UK ISP Boss Highlights Technical Stupidity Of The Snooper's Charter Proposal
from the surveillance-magic dept
There’s just something absolutely nutty when politicians with no technical knowledge whatsoever try to make technology policy, and it often crosses over into out-and-out slapstick when that technology policy involves surveillance. It’s why we see things like talk of “golden keys” for encryption that somehow wouldn’t be “backdoors” (even though they are). Over in the UK, they’re going through something similar with the current “debate” (if you can call it that) over the latest Snooper’s Charter bill, officially known as the “Investigatory Powers Bill” or the “IPBill.”
A key element in the bill is the demand for “internet connection records.” The draft bill has a whole section on these “ICRs” which it defines as:
A kind of communications data, an ICR is a record of the internet services a specific device has connected to, such as a website or instant messaging application. It is captured by the company providing access to the internet. Where available, this data may be acquired from CSPs by law enforcement and the security and intelligence agencies.
An ICR is not a person’s full internet browsing history. It is a record of the services that they have connected to, which can provide vital investigative leads. It would not reveal every web page that they visit or anything that they do on that web page.
That definition, by itself, seems somewhat self-contradictory, but we’ll leave that aside for now. Adrian Kennard, the head of a small UK ISP, Andrews & Arnold, has filed some comments highlighting how technically clueless this idea is:
The explanatory notes, and one of the clauses in the bill, make use of the term “Internet Connection Record”. We are concerned that this creates the impression that an “Internet Connection Record” is a real thing, like a “Call Data Record” in telephony.
An ICR does not exist – it is not a real thing in the Internet. At best it may be the collection of, or subset of, communications data that is retained by an operator subject to a retention order which has determined on a case by case basis what data the operator shall retain. It will not be the same for all operators and could be very different indeed.
We would like to see the term removed, or at least the vague and nondescript nature of the term made very clear in the bill and explanatory notes.
From there, it goes even further, pointing out that the justification for needing these non-existent ICRs was a statement from UK Home Secretary Theresa May about how useful such info would be in finding a missing girl:
“Consider the case of a teenage girl going missing. At present we can ask her mobile provider for call records before she went missing which could be invaluable to finding her. But for Internet access, all we get is that the Internet was accessed 300 times. What would be useful would be to know she accessed twitter just before she went missing in the same way as we could see she made a phone call”
Except, as Kennard points out, that’s not how the internet actually works. You don’t “connect” to Twitter like that, because you’re constantly connected to Twitter:
…in yesterday’s meeting I, and other ISPA members, immediately pointed out the huge flaw in this argument. If the mobile provider was even able to tell that she had used twitter at all (which is not as easy as it sounds), it would show that the phone had been connected to twitter 24 hours a day, and probably Facebook as well. This is because the very nature of messaging and social media applications is that they stay connected so that they can quickly alert you to messages, calls, or amusing cat videos, without any delay.
It should be noted that it is quite valid for a “connection” of some sort to last a long time. The main protocol used (TCP) can happily have connections for hours, days, months or even years. Some protocols such as SCTP, and MOSH are designed to keep a single connection active indefinitely even with changes to IP addresses at each end and changing the means of connection (mobile, wifi, etc). Given the increasing use of permanent connections on mobile devices, it is easy to see how more and more applications will use such protocols to stay connected – making one “internet connection record” which could even have passed the 12 month time limit by the time it is logged.
Connections are also typically encrypted and have some data passing all the time, so it would not be practical for an ISP, even using deep packet inspection, to indicate that the girl “accessed twitter” right before she vanished, or even at all (just that there is a twitter app on the phone and
This seems like a rather important point: the people who put together the Snooper’s Charter for spying on the internet don’t seem to understand the first thing about how the internet actually works. And yet we’re supposed to give them sweeping powers to spy on it? How does that make any sense?
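Kennard's point about long-lived connections can be seen by treating each connection as a single record written when it closes. The following is an added example, not part of the original post or of Kennard's submission; the `Flow` record layout, the service labels and all timestamps are constructed for illustration, and only the 12-month limit comes from the quote.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Flow:
    service: str     # hypothetical label an operator attaches to the remote end
    start: datetime  # when the connection was opened
    end: datetime    # when it closed, i.e. the earliest a record could be written

RETENTION = timedelta(days=365)  # the 12-month limit mentioned in the quote

def started_within(flows, event, window):
    """Services whose connection *began* in the window before the event."""
    return sorted({f.service for f in flows
                   if event - window <= f.start <= event})

def open_during(flows, event, window):
    """Services with a connection open at any point in the window."""
    return sorted({f.service for f in flows
                   if f.start <= event and f.end >= event - window})

def expired_when_logged(flow):
    """True if the record is already older than RETENTION when it is written."""
    return flow.end - flow.start > RETENTION

# Constructed sample data: one always-on app, one short fetch, one roaming session.
EVENT = datetime(2015, 11, 20, 16, 0)
FLOWS = [
    Flow("messaging-app", datetime(2015, 11, 1, 8, 0), datetime(2015, 11, 25, 9, 0)),
    Flow("news-site", datetime(2015, 11, 20, 15, 50), datetime(2015, 11, 20, 15, 51)),
    Flow("remote-shell", datetime(2014, 9, 1, 12, 0), datetime(2015, 11, 22, 12, 0)),
]

if __name__ == "__main__":
    hour = timedelta(hours=1)
    # Asking "what did the device connect to in the last hour?" misses the
    # always-on app entirely, because its connection began weeks earlier.
    print("started in last hour:", started_within(FLOWS, EVENT, hour))
    # Asking "what was connected?" returns everything that is permanently
    # attached, which says nothing about what the person actually did.
    print("open in last hour:   ", open_during(FLOWS, EVENT, hour))
    print("expired when logged: ",
          [f.service for f in FLOWS if expired_when_logged(f)])
```

Neither query answers the question posed in the Home Secretary's scenario: the first omits the permanently connected app, and the second lists it for every hour of every day.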