ICO probes Home Office refusal to reveal Snooper's Charter details

The Home Office could face legal action over its failure to explain the "Request Filter" system buried in its Communications Data Bill. That's the draft law that allows spooks and cops to massively ramp up surveillance of British citizens online. Critics have already lambasted the cryptically named “Request Filter” agency, …

COMMENTS

This topic is closed for new posts.
  1. Paul Crawford Silver badge
    Big Brother

    When the Home Office has cited "national security" for not disclosing how a system they want to introduce at our expense should work, and when they start talking up terrorists and paedophiles and are not talking clearly about just who needs the information and why, it is time to can the lot and seriously review who is working there and just what sort of relationship they have with potential suppliers of said spook kit.

    I smell a rat.

    1. Peter Gathercole Silver badge

      @Paul Crawford - I understand your concerns about who pays

      but as the entirety of UK Government expenditure comes from taxes or sales of national assets, everything that the government does, including many things that are directly for "national security" are at our expense.

      I totally agree that "national security" is hugely overused without the correct justification. I suspect that this is because some MPs are prepared to rubber-stamp anything that mentions the term without asking whether it is being correctly used.

      Of course, if you do a global substitution to replace "national" with "Government", you may get a different picture.

  2. OpenIndiana

    This despicable, vindictive cow called Theresa May really shouldn't have any place in protecting either the state or its people.

    1. John Smith 19 Gold badge
      Unhappy

      "This despicable, vindictive cow called Theresa May really shouldn't have any place in protecting either the state or its people."

      You appear to think she had the brains to think this one up herself.

      A quick count showed eight Home Secs in 4 governments have parroted the same BS.

      She's just the latest sock puppet for the group of current and former senior spookocrats that want this.

  3. Crisp

    Paedophiles, Terrorists

    Two words that are practically guaranteed to strike fear into the hearts of Daily Mail readers everywhere!

    1. Loyal Commenter Silver badge

      Oh,

      won't somebody think of the children!*

      I'm surprised she hasn't tried to work illegal immigrants into her post-facto rationalisation too.

      *except you, paedos

    2. DJV Silver badge
      Big Brother

      Two words

      Two words that strike fear into me are "Theresa May"

      --- shudder ---

      1. Will Godfrey Silver badge
        Unhappy

        Re: Two words

        This ^

    3. Yet Another Anonymous coward Silver badge

      Re: Paedophiles, Terrorists

      Not fear but it does make them foam at the mouth.

      Really the Daily Mail is just a psychology experiment that got out of hand.

  4. Hayden Clark Silver badge
    Unhappy

    Why doesn't someone call Ms May out on her untruths?

    She keeps moaning on about "national security", and "saving lives" when so many of the organisations that have requested access to the information are not security related.

    Local Councils

    HM Revenue and customs

    Food standards Agency ??

    1. Anonymous Coward
      Anonymous Coward

      Re: Why doesn't someone call Ms May out on her untruths?

      Local Councils

      The system will allow local councils to check for mentions of their local bins in case someone's planning to plant a bomb in one. They'll also be able to check whether any sickos Pedos are talking about the local park.

      HMRC

      This one's obvious - if Pedos are selling abuse pics, they should be paying tax on the proceeds. More tax = more money to fund the system and save lives through other routes.

      Food Standards Agency

      There might be a terrorist plot to replace all our beef with horse, or worse, to replace our meat with MRM. The danger it might pose to our fragile constitutions (as we're all rich Tories, used to Goose) is very real and could cause massive queasiness.

      Yours sincerely

      Mrs May

    2. John Smith 19 Gold badge
      Unhappy

      Re: Why doesn't someone call Ms May out on her untruths?

      Or how about the big one.

      The 100s of £m of pounds of savings this system is meant to produce every year.

      There appears to be no definition of this yet it's the reason this has a +ve cost/benefit

      Saving 1 7/7 event every year? Big time tax dodgers brought to book?

      I don't know and it's not clear if that's just a number someone has pulled out their back passage.

    3. Yet Another Anonymous coward Silver badge

      Re: Why doesn't someone call Ms May out on her untruths?

      >Food standards Agency ??

      In the US, after 9/11, all the government agencies involved with public safety came under the DHS.

      Which stopped commie pinko anti-business schemes - like inspecting meat plants for salmonella - to concentrate on taking 2.1 oz tubes of toothpaste from you at the airport.

      Leading to several hundred extra deaths

  5. IT Hack

    Democracy

    Not sure why this is an issue. After all our politicians are only doing their part to ensure that we have a functioning democratic state that values its citizens, that believes Britain is a bastion of freedom, democracy and the rule of law. That, despite some quirks, is an egalitarian country from which the rest of the world can learn.

    Oh wait...

  6. WonkoTheSane

    Dear Liz,

    Skip over this bit, will you?

  7. MrXavia
    Big Brother

    National Security? rubbish, the only people this will catch are the petty thieves, illegal downloaders, benefit cheats, that kind of thing, the people we really barely care about... BUT who it won't catch are the terrorists, the murderers, the child molesters... because they will use encrypted email, they will use means to communicate that cannot be monitored...

    I am pissed that they are even considering this... ONLY the police, MI5/MI6 should be able to monitor connections, and then ONLY with a warrant, fishing expeditions from councils should be shot down...

    also every email from Theresa May should be made public!

    I really hope people read/watch 1984 and start to realise where we are heading, as soon we will be in a police state!!!!

    1. Justice
      Joke

      O'RLY?

      'soon we will be in a police state!!!!'

      Regrettably due to the cutback and restructuring of the police force, we would more likely be a Community Support Officer State.

    2. Anonymous Coward
      Anonymous Coward

      "I am pissed that they are even considering this... ONLY the police, MI5/MI6 should be able to monitor connections, and then ONLY with a warrant, fishing expeditions from councils should be shot down.." as should the civil _servants_ who draft such proposals. (Please remove the word down if you wish.)

  8. bag o' spanners
    Devil

    As Orwell might never have said "They danced around the MayPol"

    I'd be more concerned for my sanity if May and her securitech lobbyist acolytes weren't such a bunch of useless wasters. I wouldn't be surprised to find that they've only spent ten quid creating a consultation document, and the rest has gone on team building exercises and lunches at Jamie's.

  9. Frankee Llonnygog

    Will the Cabinet Office insist on an Open Source solution?

    After all, that's official Government IT policy now. I look forward to downloading the source from GitHub and contributing one or two enhancements

  10. Anonymous Coward
    Anonymous Coward

    back to basics

    Aren't freedom of speech and freedom to listen two sides of the same coin?

    Surely the UK agreed to CCTV and national databases in principle a long time ago, some are just tuning the user requirements, and/or hoping it will be another public IT project that will fall on its nose.

    anon, because a true word can be undesirable.

    1. Ru

      Re: back to basics

      Surely the UK agreed to CCTV and national databases in principle a long time ago

      No.

  11. Anonymous Coward
    Anonymous Coward

    The plan is redundant

    Multi endpoint VPNs are so numerous and cheap that anybody who is anybody (and mostly anybody wanting to avoid bandwidth throttling) can run one and have a secure network to an end point. It may have been a useful idea 5 years ago but now it's just a waste of money.

    Increased surveillance, restrictions, and intrusions will just make such services far more popular and widespread, rendering sensible crime investigation all the more difficult in the face of a mountain of useless data and a sea of encrypted links.

  12. Anonymous Coward
    Anonymous Coward

    I've talked off-the-record to several of the nice persons in the responsible departments for all of this snoop stuff (the Home Office, the Security Service, Government Communications Headquarters (GCHQ), major UK-based network Communications Service Providers (CSPs) BAE Systems Detica, and a few other UK agencies that I'll forget about)

    I believed everything that everyone told me except a fairly bland message from the H.O. that Britain never has snooped, currently does not snoop and never will snoop on its citizens.

    1. John Smith 19 Gold badge
      Unhappy

      "I've talked off-the-record to several of the nice persons in the responsible departments for all of this snoop stuff (the Home Office, the Security Service, Government Communications Headquarters (GCHQ), major UK-based network Communications Service Providers (CSPs) BAE Systems Detica, and a few other UK agencies that I'll forget about)"

      Translation. Someone (who won't name themselves) has talked to a bunch of people involved in this and most of them can be trusted.

      Hello Mr BAE Systems Detica PR person. I think you're trying to reassure us.

      You're not.

      1. Anonymous Coward
        Anonymous Coward

        Nope, sorry, I'm not Detica - I'm completely neutral - just accidentally privileged in a way that I have met Tridea Works 'consultants'. (Some more on Tridea here: http://cryptome.org/isp-spy/tridea-spy/tridea-spy.htm) The 'consultants' and the UK end of the data-grab industry are typified by the fact that they're all nice, serious, motivated people. They are solving problems to ease the capture of the citizen data, 50% of which should be intelligence related telecoms data product and 50% of which should be police criminal related matters product in the UK.

        Unfortunately, due to a long and complicated history in the UK, all 100% of the data-grab under ICA, RIPA, IMP/CCDP et al is for intelligence use, it never seems to appear in court - tho' admittedly sometimes in the Daily Mail. Other countries are different, Italy has the centralised DPI already but nobody knows about it. France has the decentralised DPI already but nobody talks about it. Bulgaria has the DPI and Oops ... http://www.novinite.com/view_news.php?id=149787

        Under the best system that could be envisaged - with rampant DPI (which is obviously going to be eventually installed anyway) throughout UK telecoms - some of the data would be really useful to the UK Police - so be given to them & used in court; Some of the data product would be really useful for national security & give detentions or direct actions; But the rest of our entire future data is also going to be stored forever and analysed for things we can't yet we suppose -: pre-crime or future-oxygen taxes!?

        Unless, for example, we insist that the UK DPI boxes are installed physically in Germany - then we might appeal to the German constitutional court to access, audit and modify the 'filter list'. It'd be cool to be able to do that in the UK. If one EU nation's citizens could do that - then why would we be denied that possibility?

  13. Dr Dan Holdsworth
    WTF?

    Suppose two terrorists wanted to talk to each other...

    Quickest and easiest way is how the 9/11 terrorists did it. They pre-shared a password to an online email account, and wrote messages to each other and saved them as drafts (i.e. never actually sent the message). The drafts folder thus acted as a classic dead drop, one which everyone in on the plot could get at, and which would not be monitored by this method.

    Second method is to trust modern twin-key encryption to do what it claims to do and simply post encrypted messages from one cell member to another on a usenet binaries group. For added giggles, do so on a regular basis interspersing actual messages with random gibberish so not even the frequency of messages from one member to another varies.

    Third method is for the cell members to phone each other up via telephone boxes, lots of different ones, using a pre-shared list of times for communication.

    There's three methods of dodging this legislation off the top of my head right now. The first method has actually been used successfully, and was not spotted by the authorities (and indeed wouldn't be spotted even now). Dodging this sort of silliness is remarkably easy, even without resorting to overseas email hosting and VPN software. Precisely why is it being enacted? Hasn't the government got enough lame-duck pseudo-terrorists to lock up, and wants to trawl for some more morons?

    1. John Smith 19 Gold badge
      Unhappy

      Re: Suppose two terrorists wanted to talk to each other...

      "Precisely why is it being enacted?"

      Exactly.

      Like Tony Blair calling for ID cards when the IRA (the only serious long term indigenous terrorist group the UK has ever faced) had just about shut up shop.

      This is about being able to spy on everyone 24/7/365 forever.

      In a real democracy you cannot be sure someone will not turn into a terrorist, but you do trust that the police force (because terrorism is a crime) will catch them first.

      That is the price of real freedom.

      Police work is only ever easy in a police state.

      1. Magister
        Black Helicopters

        Re: Suppose two terrorists wanted to talk to each other...

        This is about being able to spy on everyone except the politicians, civil service, and mates of these 24/7/365 forever.

        FIFY

        1. John Smith 19 Gold badge
          Unhappy

          Re: Suppose two terrorists wanted to talk to each other...

          "This is about being able to spy on everyone except the politicians, civil service, and mates of these 24/7/365 forever."

          Wrong.

          In a police state only the police are above the law.

          Besides that would deprive the more corruptible staff of a ready source of income from News International.

        2. dephormation.org.uk
          Big Brother

          Re: Suppose two terrorists wanted to talk to each other...

          "everyone except the politicians"

          I think you'll find they are being thoroughly spied on too. See;

          https://www.whatdotheyknow.com/request/surveillance_of_internet_use

    2. Anonymous Coward
      Anonymous Coward

      Re: Suppose two terrorists wanted to talk to each other...

      1) I noticed recently that my gmail was synchronising my 'drafts' folder on all my devices - such that my draft emails were travelling across whatever DPI systems exist. This presumably is a function to please the previous UK HomeSec who said that he "didn't just want the ability to read people's emails - but to read their draft emails as well" (same happened with a commercial mail enterprise package, default IMAP remote Drafts folder - twice is a co-incidence!!)

      2) Steganography is OK, tho' I think rather a lot of research has been done in this area to detect covert channels. Who watches some obscure Music Channel 897 on Sky? - do they have a TXT line with messages on screen? Recent Russian spies/handlers have used both your methods 1 & 2. Presumably they'll have moved on to something else by now.

      3) phone boxes have probably been arranged for 'special handling' of their messages for literally decades back to the old GPO days...

      I don't want the big criminals to be able to communicate freely, I just seek that the powers that be should invest a little more effort/training/money into their spook agencies to allow fighting criminals in the traditional ways....or we'll all start - not to encrypt - but worse - using many different flavors of traffic dilution. Yes, testing to the max your data-mining algorithms that you paid so much for!

      Dilution of the normal citizen data-footprint with really random stuff is unbeatable as a technique.

    3. JaitcH
      FAIL

      Re: Suppose two terrorists wanted to talk to each other...

      @Dr Dan Holdsworth

      Ex-US General Petraeus and his married hot squeeze Paula Broadwell used this draft e-mail method and the FBI found out about their affair.

      My employer owns his own server and we ignore Third Party requests. We also use Silent Circle facilities.

  14. Anonymous Coward
    Anonymous Coward

    two sides to this, neither very good

    She cannot answer this for two reasons.

    1: They have no idea how it's going to work, they have envisaged what they want but have no idea if/when/ever it can be done.

    2: By being vague it allows for mission and budget creep.

  15. Alister

    "So, it's astonishing that Home Office bureaucrats are risking contempt of court by trying to cover up the most basic information on how the scheme will operate in practice."

    No, it's not astonishing, they haven't got a clue how it's going to operate in practice.

  16. PyLETS
    Boffin

    One reason it will break

    So who is a communications provider within the terms of this legislation? Every one of the students I teach how to do client server programming? Is a UDP echo test outside of this elaborate monitoring scheme, but once you use a pair of UDP calls to exchange texts typed in at a console you have to tell plod who called whom and when? Presumably not - because someone learning how to write to a client-server API is too small to be a communications provider within the terms of the legislation? So they expect to be able to use the black boxes to pick up the traffic anyway in plain text? Fine until budding programmer learns to do the same trick using TCP over SSL. The black boxes on large network nodes won't catch this traffic now as it's encrypted, so obtaining the metadata described would then mandate changes to every installed socket API library. That's when there really would be a spy in every box, and somehow I don't see that happening - except perhaps on boxes and OSs where you can't see, change or recompile your source code and you get the software from big bad corps which do deals with nasty government agencies behind closed doors. That's a good reason to use open source on anything still capable of running a compiler and/or installing a different kernel as if there wasn't reason enough already.

  17. This post has been deleted by its author

  18. Anonymous Coward
    Devil

    The default "request filter"

    ...will of course be "*.*"

    (although this will be obfuscated a bit, to keep the minister blissfully ignorant and so much more useful as a public front. Like McNamara being so volubly proud of how the introduction of electronic locks on nuclear weapons had ensured political control - only after many years of retirement did he learn that a single fixed code was being used: no way that SAC was going to let democracy interfere with their defense of freedom)

  19. BlueGreen

    enough chat, what do I do about it?

    Who do I write to, where do I apply pressure in a useful way?

    (anyone who bleats "don't bother it won't make any difference" can fuck off to, say, North Korea and live out their life where it's true and they don't have to try)

    1. John Smith 19 Gold badge
      Thumb Up

      Re: enough chat, what do I do about it?

      First stop is your MP with a well thought out letter (no ranting) explaining it will cost a fortune for little obvious gain. Google they work for you for their address and email. I suggest a hard copy.

      MI5 said they had about 2000 suspects. At the claimed £5Bn over 10 yrs, that's £2.5m per suspect (or about the cost of a prisoner for 71 years). Or perhaps they think it will save another 7/7. That's £175k per life saved (including the bombers and the Argentinian electrician who discovered wearing a heavy jacket on a hot day on the tube carries the death penalty).

      And 70 odd people die as a result of a) Farming accidents and b) Home DIY accidents (many get injured, few actually end up in the morgue).

      You might also look up what review stage this bill is at and contact the chairman of any relevant committees.

      1. Yet Another Anonymous coward Silver badge

        Re: enough chat, what do I do about it?

        Brazilian - and he wasn't wearing a heavy jacket, they made that bit up later,

        Congratulations you could be home secretary!

      2. BlueGreen

        Re: enough chat, what do I do about it?

        Thanks, will do.

  20. Anonymous Coward
    Anonymous Coward

    The nature of the filter

    We are informed that the proposed request filter will further protect privacy by discarding all data not directly relevant to an investigation, which implies some clever (and I dare say impossible in practice) data processing before the info is handed out.

    I would hope that the filter is really a human being who will say "fuck off you're a local council and are operating way beyond your brief". Or something like that.

  21. John Smith 19 Gold badge
    Big Brother

    The CCDP has "accepted the substance of the full recommendations"

    But we just don't give a s**t.

    Politicians. They think somehow they are in charge.

    (Signed ) The Communications Capabilities Development programme Unit

  22. Anonymous Coward
    Anonymous Coward

    The 'request filter' is signature driven

    The Detica DPI boxes will be loaded with today's signature list, i.e. immediately pass on all data which contains the following hex block "C3 P0 R2 D2..." with the boxes then encrypting the intercept packets and sending it down a port to whichever group owns the big hard-disks to then start collating the data. Is that Utah or Ohio or Chelyabinsk - is IMP/CCDP just an NSA front-end?

    Who will provide the hit-list of hex signatures to load into the Detica DPI boxes? i.e. is IMP/CCDP just another NSA front-end?

    This graphic example of an IMP/CCDP shows PhD students' best guess on their national system based on documents leaked to Sveriges Radio http://upload.wikimedia.org/wikipedia/commons/b/b6/Trafikdata-en.png (nice picture that puts much of the "filtering" in context)

    I don't think there will be that many humans involved in the filtering, and the rejection ratio will depend on how big the UK's strategic national hard-disks are as they'll always be nearly but not quite full. Assuming a big enough storage - then you can assume total traffic capture and forwarding.

    Access to the 'Analysis' & 'report' databases would hopefully have some accounting and auditing - but UK has until quite recently denied that there was much/any illegal snooping inside snoop databases by privileged users.

    What to do about IMP/CCDP part One?

    ★well you can try understanding it, we need sociologists!

    ★write a letter to your MP explaining in simple terms what could happen.

    ★You can write a fictional novel about a future UK where IMP/CCDP misuse is rampant. (for guidance: you can read the short e-book "From Dictatorship to Democracy" that the US State Department seems to use as a guidebook when 'colourfully' overthrowing regimes in Serbia/Thailand/Ukraine.....Egypt/Syria/Iran? link: http://www.aeinstein.org/organizations/org/FDTD.pdf)

    ★Perhaps someone should write the corollary e-Book "From Democracy to Dictatorship" on the demise of thousand years of UK freedoms based on the introduction of IMP/CCDP to a sleeping UK population?

    The BIG problem is that the slightly future internet will have IMP/CCDP just as an intelligent app built-in to the network - the power and flexibility of the software defined networking (SDN) means that all the TCP/IP routers will be trivially able to rule-based filter - the internet is no longer a slightly drunk postal worker that reliably delivers all data packets - the modern internet is evolving to a massive distributed control tool with heavy political/social/societal consequences that will be able to spy, change or deny data packets as it sees fit. It might sometimes allow the packets through unchanged - but that could be a rarity!

    What to do about IMP/CCDP part Two? Things to do:

    ★Data Canaries: 'I have received no IMP/CCDP warrant'

    ★a working SSL - CA system that is really trustable (sorry GCHQ)

    ★Signed webpages, all webpages (BBC News to Eastenders.co.uk) the IMP/CCDP will be trivially able to CHANGE the content of any requested webpage transparently and in real time. Maggie might not be yet dead in some future NORK-UK undemocracy.... all news & web-content needs to be trustfully signed and live verified at no cost to the user

    ★random data generators, random traffic flows, leave your PC browsing on its own whilst you go to the park

    introduce some plausible deniability into traffic and data-patterns

    this hopefully should keep the average person safe in the UK for the next 20 years

    {273af410edcc864642d4e51c6c777d3f3a30a4d765e63e5b334346b41414cf25} SHA256 message hash

    1. charlie-charlie-tango-alpha

      Re: The 'request filter' is signature driven

      "random data generators, random traffic flows, leave your PC browsing on its own whilst you go to the park"

      Interesting idea. Now how, exactly, would you get your PC to "randomly browse" in a way that would look anything other than stupidly robotic and predictable?

      1. Anonymous Coward
        Anonymous Coward

        Re: The 'request filter' is signature driven

        Moore's Law theoretically is supplying the wherewithal to allow us to communicate with Cetacea in the next 5 years. (Whether that will be a fruitful or short discussion remains to be seen) I reckon to be able to keep a constant volume data interchange envelope based on that level of computing power, with the true usage Internet bursty data traffic packets subsumed when I'm not typing with pink-data-noise, also bursty, with a dab of random word-association-football and other tricks, aiming for a high probability of detection/high probability of intercept, but this is irrelevant as there should be no 'criminal' content as currently defined, hence wasting the time of data-profilers both natsec and advert driven. A data consumption spectrum a bit like http://www.tscm.com/dtvwave328.gif, but that's a USA atsc DTV waveform.

        I envisage quite a few accelerated cores & appliances would be needed in the home infrastructure, including maybe an unpatched XP VM glorypot, a dating website chatbot repurposed for advertising click-thrus, a few dd-wrt router/switches chirping away and regular supplies of Brownian motion generators. Replay of elements of last Thursday's data packets as exchanged by Mrs. Goggins down the road - as P2P seeded to Mumsnet could also contribute but it'd probably evolve to a heterogeneous app family on a smartphone. If the opponent could sample/filter/store 'm' packets per second it'd be neat to be able to generate m+1 occasionally fake packets. Work in progress!

  23. JaitcH
    Happy

    Old, basic, technology works best

    Directional infrared communications work - how will Witch Two be able to tap that?

    Another method, already used, and observed by the police, is for two people needing to communicate to go to a park, lie on the grass facing each other and with their mouths covered with their hands, is almost assured of confidentiality. But impractical.

    The other method is to overload the system so it can't handle all the information.
