Evidence for Investigatory Powers Review
Via
email to: independent.reviewer@brickcourt.co.uk
Contents
"Evidence
for Investigatory Powers Review"
This Review needs access to all the RIPA
Commissioners' Annual Report Confidential Annexes
Technology used for snooping has changed since
2000
Stingray IMSI catcher interception is not
covered by RIPA
Confusion and buck passing between the RIPA
Commissioners' Offices
Global Positioning Satellite data
SmartPhone tracking without involving
Communications Service Providers
Google Glass and Augmented Reality heads up
displays, FR & ANPR
Why are there no Criminal Penalties for abuse
of Communications Data ?
IoCC inspection of Prisons has no statutory
basis under RIPA or DRIPA
Amended RIPA should repeal non-RIPA statutory
powers
RIPA Part III access to Cryptographic Keys
Financial Regulators and Cryptographic keys
Tipping Off Secrecy and Warrant Canaries
This
Review must be given access to all of the Regulation of Investigatory Powers
Commissioners' Annual Reports, including their Confidential Annexes, if it is to have any public credibility.
GCHQ Tempora - mass surveillance tapping
of undersea fibre optic communications cables
-
"full take" 3 days
- MetaData / Communications Data 30 days
Mobile
Phones have become SmartPhones i.e.
also powerful hand held computers connected to the internet and other
non-telephony related radio networks like WiFi, BlueTooth, NFC and (listen
only) GPS. They can also include physical sensors such as accelerometers and
fingerprint readers, which may generate personal data.
You may
have read the Spy Blog post with this title.
In the
stupid, rush to pass the Data Retention and Investigatory Powers Act, without
proper scrutiny, the Home Office and Parliament appear to have legally crippled
the Retention of Mobile Phone Location
Data, by only including the Start
Cell ID and not any Intermediate or
End Cell IDs in in the "strict" Schedule
of Relevant Communications:
Mobile Phone Call Detail Records /
Charging Detail Records both the Cell ID at the Start of a
communication and the Cell ID at the End of the mobile phone
communication.
Some systems actually record the Start
and End Cell IDs of both the Recipient of a voice call or SMS text
message and that of the Sender if they are also using a mobile phone.
We think therefore, that these new Regulations make it illegal for
Mobile Phone Network Operators to hand over the "Cell ID at the End
of a communication", or any of the potentially dozens of Intermediate
Cell ID locations which a mobile phone on the move is likely to generate
between the Start and the End of the communication.
If Spy Blog worked for the Police or the
Intelligence Agencies, we would be furious with the Home Office for such
legislative bungling, which actually reduces the useful Communications
Location data from Mobile Phones, which they have access to at present.
It is also unclear if this error applies
to not only 12 month old Retained Communications Data (which the Home Office
have never been able to cite a single criminal case where this led to the
investigative breakthrough in identifying the criminals c.f. the previous Spy Blog article) but to any demand for
Communications Location Data. even narrowly targeted, very recent or real time
Location Data demands.
Perhaps the Home Office sophists will
try to claim that this is all still somehow covered by the broader 2009
Regulations definitions, but these are repealed by the 2014 Regulations and the
new more restricted Schedule in the Provisional Regulations (if passed) must be
what "Parliament intended".
https://en.wikipedia.org/wiki/IMSI-catcher
N.B. If
these "fake mobile phone base stations" are used for "man-in-the-middle"
interception attacks, they can and do interfere not just with telephony Voice calls, but also with Data e.g.
·
SMS text messages
·
Internet IP connectivity which is possible
even with "old" tech GSM phones and is certainly so with 3G or 4G
SmartPhones or data dongles
i.e. their
"legal" use falls foul of the amendments brought in to the Computer
Misuse Act 1990 by the Serious Crime Act 2006 which criminalise Denial of
Service attacks, even "reckless" ones
Unauthorised
acts with intent to impair, or with recklessness as to impairing, operation of
computer, etc.
http://www.legislation.gov.uk/ukpga/1990/18/section/3
3A.Making,
supplying or obtaining articles for use in offence under section 1 or 3
http://www.legislation.gov.uk/ukpga/1990/18/section/3A
These
devices also seem to be radio devices operating without a licence on heavily
regulated parts of the radio spectrum reserved for the Mobile Phone Network
monopolies i.e. their use is an offence under the Wireless Telegraphy Act 2006
The
Metropolitan Police have so far refused FOIA requests on the topic of IMSI
catchers using the "Neither Confirm Nor Deny" trick
The
refusal by the Police to answer any questions about IMSI catchers gives rise to
the suspicion that they are being operated illegally, without a proper Licence
in contravention of the
Wireless
Telegraphy Act 2006
http://www.legislation.gov.uk/ukpga/2006/36/contents
Incredibly
the Interception of Communications Commissioner's office claims that IMSI
catchers (which can only work by actively intercepting the communications
between a Mobile Phone network Base Station and a mobile phone handset) is
somehow the responsibility of the
Office of
the Chief Surveillance Commissioner
c.f. the
twitter thread:
https://twitter.com/josephfcox/status/499870790507331585
especially
@josephfcox
@rj_gallagher the @metpoliceuk could be
breaking #RIPA
& #CMA
(DoS) Where is @iocco_oversight
inspection of IMSI catchers ?
@spyblog
@josephfcox @rj_gallagher such
equipment (if used) would not be authorised under P1 RIPA - so not IOCCO role
to oversee
@spyblog
@JoCavan @rj_gallagher @iocco_oversight
Jo told me it was the office of surveillance commissioners under RIPA 2
The use
and authorisation of such powerful interception and denial of service
technologies, which are not operated
by the Communications Service Providers
but by the Police and others themselves directly, needs to be brought within a
revised RIPA.
In the
very few, narrowly defined circumstances where these IMSI Catchers need to be
used operationally (e.g. in a real time, tactical hunt for suspected Mobile
Phone activated explosive devices), then a revised RIPA needs to amend the
Computer Misuse Act and the Wireless Telegraphy Act accordingly and there needs
to be:
1.
Proper, proportionate authorisation, for the
Police, intelligence agencies and the UK Military
2.
A ban on Foreign (allied) Military or
(friendly ?) Intelligence Agency or Police IMSI catcher snooping in the UK
unless under the control and responsibility of named UK officials.
3.
A Statutory Code of Practice
4.
Auditing of every use of IMSI Catchers by a
RIPA Commissioner, ideally before they are used, but with the provision for
immediate notification after their emergency tactical deployment and use.
5.
Reporting on any collateral damage effects
e.g. disruption of 999 Emergency Service telephony or the Mobile Phone Internet
service of people not being specifically targeted
6.
Financial compensation for such disruption
N.B.
flying IMSI Catchers in aircraft or drones in secret, like the Metropolitan
Police Service appear to do, is not proportionate,
even for terrorism investigations.
The SS7 worldwide telecommunications standards allow mobile phone
locations to be tracked in secret, from anywhere in the world, with a little
cooperation from telecommunications companies.
http://berlin.ccc.de/~tobias/25c3-locating-mobile-phones.pdf
There are also commercial companies which offer this service.
The RIPA Interception of Communications Commissioners' public Reports do
not mention this at all, so the public and Parliament do not know to what
extent the Police and Intelligence Agencies and other Public Bodies try to get
around or evade the supposed Single Point of Contact (SPoC) system and
automated gateways for handling official requests for Communications Data.
The Police
in Germany and the Netherlands use the technique of sending "silent SMS
pings" to locate target mobile phones, hundreds of thousands of times a
year.
http://en.wikipedia.org/wiki/Short_Message_Service#Silent_SMS
It is inconceivable
that the UK Police and Intelligence agencies do not do the same.
This is not the same as the RIPA Communications
Data record requests for Retained Call Detail Records which are partially
audited by the Interception of Communications Commissioner.
The public
must assume that this practice is used to evade and circumvent the very narrow
RIPA audit criteria used by the Interception of Communications Commissioner, who
has never reported on these practices in public.
Technology has moved on since 2000 and there are now millions of Global
Positioning Satellite devices in the hands of ordinary consumers, be they dedicated
GPS devices for hikers or sportsmen, or in car navigation systems or are built
in to various models of SmartPhone etc.
There does not seem to be any laws or regulations which cover the use or
abuse of GPS devices or data.
Vehicle attached GPS bugs are used by the Police and by Private
Investigators and by jealous ex-spouses, stalkers and other criminals to track
their targets or victims.
There is no clarity from the Chief Surveillance Commissioners' public
Annual Reports as to how often such devices are used, or if their use is
audited at all.
There are no criminal penalties for the abuse of GPS tracking data, which
there should be.
SmartPhone Apps can make use of the Accelerometers built in to many
models of handset , used primarily to flip the display between portrait and
landscape, depending how you orientate the phone.
However they are also used by the health conscious in the form of running
or cycling Apps often linked to online maps and to GPS.
The potential for intrusion and tracking of innocent people is
illustrated by the aggregated data from one of these Apps which was published
in the aftermath of the recent earthquake near San Francisco, which showed
thousands of subscribers being woken up early in the morning.
The Police or other investigators must not be allowed to exploit such
data without a framework of regulation, which RIPA currently does not provide.
·
WiFi MAC addresses
tracking
·
WiFi Access Point
automatic connection attempts
·
BlueTooth MAC
address tracking
·
NFC tracking
·
IMSI tracking via
Software Defined Radios
These radio based technologies are built in to many models of SmartPhone
and they can all be time, date, location tracked and mapped.
e.g. The City of London had to ban the enterprising scheme by Renew
London which tracked and mapped (without their explicit prior permission) the
MAC addresses and movements of SmartPhone users passing by 200 or so WiFi enabled rubbish / recycling
bins
http://www.bbc.co.uk/news/technology-23665490
http://qz.com/112873/this-recycling-bin-is-following-you/
The tracking of SmartPhone handsets using these technologies should not
be a "legal grey area", it should be clearly defined by an amended RIPA
Fingerprints
are used on some models of Mobile Phones and Laptop Computers as an extra
locking mechanism.
Where such
biometrics are used they may sometimes be checked against a central data base
via data communications protocols. e.g. the Police's own Project Lantern
roadside fingerprint scanners
RIPA &
DRIPA must be amended to make it very clear that access to any non-telephonic
Communications built in to SmartPhone hardware or downloadable software Apps,
should not be treated as Communications Data but as Intercept.
Google Glass demonstrates the power of internet connected wearable
computers with built in camera , microphone and other sensor technology.
The public rightly objects to the sneaky use of such Body Worn Video
for personal privacy and for commercial copyright reasons.
The technology also has the potential for Facial Recognition and Automatic
Number Plate Recognition, but RIPA is incapable of dealing with such multi-use
technology , especially if the systems are pointed at crowds of people
- is a Direct or Intrusive Surveillance authorisation needed ?
The RIPA Surveillance Commissioners themselves have raised, in more than
one Annual Report, the question of whether Directed Surveillance authorisations
are required for CCTV traffic cameras and those fitted with Automatic Number
Plate Recognition software
RIPA needs to be amended to provide clarity, backed up by legal penalties
for misuse, which the powerless (non-RIPA) Surveillance Camera Commissioner
does not provide.
https://www.gov.uk/government/organisations/surveillance-camera-commissioner
Mobile
Phone Location Data is immensely privacy intrusive, it is exactly the
technology used by the Home Office in electronic tagging of offenders on bail
etc.
Some
Public Bodies such as Fire and Rescue Services should be allowed to have
instant, real time access to Mobile Phone Location Data to locate genuine 999
emergency callers and to try to filter out or alert themselves to fake 999
calls. Fire engine crews all too often come under physical attack, either from
bored "ASBOids" or by criminals especially during riots.
However
Fire & Rescue Services should not be allowed to have access to the
back history of locations which can be revealed by Mobile Phone Location Data,
as used by electronic tags etc.
RIPA is
currently all or nothing in this regard: either a Public Body has full access
to every kind of Communications Data, including Location Data and Friendship
Trees or it is restricted to just Subscriber Details or to no access at all.
Communications
Data is at least as intrusive / useful as Intercept and sometimes even more so,
especially against real criminal or terrorist or spy targets who use
pre-arranged verbal codes or rare foreign dialects.
The 2
years in prison criminal penalty for illegal Intercept should also apply to
abuse of Communications Data. There must be no automatic exemption from this
for Police or Intelligence Agency or Military or other Central or Local Government
or other Public Body officials.
The
Interception of Communications Commissioner spends considerable time and
resources inspecting various Prisons, and so he should.
However
there is no statutory basis whatsoever for him to do so under RIPA or
DRIPA, it is just mission creep which started when Gordon Brown was Prime
Minister.
IoCC
inspections of Prisons and Detention Centres should also, by law, report on the
numbers of illegal Mobile Phones seized in each Prison and on and on the effectiveness
of any visitor and staff body scanners and on any phone jamming systems
installed. They should also report on any collateral damage to the surrounding
areas, especially regarding emergency 999 calls, which such jamming or
shielding may cause.
It is no
wonder that there is little or no public confidence in the transparency of the
secretive RIPA Commissioners i.e.
Intelligence
Services Commissioner
Interception
of Communications Commissioner
Chief
Surveillance Commissioner
Surveillance
Commissioners
when they
are exempt from the Freedom of Information Act,
in spite of meeting not just one, but both of the Conditions for
listing in Schedule 1 of the FOIA.
http://www.legislation.gov.uk/ukpga/2000/36/section/4
There are
massive exemptions under FOIA which would allow them to protect any sources and
methods which need to remain confidential, but there are plenty of
non-sensitive FOIA requests about e.g. their own budget and staff resources
etc. and number of complaints dealt with etc. which the public should be
allowed to request under FOIA.
The
Freedom of Information Act should also apply to the secretive Investigatory
Powers Tribunal
Other
Government Departments have continued to use or abuse their own Statutory
Powers when conducting Investigations.
The most
notorious example is the Department for Work and Pensions, which uses the
Social
Security Fraud Act 2001 (passed after RIPA)
http://www.legislation.gov.uk/ukpga/2001/11/contents
to gather
Communications Data, mostly Subscriber Details, without going through the
Single Point of Contact (SpoC) system set up for the Police and other consumers
of Communications Data.
They seem
to do this out of sheer bureaucratic empire building and to avoid having to pay
the small handling fee which the CSPs charge.
It is
vital that DWP and others are forced to use RIPA and the hopefully new, better
Regulation and Audit scheme which your Review will precipitate.
Amended
RIPA should forbid DWP from using the Social Security Fraud Act 2001 and force
it to use RIPA instead, as they refuse to do this voluntarily.
Before
they were abolished, the Financial Services Authority head was supposed to be
"consulted" if a lowly Police Constable threatened the "economic wellbeing of
the United Kingdom" (i.e. a threat to National
Security) by disproportionately issuing a RIPA section 49 Notice for the
secret cryptographic key(s) of say an Internet Bank 's secure web server.
These have
thousands or millions of customers whose details would be affected, leading to
loss of business confidence, a possible run on the bank and perhaps large scale
financial fraud.
This
cannot be proportionate, even for a potential mass murder plot terrorism
investigation.
The
current replacement Financial Regulators, the Financial Conduct Authority and
the Prudential Regulation Authority should be formally given a role and a veto in such RIPA Part III section
49 Notices aimed at regulated financial institutions.
Astonishingly, the RIPA Commissioners' Reports, where they do deal with
RIPA Part III Investigation of electronic data protected by encryption
etc.
http://www.legislation.gov.uk/ukpga/2000/23/part/III
never seem
to be able to compile up to date figures for the (rare) use of this power,
there is always some delay or the Prosecution or the Court system does not pass
on the details in time etc.
This is not the way to instil public trust in
the RIPA system.
All the
RIPA Commissioners should publish running totals monthly of their statistics, on their public websites, which they
can then revise if necessary, just like the Financial Regulators do.
Your
Review should take expert evidence about the RIPA section 49 secrecy powers and
the section 54 Tipping Off offences
http://www.legislation.gov.uk/ukpga/2000/23/section/54
and the
implications of the extension of territoriality brought in by the rushed
"emergency" DRIPA legislation, which do
not seem to me to be limited to just RIPA Part 1, but also apply to RIPA Part
III Encryption keys.
Foreign
companies, especially those in the USA , may operate a Warrant Canary
http://en.wikipedia.org/wiki/Warrant_canary
RIPA /
DRIPA needs to provide legal clarity as to the legality of this in the UK or
else we will suffer economic damage.