Spy chiefs size up net snoop gear

The security minister has confirmed officials are considering installing technology that could enable on-demand wiretapping of all communications passing over the internet by the intelligence services and law enforcement. Lord West told Parliament on Monday that civil servants working on the Interception Modernisation Programme …

COMMENTS

This topic is closed for new posts.
Bronze badge

Let's cut to the crunch

If this equipment is installed, it will be abused. Not by the police, not by the security services, but by people who gain access to it either by hacking or bribery.

It would be simple to assess which connections are used by preteens and then to eavesdrop on those specifically. Or to assess which connections are used by company directors and intercept sensitive data. Emailed a holiday firm? Cool, joe housebreaker will pay for that information...

The government does not need this to be easier. The bad guys do and will benefit greatly from these plans.

0
0
Stop

DOES NOT WANT!

When will this government realise that the solution to anything (with the possible exception of a budget underspend) is not to throw computers and money at it?

If GCHQ/MI6 want to catch 'terrorists'* then they should go out and do some damn work and not wait for the Master Computer Programme to flag up suspects automatically.

Roll on GE Day ...

* terrorists here is in inverted commas because the only actual terrorists, i.e. someone who rules through fear and instills terror in the general populace is in fact the current government (and possibly the Daily Mail).

0
0
Unhappy

OK then

This is all beginning to make sense now. Phorm, the BT trials, government officials with shares in the company, it all fits. The UK government would never have been able to take any meaningful action against Phorm/BT because that would be admitting that their own plans for the technology were unethical. Very interesting indeed. It would seem that BT and other ISPs considering this technology are the least of our worries.

0
0
Alert

Well, this confirms what I thought

Why wasn't legal action taken against Phorm/BT for the illegal trials of DPI? It's obviously because the government want to use the same technology, but with someone else paying for testing.

0
0
Jobs Horns

Encryption! Encryption! Encryption

*runs around a stage shouting Encryption like that big ape from Microsoft*

Don't the Government know? We are becoming more and more suspicious of them as they do more to keep an eye on us. We will be moving more to encryption. The whole of web traffic at some time will be encrypted in a way it can't be snooped on.

Now we know why they won't do anything about Phorm.

Why they will push the Uberdatabase

0
0
Anonymous Coward

And so...

the spy chiefs give birth to massive increases in encrypted internet traffic.

0
0
Alien

one for all, all for one

What would happen to the use of VPN where the server itself is outside of UK jurisdiction? As this could mean that no real address is visible from outside and all communication address pattern would have to be got at through DPI?

What if the VPN uses high level encryption? Yes I understand that this could be broken with time.

What if this usage of VPN becomes the norm as a result of people not wishing to have a willy nilly easy access study of their personal communication behaviour. Would there be resources to match the inevitable rise of speed of development of encryption technologies that would follow? Yes so it is assumed that people will have to give up their encryption keys. Will everyone have to give up their encryption keys etc as due diligence in their everyday surfing - just in case they would turn out to be criminals later? Or would it be required to give away encryption keys as a result of court order? Would this not be of rather limited use as it would be unhelpful "after the fact" (try to ask some suicide bomber for the encryption key - especially after they've blown themselves up; or ask a criminal for their encryption key after they left the country etc).

and so on... it appears to be difficult to see the real value for any justified intervention in many cases. Although there would appear to be a significant risk for the societal abuse and harassment of the common and innocent member of society.

0
0
Flame

<title>

"The equipment can monitor everything in each data packet passing its location in the network, allowing both "the lawful acquisition of communications data" and the "the lawful interception of communications"."

Ha ha ha ha ho ho ho ho ha ha ho ho ha ha ha <repeat>

0
0
Black Helicopters

Worth reading

James Bamford's book Shadow Factory covers the secret implementation of deep packet inspection by the NSA - is quite an interesting book. He was one of the first authors to write about the NSA (Puzzle Palace, 1983).

http://www.amazon.co.uk/Shadow-Factory-Ultra-Secret-Eavesdropping-America/dp/0385521324

more reviews on the amazon.com link:

http://www.amazon.com/Shadow-Factory-Ultra-Secret-Eavesdropping-America/dp/0385521324

0
0
K
Bronze badge

lol ...

You guys only now crying foul with Phorm, you're a bit slow.. this has been on the cards since day 1.

0
0
Anonymous Coward

Nobody wants this but Stasi Smith

MI6 and GCHQ staff are often caught leaking embarrassing secrets, so they must be the most watched people of all. I bet they don't want their home emails and web watched too.

So no, I bet they DON'T want this, I bet it's just a few power hungry leaders at the top that want this.

I bet ordinary people don't want it either, I bet even trying to scare them about exaggerated threats isn't enough to make them want it. That's why JS claims it is 'to maintain capability' as though they ever had such a device of mass surveillance.

I think this belongs in the Soviet Union and in China and corrupt dictatorships modelled on the Stasi, not the UK. When the Stasi existed, they could only collect information they could store on paper, now Stasi Smith can collect millions of times more data and index it much more efficiently, and she seems to want to.

In the short space of NuLabour, the largest databases have gone from 100Gb to Petabytes. None of this is pre-existing.

When CCTV cameras become high resolution and face recognition improves, and spy cams in the home become possible (already happens that software secretly records your webcam), everything you do and everywhere you go and every person you meet and everything you say and perhaps even your thoughts at the time can be monitored for compliance with some batty old cow's view of a 'good citizen'.

At what point do we draw the line?

0
0
Anonymous Coward

Surprised

No-one has come up with a Firefox plugin that automatically looks to see if a site is running SSL and defaults all connections to use it.

0
0
Stop

Legal my arse...

"The equipment can monitor everything in each data packet passing its location in the network, allowing both "the lawful acquisition of communications data" and the "the lawful interception of communications"."

Legal?!?!? Erm Europe don't think so...

Are you getting the same mystery legal advice as BT?

0
0
Joke

spam :-)

Suddenly, the fact that 85% (or 97% or whatever it is) of email is spam does not seem so bad.

0
0
Anonymous Coward

Re: surprised

NoScript can be set up so that all requests are made on https.

0
0
Black Helicopters

Repetition don't make it so

Anyone else noticed how this mob repeatedly stress the word "lawful" as though just saying it often enough'll make it so?

0
0
Black Helicopters

Good luck monitoring my mail server

3 million emails a month. 500 are genuine, the rest are spam. If GCHQ/MI5 want to trawl through that lot let alone store it then good luck to them.

0
0
Black Helicopters

Hmmmm

Sounds familiar

1984 anyone?

0
0

While we are at it...

have a look here

http://www.statewatch.org/

regarding the data retention directive

and pull this one down

http://www.statewatch.org/news/2009/apr/eu-council-swedish-iInitiative-guidelines-8083-09.pdf

and search for the word census, on page 107

0
0

@AC and https

HTTPS is meaningless. With control of the network it's easy to MitM it. You really need a proper client-certificate based VPN to somewhere sensible. Like china...

0
0
Gold badge
Flame

MI5/6 and GCHQ *want* the database as well?

Despite the US research (I think it was the NSF) indicating that the idea that by using previous known terrorists contact pattern (contacts, calling pattern and duration) and running it against the database (and remember that full web page addresses can get very long and must be stored) is both shaky in theory (the whole 6 degrees of separation meaning nearly everyone can fairly easily be linked to a "terrorist") and logistically impossible. A's only known call is to B. Is A just very sad? Just got a phone (of any kind)? How paranoid do you want to go here?

Does this mark the first actual on-the-record statement about the Govt. IMP?

Of course if your objective is a system of communications tapping (mobile, land, email) on demand then it's just what you want.

And remember that £12bn is only an estimate, not a budget. Or roughly £3m per each of the 4000 MI5 say they are watching. Pre 7/7/5 this system might have saved the 57 people who died, including one completely innocent Latin American electrician who would not be being followed by armed police with orders to shoot to kill. About £210m a life.

0
0

On a hiding to nothing

"3 million emails a month. 500 are genuine, the rest are spam. If GCHQ/MI5 want to trawl through that lot let alone store it then good luck to them."

Seems to me that the real criminals/terrorists could use that to their advantage. What better place to do a bit of steganography?

0
0
Stop

@Surprised

As I understand it, SSL is only as secure as the root key of the signing company. If the government has that, they can Man-in-the-middle your @ss off, and you'd never know. So. How much do you trust verisign et al to keep it secret?

0
0
Stop

Perspective

Not long ago, in the pre-digital age (50% of El Reg readers switch off), all international telephone calls went through specific exchanges in London where the calls were easily tapped by GCHQ.

We should be cautious but not completely resistant to Government monitoring.

Of more concern is Phorm who are uncontrolled and will sell the data to the highest bidder.

Phorm seem to have influenced the ICO that Opt Out is OK rather than explicit Opt In. Watch for real rebellion by those who know the implications of this.

We will never be able to stop GCHQ / the NSA from monitoring what we do, we should just be cautious and make sure there are good measures.

We should do all we can to stop private companies snooping on what we do.

0
0

Comparisons are odious

"It does not happen with letters or telephones and it will not with emails."

What does not happen with letters or telephones (sic) is the long-term storage of their contents for later examination.

Lawful? In China, maybe. Oh, I forgot, China's what me old china - Brown - is modelling Britain on.

0
0
Thumb Up

re: spam :-)

They can't possibly think about looking through all of the spam that goes about

..so put "viagra" as the subject to every email you send, then they'll all end up in their spam bin :-D

0
0
Unhappy

Backwards to go forwards.

Fuck this for a game of toast, between Phorm and the Gov I'm going to start using the internet by pigeon from now on.

AC -What else?

0
0

Shills.

The MI5/6 guys and their Home Office shills have struck pure gold with the current Home Secretary. Never before have they had such a gullible and obliging minister to do their bidding for them. It is well-documented that previous incumbents of this office when presented with the latest loony wish-list from the scaremongers would send them packing with an admonition to "fucking grow up", or words to that effect. As a former minister said when he took control of the HO, "It's not fit for purpose". The only thing that has changed since then is that we now have a minister who isn't fit for any purpose on this planet.

As per usual there is no rationale or real world justification for this level of intrusion into people's lives, just the same old NuLabour bullshit spin tactics to cover their abysmal ignorance and stupidity. Everyone knows that the business of seeking out the statistically insignificant few who wish to do us harm is like looking for a needle in a haystack. But we feel nothing but utter contempt when we see those who are charged with protecting us busily engaged in trying to build the biggest haystack in the world.

0
0
Joke

@John Smith

It wouldn't have saved the Latin American electrician unless he used his mobile to check his totally-not-terrorist-linked account. Then there would have been a few hours of processing and a week or so for the data to pass down to the guys with the guns.

Given that he was shot when they thought he was someone else, having his own communications on file would have been utterly useless. It'd not have saved anyone with half a brain as they could use a billion and one untraceable or untraceable-for-all-practical-purposes methods of communication. Stenography. Sneakernets with people carrying microSD cards full of plans in jacket buttons. point-to-point microwave (or directional Wifi) links. Pre-arranged codes. Or just using encryption on their emails, which would defeat this; they'd perhaps know that these people matched a pattern that could almost match up with the limited profile of a terrorist (all the more limited pre 7/7/5 as we felt pretty safe).

So it could have possibly saved a single life. Maybe. If it went outside its spec.

So you're talking about £12Bn (estimated, which means £48Bn) to save no lives and which can be defeated by using an HTTPS connection or talking in code. Or creating a spam email and hiding the message inside the image or an MP3 file. Or shining a laser from building to building.

You've got to wonder exactly what benefit they're getting for their £12Bn- anyone stupid enough to be caught would probably blow themselves up months before they wanted or would be so blatant that they could get caught pretty easily. So either they've got a way to break the common strong encryptions or they're just spying on the normal day-to-day activities of Joe Public. Which is both boring and a waste of time from a security POV. It's only good if you're conducting mass surveillance for some other reason.

Joke alert because it is a joke. Just a very bad one.

0
0
Silver badge

Keystone Cops, SE1 1BD ?

With any luck, they might be able to find some Intelligence at work and then consider purchasing it .... although that could be someone Grooming them and showing them the ropes to this Total Information Awareness Game, where Win Win if you Care to Dare is de Rigeur and Guaranteed if you have the Right Stuff or a Smart Algorithm Leading.

They could certainly do with the Instruction considering the Present Level of Virtual Incompetence .... and yes that is a Specific Direct Criticism. The Cap fits... Wear it.

However, it will always be a case of ..“Reports that say that something hasn’t happened are always interesting to me, because as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns — the ones we don’t know we don’t know.” ...... Donald Rumsfeld.

And they're the important ones you would need to, but probably definitely on a Need to Know basis.

0
0
Thumb Down

It's the first time the government has publicly acknowledged its interest

Next up in the news. We've had capability of doing this for years and someone just let slip that we've been hand in glove with the NSA snoopers. Ooops!

Anyway, you can bet that any LEGAL VPN will be vetted by the gubmint to make sure there is a back door for them to snoop. Ditto for the rest of your software, mate. Email - got it. Phone - got it. Computer - got it. Encrypted - got it. VPN - got it.

We don't have it; you'll be giving up anyway unless you want some time in chokey.

0
0
Silver badge

Nudge, nudge, wink, wink ... say no more, Squire. It is just too painful for words.

"[In MODified Phorms, Mutual Intelligence, MuI7] " .... Virtual Reality and ITs AIMMORPGaming Protocols/NEUKlearer Trigger Secrets. ... http://theregister.co.uk/2009/04/21/oracle_sun_open_source/comments

Not quite so crazy now, eh? :-) Are you Guilty of Misunderestimating what has freely shared with you? Have you any idea how far behind that has left you ...... and one imagines El Reg readers are towards the brighter end of the Trained Animal/Virtual Machine Program.

0
0
Stop

Oh really

"The intelligence agencies have neither the inclination nor the resources, nor the legal ability to monitor the massive amounts of electronic communications that flow through the UK every day."

"Nine years later, the DPI equipment being considered by the government would allow exactly that."

Except it wouldn't.

They can grab them from the ether and they can store them but they can't read all of them, they just don't have enough staff.

...and if they DO decide to start monitoring, how long will it be before their IP range gets made public? They could end up monitoring nothing except DOS attacks from Botnets all round the world...

0
0
Silver badge

@Perspective

There is a difference between being able to tap a limited number of international calls manually and a completely invasive fishing system.

Visit a website that had a GreenPeace ad AND your cell phone was in London during an Earth Day protest = better flag you as a possible anti-government activist.

Then we can check up if you apply for a government job, or log your car number plate if you go within 100mi of a nuclear power station.

0
0
Thumb Down

RE: Perspective

"We will never be able to stop GCHQ / the NSA from monitoring what we do"

That's the spirit! Now hold still so I can implant this tracking chip in your brain.

0
0
Anonymous Coward

@Perspective

"We should be cautious but not completely resistant to Government monitoring."

The principle of warrant first, judicial check, then surveillance in that order is the protection that is being removed here. Governments ARE a threat to their people, as dictatorships around the world show. The principle has a purpose, to protect the people from oppressive government.

The argument that we face some mega threats that justify it is bollocks. Like Iraq WMDs.

The argument that they already had this power is also bollocks, like the Stasi were limited by the amount of paper and number of spies it had in the population, the Government was limited by the number of ears on headsets. Technology is removing those limits. Imagine a Stasi with today's technology.

"We will never be able to stop GCHQ / the NSA from monitoring what we do, we should just be cautious and make sure there are good measures"

They are us! They are not some separate race of people, they are not bacteria we fight with antibiotics. If we decide that enough is enough and this needs curbed then it's not for GCHQ to decide to do it anyway, they should also not take sides with JS even if she rewards them with a big budget to spend.

0
0
Black Helicopters

Minor rewrite required

Surely rather than

> The equipment can monitor everything in each data packet passing its location in the network, allowing both "the lawful acquisition of communications data" and the "the lawful interception of communications".

it should read

> The equipment can monitor everything in each data packet passing its location in the network, allowing both "the lawful interception of communications" and the "the unlawful interception of communications".

Pass me one that time pad, could you ...

0
0
Gold badge
Happy

AC@16:01

Well I did say "probably"

The £12bn figure is the one El Reg has quoted and was also reported in the Independent on Sunday. It seems to have been an off the record Cabinet briefing. As I have said before it gives *no* indication of what part of that is the interception hardware (possibly to be supplied by Detica, formerly "Smith Associates," a BAE subsidiary of whom the head of the SOCA is a non-executive director. By a bizarre coincidence SOCA is also lead agency for implementing IMP and BAE walked away from the Identity Card scheme) and which is the database.

The numbers I gave were an estimate of what it would cost to save 1 life. If that sounds ruthless it's what any government should do whenever it's going to put that kind of loot on the table. I previously worked out (When the MI5 Director said they had about 2000 suspects under observation) that it would buy 24/7 surveillance (3 shifts, 4 person teams, £40k average cost per staff) of *12* years. RoSPA says annually more people kill themselves through botched DIY.

To be clear. I am not against the core IMP in principle. However its implementation without *very* careful safeguards will enable on-demand surveillance of anyone in the UK at very short notice on the sort of pretexts the Home Secretary used to get a Police investigation of a Shadow Minister. It will do so without any help from those nice people at Fort Meade. I am totally opposed to the Wackiness of this central database. Mixing it in with the IMP is deliberate spin. It is neither mandated under the EU data retention directive (which was written in UK) nor needed to carry out the storage for the Directive (which is specifically for matters of national security). Its main feature would be to make policing a police state easier. It will also help make IMP the *biggest* IT project in British government history. And you know the track record for success in the British government's averagely large IT projects.

0
0
Silver badge
Stop

The intelligence agencies have neither the inclination nor the resources...

He missed out the operative word "... yet".

Now they have the inclination and they'll probably very soon have the resources.

All they need after that is a pet Home Secretary who thinks that introducing Stasi-like monitoring of everyone is a good idea...

... oh s$$t, they've already got Wacky Jacqui...

0
0
Coat

The price of privacy and democracy

Will apparently be that of heavily encrypted VPN to servers in countries who either respect both or do not get on with the UK, so a fair choice of locations beyond Europe then. These will be the choices of the sane and the criminal, with the less clued up left debating whether it is wise to vent their spleen about the Labour party via email, messenger, or just about anything that isn't a face to face chat in a large field during a storm.

My only satisfaction is having discussed this with my local (Labour) MP and assured her that I will never, ever vote for her or her party again under any circumstances.

Mine's the one with the Rough Guide to Outer Mongolia in the pocket.

0
0
Silver badge

Scarlett Bitches or Pink Poodles are hardly Sterling Assets, are they?

The Real Smart Virtual Operator doesn't waste Time and Resources on Invasive Monitoring of Communication Sources Searching for Alternate and/or Foreign Intelligence, IT Places in the Open Market Place, Intelligence of ITs Own, which Everyone can Follow and Lead with.

However, that does Require that they have the Intelligence to be AIReal Smart Virtual Operation ....... although that is Significantly Simplified and Assisted whenever the Service can be Easily Purchased Tailor Made/Fit for Future Purpose Off the Peg.

British Intelligence Services? Are there any? Or are they Outsourced to Foreign Agents and/or Private Enterprises which are Sub-Prime Retailers/Phantom Resellers of Recycled Toxic Waste?

It is just not good enough, Ole Bean/Ole Chap/Ole Boy. Be AIdDear, and Fix IT, Darling, while/if you can, or do the Honorable "I am just going outside and may be some time" Thing .

0
0
Anonymous Coward

Encryption = waste of time

SSL encryption offers no security v's the intelligence services. All US manufacturers/developers are required to provide the encryption keys to the US Government and I'm sure that the UK is similar.

0
0
Alert

@Encryption = waste of time

*** By Anonymous Coward Posted Wednesday 22nd April 2009 08:04 GMT; SSL encryption offers no security v's the intelligence services. All US manufacturers/developers are required to provide the encryption keys to the US Government and I'm sure that the UK is similar. ***

What are you talking about?

1. Quite often encryption keys are not created as static keys by manufacturers or even determined by a manufacturer. In many cases encryption keys are determined by the user. So how would a manufacturer be able to know what the users of their products will use as encryption key?

2. Perhaps you are referring to "backdoors" etc? Or encryption protocols? Manufacturers in the USA may very well be required to do this - however you can be sure that any such product from the USA will not be accepted for use by public servants in other countries. Remember the recent debacle on BlackBerry? So there is a problem for manufacturers here - create a way for one government to snoop and other governments will refuse to have your products accepted. After all the French for example are not exactly fanatic about having their communication snooped on by agencies from the USA etc - and they are not alone! It also may come as a surprise to you but the USA is not the only source for high tech IT solutions.

3. Encryption is a waste of time - that is the whole point. Usually clued up people do not expect that encryption will keep things secret "forever" - commonly the purpose with encryption today is "to waste time" - basically to postpone the time when what is "secret" will be "discovered". And for the snooping done "in passing" it might not be worth the resources required to spend energy to "crack" messages which are irrelevant.

0
0
Thumb Down

Of course they do !!!!

"The intelligence agencies have neither the inclination nor the resources, nor the legal ability to monitor the massive amounts of electronic communications that flow through the UK every day."

BULLSHIT !!!!!

Under the agreement signed between Australia, Canada, USA and Britain in 1946 ish, Each Country is 'obliged' to do just that.

The Legality comes by 'asking' one of the others to provide the data. Clever huh ? See Menwith Hill / GCHQ

EVERY (yes EVERY !!!) phone call is monitored by DICTIONARY computers 24/7 and has been for decades.

It's only the Data bit they need now.

0
0
Anonymous Coward

@@Encryption = waste of time

I stand corrected - I do refer to encryption protocols.

Agreed that governments do not want to use encryption systems where another government would have the keys but that is not what we are talking about here. We're talking about bog standard consumer grade encryption used every day. Government networks protecting genuinely secret information do not rely on this for their security. Blackberry encryption has only recently been accredited for use with 'restricted' data, not secret data.

I have no doubts that government security services would have very little problem cracking SSL traffic within milliseconds. There is also a quid pro quo for governments to make this information available to each other in the consumer space (although I agree not for more serious systems)

My point is that those commenters who believe that they would be protected from snooping by using SSL/https are most probably wrong.

0
0
Anonymous Coward

Encryption

***My point is that those commenters who believe that they would be protected from snooping by using SSL/https are most probably wrong***

I agree, those protocols have a relatively low level encryption as they were not designed to protect the privacy of the consumer from governmental agencies. However as organised crime becomes more and more well equipped to bypass these protocols their relevance would be expected to be diminished. The perfectly reasonable assumption is that the more widespread security technology becomes available for "advertised" purposes the more widespread it will be for more "sinister" purposes. This in itself would lead to a consumer led demand for change of protocols...

*** We're talking about bog standard consumer grade encryption used every day ***

You are correct of course. But the market has not been very developed as consumer demand for advanced encryption has been limited so far. What people commonly use and what they could use is not necessarily the same. The argument of continued weak "consumer grade encryption" assumes that you are specifically talking about USA consumer grade encryption; these are the consumers who are legally restricted to what encryption they are allowed to use. But also in the world outside of the USA; highly advanced encryption protocols and algorithms are developed. Just because the most commonly accessible consumer solutions (in Windows and Mac OS) today are not that secure does not mean that highly secure solutions and encryption system do not exist outside of the control of governmental agencies (a few are even made available by non-US researchers in the Linux community for example). Just because the issue has not been popularised as people in general perhaps naively have not thought about them. People might not have known about the invasion of their privacy and personal integrity and so not really looked for a safeguard. As people get more and more concerned about these matters the more the market for solutions will expand. There is no reason to believe that some of the experimental and research based results currently only available within the Linux sphere outside of the USA would not find themselves transferred into everyday software solutions in Windows and Mac OS. At least into non US consumer applications...

0
0