The EU Cookie directive comes into force today – so happy cookie day to all. The ICO have issued a guideline document for website owners detailing strategies for dealing with the cookie directive. Now – I’m sure that I am being thick, but I’m struggling here :
The directives talk a lot about the requirements with regard to consumers, but I wasn’t sure where we stood…
- We’re based in the UK
- Running a .COM website
- Hosted in the States
so – are we affected? Would this also apply to US based .COM sites accessed from the EU?
We decided not to take the risk – and have therefore implemented a cookie control to ensure we are compliant, and will be implementing the same control on all of our subdomains.
I just received a phone call from my MP – James Morris. My plans to provide an erudite and compelling argument as to why the current proposals may not have been as good as I would have liked. I was pretty much unprepared. I had prepared, but the phone call – when it came – was so unexpected that I don’t think I was able to give as good and reasoned an argument regarding the pitfalls of this proposal.
We talked about instant messaging – for example through Facebook. I put forward my proposal that IM through Facebook is implemented through the Facebook servers. Your browser sends a packet to the Facebook server instructing the server to issue a message to a fellow Facebooker. In this context, the communication here is between your machine and the Facebook servers. Everything else – the message and its recipients – is the content of that message to Facebook, and would be outside the scope of these measures (as far as I understand them).
I mentioned that Facebook has an SSL version of the site – which encrypts traffic between server and client. Now – it seems that the communication data can be protected by just using an SSL version of the site.
Despite my ramblings he said that he was going to pass my concerns through the secretary of state – so I suppose that’s something.
I received the email from RS Components informing me that I now had the right to buy a Raspberry Pi device.
My plan is to take some video footage of the unboxing of the device and to write up what I find.
My goals are to experiment with what the device can do, possibly set it up as a set top box for my tv, or anything else I can think of.
For those of you not familiar with this, the Royal Mail bumped up the price of a first class stamp from 46p to 60p – a rise of 30%.
So I, like a fair proportion of the population, decided to stock up on stamps ahead of the price rise.
Here we are finding the geocache “Clent Eastwood”.
We had a busy day yesterday, attempting to fix a Belkin router which dropped all connections when the wireless mode was set to auto sensing 802.11b/g/n.
Had to call Belkin who advised to turn on wireless protection, and force the modem into 802.11g mode.
Less than 24 hours after the ‘fix’ I heard that there were again problems – this time with the wired PC not getting access to the internet.
Belkin – you just made the list!
I sent an email to my local MP via the writetothem.com service. I had read with some alarm about sketchy plans to intercept communications summary information, so I started trying to research exactly what and how this surveillance was to be obtained.
Here is the email I sent to James Morris (MP).
Dear James Morris,
I have read with alarm the reports regarding a proposal to implement a facility to provide real time monitoring of all communications covering email, social media etc. The same tired reasons keep getting trotted out...terrorism, organised crime. But the more I read, the more concerned I am that the only people affected by this will be the hardworking and law abiding majority.
Real criminals will use secured vpn solutions, or technologies such as TOR. Using such technologies would prevent any surveillance as the connection would be constant. Connections made from this proxy may not fall under the jurisdiction of the UK and would therefore be untraceable.
How would this work with other proxy based solutions - for example gmail.com? Under this proposal I understand that the ISP would record that the user visited gmail.com. Finding out if a mail was sent or received would either require complete access to the web stream, which I would interpret as intercept, or complete cooperation of Google. Considering that Sky provide email from Google, then the answer for criminals is to sign up for sky, or gmail. Does this mean that users of gmail have something to hide? People like:
- Hon Margaret Hodge (hon....@gmail.com)
- Mr Mike Crockart MP (edin...@gmail.com)
- Mr Chris White MP (chri...@gmail.com)
Given that the technology can potentially be circumvented through anonymity networks, or commercial vpn solutions, then the perceived benefits look laughable compared to the potential cost associated with providing what is reported to be real-time access to the data.
I will be looking with interest at the developments surrounding this proposal, and trust that as an advocate for the hard-working people of the black country, you will be as equally concerned as I am.
Yours sincerely
Mike Hingley
and here is the response I got back.
I think it’s worth looking at what James has to say, so in this post I’ll be breaking down the content of his letter section by section. James’s comments are in italic.
*The Government and I are committed to maintaining national security and protecting the public in the face of changing circumstances while continuing to protect civil liberties.*
No – I think not. What is being discussed here is the erosion of civil liberties to facilitate a perceived threat in national security. The proposal is to record all communication between people. It is disingenuous to try and play both sides of the balancing act. This is all about taking from civil liberties and giving to national security. If the government were truly committed to both sides of that equation then something from national security should be bought back for civil liberties – might I suggest that the communication records between ministers be publicly available under this scheme.
*Communications data – information such as who called whom and at what time – is already vital to law enforcement, especially when dealing with organised crime gangs, paedophile rings and terrorist groups.*
These are the same tired reasons that get trotted out whenever the state want to do something – “Won’t somebody think of the children”. Communications Data is available to a wide variety of bodies under the act:
- Charity Commission
- Criminal Cases Review Commission
- Common Services Agency for the Scottish Health Service
- a county council or district council in England, a London borough council, the Common Council of the City of London in its capacity as a local authority, the Council of the Isles of Scilly, and any county council or county borough council in Wales
- Department for Transport, for the purposes of:
  - Marine Accident Investigation Branch
  - Rail Accident Investigation Branch
  - Air Accidents Investigation Branch
  - Maritime and Coastguard Agency
- a district council within the meaning of the Local Government Act (Northern Ireland) 1972
- Department of Agriculture and Rural Development for Northern Ireland
- Department of Enterprise, Trade and Investment for Northern Ireland (for the purposes of Trading Standards)
- Department of Health (for the purposes of the Medicines and Healthcare Products Regulatory Agency)
- Department of Trade and Industry
- Environment Agency
- Financial Services Authority
- a fire and rescue authority
- Fire Authority for Northern Ireland
- Food Standards Agency
- Gambling Commission
- Gangmasters Licensing Authority
- Government Communications Headquarters
- Health and Safety Executive
- HM Revenue and Customs
- Home Office (for the purposes of the UK Border Agency)
- Independent Police Complaints Commission
- Information Commissioner
- a Joint Board where it is a fire authority
- Office of Fair Trading
- The Pensions Regulator
- Office of the Police Ombudsman for Northern Ireland
- Port of Dover Police
- Port of Liverpool Police
- Post Office Investigation Branch
- Postal Services Commission
- NHS ambulance service Trust
- NHS Counter Fraud and Security Management Service
- Northern Ireland Ambulance Service Health and Social Services Trust
- Northern Ireland Health and Social Services Central Services Agency
- Royal Navy Regulating Branch
- Royal Military Police
- Royal Air Force Police
- Scottish Ambulance Service Board
- a Scottish council where it is a fire authority
- Scottish Environment Protection Agency
- Secret Intelligence Service
- Security Service
- Serious Fraud Office
- the special police forces (including the Scottish Drug Enforcement Agency)
- the territorial police forces
- Welsh Ambulance Services NHS Trust
and the reasons don’t have to be national security.
From the Big Brother Watch “Grim RIPA” report we can see that Sandwell Council made 71 RIPA requests between 2009 and 2010. Between 2008 and 2010 135 RIPA requests were authorised by Sandwell Council, resulting in 13 prosecutions. A 9% prosecution rate. If you’re interested, Sandwell made requests about the following:
- Trading Standards
- Anti-Social Behaviour
- Benefits Investigation
- Environmental Protection
*It has played a role in every major Security Service counter-terrorism operation and in 95 per cent of all serious organised crime investigations.*
It may well do, but the majority of cases published all seem to be relating to non counter-terrorism and organised crime.
*But communications technology is changing fast, and criminals and terrorists are increasingly moving away from landlines and mobile telephones to communications on the internet, including voice over internet services like Skype and instant messaging services.*
Interesting that you brought up Skype and IM. If you use IM such as Microsoft’s Live Instant Messaging solution – that can be accessed via a web frontend. To use Live Messenger via the web, point your browser to Microsoft Live and messenger is available as an option on the webpage. Now all this IM communications data (such as establish a connection to so-and-so) is sent via page posts to the server. This proxy makes that communications data subject to intercept. In this instance the communications data would only show Windows Live.
Does IM mean IRC? If so, that might not be tracked, as the connection is between you and the IRC server. Connecting to a channel is (I believe) content data.
In terms of Skype – this is a closed source proprietary solution. It might be that communications data can be recorded from the ISP – However as Skype is a peer-to-peer based network I would suggest that sending data from my machine to someone else’s machine does not mean that I established a connection to that machine. Such a connection could be established by the Skype software internally. For example: when I switch on Skype it establishes connections to all the contacts on my list to see what state they are in. I haven’t performed that communication.
*The Government now estimates that it is now only able to access some 75 percent of the total communications data generated in this country compared with 90 per cent in 2006.*
So the plan is to move towards total access of all communications data?
*Given the pace of technological change, our future capability is very uncertain. That is why, in the Government’s Strategic Defence and Security Review it said it would “introduce a programme to preserve the ability of the security, intelligence and law enforcement agencies to obtain data and intercept communications within the appropriate legal framework.” It also made it clear that in seeking to ensure our law enforcement agencies continue to retain capabilities to protect us from harm, civil liberties would be respected and protected.*
*The Government therefore proposes to require internet companies to collect and store certain additional information, like who an individual has contacted and when, which they may not collect at present.*
*The information will show the context, but not the content, of communications. So we will simply have for internet based communications what we already have for mobile and landline telephone calls. The data will be available only to designated senior officers, on a case-by-case basis, authorised under the Regulation of Investigatory Powers Act, and the process will be overseen by the Interception of Communications Commissioner. It will be available only if it is necessary and proportionate to a criminal investigation. It should be noted that the police and other agencies will have no new powers or capabilities to intercept and read emails or listen to telephone calls and existing arrangements for interception will not be changed.*
This doesn’t work if the protocol you are capturing can be passed through a proxy. In these situations you would need to intercept the content to extract the communications data. Now imagine that the proxy is hosted in a foreign country – (gmail, Hotmail etc) – that could be difficult. You would have to make a request to the server operator (Google / Microsoft ) to retrieve this information, and as they don’t fall under UK jurisdiction.
What would be more interesting would be if the target was running their own webmail system on shared hosting. As the target would be running the server – does that mean that the security services would be making a request to the target to release their own logs?
*No increase in the amount of interceptions is envisaged as a result of this.*
As I said above – if communications data is sent as content to proxies, then to obtain this information will require more intercepts.
*Unlike the previous Government’s proposals there will be no government database and the data recorded will be strictly limited and regulated and will be destroyed after a year. The police and Security Service will not be able to intercept the content of calls and emails, except as now when it is necessary and proportionate as part of an investigation relating to serious crime or national security, and only when they have obtained a warrant signed by a Secretary of State.*
Saying the Government isn’t storing all this data in a big government database is hardly reassuring. All this solution does is place trust in the ISPs to guard the ‘browsing habits’ of their customers. I seem to recall a company (Phorm) using a similar mechanism to target adverts which would be inserted into a web page. It may be a bit cynical, but I can see ISPs informing customers that their browsing habits will be tracked, and their hand is being forced by the law makers. But while we’ve got this browsing information – let’s try and sell you more targeted adverts.
As I’ve already raised above, circumventing this ‘communications data only’ plan seems to be child’s play – for Email / IM a web based proxy turns all communications data into content data, making it inaccessible via these proposals. Linux Format issue 158 even includes a live boot cover DVD containing Tails – a Debian based environment with added security.
*Thank you again for contacting me.*
Other points to raise :
- The Register raised an article here regarding Data Protection issues relating to this proposal to record communication data.
- Communications data is pretty much useless unless you can tie an individual to it – What good is there in knowing that charliebrown172@SomeISP sent an email to snoopydawg188@somewhereelse unless you can convert these email addresses to real identities?
- How would you do that? There’s no national register of email addresses
- The latest episode of Linux Format contains a bootable Tor based Linux distribution, along with counter surveillance techniques
- James’ letter seems awfully similar to one sent to Ben Everard from Peter Luff, the Conservative MP for Mid Worcestershire
- I have emailed my MP to arrange a surgery session, and got the following back :
Dear Mr Hingley
My colleague Samantha has passed me your email. If you are able to give me a telephone number then I will ask James to give you a call at a time that is convenient for you. It would be helpful to know your specific concerns regarding the proposals (and please do bear in mind that at this stage they are just that – proposals) so that James can speak to the relevant people before he answers your questions. Kind regards
- A thought occurs here – it’s a good job that the government and its representatives aren’t looking at the communication content – because it seems that despite the content of my email raising a few points that I thought were interesting, the questions raised within were not answered in his response.