Monthly Archive for January, 2009

How is all this Stasi stuff supposed to work anyhow?

After the ringing endorsement for more “talking rubbish” from Tom in the comments to my last post, I feel newly inspired to spout off.

So, a couple of news items in recent weeks about our government’s incompetent attempts to turn our generally-mostly-well-behaved-as-long-as-you-are-white police force into some kind of robo-stasi.  The ethics of these things are pretty obvious, but what perplexes me is how some of these powers are supposed to be used.

First, the Computer Misuse Act (1995) allows the police to hack into “compromised” systems without a warrant.  Who knew?  Not me. Anyway, apparently they plan to “step up this activity”.

Now as it happens I have briefly met some of the chaps from SOCA, who presumably would be executing this brief.  I am sure they are fine upstanding members of the constabulary, but leet haxors they are not.  Frankly I think it’s unlikely they could drive a pivot table in Excel, let alone devise a 0-day.  The drafters of this act perhaps envisaged the police employing uber hackers from the underground, which superficially sounds quite exciting, but it’s an ITV plot I’m afraid.  If the Old Bill know of uber hackers in the UK they’re most likely to feel their collars.

Alternatively of course they could employ Russian hackers, but the amazingly bad idea of involving anyone associated with the FSB in sensitive police business may be apparent even to the clouded minds of our senior officers.

Security firms, on the whole, will also try their best to keep the police off your network, since they won’t be able to tell if it’s the police or not.  For all the fretting about these powers, in practice it’s only those who take no care at all who need to worry, and their machines are probably infested with viruses already.

Second is the Government’s rather more disturbing intention to require ISPs to log every email sent. Again, the ethical problems with this are pretty obvious but the practical implications are bizarre.

When you send an email from your workplace to someone else, it’s very likely that your emails never directly touch one of your ISP’s mail servers - your mail goes to your corporate mail server, then over the internet to your recipient’s mail server.  That mail does traverse your ISP’s network, but not their mail servers.

So to log this activity, your ISP would need to run a filter on all TCP traffic for port 25, decode this traffic and extract the headers.  Although this is onerous for ISPs, it’s possible.  It will inevitably make email less reliable, and slower, but hey who cares, right.

But, and this is a but you could drive a truck through, a whole load of people use opportunistic strong encryption for email. It’s enabled out of the box on all decent mail systems these days, and from watching our own logs I guess well more than half of email is encrypted for transport now.

Cracking this is not only difficult-to-impossible, but illegal in many cases. It certainly is more than onerous.
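To make the port-25 point concrete, here is an added example (not from the original post) of the sort of passive header extraction an ISP would have to run, applied to two constructed SMTP transcripts: one sent in the clear, and one where the sending server takes up the STARTTLS offer. Host names, addresses and the message are made up.

```python
# Constructed SMTP transcripts (not real captures), one line per message, prefixed
# with the sender: "C" is the sending mail server, "S" the receiving one.
PLAIN_SESSION = [
    "S 220 mx.example.net ESMTP", "C EHLO mail.corp.example",
    "S 250-mx.example.net", "S 250 STARTTLS",
    "C MAIL FROM:<alice@corp.example>", "S 250 OK",
    "C RCPT TO:<bob@example.net>", "S 250 OK",
    "C DATA", "S 354 End data with <CR><LF>.<CR><LF>",
    "C From: Alice <alice@corp.example>", "C To: Bob <bob@example.net>",
    "C Subject: lunch", "C ", "C Tuesday?", "C .", "S 250 Queued",
]
# Same pair of servers, but the client takes up the STARTTLS offer: after the
# 220 reply every byte on port 25 is TLS ciphertext (shown here as a placeholder).
TLS_SESSION = PLAIN_SESSION[:4] + [
    "C STARTTLS", "S 220 Go ahead", "C <tls record>", "S <tls record>",
]

def tap_port_25(session: list) -> dict:
    """What a passive port-25 tap can log: client HELO name, envelope addresses and
    message headers, but only for the part of the session sent in the clear."""
    seen = {"helo": None, "mail_from": None, "rcpt_to": [], "headers": {}, "tls": False}
    state, last_cmd = "cmd", None
    for entry in session:
        who, line = entry[0], entry[2:]
        if state == "hdr":                  # message headers arrive in the DATA phase
            if line == "":
                state = "body"              # blank line ends headers; body is content
            else:
                k, _, v = line.partition(":")
                seen["headers"][k.strip().lower()] = v.strip()
        elif state == "body":
            if line == ".":
                state = "cmd"               # body itself is never recorded
        elif who == "S":
            if last_cmd == "STARTTLS" and line.startswith("220"):
                seen["tls"] = True
                break                       # ciphertext from here on; nothing to read
            if last_cmd == "DATA" and line.startswith("354"):
                state = "hdr"
        else:
            verb, _, arg = line.partition(" ")
            last_cmd = verb.upper()
            if last_cmd in ("EHLO", "HELO"):
                seen["helo"] = arg
            elif last_cmd == "MAIL":
                seen["mail_from"] = arg.split(":", 1)[1].strip("<>")
            elif last_cmd == "RCPT":
                seen["rcpt_to"].append(arg.split(":", 1)[1].strip("<>"))
    return seen
```

For the clear-text session the tap gets the envelope and all the message headers; for the STARTTLS session it gets the client's EHLO name and nothing else.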

So, may I just ask, WTF?  Are they really proposing to make laws to legislate for the impossible just to irritate everyone?



Bloggers block

I want to share a moment of angst.

I read a great comment about blogs perhaps two months ago, and it’s completely clobbered my blogging.  It’s taken some time for me to realise that this one comment has caused such a period of Bloggers Block.

The comment was from someone irritating like Dave Winer, but it struck something of a chord.  The gist was that the best blogs are those where people talk about what they know - but that the world is full of blogs where people sound off about things they know nothing about.  Unfortunately this struck home - this blog is full of me sounding off about subjects that I am, realistically, on the whole, clueless about.

Of course I’d love to think my opinion on any subject is by its very essence the purest gold; my every sentence dripping not only with sardonic vigour but such volumes of essential wisdom that readers are stunned into respectful silence.

Lying awake at 2am though, I know this is not the case, and to pretend otherwise is rather silly.  So, do I continue writing articles that might well be complete rubbish?  I have to say it never bothered me before, but the assertion that I am somehow participating in some huge exercise in dumbing down the Internet offended me somehow, all the more so since it could be true.

I know vast quantities of stuff about some extremely obscure things, but we have a work blog for that kind of stuff.  [Not that I use it, since it's the horrible Movable Type.  We have a new WordPress blog coming soon though (like our new website it's been coming soon for about a year), and then I might do some regular blogging there.]

So, a dilemma.  I do not yet know what I’ll do but at least having articulated the problem I may find a solution.  More likely, of course, I will get bored with the dilemma and proceed as before - blogging is a strange pursuit, since its purpose is so ill-defined, and I’ve yet to work out why I do it.

Communications Traffic Data and you

Private firm may track all email and calls, reports The Guardian.  It’s a pretty remarkable story, and on the face of it it’s enough to get lots of people very upset already.

I think it’s a lot more insidious than it seems too.  The trick is in the term “Communications Traffic Data”, and what this really means in practice.

As with phone calls now, the government claims it will only record “Communications Traffic Data” and not the content of internet traffic. It’s still quite Big Brother, of course:

By building up a database about our movements - our morning rituals of checking emails, visiting web sites, buying online - this will build up a pattern. This in itself is “content”. This will create a pattern of recognition about our movements. Plus how long would it be before they start to argue that they need to see the content as well? Curiously, because so few people in China - relatively speaking - are online and/or using credit cards, China will look pretty free compared to our electronically driven society.

It’s a lot worse than this I’m afraid. 

How do we decide what Communications Traffic Data is?  All traffic over the internet is transmitted in packets (called Datagrams) according to the Internet Protocol (IP).  These datagrams have a header, and a body.  The header contains the IP Communications Traffic Data, and the body contains the content.  The IP header contains, amongst other things, the source IP address and destination IP address of the datagram.

So is this what the government counts as Communications Traffic Data?  Well, not quite.  The IP addresses are part of what they want to record, but not everything.  How do we know what type of traffic this is?  Surely whether this is part of an email or part of a web page is Communications Traffic Data too?  Also, who initiated this conversation?  This could be a web request, or a page in response, and which way the traffic is going is important too, isn’t it?

Well, that information isn’t in the IP header.  It’s inside the content of the IP packet.  For Web and Email, it’ll be inside a Transmission Control Protocol (TCP) packet, carried within IP.

So, we look at the IP packet, see it’s a TCP packet, unpack the content and look at the TCP header.  The TCP header is the Communications Traffic Data for TCP, and the body is the data.  In the header for the TCP packet we have the information we need to see what port numbers this communication is between, and we know that port 80 is normally web traffic, so now we know it’s a web page.

We also know who started the conversation, so we can keep track of who is asking whom for what.

But, well, what URL is being requested?  Is this Communications Traffic Data? It’s not as far as TCP is concerned, but it is for the Hypertext Transfer Protocol (HTTP).  And surely anyone reasonable would say it’s Communications Data as far as the government is concerned?

So, we unpack the TCP packet, find the HTTP request and look at that.  Now then, there’s not much left of this packet now is there?  For an HTTP request in fact, we can reasonably claim that the entire packet is Communications Traffic Data.
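The peeling just described, as an added example in Python that is not part of the original post: one constructed IPv4/TCP packet carrying an HTTP request is unpacked layer by layer, and at each layer the header (what that layer calls traffic data) is separated from the payload (what it calls content). Addresses, ports and the request are made up.

```python
import struct

# Constructed sample (not a real capture): one IPv4/TCP packet carrying an HTTP request.
HTTP_REQ = (b"GET /news/2009/jan HTTP/1.1\r\nHost: www.example.com\r\n"
            b"User-Agent: demo\r\n\r\n")

def build_sample() -> bytes:
    """Hand-assemble the packet; addresses, ports and sequence numbers are made up."""
    flags = (5 << 12) | 0x18                       # data offset 5 words, PSH+ACK
    tcp = struct.pack("!HHIIHHHH", 49152, 80, 1, 1, flags, 65535, 0, 0) + HTTP_REQ
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    return ip + tcp

def parse_ipv4(packet: bytes) -> dict:
    """IP layer: the header is its 'traffic data'; everything after it is 'content'."""
    if packet[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl, total_len = (packet[0] & 0x0F) * 4, struct.unpack("!H", packet[2:4])[0]
    addr = lambda b: ".".join(str(x) for x in b)
    return {"src": addr(packet[12:16]), "dst": addr(packet[16:20]),
            "proto": packet[9], "payload": packet[ihl:total_len]}

def parse_tcp(segment: bytes) -> dict:
    """TCP layer: ports are its traffic data; the bytes after the header are content."""
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    return {"sport": sport, "dport": dport, "payload": segment[(off_flags >> 12) * 4:]}

def parse_http_request(data: bytes) -> dict:
    """HTTP layer: request line and headers; only the body (if any) is left as content."""
    head, _, body = data.partition(b"\r\n\r\n")
    lines = head.decode("ascii", "replace").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (l.partition(":") for l in lines[1:])}
    return {"method": method, "target": target, "headers": headers, "body": body}

def peel(packet: bytes) -> list:
    """Walk the layers as the post does, returning (layer, traffic_data, content)."""
    ip = parse_ipv4(packet)
    layers = [("IP", {"src": ip["src"], "dst": ip["dst"]}, ip["payload"])]
    if ip["proto"] != 6:                           # not TCP: nothing more to unpack
        return layers
    tcp = parse_tcp(ip["payload"])
    layers.append(("TCP", {"sport": tcp["sport"], "dport": tcp["dport"]}, tcp["payload"]))
    if tcp["dport"] == 80 and tcp["payload"].split(b" ", 1)[0] in (b"GET", b"POST"):
        http = parse_http_request(tcp["payload"])
        layers.append(("HTTP", {"method": http["method"], "target": http["target"],
                                "host": http["headers"].get("host")}, http["body"]))
    return layers                                  # at HTTP, the 'content' left is b""
```

Running `peel(build_sample())` shows the content shrinking at each step until, at the HTTP layer, nothing of this request is left that is not traffic data.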

As I understand both existing and planned legislation, there’s no strict definition of what “Communications Traffic Data” really is, and the possible database could well end up storing all of these data.

HTTP requests aren’t such a contrived example either.  But try some more on for size.  Imagine an MSN chat conversation.  The IP packets just record that your computer talks to an MSN server somewhere, and that’s it.  That’s a lot less than telephone communications data, which at least records the virtual circuit endpoints (i.e. phone numbers).  So, is it reasonable to unpack all these packets to find the usernames for who is communicating?  Probably.  Again, very little of the actual data is considered to be “content”, and almost all of it is “Communication Data”.

Imagine you are playing an MMO such as World of Warcraft, and you start a private chat with someone else.  Is this Communications Traffic Data?  How about your emotes to someone? 

What about email attachments?  Their size, filenames and types are part of the MIME protocol, within an email, and these could be “Communications Data”.  The actual contents of the attachment would be hard to justify as “Communications Data”, but that’s about it.

As should be clear by now, the Internet is built as layers within layers within layers.  Every layer treats whatever it carries as “just data”.  It’s the most powerful abstraction we have, and without it we would never have been able to build the Internet.

But the Internet was never designed to facilitate state monitoring and control of all communications, and it doesn’t have the ready control knobs that an authoritarian government would have required.  It’s also not easily possible to retrofit them, which is what this government really requires.  They use loose language in statute to allow them to adapt to a technology that they don’t really appreciate.  Because the media don’t appreciate the technology either, we’re likely to find a government with strongly authoritarian instincts being granted vast powers entirely by accident.

That would be tragic.