"But why did we not breakfast at the Parpaillot?"
"Because we have very important matters to communicate to one another, and it was impossible to talk five minutes in that inn without being annoyed by all those importunate fellows, who keep coming in, saluting you, and addressing you. Here at least," said Athos, pointing to the bastion, "they will not come and disturb us."
"It appears to me," said d'Artagnan, with that prudence which allied itself in him so naturally with excessive bravery, "that we could have found some retired place on the downs or the seashore."
"Where we should have been seen all four conferring together, so that at the end of a quarter of an hour the cardinal would have been informed by his spies that we were holding a council."
"Yes," said Aramis, "Athos is right: animadvertuntur in desertis."
"A desert would not have been amiss," said Porthos; "but it behooved us to find it."
"There is no desert where a bird cannot pass over one's head, where a fish cannot leap out of the water, where a rabbit cannot come out of its burrow, and I believe that bird, fish, and rabbit each becomes a spy of the cardinal. [...]"
During the Parliamentary summer recess / news "silly season" the Home Office are going through the motions of Yet Another Public Consultation.
This one is entitled: Consultation: Transposition of Directive 2006/24/EC (.pdf - 47 pages)
This title seems to be deliberately obscure, but it is in effect about the planned increase in Mandatory Data Retention of Communications Data . This follows on from the European Commission's "policy laundered" Mandatory Data Retention scheme, which affects the 450 million people in the European Union states, but which was steered through the EU bureaucracy by the then British Home Secretary Charles Clarke, during pne of the the UK's 6 month turns at the presidency of the EU.
Several of the larger EU countries cried off fully implementing this scheme for 18 months, but they all implemented the bits dealing with conventional landline telephones and faxes, and mobile phones, as of 1st October 2007 - see SI 2007 No. 2199 ELECTRONIC COMMUNICATIONS The Data Retention (EC Directive) Regulations 2007
Included in the Consultation Document is a new Draft Statutory Instrument, which rolls up all the provisions of that SI 2007 No. 2199, and adds in the vague terms "internet access" and "internet e-mail" and "internet telephony", without clarifying exactly what they mean in detail.
N.B. there is no Data Retention of web site URL visits under this proposed implementation of the European Commission scheme,
However, that does seem to be the way in which the Home Office is dreaming, as part of the Interception Modernisation Programme
See The Register - UK.gov to spend hundreds of millions on snooping silo and, back in July, when Information Commissioner mildly criticises the Home Office's centralised communications traffic database plan
We have heard from people who have attended Home Office briefings to ISPs and Telcos, and they really do seem to imagine that they can inflict a massive secret database, which includes the content of emails etc. as well as the Communications Data logfiles, and that they can get industry to pay for most of it.
As is usual with Home Office documents which mention technology and the law, the examples given, seem to be"finger in the air" hand waving propaganda, without any quantitative figures or even guesstimates about their frequency, and there is a general vagueness about the technological details of what is, and what is not, being regulated.
One of the examples quotes a Media Access Control (MAC) address, as being the way in which a criminal was traced,
e.g. on page 9:
The investigators acquired internet related data (MAC address and consequential subscriber information) from the service provider which indicated the use of a lap top computer and premises from where the suspects had logged onto the internet when posting the advertisements.
However neither the European Commission Directive, nor the Draft Regulations make any mention of MAC address log files at all.
Be very clear, this is not a Public Consultation on the Communications Data Bill which was promised in the Draft Legislative Programme back in May 2008 - see Communications Data Bill announced
The main elements of the Bill are:
- Modify the procedures for acquiring communications data and allow this data to be retained;
- Transpose EU Directive 2006/24/EC on the retention of communications data into UK law.
Why then is this second "main element" of the Bill being implemented not through the Primary Legislation of a new Act of Parliament, as promised in May, but through Secondary Legislation, via a Statutory Instrument under
Draft Regulations laid before Parliament under paragraph 2(2) of Schedule 2 to the European Communities Act 1972, for approval by resolution of each House of Parliament
This means that there can be no Opposition Amendments, the House of Commons and the House of Lords will simply "rubber stamp" the Order, on a "take it or leave it" basis, perhaps without even any "debate" on the floor of their respective Chambers, but in some Committee room, with only a dozen or so legislators present.
The new bits of Mandatory Data Retention which will come into force in March 2009 are:
Data to be retained: internet access, internet e-mail or internet telephony
7. The following data must be retained as respects internet access, internet e-mail or internet telephony--
A. Data necessary to trace and identify the source of a communication:
(a) the user ID allocated;
(b) the user ID and telephone number allocated to the communication entering the public
(c) the name and address of the subscriber or registered user to whom an Internet Protocol (IP) address, user ID or telephone number was allocated at the time of the communication.
B. Data necessary to identify the destination of a communication:
(a) in the case of internet telephony, the user ID or telephone number of the intended recipient of the call;
(b) in the case of internet e-mail or internet telephony, the name and address of the subscriber or registered user and the user ID of the intended recipient of the communication.
Presumably "internet e-mail" means SMYP or POP3 or IMAP mail protocols and does not include , say, X.400 email systems or older "store and forward" email systems ;ike cc:Mail or the original Microsoft Mail, or IBM mainframe PROFS etc. over dialup or leased line connections.
What about the whole world of Instant Messaging ? Under this wording, it all seems to be exempt from being logged at all.
C. Data necessary to identify the date, time and duration of a communication:
(a) in the case of internet access--
(i) the date and time of the log-in to and log-of from the internet access service, based on a specified time zone,
(ii) the IP address, whether dynamic or static, allocated by the internet access service
provider to the communication, and
(iii) the user ID of the subscriber or registered user of the internet access service;
Just how useful is this nowadays, when , for example, BT has about 3.4 million broadband customers, most of whom leave their BT Home Hubs connected to the internet 24/7 ?
The actual user of such a broadband / WiFi internet gateway, is not necessarily the subscriber who pays the bill.
(b) in the case of internet e-mail or internet telephony, the date and time of the log-in to and log-off from the internet e-mail or internet telephony service, based on a specified time zone.
This does not necessarily tell an investigator that a particular person, was at a particular computer , at a particular time. Many email systems connected to broadband or other always on connections, periodically log into and download emails, say every 10 minutes or so, automatically, whether anyone is sitting at a computer or not.
D. Data necessary to identify the type of communication:
(a) in the case of internet e-mail or internet telephony, the internet service used.
E. Data necessary to identify users' communication equipment (or what purports to be their equipment):
(a) in the case of dial-up access, the calling telephone number;
(b) in any other case, the digital subscriber line (DSL) or other end point of the originator of the communication.
Section 13 Data retained by another communications provider, means that smaller or subcontracted "boutique" telcos or isps, need not actually do any of the logging, provided that their upstream providers do it.
This is all very well in theory, but it adds an extra layer of "reasonable doubt" into any attempt to use such Communications Traffic Data logs as evidence in a Court of law, especially if an isp or telco has multiple upstream providers or commercial partners, some of whom are likely to be international companies.
Some Obvious Technical Questions about "internet telephony":
- What exactly does "internet telephony" mean in terms of the logfiles which must be kept ?
- What about Skype ?
- What about the Peer to Peer aspects of the Skype Protocol ?
- What about the Session Initiation Protoco (SIP) used in so many corporate Cisco VoIP phones ?
- Does "internet telephony" include video conferencing protocols like H.323 which is potentially available to millions of Windows computers which have NetMeeting installed by default ?
- What about old skool stuff like CUSeeMe Reflectors ?
- What about Flash version 6 and above which can access your Web Camera (with or without sound) ?
- What about various shared desktop and Groupware programs which allow for collaborative working, say on the same Microsoft Excel spreadsheet between remote locations ?
Most of these protocols use dynamic port allocation, often using lossy UDP rather than TCP, since the occasional glitch in a video or audio stream is something which humans can compensate for mentally.
Skype, for instance uses the very common Web browsing / serving ports 80 and 443 , plus a seemingly randomly selected high port above 1024, and various calls to NTP time servers etc.
In order to monitor Skype VoIP telephony, does all internet traffic have to be monitored and Deep Packet Inspected in order to find the telephone number ?
How exactly does
- Data necessary to trace and identify the source of a communication
- Data necessary to identify the destination of a communication:
- Data necessary to identify the type of communication:
- Data necessary to identify users' communication equipment (or what purports to be their equipment):
apply to encrypted protocols, and to gateways or proxies which do Network Address Translation (i.e. the majority of home or office broadband ethernet / WiFi routers or connection sharing PCs with ADSL modems) ?
In order to properly fulfill those requirement, then would there be a need for retention of Cryptographic Session Keys ?
However, this would contravene Section 4 (5) of these Draft Regulations:
(5) No data revealing the content of a communication is to be retained in pursuance of these Regulations
page 42 Explanatory Notes says:
7.1. The Directive makes no provisions for imposing sanctions on those public communications providers who do not comply with the requirements.
So, in theory, a telecommunications company or internet service provider could tell the Home Office that their proposed data retention / snooping plans for, say, "internet telephony" are unworkable, and there is not much that they can do about it.
Our previous suggestions, in the summer of 2006, regarding the RIPA Part I Chapter II consultation - Acquisition and Disclosure of Communications Traffic Data consultation on the Revised Statutory Code of Practice, were not only ignored, but the Government went ahead and implemented some of the policies they were pretending to consult about, via an Order which was published and came into force during the 12 week consultation period itself.
We are therefore reluctant to actually waste the effort of formally replying to this Consultation, but if you are so inclined, then
7.1. Please send all responses to this consultation by 31 October 2008:
- By e-mail: firstname.lastname@example.org
- By post: Andrew Knight, Home Office, 5th Floor Peel, 2 Marsham Street, London, SW1P 4DF.