Last Tuesday, I went along to the Science and Technology committee’s hearing on the IP Bill (see endnote for why). There were some good questions.
Given my past work on the draft Communications Data Bill, there are two areas which came up where this bill is substantively different, in a way that is probably interesting. Those areas are encryption and IPv6. There are other areas of interest, such as the filter, which is as bad an idea now as it was then. I’m sure Lord Haw Haw of Berriew will be on TV shortly to explain why, despite the agencies getting “no new powers” in the bill, it should be passed immediately for their benefit.
A good bit of the Bill
There is a good bit of the bill, and it’s a direct result of the work done by Privacy International (after I left) and many others at the Investigatory Powers Tribunal. From what Sir David Omand, former director of GCHQ, said, it appears that the IPT cases have forced the Government to ensure that any techniques are publicly avowed.
It will take a written Parliamentary Question to the Home Secretary to confirm that this is the case, but following the publication of the “arrangements” alongside the IP Bill, are there any techniques available to the agencies that are not avowed? Is there anything they are still hiding because they are more afraid of the public knowing about it than of being caught sneaking it into other powers?
Those techniques include categories like “hack the planet” or “steal anything”, but we at least have some guidelines on those things. To quote the former head of the NSA “Give me the box you will allow me to operate in. I’m going to play to the very edges of that box.”
There’s a lot in the bill, and some of the discussions should be about whether we should be doing those things, let alone how. But, due to the avowal requirements, this should be a complete list.
For the first time ever, the bill gives us the Home Office’s desire for the box. Now we get to talk about it in a democratic fashion. Thanks Snowden.
IPv6 and Internet Connection Records
Remember that the thing the police and agencies are most worried about is smartphones. The world’s changed, and Stella Creasy, MP for Walthamstow, noticed (Q16).
In 2012, IPv6 was still on the horizon. Facebook had reached 0.5% of global traffic using it, all the current smartphones worked with it, but none of the networks that the West cared about were deploying it in any meaningful way.
Step forward 3 years: BT, Sky and Virgin have started deploying IPv6 to home connections, the “current smartphones” from 2012 are now ancient history, pretty much every smartphone in active use fully works with IPv6, the mobile networks are capable of rolling it out themselves (and a bunch of US networks have), and, probably most importantly, Apple has mandated that if you want to put an (updated) app in the App Store, it has to work over IPv6.
If the world has changed, so have the spooks. The main obstacle to mass domestic deployment of IPv6 in 2012 was said to be that the snooping kit GCHQ has on the backbones didn’t do IPv6. If BT, Sky and Virgin are now rolling out IPv6 to ADSL customers, that problem has gone away. The providers would happily have done it in 2012 if the Home Office had paid for it; my guess is that the Home Office can only ignore the march of progress for so long, or, more likely, that it became more expensive for the providers not to do IPv6 than to do it, so the broadband companies are doing it.
But the realities of the world have a habit of being ignored by the legislation, which was at the heart of Stella Creasy’s question.
Currently, a mobile phone has a private IP address (of its own) which gets translated to a public (shared) one for talking to the internet. If the police go to facebook and ask where someone connected from, the best they can currently get is the shared address, which might be shared with 5000 other customers in any one second, and a different 5000 ten seconds later, because port reuse is set to be really fast. That doesn’t help them.
IPv6 allows them to say “the device had this address”, in a manner which allows the requestor to go to the telco and ask a question that is possible to answer.
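As an added worked example (not from the original post; every subscriber, address, prefix and timestamp is constructed), here are the two lookups the last two paragraphs describe: resolving a public IPv4 address against a carrier-grade NAT translation log, where a few seconds of clock skew or a missing port number turns one answer into a shortlist, and resolving an IPv6 address against a prefix-delegation log, where the subscriber’s /56 identifies them however the handset randomised its host bits.

```python
"""
Added example, not from the original post. Constructed telco records showing
why "where did this connection come from?" is hard to answer under IPv4
carrier-grade NAT and easy under IPv6 prefix delegation. Every subscriber
name, address, prefix and timestamp below is made up.
"""
from ipaddress import ip_address, ip_network, IPv6Address

# Constructed CGNAT translation log:
# (first_second, last_second, public_ip, public_port, subscriber).
# Ports are recycled within seconds, so one public ip:port maps to several
# subscribers in quick succession.
CGNAT_LOG = [
    (1000, 1003, "203.0.113.7", 40001, "sub-A"),
    (1004, 1009, "203.0.113.7", 40001, "sub-B"),
    (1009, 1015, "203.0.113.7", 40001, "sub-C"),
    (1000, 1010, "203.0.113.7", 40002, "sub-D"),
]

# Constructed IPv6 prefix-delegation log: each subscriber's router is handed
# a stable /56. RFC 4941 privacy extensions randomise the low 64 bits of the
# device's address, not this prefix, so the prefix alone names the subscriber.
PD_LOG = [
    ("2001:db8:1a00::/56", "sub-A"),
    ("2001:db8:1b00::/56", "sub-B"),
]


def cgnat_lookup(public_ip, when, public_port=None, skew=0):
    """Subscribers who could have held public_ip(:public_port) at second
    `when`. `public_port=None` models a service that logged only the IP;
    `skew` is the clock tolerance (seconds) between the two sides' logs.
    Returns a set: one element is an answer, more than one is a shortlist."""
    lo, hi = when - skew, when + skew
    return {
        sub
        for first, last, ip, port, sub in CGNAT_LOG
        if ip == public_ip
        and (public_port is None or port == public_port)
        and first <= hi
        and last >= lo
    }


def ipv6_lookup(addr):
    """Subscriber whose delegated prefix contains `addr`, or None.
    Independent of how the device chose its interface identifier."""
    a = ip_address(addr)
    if not isinstance(a, IPv6Address):
        raise ValueError("IPv6 address expected, got %r" % addr)
    for prefix, sub in PD_LOG:
        if a in ip_network(prefix):
            return sub
    return None


if __name__ == "__main__":
    # IPv4: exact second plus port still gives one answer...
    print(cgnat_lookup("203.0.113.7", 1005, 40001))
    # ...but five seconds of clock skew, or no port, gives a crowd.
    print(cgnat_lookup("203.0.113.7", 1005, 40001, skew=5))
    print(cgnat_lookup("203.0.113.7", 1005))
    # IPv6: two privacy-extension addresses from one router, one subscriber.
    print(ipv6_lookup("2001:db8:1a00:42:8f3e:1b2c:9d4a:77e1"))
    print(ipv6_lookup("2001:db8:1a00:ff:c0ff:ee00:dead:beef"))
```

The IPv4 side only works at all if the requesting service logged the source port and both clocks agree to the second; in practice neither is guaranteed, which is the ambiguity the text is pointing at. The IPv6 side asks nothing of the service beyond the address it already has.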
IPv6 and Internet Connection Records allow the process to go the other way – the “whatsapp vs snapchat question” – which communications mechanisms did this device use? (It’s probably facebook, it’s almost always facebook, but it could be something else – yahoo messenger, slack, skype, whatsapp, snapchat, imessage, signal, et al.) The police can then go and ask that communications company “who was this device talking to?”, in the case of a missing person. This doesn’t require subterfuge – they know who to call.
The use of an Internet Connection Record, unlike the requirement to keep weblogs, or the other proposals from 2012, does not prevent end to end encryption. ICRs are records that a connection was made, and make no attempt to peek into it. As a result, none of the problems of encryption or port numbers come into play. This addresses some, but not all, of the problems the draft Communications Data Bill Committee had when it rejected the bill in 2012.
Given the concern is mobile phones/tablets which can move, rather than laptops/desktops (which tend to use wired broadband most of the time, and if they don’t, they’re indistinguishable from mobile phones), the requirement from Apple for iOS 9 apps to support IPv6 (in testing and practice, not just theory) is the largest change in the world. When that lands, 20 years of hard work by the IPv6 community will have delivered. Everything will still work for the user, but the tech will have changed underneath.
(As an aside, it would be useful to have clarity on whether an ICR includes hostnames from DNS, or whether the fact that some IP addresses are used by only one company (e.g. facebook) means that the service is identifiable from the IP alone.)
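To make the aside concrete, here is an added example (not from the original post; all flows, addresses, hostnames, address blocks and service names are constructed). It reduces probe-level flow records to ICR-style entries that keep only endpoints and time, then tries to answer the “which service was this device using?” question with and without a retained hostname. Where the destination sits in an address block used by a single company, the IP alone is enough; where it sits in a shared hosting range, the ICR can only produce a list of tenants.

```python
"""
Added example, not from the original post. Constructed flow records are
reduced to Internet Connection Record-style entries (endpoints and time, no
content), then attributed to a service two ways: from a hostname, if the
record keeps one, and from the destination IP alone. Every address,
hostname, address block and service name here is made up.
"""
from ipaddress import ip_address, ip_network

# Constructed raw flows as a probe might see them, including fields an ICR
# is not meant to retain (TLS SNI, byte counts, payload bytes).
FLOWS = [
    {"t": 1700000000, "src": "2001:db8:1a00:42::a1", "dst": "2001:db8:f00::10",
     "dport": 443, "sni": "chat.example-social.com", "bytes": 48213,
     "payload": b"\x16\x03\x03\x00"},
    {"t": 1700000031, "src": "2001:db8:1a00:42::a1", "dst": "2001:db8:c0de::7",
     "dport": 443, "sni": "api.example-messenger.net", "bytes": 912,
     "payload": b"\x16\x03\x03\x00"},
    {"t": 1700000065, "src": "2001:db8:1a00:42::a1", "dst": "2001:db8:c0de::9",
     "dport": 443, "sni": "cdn.example-photos.org", "bytes": 3300123,
     "payload": b"\x16\x03\x03\x00"},
]

# Constructed address allocations: one block used by a single company, one
# shared hosting/CDN block with several tenants behind the same addresses.
ALLOCATIONS = [
    (ip_network("2001:db8:f00::/48"), {"example-social"}),
    (ip_network("2001:db8:c0de::/48"),
     {"example-messenger", "example-photos", "example-video"}),
]

# Constructed hostname-to-service mapping, used only when the ICR keeps a name.
HOST_TO_SERVICE = {
    "chat.example-social.com": "example-social",
    "api.example-messenger.net": "example-messenger",
    "cdn.example-photos.org": "example-photos",
}


def to_icr(flow, keep_hostname):
    """Reduce a flow to an ICR-style record: who connected to what, when.
    Payload and volume are dropped; the hostname survives only if the
    retention regime says so, which is the open question in the text."""
    icr = {"t": flow["t"], "src": flow["src"],
           "dst": flow["dst"], "dport": flow["dport"]}
    if keep_hostname:
        icr["host"] = flow["sni"]
    return icr


def attribute(icr):
    """Candidate services behind an ICR. With a hostname the answer is exact;
    from the IP alone it is exact only for single-tenant address blocks."""
    if "host" in icr and icr["host"] in HOST_TO_SERVICE:
        return {HOST_TO_SERVICE[icr["host"]]}
    dst = ip_address(icr["dst"])
    for block, tenants in ALLOCATIONS:
        if dst in block:
            return set(tenants)
    return set()


def services_used(flows, keep_hostname):
    """The 'whatsapp vs snapchat' question for one device: one candidate
    set per connection, in time order."""
    return [attribute(to_icr(f, keep_hostname)) for f in flows]


if __name__ == "__main__":
    print(services_used(FLOWS, keep_hostname=True))
    print(services_used(FLOWS, keep_hostname=False))
```

Whether the second output is acceptable depends entirely on the definition of an ICR that ends up in the Bill; the code simply shows what each definition would and would not let an investigator conclude.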
When the telcos switch on IPv6, with full privacy protections enabled, traceability for the police in missing person cases immediately goes up. It is not difficult to argue that the delays from the mobile providers are harming the safety of vulnerable individuals, even if the communications are fully encrypted…
Encryption
I won’t repeat the inanities of our Prime Minister on encryption. If you’ve read this far, I’m assuming you already know about them.
Apparently, encryption is not (explicitly) prohibited in the bill (although s189 might be interpreted that way, which is a question for the draft bill committee to address and dispel). The government cannot prevent everyone’s iMessages being end-to-end encrypted. But it’s possibly not as simple as that.
Let’s assume that, when the Home Secretary has spoken in the House of Commons, that she hasn’t told porkies; she may have let people jump to wrong conclusions, but didn’t actively mislead.
Firstly, there are the hacking provisions (both “equipment interference” and “bulk equipment interference”), which allow for the device to give up keys or unencrypted content. I’m not going to address those here. If someone else can run whatever they like on your device (which is what happens in hacking), your device is no longer your device; it’s mostly theirs, and they might just let you have enough of it not to notice. But that’s nothing to do with the encryption.
When Barack Obama was President-Elect, his website became change.gov, and they wanted it to be everything that a website should have been in 2008. However, as a .gov, there were other rules that were to be followed, and that included the problem of youtube embedded videos, and tracking cookies. Being eager to help, Google created youtube-nocookie.com which is exactly the same as youtube for embedding videos, but doesn’t track you (really). When you want to embed a video, and click the “show more” options, that is exactly what the “Enable privacy-enhanced mode” does (turned off by default).
If there can be a privacy enhanced mode for Youtube, why not a privacy reduced mode? The draft Bill would seem to give the Home Office that sort of power.
Facebook heavily protects their communications into facebook.com, via HSTS (HTTP Strict Transport Security) and other measures. But could they have my version of the app connect into facebook-nocrypto.com ? They certainly could if they chose to, or were required to. It’s not necessarily quite mass surveillance, and it’s not quite hacking, but it is in the Bill in clause 101.
Even if the Home Secretary can’t require facebook to buy a different domain and have some people use it silently, can the Home Office issue a warrant to facebook such that my facebook app talks to an IP address directly rather than to facebook.com? HSTS policies are keyed to hostnames and never cover IP literals, so that connection could be unencrypted. In an IPv6 world, that starts to be somewhat interesting, especially when you can monitor via Internet Connection Records who is connecting to what.
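The scope of an HSTS policy is the whole of the point in the last two paragraphs, so here is an added example (not from the original post) of a minimal HSTS store modelled on RFC 6797. The store contents are constructed; facebook-nocrypto.com is the post’s hypothetical domain, and the IP literals are documentation addresses. It shows that a policy for facebook.com with includeSubDomains upgrades facebook.com and its subdomains, and nothing else: not a sibling domain, and not a bare IP address, which RFC 6797 excludes from being an HSTS host at all.

```python
"""
Added example, not from the original post. A minimal model of a browser's
HSTS store (RFC 6797) showing which hosts a facebook.com-style policy does
and does not upgrade. Store contents and hostnames are constructed;
facebook-nocrypto.com is the post's hypothetical domain.
"""
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed HSTS store: host -> includeSubDomains flag, as a user agent
# would record it after seeing a Strict-Transport-Security header.
HSTS_STORE = {"facebook.com": True}


def is_ip_literal(host):
    """True for IPv4 dotted quads and bracketed or bare IPv6 literals."""
    h = host[1:-1] if host.startswith("[") and host.endswith("]") else host
    try:
        ip_address(h)
        return True
    except ValueError:
        return False


def hsts_applies(host, store=HSTS_STORE):
    """Does a stored policy cover `host`? Matching follows RFC 6797: the
    exact host, or a superdomain whose policy set includeSubDomains.
    IP literals are never HSTS hosts, whatever the store contains."""
    host = host.lower().rstrip(".")
    if is_ip_literal(host):
        return False
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in store and (i == 0 or store[candidate]):
            return True
    return False


def upgrade(url, store=HSTS_STORE):
    """Rewrite http:// to https:// when HSTS applies; otherwise return the
    URL unchanged, which is exactly the case the text is worried about."""
    parts = urlsplit(url)
    if parts.scheme == "http" and parts.hostname and hsts_applies(parts.hostname, store):
        return parts._replace(scheme="https").geturl()
    return url


if __name__ == "__main__":
    for u in ["http://facebook.com/home",
              "http://m.facebook.com/",
              "http://facebook-nocrypto.com/",
              "http://203.0.113.5/",
              "http://[2001:db8::1]/"]:
        print(u, "->", upgrade(u))
```

Only the first two URLs are rewritten. The browser is behaving correctly in every case; the protection simply does not reach a destination that the app’s own publisher has been told to point it at.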
Apart from end-to-end encryption, the infosec community has no common approach to mitigating this sort of move by governments; certificate pinning inside the app helps only for as long as the app’s publisher is not the party being compelled.
Medical records and the IP Bill: My day job remains working for medConfidential, and its remit as regards the draft IP Bill is limited to looking at one small part of Bulk Personal Datasets – a very narrow remit, missing a wide range of important issues both in Bulk Personal Datasets and in other sections of the bill (such as those in this blog post, which is a personal blog post, not a medConfidential one). medConfidential isn’t resourced to do everything; other organisations should have been there for other aspects of the bill. If you wish to widen our remit, medConfidential will happily accept the substantial donations it would take to do this work. Sensible policy will not come from having some interested experts pay partial attention in their free time; that is how those who care about the issues in this blog post will lose yet again (and doing it a different way is how similar fights have been won).