IMP - an overview

A significant paper from the LSE provides an overview and substantial critique of the Government plans for review of the interception of communications traffic data - currently under consultation.

The paper, which can be downloaded here provides a review of UK intercept law, changes in communications and the technological limitations of the proposals for high levels of deep packet inspection (DPI). This is a paper that is informative and a useful contribution to the debate. It notes that there are significant privacy issues although these are for others to discuss. What it does do is to point out the limitations of the core technology concepts behind the Intercept Modernisation Programme (IMP) and ‘Mastering the Internet’, the GCHQ programme aimed at collecting and analysing data within the UK’s Internet traffic.

Every MP and member of the House of Lords should read this - and should then be made to sit an examination on its contents with passage to permission to debate only granted on being able to demonstrate a satisfactory understanding of the content. Well, pigs might fly!

The Home Office Consultation, ‘Protecting the Public in a Changing Communications Environment’ can be downloaded here.

Not so centralised database ……

So, after all the speculation, the Home Office have now published the consultation paper on ‘Protecting the Public in a Changing Communications Environment’ and it now makes clear that the idea of a single centralised database containing records of all telephone calls, Internet login/logout, email, web access etc. has been kicked into touch. Page 25 of the paper makes clear, ‘The Government has no plans to create a centralised database to store all communications data.’

However, it is also clear that this would be the preferred option, ‘This approach would have several advantages. It would be the option most likely to come close to maintaining the historic capability of public authorities in their use of communications data. It would be the most effective at delivering fast and efficient access in support of the law enforcement and intelligence agencies and emergency services; the least challenging technically to implement; and the cheapest to build and run.’ But, Government is clearly aware of the sensitive politics of any implementation in this manner and has accepted that this wqould be a step too far and a massive intrusion into privacy. Richard Thomas, Information Commissioner, had made it quite clear that a single centralised database would be seen as an infringement of data privacy legislation and this advice seems to have been taken on board, ‘The Government recognises the privacy implications in holding all communications data from the UK from a 12-month period in a single store. The Government therefore does not propose to pursue this approach.’

So, the remaining option is to require communications service providers (CSPs) to retain data themselves and to release to national security and law enforcement authorities on receipt of the appropriate (RIPA) authority. That is similar to the current provision and the requirements of the Data Retention Regulations. However, the proposed plans go further than the requirements of the European Data Retention Directive (DRD) - law enforcement agencies have advised government that they require access to a broader range of data than that required under DRD. “We also need to ensure that UK companies collect and store additional types of communications data about their own services, which are not included under the EU Data Retention Directive. This includes data that communication service providers do not generate or process about their services.”

So what would this additional data retention requirement include. Web access for certain - but again, not the content, only the access to the server (to the domain rather to internal pages), volume of data transferred (download/upload), access to third party services.

Ah, this last is interesting. Acccess to third party services. Government is clearly aware of the limitations of the DRD and is now looking to close loopholes. DRD does not include web access and does not include access to services that are not hosted in the UK. Now, we know that a large number of users use webmail and that the major services (Hotmail, Gmail etc.) are hosted in the US. There is no provision under DRD for retention of any data relating to mail sent via these services - nor for any retention of data sent via other means including social networking sites, game sites, forums etc. Govt. now wants to close this loophole, ‘This would include third party data relating to internet-based services and communications services provided from outside the UK.’

Now that leaves some interesting questions. If CSPs are to be required to retain data relating to access to systems and servers outside of their network (and outside of the UK and EU) then they are going to have to collect the data by analysing the traffic flow on their own network. In practice this means deep packet inspection (DPI) of ALL traffic. DPI imposes some overheads - in order to undertake analysis and extraction of data without impacting on user experience will require real-time inspection with substantial processing demands. That is expensive. Well, at least the Govt. recognise this as the potential costs are estimated in the consultation as £2 Billion (yes, that’s right, 2 BILLION pounds).

The technical limitations are not the only concern. For CSPs to effectively read each and every packet will require substantial changes to current legislation. In effect, what will be required will be the electronic equivalent of opening mail, checking the contents and storing data. It is illegal to intercept the post, it is illegal to intercept traffic in a communications environment. Clearly the intention of the Government is to change the legal position to allow CSPs to analyse traffic and to retain data.

At present, there may be some inspection going on at CSP level in order to identify traffic types and to prioritise traffic flow - packet shaping. This is used to control use of high volume services such as peer to peer transfer. What is currently done is relatively simple compared to what may be required - traffic packets are checked to see what the type of data is and automatically routed or controlled as a result. The plan is for data to be read and then recorded and retained - and for the data to be retained for 12 months.

Now we can see an advantage for the Govt. in making CSPs retain the data. If there is a leak of data then it will be the CSPs at fault and not the Govt. Govt. agencies (national security, law enforcement etc.) will only become involved when they request data to be transferred from the CSP store.

The single centralised database has become a decentralised, distributed store of data. Once you set those up, the next step is to look to see how they could all be linked. We know that the Govt. views the single database as being the best option (and the cheapest). What they are going to do is to plan a distributed store that may circumvent privacy concerns, will be more expensive but will still store the same information. And that is going to be far more than is currently retained.

Privacy watchdogs will just be sharpening their claws - they will need them.

May we live in interesting times ……!

The next week (week beginning 27th April 2009) appears to have the makings of a rather interesting time. Perhaps the ancient Chinese proverb was indeed close to the truth.

Later this week we expect the Home Office to publish details of the Intercept Modernisation Programme and the Communications Data Bill. Readers will remember that the Bill was originally trailed in the Government’s Draft Legislative Programme published in summer 2008 but was quietly dropped from the Queen’s Speech later in the year for ‘ additional public consultation.’

Well, it seems that time for consultation is here and we now expect the Home Office to publish the consultation document and details of the Intercept Modernisation Programme (IMP). The Daily Telegraph today (Saturday 25th April) printed a front page story to indicate that the consultation will resurrect the ideas of a single centralised database to hold details of all telephone calls, emails, web access etc. The Telegraph reports (in print - it does not appear on their web site - why not?) that the Information Commissioner has reiterated his opposition to the database, indicating that he considers this to be a major intrusion into privacy.

The Government, of course, appear to be trotting out the same old story - we need to monitor web access, email etc. in order to track terrorists and serious organised crime. And, if recent performance is anything to go by, also those sending their children to school and those ‘allowing’ their dogs to foul the pavement.

There are fundamental issues of privacy and rights of the individual at stake here. The current authoritarian and nanny obsessed government simply cannot be allowed to rail-road this legislation through. Remember the sentient words of Benjamin Franlink in 1775, ‘Those who give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety.’

What we need is a little real risk assessment and some real truths - not the one-sided ‘business case’ that we have seen with other consultations. This is a fundamental issue of rights and the ability of the Government to spy on its own citizens. Levels of control as are being suggested have only existed in the most heinous totalitarian regimes - we cannot sleep walk into allowing a British government to overturn centuries of hard won reforms for a short term gain. As Franklin suggests, the cost to the people is just too great.