gmane.law.cryptography.uk

Re: BBC News - 'Fresh proposals' planned over cyber-monitoring

Ben Liddicott — 2013-05-23T22:52:38

On 23/05/2013 22:43, Roland Perry wrote:

I am really not sure what your point about "practicality" is here. I am 
sure a court order can be given in terms such as "as far as reasonably 
practicable". In any case the judges who give the orders, and the people 
who ask for them, will be well versed in what is practical. This is a 
nothing-nothing objection.

As to the rubber stamp objection: The fact that the request is seen by a 
person means that person can make enquiries either before or after 
granting the request - which makes all the difference. Who knows when a 
judge or Magistrate will suddenly decide to ask a lot of questions? They 
sometimes do, presumably just as a spot-check. Judicial review will find 
few abusive requests because abusive requests which might be made, will 
simply not be made. Even post-hoc reviews like the FISA courts will have 
that effect. But if the request will be fulfilled automatically and 
reviewed by no-one at all, ever, why not put in unnecessary, marginally 
necessary,

Re: BBC News - 'Fresh proposals' planned over cyber-monitoring

Roland Perry — 2013-05-23T22:02:01

In article <519E8AF0.7060605-zQGKLn5Wc3Lby3iVrkZq2A< at >public.gmane.org>, Ben Liddicott 
<ben-zQGKLn5Wc3Lby3iVrkZq2A< at >public.gmane.org> writes

What "new abilities" are these? [1]

The system which was decided upon (and known as RIPA) isn't that much 
different from the above, and involves verbal authorisations, followed 
by paperwork as soon as you get a Superintendent out of bed.

A question for the lawyers here: In practice, can someone in the force 
control room really ring up a judge themselves (no other intermediaries) 
in the middle of the night? What sort of standard of proof would the 
judge want that the request was genuine and necessary?

[1] The BBC is talking about new forms of data being logged
    (specifically de-anonymising carrier grade NAT), not new routes to
     obtain disclosure.

     It seems to me unrealistic to expect BT's broadband customers, who
     are about to be stuck behind CGNAT, to become untraceable overnight;
     and while BT could log the mappings on their own accord I susp

Re: BBC News - 'Fresh proposals' planned over cyber-monitoring

Roland Perry — 2013-05-23T21:43:59

In article <519E6D76.8060203-zQGKLn5Wc3Lby3iVrkZq2A< at >public.gmane.org>, Ben Liddicott 
<ben-zQGKLn5Wc3Lby3iVrkZq2A< at >public.gmane.org> writes
 >>And if every request required the police and the telco to physically 
 >>attend court (which is likely to be some distance from the telco's HQ) 
 >>and then be required to respond to a non-urgent request in a week 
 >>rather than a month, then the costs would spiral out of control (for 
 >>all parties involved).

Of course the vast majority can wait until the next day (or even the 
next week), but the other aspects remain. Unless you think it's a good 
idea for these court orders to be issued without any comment from the 
telcos about the practicality, and any more than a rubber stamp from the 
judge regarding the necessity.


You seem to be wanting a special "telecoms court" to deal with these 
things both quickly and by remote participation. The volume of enquiries 
(which are overwhelmingly reverse-DQ) would be challenging to 
accommodate.


There's no DPA 1998 exem

Re: BBC News - 'Fresh proposals' planned over cyber-monitoring

Ben Liddicott — 2013-05-23T21:32:32

On 23/05/2013 20:32, Francis Davey wrote:
So the reality is if you have an emergency, you have two officers on the 
phone:

Officer 1 gets on to the ISP and says "I need some info urgently, court 
order is on it's way. Can you look it up and have it ready to give as 
soon as the order comes through?" The chap at the ISP does so, looks up 
the info and has it ready.
Officer 2 gets on to the Judge and says " I need a court order for 
this...".  As soon as the order is given, the word is passed to officer 
1 along with (presumably) some reference number. ISP chap hands over info.

This happens in parallel, and in reality the court order plus request 
takes barely longer than the request alone.

If that's the case, what is the real reason these new abilities are 
being asked for? Are the people who insist they are necessary lying or 
merely ignorant? Why aren't they being called on it?

Hmm... Cheers, anyway.

Ben

Re: BBC News - 'Fresh proposals' planned over cyber-monitoring

Francis Davey — 2013-05-23T19:32:52

2013/5/23 Ben Liddicott <ben-zQGKLn5Wc3Lby3iVrkZq2A< at >public.gmane.org>


You can get an order over the telephone. There's a 24/7 "duty judge" system
that means you can always get a judge (possibly out of bed) for an urgent
order. Clearly you have to have a pretty good reason to do that but the
system is there.

If this was going to happen a lot then I am sure the court service could
(if it was told to) set up a system that made this work.

Re: BBC News - 'Fresh proposals' planned over cyber-monitoring

Ben Liddicott — 2013-05-23T19:26:46

On 23/05/2013 15:31, Roland Perry wrote:

Well, that's a good summary of the argument, but not actually a good 
reason, and it's not actually what happens.

It's not what happens because the vast majority of such requests are for 
things which could perfectly well have waited to the next working day 
and been dealt with in bulk.

It's not a good reason firstly because there is no technical reason why 
a court order has to be slow. IANAL, but AFAIK a court order or warrant 
can be given by telephone, fax or email if need be - I don't believe 
there is any legal requirement for the judge to be in the same room as 
the petitioner - and if there is, why not just change that rule for 
emergencies?

Even if it was the case that court orders are too slow, there is no 
reason not to have a post-request review requirement like the US Federal 
FISA courts.

It is impossible to avoid the conclusion that the reason for removing 
review altogether (as opposed to having an emergency procedure plus a 
post-request review)

Re: BBC News - 'Fresh proposals' planned over cyber-monitoring

Ian Mason — 2013-05-23T17:50:34

On May 22, 2013, at 11:12 PM, Peter Fairbrother wrote:


[snip]


I'm not convinced that the 'bad old days' have gone away. I find  
little difference in the actual attitudes of coppers that I talk to  
socially nowadays to the ones I used to share curry and beer with back  
then.


The heaviest users of these will be enquiry officers - usually DCs and  
PCs. Bear in mind that nowadays there are many civilian staff inside  
police stations - largely invisible to the general public. These are  
not limited to obviously clerical roles (e.g. I've come across at  
least one civilian evidence/exhibits 'officer'). In the case in point  
I was present as a non-police civilian and had free access to the  
incident room in question for several weeks - often outside office  
hours when it was not in operational use.

Interestingly, the actual cases I have heard of where staff were  
disciplined/prosecuted for improper use of police records have often,  
possibly even primarily, been civilian staff and have often been

Re: BBC News - 'Fresh proposals' planned over cyber-monitoring

Roland Perry — 2013-05-23T14:31:14

In article <519D42DC.5080800-1HOZaDBbGgxaa/9Udqfwiw< at >public.gmane.org>, Peter Fairbrother 
<zenadsl6186-1HOZaDBbGgxaa/9Udqfwiw< at >public.gmane.org> writes

Briefly, the issue is that when it's really important (for example an 
estranged father rings his ex-wife to say he's committing suicide and 
taking the children with him, now) then court orders are too slow.

And if every request required the police and the telco to physically 
attend court (which is likely to be some distance from the telco's HQ) 
and then be required to respond to a non-urgent request in a week rather 
than a month, then the costs would spiral out of control (for all 
parties involved).


The emergency services are allowed to know where people are calling from 
(including mobiles, which is why so many these days have GPS because 
that's a USA requirement). Perhaps you'd rather wait for them to get a 
court order??

Re: BBC News - 'Fresh proposals' planned over cyber-monitoring

Roland Perry — 2013-05-23T14:22:52

In article <519D3BB9.3060403-1HOZaDBbGgxaa/9Udqfwiw< at >public.gmane.org>, Peter Fairbrother 
<zenadsl6186-1HOZaDBbGgxaa/9Udqfwiw< at >public.gmane.org> writes

Perhaps you are making the mistake of thinking that the worst crimes are 
committed by the cleverest people? April Jones and Tia Sharp might 
disagree (to quote only two recent examples).


For Morse there are the books to read. Or use the "catch-up" services on 
the Interweb.

 >I don't want one in the house, I'd just sit and watch it and get 
 >nothing done

The more that things can be viewed later, the less I watch. Getting a 
VCR (in the early 80's) cut my viewing considerably. In the last month 
(and despite having the biggest and best TV ever) all I've managed to 
watch regularly are Endeavour and Dr Who.


I think we must make it possible when it's necessary. Cue RIPA debate, 
cont'd p94.

Re: BBC News - 'Fresh proposals' planned over cyber-monitoring

Peter Fairbrother — 2013-05-22T22:12:44


That's good and bad security - good because access would be broadly 
limited to policemen who could enter the room, bad because there would 
be no logging of who asked. For the "bad old days", it's not that bad.

Limiting access to policemen, preferably at least sergeant level, and 
logging of who asked, and why (with occasional for-real checkups) is 
probably all that is needed for RDQs and electoral roll enquiries. They 
are not really very intrusive.

It's when they get into more intrusive matters. like phone and internet 
logs, that more severe restrictions are warranted. The intrusion is 
different, and more severe - so why not more severe restrictions? Like a 
Court-issued warrant?

That would cos for the Court time, but it would be balanced by not 
needing to go through a SPOC for most enquiries.

Might even end up cheaper - suppose Plod get a warrant, costs £800,  and 
get a list of 50 people the suspect called. If a SPOC RDQ enquiry costs 
£20, a non-SPOC RDQ enquiry costs £2, and a SPOC log en

Re: BBC News - 'Fresh proposals' planned over cyber-monitoring

Peter Fairbrother — 2013-05-22T21:42:17

That's true enough, but if they use the end of catching the 
harder-to-reach fruit in order to justify the means, but those means 
will not let them reach that fruit ...


I'd read it.


I don't have a TV.

(people think that's strange - it was my birthday yesterday, and my 
sister asked if I wanted a TV for a present, as she has every year for 
the last ten years - but I don't want one in the house, I'd just sit and 
watch it and get nothing done).


A legitimate investigative technique, most likely - but that does not 
mean we must make it possible, especially at any cost.

Re: BBC News - 'Fresh proposals' planned over cyber-monitoring

Ian Mason — 2013-05-22T17:24:52

On May 22, 2013, at 9:26 AM, Roland Perry wrote:


I can state from personal direct knowledge that in the early 90's that  
one non-metropolitan police force had unfettered online access access  
to BT's reverse-DQ and unlisted number databases. In the instance I  
directly observed no procedure or justification was required - just  
physical access to the terminal connected to BT (which in this case  
was situated in a suite of offices normally used as a major incident  
room alongside a PNC terminal and one connected to a database of all  
electoral rolls - both with similar lack of access controls or  
procedures).

Re: BBC Moneybox - contactless hiccups

Roland Perry — 2013-05-22T08:28:42

In article <20130521170923.GD20185-v7oSnKn4qNcd8cy4ZZikoQ< at >public.gmane.org>, Jon Ribbens 
<jon+ukcrypto-JgzTmhv+UHffC7kMvaharFpr/1R2p/CL< at >public.gmane.org> writes

And last week I had a Debit Card transaction "declined", when what they 
meant was "we can't seem to contact your bank at the moment, so hard 
luck".

But I suppose they'd say it was the POS machine declining to take the 
card, not the bank declining to authorise the funds. They really should 
have two different expressions for that.

Re: BBC News - 'Fresh proposals' planned over cyber-monitoring

Roland Perry — 2013-05-22T08:26:34

In article <519BFD2D.5070102-1HOZaDBbGgxaa/9Udqfwiw< at >public.gmane.org>, Peter Fairbrother 
<zenadsl6186-1HOZaDBbGgxaa/9Udqfwiw< at >public.gmane.org> writes

Her government does. But it's never a good argument that you should give 
up picking the low-hanging fruit, just because there's some harder to 
reach fruit elsewhere.


I could write a book about it.

Did you watch 'Endeavour' (the 'Morse' prequel). I've not seen the whole 
series yet, but they've done reverse-DQ phone numbers in two of the 
plots so far.


There's two elements to this. One is whether the access is required at 
all (and checking who a suspect has been in contact with is normally 
regarded as a legitimate investigative technique), the other is to what 
extent it's "pretty much unrstricted".

I won't re-run the RIPA [vs DPA 29(3)] debate for the nth time.


Which is why there's the tailpiece in RIPA s2(9)

Re: BBC News - 'Fresh proposals' planned over cyber-monitoring

Peter Fairbrother — 2013-05-21T23:03:09

Hmmm - suppose I download a game which takes an hour (or a day) to play, 
and want to see the result. Will the ISP keep the 5-tuple NAT active?


Of course throwaway dongles, unsecured WIFI, free public wifi, TOR, and 
so on need no mention here. But I wonder if Her Majesty knows about them?



Does anyone know the history of how and why telephone logs became fair 
game for Plod?

I mean. it's not obvious that Plod should have pretty much unrestricted 
access to comms data logs anyway.

Even then there is a big difference between telephone logs and internet 
logs, which are much more revealing.

Re: BBC Moneybox - contactless hiccups

Jon Ribbens — 2013-05-21T17:09:23

I've personally seen a POS machine print me a "declined" receipt
for a transaction that was actually approved.

Re: Fwd: BBC News - 'Fresh proposals' planned over cyber-monitoring

Roland Perry — 2013-05-21T20:22:09

In article 
<CAJ0hfotvuxk1zV1ipj4scutwLFnCnc4xsM4Jd3KKi-jiKWTvEw-JsoAwUIsXosN+BqQ9rBEUg< at >public.gmane.org>, 
"k.brown-+9tF5d9GpIpaa/9Udqfwiw< at >public.gmane.org" <k.brown-+9tF5d9GpIpaa/9Udqfwiw< at >public.gmane.org> writes


And in the recent Queen's Speech!

ORGCon 2013 June 8 London

Jim Killock — 2013-05-21T15:05:16

Hi all,

Hopefully you know about ORGCon 2013

http://orgcon.openrightsgroup.org/

- but in case you don't it has a lot to offer you all. Hope to see some of you there!

Jim

A sample:

http://orgcon.openrightsgroup.org/2013/programme

Snoopers' Charter: What's the situation now?
 -Jim Killock, ORG Executive Director
- Peter Sommer
- Others TBC

Digital Arms Trade
-Hauke Gierow, Reporters without Borders
-Eric King, Privacy International

Regulating Code
- Ian Brown and Chris Marsden on their book and its conclusions

How to wiretap the Cloud (without anybody noticing)
-Caspar Bowden, independant privacy expert
Speaking on the threat of the US FISAA (Foreign Intelligence Surveillance Ammendments Act)

Fwd: BBC News - 'Fresh proposals' planned over cyber-monitoring

2013-05-21T14:52:21



And those that were desirable were really only problems for people who
write software for routers. Not for end users. Or even people who run
computers for end users. Or even people who configure networkds for
people who run computers for end users.  And they have pretty much
been solved in the last twenty years by those people who write
software for routers.

And "simplified address structure" is only true if you are writing
software for routers.  To everybody else IPv4 looks simpler because
its just about possible for the average person to remember four
decimal numbers in a row, most people can't hold eight 4-digit hex
numbers in their head, which means they can't *read* them, which
means they are basically machine-readable-only for the average punter.

Basic nerdview mistake. Describing things from the point of view of an
insider,  so making it harder for anyone without the rignt background
to follow. (Other classic bits of nerdview in this field might include eduroam,
Freeradius and Shibboleth installa

Re: BBC News - 'Fresh proposals' planned over cyber-monitoring

Roland Perry — 2013-05-21T07:15:09

In article <518CB006.8000604-BPqP8yNAJjH10XsdtD+oqA< at >public.gmane.org>, Peter Tomlinson 
<pwt-BPqP8yNAJjH10XsdtD+oqA< at >public.gmane.org> writes

And an article looking more deeply into the technical details of CGNs, 
in this context:

http://www.potaroo.net/ispcol/2013-05/cgns.html

Re: BBC Moneybox - contactless hiccups

Tony Naggs — 2013-05-20T14:44:03


Many door locks simply try to read the unique Id (UID) of a card, &
search for it in an access rights table. The ones I've encountered are
unable to cope with multiple cards presented together.

Credit & debit cards may have random or fixed Ids, and the card
function is identified by further information on the card. If there
are multiple cards a terminal could simply charge the card it
identifies with credit/debit functionality - this may still not be the
expected behaviour.

--
Tony