrorist organization, the IRA, including supposedly endorsing an attack on a police station that killed nine people. I wonder if he felt that the UK government should have used the same secret surveillance techniques against the IRA?
King wasn't done there, apparently. Following that statement, he went on Face the Nation and apparently said with a straight face that the public referring to the NSA's activity as "spying" or "snooping" was slandering the NSA and somehow diminishes their patriotism. Really. The man is apparently serious.
“These people in the NSA are patriots,” King said. “Probably what’s annoyed me the most over the last several months is people casually using words like ‘spying,’ ‘snooping,’ ‘what is the NSA up to now?’ Does anybody think General Alexander wants to snoop on America? I think that demeans the whole political dialogue, and that’s why I wish the president would be more outgoing and defend the NSA lot more than he did.”
“This has really been a slander on the thousand of good men and women who every day dedicate their lives to our country, and particularly General Alexander, who is as patriotic as anyone I have ever met in government or anywhere,” King said. “There is too much loose talk here. Every time i hear ‘snooping’ and ‘spying’, it just drives me crazy. We know what these men and women are doing, and they’re absolutely dedicated patriots.”
Meanwhile, King is not the only one in Congress who is upset that the President even hinted at reforms and transparency. House Speaker John Boehner issued a slightly less inflammatory statement arguing that the President must not back down on keeping the program intact, despite the fact that (again) there is no evidence that it has been necessary in stopping a single terrorist attack.
Transparency is important, but we expect the White House to insist that no reform will compromise the operational integrity of the program. That must be the president’s red line, and he must enforce it. Our priority should continue to be saving American lives, not saving face.”
Actually, I thought our priority should be protecting the Constitution -- including the 4th Amendment -- but it appears that many members of Congress have forgotten that little requirement.
Last year, we reported on Australia's plans to bring in comprehensive snooping on its citizens, and more recently how its spies had realized that encrypted services offered an easy way to avoid much of that surveillance. Reuters is now reporting that Australia has put its spying plans on hold -- for the moment:
Australia's government on Monday shelved plans to force phone and Internet companies to hold two years of phone call and email data following concerns raised by a parliamentary inquiry into telecommunications interception laws.
…
[Lawmakers on the telecommunications inquiry] said Internet browsing data should be excluded from the plans, and called for greater oversight of government agency access to telecommunications data by the ombudsmen and the Inspector-General of Intelligence and Security.
However, this seems to be only a temporary reprieve: as the article above notes, Australia will be holding elections in September, and it is expected that the center-right Coalition, currently in opposition, will win power, and probably bring back the proposals. Of course, the current round of leaks about spying on a massive scale by the NSA and GCHQ may well have some impact on the debate, as will any future leaks of information, especially if they concern Australia directly.
One unfortunate knock-on effect of the revelations about the extent of NSA information gathering seems to be that the spies in other countries are starting to feel under-informed by comparison. Of course, many of them already knew about what was going on: in addition to the British and the Dutch, there are now reports that Germany was also kept informed at the highest levels (original in German.) That would probably explain the revelation by the news magazine Der Spiegel that Germany has been trying to beef up its own snooping capabilities for a while:
Last year, [Germany's foreign intelligence agency] BND head Gerhard Schindler told the Confidential Committee of the German parliament, the Bundestag, about a secret program that, in his opinion, would make his agency a major international player. Schindler said the BND wanted to invest €100 million ($133 million) over the coming five years. The money is to finance up to 100 new jobs in the technical surveillance department, along with enhanced computing capacities.
Small beer compared to the NSA, but it's a start. Der Spiegel's article provides some details on how they do it in Germany:
The largest traffic control takes place in Frankfurt, in a data processing center owned by the Association of the German Internet Industry. Via this hub, the largest in Europe, e-mails, phone calls, Skype conversations and text messages flow from regions that interest the BND like Russia and Eastern Europe, along with crisis areas like Somalia, countries in the Middle East, and states like Pakistan and Afghanistan.
But the BND still has a long way to go before it attains NSA-like levels of snooping:
In contrast to the NSA, though, the German intelligence agency has been overwhelmed by this daunting wealth of information. Last year, it monitored just under 5 percent, roughly every 20th phone call, every 20th e-mail and every 20th Facebook exchange. In the year 2011, the BND used over 16,000 search words to fish in this data stream.
As in the US, the idea is that this targets foreigners:
German law allows the BND to monitor any form of communication that has a foreign element, be it a mobile phone conversation, a Facebook chat or an exchange via AOL Messenger. For the purposes of "strategic communications surveillance," the foreign intelligence agency is allowed to copy and review 20 percent of this data traffic. There is even a regulation requiring German providers "to maintain a complete copy of the telecommunications."
Here's how the BND tries to achieve that:
If e-mail addresses surface that end in ".de" (for Germany), they have to be erased. The international dialing code for Germany, 0049, and IP addresses that were apparently given to customers in Germany also pass through the net.
Of course, as in the US, it doesn't quite work out like that:
At first glance, it's not evident where users live whose information is saved by Yahoo, Google or Apple. And how are the agencies supposed to spot a Taliban commander who has acquired an email address with German provider GMX? Meanwhile, the status of Facebook chats and conversations on Skype remains completely unclear.
Given this evident desire to create its own snooping apparatus, coupled with the fact that Germany has doubtless benefited from NSA spying, perhaps it's no surprise the German government's protests about its citizens being subject to extensive NSA surveillance have been muted. Maybe a little too muted: Der Spiegel quotes the question posed by Cornelia Rogall-Grothe, a state secretary in the German Interior Ministry, to the US Embassy in Berlin, in the wake of the revelations about NSA spying:
"Are US agencies running a program or computer system with the name Prism?," the Interior Ministry official asked.
Although New Zealand's decision not to allow patents for programs "as such" was welcome, other moves there have been more problematic. For example, after it became clear that the New Zealand intelligence service, the Government Communications Security Bureau (GCSB), illegally wiretapped and spied on Kim Dotcom, the New Zealand government announced that it would change the law so as to make it legal in the future to snoop on New Zealanders as well as on foreigners. Judging by a major new bill that has been unveiled, that was just the start of a thoroughgoing plan to put in place the capability to spy on every New Zealander's Internet activity at any moment.
Here's an excellent analysis of what the bill proposes, from Thomas Beagle, co-founder of the New Zealand digital rights organization Tech Liberty:
The TICS [Telecommunications (Interception Capability and Security)] Bill is a replacement for the Telecommunications (Interception Capability) Act 2004. This law forced communications providers (ISPs, telcos, data networks, etc) to provide "lawful intercept" capabilities so that the Police, SIS and GCSB could access communications once they had a suitable warrant. The new bill expands and clarifies these requirements.
However, the addition of the word "security" is the key to what has changed. The new bill now gives the GCSB sweeping powers of oversight and control over the design, deployment and operation of all data and telecommunications networks run by network providers in New Zealand. The stated reasons are to both protect New Zealand's infrastructure and to ensure that surveillance agencies can spy on traffic when required. As part of this, the GCSB will have the power to stop network providers from reselling overseas services that do not provide these capabilities.
As Beagle goes on to explain, this will have a number of implications, including a requirement to build backdoors into all telecoms networks:
From the Bill:
A network operator must ensure that every public telecommunications network that the operator owns, controls, or operates, and every telecommunications service that the operator provides in New Zealand, has full interception capability.
Note that the surveillance agencies still need to have a legally issued warrant (under the Search & Surveillance Act, NZ SIS Act, or GCSB Act) to actually intercept any communications and there are obligations to avoid capturing communications that are not covered by the warrant.
Here's one way that could dramatically impact Internet users in New Zealand:
It then goes on to give the Minister the power to ban the resale of an off-shore telecommunications service in New Zealand if it does not provide interception capabilities. This could stop the resale of foreign-hosted VPNs, instant message services, email, etc.
Another clause could have major implications for Megaupload:
Network operators must decrypt the intercepted communications if they have provided the encryption, but there is no obligation to do so if the encryption is provided by others.
What does this mean for providers such as Mega (file locker) or LastPass (password storage) who have a business model based on the fact that they supply a cloud product that uses encryption but have deliberately designed it so that they can not decrypt the files themselves? This gives users the assurance that they can trust them with their data. Will the government close them down unless they provide a backdoor into the system?
One deeply troubling aspect is the following:
There is also a provision that allows the courts to receive classified information in a court case in the absence of the defendant or the defendant's lawyer. This applies to information that might reveal details of the interception methods used by the surveillance agency or is about particular operations in relation to any of the functions of the surveillance agency, or is provided as secret information from the surveillance agencies of another country. It can also be used if that disclosure would prejudice security of NZ, prejudice the maintenance of law, or endanger the safety of any person.
As Beagle notes:
particularly offensive to civil liberties are the provisions for convicting people based on secret evidence. How can you defend yourself fairly when you can't even find out the evidence presented against you?
He concludes with an important point:
One must ask where the justification for this expansion of power is coming from. Has New Zealand already been materially affected by attacks on our communications infrastructure? It seems clear that while the GCSB may not be that competent at exercising the powers they already have, they have done a fine job of convincing the government that they can handle a lot more.
That's a question that needs to be put to the governments of other countries, like the US and UK, that are also seeking to extend massively their ability to spy on their own citizens. What evidence do they have that such extreme, liberty-threatening powers are actually necessary, and will make the public safer, rather than simply being a convenient way for governments to identify whistleblowers who expose their incompetence and corruption, say, or to spy on those who dare to oppose them?
My goodness. Yesterday we posted about Rep. Louis Gohmert's incredible, head-shakingly ignorant exchange with lawyer Orin Kerr during a Congressional hearing concerning "hacking" and the CFAA. In that discussion, Gohmert spoke out in favor of being able to "hack back" and destroy the computers of hackers -- and grew indignant at the mere suggestion that this might have unintended consequences or lead people to attack the wrong targets. Gohmert thought that such talk was just Kerr trying to protect hackers.
I thought perhaps Rep. Gohmert was just having a bad day. Maybe he's having a bad month. In a different hearing, held yesterday concerning ECPA reform, Gohmert opened his mouth again, and it was even worse. Much, much worse. Cringe-inducingly clueless. Yell at your screen clueless. Watch for yourself, but be prepared to want to yell.
The short version of this is that he seems to think that when Google has advertisements on Gmail, that's the same thing as selling all of the information in your email to advertisers. And no matter how many times Google's lawyer politely tries to explain the difference, Gohmert doesn't get it. He thinks he's making a point -- smirking the whole time -- that what Google does is somehow the equivalent of government snooping, in that he keeps asking if Google can just "sell" access to everyone's email to the government. I'm going to post a transcript below, and because I simply cannot not interject how ridiculously uninformed Gohmert's line of questioning is, I'm going to interject in the transcript as appropriate.
Rep. Gohmert: I was curious. Doesn't Google sell information acquired from emails to different vendors so that they can target certain individuals with their promotions?
Google lawyer whose name I didn't catch: Uh, no, we don't sell email content. We do have a system -- similar to the system we have for scanning for spam and malware -- that can identify what type of ads are most relevant to serve on email messages. It's an automated process. There's no human interaction. Certainly, the email is not sold to anybody or disclosed.
Gohmert: So how do these other vendors get our emails and think that we may be interested in the products they're selling.
Okay, already we're off to a great start in monumental ignorance. The initial question was based on a complete falsehood -- that Google sells such information -- and after the lawyer told him that this is not true, Gohmert completely ignores that and still asks how they get the emails. It never seems to occur to him that they don't get the emails.
Google lawyer: They don't actually get your email. What they're able to do is through our advertising business be able to identify keywords that they would like to trigger the display of one of their ads, but they don't get information about who the user is or any...
Gohmert: Well that brings me back. So they get information about keywords in our emails that they use to decide who to send promotions to, albeit automatically done. Correct?
NO. Not correct. In fact, that's the exact opposite of what the lawyer just said. Gohmert can't seem to comprehend that Google placing targeted ads next to emails has NOTHING to do with sending any information back to the advertiser. I wonder, when Rep. Gohmert turns on his television to watch the evening news, does he think that the TV station is sending his name, address, channel watching info, etc. back to advertisers? That's not how it works. At all. The advertisers state where they want their ads to appear, and Google's system figures out where to place the ads. At no point does any information from email accounts go back to anyone. And yet Gohmert keeps asking.
And not understanding the rather basic answers. Unfortunately, the lawyer tries to actually explain reality to Gohmert in a professional and detailed manner, when it seems clear that the proper way to answer his questions is in shorter, simpler sentences such as: "No, that's 100% incorrect."
Lawyer: The email context is used to identify what ads are most relevant to the user...
Gohmert: And do they pay for the right or the contractual ability to target those individuals who use those keywords?
Lawyer: I might phrase that slightly differently, but the gist is correct, that advertisers are able to bid for the placement of advertisements to users, where our system has detected might be interested in the advertisement.
Gohmert: Okay, so what would prevent the federal government from making a deal with Google, so they could also "Scroogle" people, and say "I want to know everyone who has ever used the term 'Benghazi'" or "I want everyone who's ever used... a certain term." Would you discriminate against the government, or would you allow the government to know about all emails that included those words?
Okay, try not to hit your head on your desk after that exchange. First, he (perhaps accidentally) gets a statement more or less correct, that advertisers pay to have their ads show up, but immediately follows that up with something completely unrelated to that. First, he tosses in "Scroogled" -- a term that Microsoft uses in its advertising against Gmail and in favor of Outlook.com -- suggesting exactly where this "line" of questioning may have originated. Tip to Microsoft lobbyists, by the way: if you want to put Google on the hot seat, it might help to try a line of questioning that actually makes sense.
Then, the second part, you just have to say huh? The lawyer already explained, repeatedly, that Google doesn't send any information back to the advertiser, and yet he's trying to suggest that the government snooping through your email is the same thing... and Google somehow not giving the government that info is Google "discriminating" against the government? What? Really?
Lawyer [confounded look] Uh... sir, I think those are apples and oranges. I think the disclosure of the identity...
Gohmert: I'm not asking for a fruit comparison. I'm just asking would you be willing to make that deal with the government? The same one you do with private advertisers, so that the government would know which emails are using which words.
Seriously? I recognize that there are no requirements on intelligence to get elected to Congress, but is there anyone who honestly could not comprehend what he meant by saying it's "apples and oranges"? But, clearly he does not understand that because not only does he mock the analogy, he then repeats the same question in which he insists -- despite the multiple explanations that state the exact opposite -- that advertisers get access to emails and information about email users, and that the government should be able to do the same thing.
Lawyer: Thank you, sir. I meant by that, that it isn't the same deal that's being suggested there.
Gohmert: But I'm asking specifically if the same type of deal could be made by the federal government? [some pointless rant about US government videos aired overseas that is completely irrelevant and which it wasn't worth transcribing] But if that same government will spend tens of thousands to do a commercial, they might, under some hare-brained idea like to do a deal to get all the email addresses that use certain words. Couldn't they make that same kind of deal that private advertisers do?
Holy crap. Gohmert, for the fourth time already, nobody gets email addresses. No private business gets the email addresses. No private business gets to see inside of anyone's email. Seeing inside someone's email has nothing to do with buying ads in email. If the government wants to "do the same deal as private advertisers" then yes it can advertise on Gmail... and it still won't get the email addresses or any other information about emailers, because at no point does Google advertising work that way.
Lawyer: We would not honor a request from the government for such a...
Gohmert: So you would discriminate against the government if they tried to do what your private advertisers do?
No. No. No. No. No. The lawyer already told you half a dozen times, no. The government can do exactly what private advertisers do, which is buy ads. And, just like private advertisers, they would get back no email addresses or any such information.
Lawyer: I don't think that describes what private advertisers...
Gohmert: Okay, does anybody here have any -- obviously, you're doing a good job protecting your employer -- but does anybody have any proposed legislation that would assist us in what we're doing?
What are we doing, here? Because it certainly seems like you're making one of the most ignorant arguments ever to come out of an elected officials' mouth, and that's saying quite a bit. You keep saying "private advertisers get A" when the reality is that private advertisers get nothing of the sort -- and then you ignore that (over and over and over and over again) and then say "well if private advertisers get A, why can't the government get A." The answer is because neither of them get A and never have.
Gohmert: I would be very interested in any phrase, any clauses, any items that we might add to legislation, or take from existing legislation, to help us deal with this problem. Because I am very interested and very concerned about our privacy and our email.
If you were either interested or concerned then you would know that no such information goes back to advertisers before you stepped into the room (hell, before you got elected, really). But, even if you were ignorant of that fact before the hearing, the fact that the lawyer tried half a dozen times, in a half a dozen different ways to tell you that the information is not shared should have educated you on that fact. So I'm "very interested" in what sort of "language" Gohmert is going to try to add to legislation that deals with a non-existent problem that he insists is real.
Gohmert: And just so the simpletons that sometimes write for the Huffington Post understand, I don't want the government to have all that information.
Rep. Sensenbrenner: For the point of personal privilege, my son writes for the Huffington Post.
Gohmert: Well then maybe he's not one of the simpletons I was referring to.
Sensenbrenner: He does have a Phd.
Gohmert: Well, you can still be a PHUL.
Har, har, har... wait, what? So much insanity to unpack. First of all, Gohmert seems to think that people will be making fun of him for suggesting that the government should "buy" access to your email on Google. And, yes, we will make fun of that, but not for the reasons that he thinks they will. No one thinks that Gohmert seriously wants the government to buy access to information on Google. What everyone's laughing (or cringing) at is the idea that anyone could buy that info, because you can't. No private advertiser. No government. It's just not possible.
But, I guess we're all just "simpletons."
Seriously, however, we as citizens deserve better politicians. No one expects politicians to necessarily understand every aspect of technology, but there are some simple concepts that you should at least be able to grasp when explained to you repeatedly by experts. When a politician repeatedly demonstrates no ability to comprehend a rather basic concept -- and to then granstand on their own ignorance -- it's time to find better politicians. Quickly.
As you're probably aware since it's "the big story" right now, General David Petreaus stepped down last week after an FBI investigation turned up an affair he'd been having. It seems that every few hours more news "breaks" on the story, and it keeps getting more involved, with a growing number of players (and with each new revelation the story gets more and more bizarre). However, some have started wondering how and why the FBI was snooping on various emails. The original story was that it came about after Petreaus' mistress allegedly sent threatening (anonymous) emails to another woman, who reported them to the FBI. From that came a wider investigation, which supposedly may involve another General and a variety of other players. But some are realizing that this seems to show how the FBI has pretty free rein in terms of snooping on email accounts hosted online:
Under the 1986 Electronic Communications Privacy Act, federal authorities need only a subpoena approved by a federal prosecutor — not a judge — to obtain electronic messages that are six months old or older. To get more recent communications, a warrant from a judge is required. This is a higher standard that requires proof of probable cause that a crime is being committed.
But even that isn't entirely clear. Folks like Julian Sanchez have been puzzling through the timeline of events and wondering how a simple investigation into a small number of "rude" (but not illegal) emails then uncovered thousands of questionable emails involving a different general as alleged in the news that broke last night. It feels like the FBI may have taken a simple report of misconduct (which may have been driven by another love triangle issue involving an FBI agent who seemed to take the whole thing a lot more personally than makes sense) and turned it into a massive fishing expedition.
Given how fast new parts of this story keep breaking, I'm sure there are still a number of other dominoes to fall, but hopefully this actually gets people to pay attention to just how easy it is for law enforcement to snoop on people's emails these days based on next to nothing.
The draft bill of the UK's "Snooper's Charter", which would require ISPs to record key information about every email sent and Web site visited by UK citizens, and mobile phone companies to log all their calls, was published back in July. Before it is debated by politicians, a Joint Committee from both the House of Commons and House of Lords is conducting "pre-legislative scrutiny."
Jimmy Wales, the founder of Wikipedia, has sharply criticised the government's "snooper's charter", designed to track internet, text and email use of all British citizens, as "technologically incompetent".
He said Wikipedia would move to encrypt all its connections with Britain if UK internet companies, such as Vodafone and Virgin Media, were mandated by the government to keep track of every single page accessed by UK citizens.
He went on to suggest that other Internet companies would do the same, forcing the UK authorities to resort to what he called "black arts" to break the encryption. As he pointed out: "It is not the sort of thing I'd expect from a western democracy. It is the kind of thing I would expect from the Iranians or the Chinese."
To a certain extent, this is just bluster: Wales has no formal power to instruct Wikipedia to encrypt its connections, and even assuming that happened, it's not certain that companies like Google and Facebook would risk fines or imprisonment for their staff by refusing to hand over encryption keys. But Wales' intervention had a big symbolic importance: he's not only the co-founder of Wikipedia -- which even politicians have heard of and probably use -- he's also one of the UK government's own special tech advisers, appointed back in March.
His comments are, therefore, a real slap in the face, and a useful reminder that by pushing for this kind of total surveillance the UK government is not only making itself look oppressive, but stupid too.
Back in 2008, we wrote about how the Indian government was demanding that RIM let it snoop on encrypted messages from Blackberry users. RIM's response was that it was simply impossible to snoop on its enterprise customers' messages, since they set their own encryption keys. A few months later, the government claimed to have cracked RIM's encryption, though the whole claim was sketchy. In 2010, the government again demanded the right to spy on Blackberry users (raising more questions about that encryption cracking claim). RIM apparently offered up a "solution" that the Indian government rejected, because it didn't let them snoop enough (basically it allowed snooping on consumers, but not corporate accounts).
Now, however, there are reports that RIM has come up with a "solution" to let the Indian government spy on enterprise users as well:
RIM recently demonstrated a solution developed by a firm called Verint that can intercept messages and emails exchanged between BlackBerry handsets, and make these encrypted communications available in a readable format to Indian security agencies, according to an exchange of communications between the Canadian company and the Indian government.
If you're a RIM Blackberry customer, and you bought into it because of the security features, now would be the point where you get pretty pissed off and start seeking alternatives. The report from the Economic Times suggests RIM did this because of the "importance" of the Indian market. RIM is clearly in trouble. Its failure to keep up on the innovation front means that the company is clearly struggling. But kowtowing to a government by allowing it to spy on users is hardly the sort of thing that's likely to get you more customers. It seems like it should do exactly the opposite.
As the old joke goes, standards are wonderful things, that's why we have so many of them. But who would have thought that ETSI, the European Telecommunications Standards Institute, has already produced a draft standard on how European governments can snoop on cloud-based services like Facebook and Gmail -- even when encrypted connections are used?
ETSI DTR 101 567, to give it the full title, was pointed out to us by Erich Moechel, who has written an excellent exploration of its elements (original in German). Here's the summary from the draft standard (Microsoft Word format):
The present document provides an overview on requests for handover and delivery of real-time information associated with cloud/virtual services. The report identifies Lawful Interception needs and requirements in the converged cloud/virtual service environment, the challenges and obstacles of complying with those requirements, what implementations can be achieved under existing ETSI LI [Lawful Interception] standards, and what new work may be required to achieve needed Lawful Interception capabilities. Cloud Services in whichever forms they take (Infrastructure, Software, Platform or combinations of these) are often trans border in nature and the information required to maintain Lawful Interception (LI) capability or sufficient coverage for LI support may vary in different countries, or within platforms of different security assurance levels. This work aims to ensure capabilities can be maintained while allowing business to utilise the advantages and innovations of Cloud Services and was undertaken cooperatively with relevant cloud security technical bodies.
As that makes clear, this is being presented as "maintaining" interception capabilities in a world where cloud computing makes previous approaches inapplicable. The new standard specifically mentions social networking, file sharing and video conferencing as new areas that need to be addressed.
One key section spells out how this is to be achieved:
If the traffic is encrypted, the entity responsible for key management must ensure it can be decrypted by the CSP [Communication Service Provider] or LEA [Law Enforcement Agency].
In order to maintain LI coverage the cloud service provider must implement a Cloud Lawful Interception Function (CLIF). This can be by way of Applications Programming Interface (API) or more likely ensuring presentation of information in a format recognisable to interception mechanisms. Deep packet inspection is likely to be a constituent part of this system.
As this makes clear, along with the intercepted information, the standard envisages encryption keys being handed over routinely. Just to make things complete, DPI -- deep packet inspection -- is also regarded as a likely element of the system.
Since this is currently a draft, the threat it represents might be seen as purely theoretical; but a recent article in the Guardian confirms that the UK government "quietly agreed to measures that could increase the ability of the security services to intercept online communication" -- a reference to the ETSI draft.
The Guardian also provides us with some explanation of why this draft just happens to be available at precisely the moment when the UK government is announcing a plan that seems likely to use it:
Etsi has faced criticism in the past for the pre-emptive inclusion of wiretapping capabilities, a decision that critics say encouraged European governments to pass their wiretapping laws accordingly. According to Ross Anderson, professor in security engineering at the University of Cambridge Computer Laboratory, the institute has strong links with the intelligence agencies and has a significant British contingent, along with a number of US government advisers.
It's a classic case of policy laundering; here's how it will probably work.
The British government insists now that it will "only" gather communications data, and not content. At the same time, it will require that ISPs adopt the new ETSI cloud interception standard (once it's been finalized) in the "black boxes" that they must install under the proposed snooping legislation. That will put in place all the capabilities needed for accessing encrypted streams -- since those providing cloud services will be required to hand over the encryption keys -- and hence the content. The UK government may not intend accessing content today, but thanks to the wonders of function creep, when it decides to do it tomorrow the facility will be there waiting for it.
Meanwhile, European governments will be able to point to the UK's adoption of the ETSI standard as just "good practice"; they will ask their own ISPs to implement it, while insisting that they too have no intention of accessing the contents of people's Internet streams either. Until, that is, the day comes -- probably in the wake of some terrorist attack or pedophile scandal -- when the governments will note that since the capability is available, it would be "irresponsible" not to use it to tackle these terrible crimes. The US government will then bemoan the fact that Europe is taking better care of its citizens than it can, and will therefore pass laws requiring US ISPs to install similar real-time access to their systems, and for cloud-based services to hand over the encryption keys. Luckily, there will be a well-tried European standard that can serve as a model....
They say that a lie is halfway around the world before the truth has got its boots on, and the same seems to be true about Internet policy: the bad ideas spread like wildfire, while the good ones languish in obscurity. Snooping on the Net activity of an entire population is the latest example: now Australia wants to join the club that currently consists of the US and UK, with Canada waiting in the wings. Here's part of the EFF's excellent summary of what the Australian government is proposing:
Last week, Australian Attorney General Nicola Roxon submitted to Parliament a package of proposals intended to advance a National Security Inquiry in an effort to expand governmental surveillance powers. In a 60-page discussion paper, Roxon calls for making it easier for law enforcement and intelligence agencies to spy on Twitter and Facebook users, which would likely be achieved by compelling companies to create backdoors to enable surveillance. The proposals also revive a controversial data retention regime. And an especially problematic proposal would go so far as to establish a new crime: failure to assist law enforcement in the decryption of communications.
That last part is clearly modeled on a similar provision requiring encryption keys to be handed to the police on demand found in the UK's Regulation of Investigatory Powers Act. Surprisingly, that was passed back in 2000, but it is only now that most people are waking up to the ridiculous nature of its measures. As Rick Falkvinge explained in a recent post:
You’re not going to be sent to jail for refusal to give up encryption keys. You’re going to be sent to jail for an inability to unlock something that the police think is encrypted. Yes, this is where the hairs rise on our arms: if you have a recorded file with radio noise from the local telescope that you use for generation of random numbers, and the police asks you to produce the decryption key to show them the three documents inside the encrypted container that your radio noise looks like, you will be sent to jail for up to five years for your inability to produce the imagined documents.
In that same column, Falkvinge makes a crucial point:
The next step, of course, is that the citizens protect themselves from snooping -- at which point some bureaucrat will confuse the government’s ability to snoop on citizen’s lives for a right to snoop on citizen’s lives at any time, and create harsh punishments for any citizens who try to keep a shred of their privacy.
This is precisely what is happening in the countries that are bringing in blanket surveillance of their entire populations: just because this is now becoming technically possible, so the argument goes, we must implement such schemes because otherwise terrorists and pedophiles will take advantage of technology in ways that will make their discovery and arrest harder.
But just because something can be done, doesn't mean that it should. Exactly the same argument could be made about installing CCTV in everyone's home: with the falling cost of cameras, and the availability of the Internet, that's now a realistic option. It would also ensure that those same terrorists and pedophiles couldn't use advanced technology like curtains to thwart the forces of law and order.
And yet nobody would seriously suggest bringing in such a scheme, because it is recognized as a step too far, and that there are other ways of catching criminals without recourse to such extreme measures -- using traditional police and intelligence techniques that aren't dependent on deploying technology, but build on basic human skills and professional experience. So why is it suddenly acceptable to bring in the digital equivalent of CCTVs that record our every online move?
One reason is probably because governments can point to each others' plans to show that "everyone" is doing it, which means it is "obviously" a reasonable thing to do. That makes the latest announcement of snooping plans bad not just for Australians, but for everyone else too, since it bolsters the argument that total Net surveillance is the new normal.
