Sunday, 25 January 2015
Sunday, 4 January 2015
Interception and surveillance complaints to the European Court of Human Rights include a case taken by Big Brother Watch, the Open Rights Group, English PEN and Dr Constanze Kurz and one by the Bureau of Investigative Journalism. See mindmap of legal challenges. Also look out for any further developments arising out of the Investigatory Powers Tribunal decision in December that, in the light of disclosures of interception practice made by the government in the proceedings, future use of Section 8(4) warrants and PRISM intelligence sharing would be ‘in accordance with the law’ under Article 8 of the European Convention on Human Rights. Legality prior to the government disclosures has still to be determined.
Saturday, 3 January 2015
It is tempting just to change 2014 to 2015 in last year’s piece and recirculate. Nudging and Bludgeoning, Magic wand politics, Politicians not understanding the internet, the Internet as Wild West, Cory Doctorow’s warning of the Coming War on General Purpose Computing, Technological neutrality, Copyright wars, Site blocking and Privacy are as topical as they were a year ago.
Friday, 2 January 2015
The primacy that Section 8(4) accords to external communications at the capture stage is thus of limited significance. External and internal communications are inseparable as they pass through a fibre optic cable. If the Secretary of State’s purpose is to capture external communications, and he has a basis for believing that the warrant will fulfil that purpose and is necessary and proportionate, Section 8(4) in practice authorises the capture of all communications passing through the cable whether internal or external. The captured communications, both internal and external, then form a common pool and are treated alike.
Reform of RIPA will be a priority after the 2015 General Election, with legislators mindful of the sunset date of 31 December 2016 for the RIPA amendments made by DRIPA. The pros and cons of Section 8(4) warrants will be hotly contested. Among the possibilities that we can anticipate being advocated may be:
Before commenting on these, one fundamental issue that will be relevant to any interception regime is hidden legal interpretations.
Turning to specific issues around Section 8(4):
The government argument seems implicitly to posit some duty on the agency to enquire into the location of a selection target, albeit that is not spelt out in Section 16.
[Updated 2 Jan 2015 15.30 with additional reference to certificates; and 23.30 to substitute British Islands for British Isles (thanks to @RichGreenhill for pointing that out; and 3 Jan 2015 15:11 to add reference to RIP Bill debate on S16(3)/overlapping warrants.)]
Sunday, 21 December 2014
Wednesday, 3 December 2014
[Further updated 20 January 2015 to add tweet.]
[Also updated 5 January 2015 with this brief commentary on the Home Office Factsheet:
Page 1: Top Lines
"IP resolution is the ability to identify who in the real world was using an Internet IP address at a given point in time." Data retention at best identifies the device or connection being used and any associated subscriber details. The subscriber is not necessarily the user. Page 2 of the Factsheet is accurate: "This data can help identify who has made a communication, when, where and how." (emphasis added)
Page 1: Background
"However, some IP addresses are shared and allocated dynamically." True, but dynamic allocation is not what Clause 17 is about. Dynamic IP address allocation is sequential temporary allocation of a public IP address to one customer after another. Dynamic IP addresses are already explicitly mentioned in the DRIPA datatypes (Data Retention Regulations 2014, Schedule, Paras 13(1)(b) and 11(3)). It is evident from the diagram on page 3 of the Factsheet that the problem being addressed by Clause 17 is simultaneous sharing of a single public IP address by multiple ISP customers.
Page 3 : Diagram
"At 4pm 2,500 people are using a single IP address on the internet." Exactly. The issue is simultaneous sharing of a single IP address, not dynamic (sequential) allocation of an IP address.
"The e-mail service provider now provides police with IP address and port number used to send the e-mail and accurate time." In order to do this the e-mail service provider in the diagram example will have had to retain IP address, port number and timing data. Will such providers, as well as internet access providers, be subject to mandatory retention?
"Police seek details from internet access provider. Internet access provider now identifies the individual using the unique combination of IP address and port number provided at 4pm." The internet access provider identifies the customer, who may be but is not necessarily the individual who used the device in question.]
Four months after DRIPA and 18 months after putting down a marker in the May 2013 Queen’s Speech, the UK government has embarked on a new round of legislation for mandatory retention of communications data. This time it is under the banner of IP address matching.
- Some ISP and mobile operator systems don’t allocate one public IP address to one customer device or connection, but have many customers sharing an IP address simultaneously. They could be required to retain linking data such as port numbers.
- Even if an ISP retains IP address and (say) port number records, it cannot be sure of identifying a single device or connection unless law enforcement can provide it with a both a port number and an IP address to look up. So a cloud storage or web e-mail provider accessed by the user could also be required to retain logs of linking data visible to it, such as port numbers.
- Operators such as public Wi-Fi hotspots could be required to log MAC addresses.
“IP Resolution: Allow for a power to require communications service providers to retain the data necessary to attribute an IP address to an individual.”
“may be used to identify, or assist in identifying, which internet protocol address, or other identifier, belongs to the sender or recipient of a communication (whether or not a person)”.
This is the most curious part of Clause 17. The problem is surely not identifying which IP address ‘belongs’ to a given sender or recipient of the communication, but identifying which device or connection (of many) was used to make a given communication via a given shared public IP address. Is it drafted the wrong way round?
“… An IP address can often be shared by hundreds of people at once – in order to resolve an IP address to an individual other data ("other identifier" in this clause) would be required.”
“Data necessary for the resolution of IP addresses could include port numbers or MAC (media access control) addresses.”
“For example w[h]ere a user uploads an illicit file to a cloud server that server provider, if subject to a data retention notice, would be required to retain sufficient information to enable the internet access provider to identify the user.”
[My 8 point tweet of points on Clause 17:
1/8 Is it about dynamic (sequential) IP address allocation? No. Already covered in DRIPA and so excluded from Cl 17.— Graham Smith (@cyberleagle) January 20, 2015
2/8 The Home Office Factsheet suggests Cl 17 is about simultaneous use of one public IP address by many customers.— Graham Smith (@cyberleagle) January 20, 2015
3/8 But you'd never guess that from reading Cl 17. What else might it cover? Its vague drafting gives little clue.— Graham Smith (@cyberleagle) January 20, 2015
4/8 The Fact Sheet shows it is meant to cover not just internet access, but cloud/web e-mail providers who generate or process data in UK.— Graham Smith (@cyberleagle) January 20, 2015
5/8 Cl 17 isn't limited to data linking a device or connection to a public IP address. Includes 'other identifiers' as well as IP addresses.— Graham Smith (@cyberleagle) January 20, 2015
6/8 What is an 'other identifier'? A MAC address, said the Minister on 9 Dec. The EN seems to suggest a MAC address is linking data. Both?— Graham Smith (@cyberleagle) January 20, 2015
7/8 'Other identifier' is said to 'future proof' Cl 17 by making it 'technologically neutral'. In a provision sunsetted in Dec 2016?— Graham Smith (@cyberleagle) January 20, 2015
8/8 RIPA was drafted to be technologically neutral. The result was a statute universally acknowledged to be impenetrable. #BeenHereBefore— Graham Smith (@cyberleagle) January 20, 2015
[Updated 4 December 2014 with references to the Home Office Factsheet and minor clarifications and edits. Further update 5 January 2015 with comments on the Home Office Factsheet. Further updated 20 January 2015 to add tweet.]