RIPA: Passwords

RIPA: Demanding passwords for encrypted data

RIPA has been complained about by many commentators (this site included), mainly because the powers under RIPA have been repeatedly misused.

But the compaints are not just the liberals and the bloggers. Conservatives have complained, former spooks have complained, and there was an announcement that RIPA powers were to be reviewed by the government.

While complaints about the idiots in councils have been going for years, other parts of RIPA, Section 49, have been enacted, deployed, and people arrested and convicted.

Section 49 of RIPA allows police/law enforcement agencies/security services/military to demand access to encrypted data.  Section 53 allows people to be convicted if they  fail to disclose this information.

Because of the far reaching powers the laws have been considered a threat to civil liberties. While this site normally rallies against such abuses, sadly in this case, the goverment may have a point.

Encryption is easy to do. The phenonmenal tool TrueCrypt provides amazing security, with many major firms using it. The security itself is effectively impenatrable (by currently acknolwedged computering capabilities) but this does not mean that the data cannot be accessed by other methods, e.g. guessing the password, obtaining the password, etc.

In fact this tool is so easy to use that if you can’t use it you probably can’t use a computer and so don’t have anything on a computer to protect.

The security of tools like TrueCrypt, are not like the EFS, in Windows,  which is easily defeated. If the password and keys for TrueCrypt are secure then the data is protected from all eyse, the police included. Hence the invention of Section 49.

If a suspected criminal has encrypted data, and does not provide the password, then what should the police do.

Does this secenario require RIPA? (Much of the information below is based on a real case).

Two men moved into an area, where police intelligence showed that they were linked to a peadophile network. They had previous convictions for sexual assualt, ABH, GBH, and arson. One of the men’s fingerprints was found on a horrific child abuse video, recovered elsewhere.  There was nothing to show he owned it and the defence was they he could have handled it but not known what it was, e.g. at a car boot sale, in passing, at another persons house, etc.

The men were very survelliance aware. Their windows were all covered up, with paper or curtains, and had  good security systems installed. They changed their cars regulary, almost monthly. If anybody they did not know was seen in their street they would challenge them, and ask who they were. And they had toys. Lots of toys. Toys in the garden. Toys in the house. They had no children. They also met  and associated with convicted peadophiles

These men are nasty people, there convictions alone show this. But they are not, technically, doing anything wrong at the moment.

Should they be put under survellience, to see what else goes on, if anything? Should the police be pro-active or wait until there is a claim of rape by a child? The former would seem the most prudent, and this is what RIPA is for.

What if the police receive more  intelligence, prior to an actual assault, strong enough to allow a warrant on the house and the sieze a computer. While searching the computer they find the following:

  • Fragments of data showing searches relating to child abuse images
  • Use of data wiping tools
  • Fragments file names that imply child abuse images
  • A true crypt volume
  • No actual images of child abuse

At this point the police have no evidence to convict, nothing that can be used. But, if they could access the Truecrypt volume, they may have so much more.

This case is relativel clear cut, but still has moral delimas for some. They have not done anything, so why should they have to hand over information. There is an ingrained right to slience. There is a right to not self convict.  If they have to give up their rights to silence, we all have to.

The problem is that the police and councils, have individuals who chose to bend the laws, and push them to extremes, for their own agenda, and not what they were intended for.

The use of RIPA, and section 49, is not going to be wrong in all cases, but unfortunately too often it has been misused by too many people, that there is now a lack of faith in the law(s) and the government.


RIPA: Councils Powers to be Reviewed

It was announced on Thursday 16th April that councils were to be limited in the use of RIPA powers.  Sadly, there is no immediate restriction of the use of RIPA, as many sites have reported, but only a planned review, with the potentail to restrict the laws.

The fact that a review is occur comes after a major investigation in privacy and Surveillance by the House of Lords, which recommended exactly this, on the back of numerous misuses of  RIPA.

But, looking at the transcript of Jaqui Smiths statement, does not bode well for the future. Ms Smith stated, “I .. want to make sure that there is proper oversight of the use of these powers which is why I am considering creating a role for elected councillors in overseeing the way in which local authorities use RIPA techniques.”

In the same speechm she also stated “The government has absolutely no interest in spying on law-abiding people going about their everyday lives“, this statment comes from the Home Secreary of a government that introduced laws to monitor peoples emails, web activity, collect DNA, and fingerprints of innocent people, and created the most comprehensive CCTV survellience state in the world.

The idea that elected councillors, the very ones who allow this activity to occur in their councils, would provide any sort of oversight is ludicrous. Local councillors, on average, take home £4000 a year(that’s four thousand, not fourty thousand), this is hardly a financial incentive to behave responsibly, and councillors are elected with an incredibly low percentage of the public.  In fact the day after the Government stated it was going to review the use of survellience, there was a protest in Peterborough, as councillors were trying to force CCTV inside taxis.

Posted in RIPA. Tags: , , , . 1 Comment »

RIPA: Misuse contines….

According to the latest numbers reported about RIPA, the problem of counciles over stepping their remit, and possibly the law, is continuing.

This is despite the numerous reports and calls for the use of RIPA by counciles to be reduced, including: 

Some of the petty uses of RIPA include:

Some senior politicians and lawyers have even suggested that the councils use of RIPA could be illegal, but nothing changes

Data Retention: Email, Email Monitoring and ISPs

Following the recent news articles covering the issues of the government monitoring personal emails, storing personal data, and data retention,  numerous questions have arisen. This article attempts to answer these questions:

What powers does the UK government have to monitor emails at the moment?

Currently most of the powers for monitoring of data come from the Regulation of Interception Powers Act 2000 (RIPA). Which amongst, other things, allows for the interception of communications data.

RIPA requires that ISPs maintain the ability to allow for interception

The Anti-Terrorism, Crime and Security Act provides guidelines for data retention, though it is currently voluntary. The powers under this act have been condemned for overuse, even by the current government.

Do ISPs currently store data?

Yes, they do. There are two reasons for this.

Commercial reasons, obviously the more data they have about individual’s habits the better they can hone their service, and marketing.

Anti-Terrorism, Crime and Security Act. Currently the government has a voluntary code of practice, whereby the ISPs voluntarily collect the data

Who can currently authorize the monitoring of emails?

The authority to monitor emails and intercept communications comes from different people, depending on where the request comes from. For example, if MI5 or MI6 want to intercept communications need the permission of the Secretary of State (Home Secretary). The police, however, only require the permission of survelliance commissioner, under Section 36 of RIPA.

How are the emails intercepted?

Emails are currently intercepted via the ISP (Internet Service Provider). Technical details about this are not released. In the press the method of interception are referred to as “black boxes” at the ISP. In all probability these black boxes are an advanced a network tap/packet sniffer, which pulls out all of the required information for a given protocol. This data i  then probably stored/cached with the ISP and then sent to the government or maintained at the ISP for searching at the location. The latter model would be the more secure, so the government has probably gone for the former. The data is almost certainly indexed, which means that searches would be realtivley quick, seconds rather than days or months.

The ISPs are required under RIPA to provide the ability to maintain interception capability. This means that the government, when required, can monitor any person’s internet activity.

The police also have the powers to access personal computers directly, and covertly. This type of access would allow the monitoring of emails, as well as internet access, screen shots; even key strokes can be recorded.

What new laws are being created to monitor emails?

The government is not actually creating new laws, but rather a statutory instrument. This means that an act of parliament is not required

The statuary instrument, Data Retention (EC Directive) Regulations SI 2007/2199, issued in the UK is based on the EU directive 2006/24/EC which states, under Article 5, what data must be retained.

 EU directive 2006/24/EC, is a European directive the UK are required to transpose it into UK law.

6) What information will the government be collecting from the emails?

a. Currently the plans are to only collect the header information from the emails. i.e. The “To”, “From”, “BCC”, “Subject”, as well as information in the email about IP address it was sent from, how it was sent (Thunderbird, Outlook). This information is known as “traffic” data.

b. Article 5 of the EU directive states that content of the email should not be retained.

7) What is the difference between “traffic” and “communciations” data

a. Traffic” data is information about data that is being transmitted, e.g. IP addresses, phone numbers, to, from etc. This defined by RIPA and more information is available here

b. Communications” data is the actual body of the data package being sent.

c. Example. If an email was sent from Person A to Person B, the information about Person A, IP address, email address, subject of the email, and the email of Person B would be the “traffic” data. But the content of the actual email, the message, would be the “content”.

8 ) Will the government be reading the content of the email or header?

a. Currently the UK Government is only planning to store the “traffic” data, i.e. the header information. It should be emphasized that while only traffic data is stored both content and traffic can be intercepted and can be monitored

9) How long will the email data be retained for?

a. This email header information is to be detained for 12 months (1 year), minimum. But no more than 24 months (2 years).

b. This figure comes from the Data Retention (EC Directive) Regulations SI 2007/2199, which states that: [Email Traffic] data must be retained for a period of 12 months, in accordance with regulation 4(2). The data must be stored in accordance with the requirements in regulation 7.

10) Why did the government change the laws?

a. The government changed the laws for several different reasons, depending on your political perspective. Some of the documented reasons are below:

b. The EU Directive, in March 2006,  required nation states to have greater monitoring of email and internet traffic

c. Based on the EU Directive, the UK transposed this into UK law, via the statutory instrument 2007/2199

d. In December 2007 the UK government published a document entitled the Next Generation Telecoms Networks. This pointed out the failings of RIPA, because as networks have become more and more capable, it has been harder to monitor the communications traffic. The document states: “Under the Regulation of Investigatory Powers Act 2000,communications providers must allow lawful interception by police and intelligence services where reasonably practicable. This may become more difficult with NGNs. A phone call over the PSTN can be intercepted with a tap anywhere along the line dedicated to the call, but in an NGN, packets may travel along many different paths. However, there are points where traffic can be intercepted, and 21CN will allow lawful interception. The Home Office’s Interception Modernisation Programme aims to ensure that NGNs and other developments in communications do not impede lawful interception”

e. In short, the government feels it is losing control of the communications and want to able to tap into communications anywhere at anytime.

11) How much will this cost?

a. The current estimates for the Interception Modernisation Programme are estimated at £12 billion. But, as with all government projects, particularly IT projects, these figure can expect to increase radically. It will no doubt be closer to £20 billion before its finished

12) Has the government ever misused data it has collected before?

a. Yes, lots and regularly. In fact most databases appear to have been misused at sometime or another. Examples of data misuse are here.

13) Could the government lose the email data, or will it be secure?

a. It’s been reported on numerous occasions that the government has lost data many many times. Examples of data loss are here.

14) How much information can the government obtained from just the email addresses?

a. A lot. From the email subject, IP addresses, and email addresses the government will be able to generate a lot useful information. They will be able to build up who is talking to who, frequency of communication and link those to IP addresses.

b. Cross referencing the email addresses with searches on forums, social networking sites, and other databases will bring together greater information for the government to data mine.

c. The IP addresses alone can be used to great effect, and combined with entries in the search engine databases, i..e who has been searching for what, they can tell a lot about the user.

d. Finally, and perhaps most importantly, the email addresses, will build up a network of contacts for each person and so could be used for a fishing expedition.

e. The commonly held belief of a maximum “Six Degrees of separation” between any two pepople, which has been shown to be true on several occasions, could be used against any person using email. Based on the “6 degrees theory” it stands to reason that any person in the UK is linked to a “terrorist” by, at most, 6 other people. With the onset of huge social networking sites, mass emails, and bookmarking sites, its likely that many people will receive an email or be connected to a terrorist within a couple of steps. I.e. a perfectly innocent person may be just 1 step away from somebody involved with an extremist group. This would give the police the power to intercept the innocent individuals email, both content and traffic data as they are “linked” to the terrorsist.

15) How can I avoid my emails being read?

a. The technology to be put in place (or already in place). Allows the government to retain data on email traffic, but monitor email content as and when required. This cannot be stopped, but security can be put in place.

b. You can’t hide your email address nor can this be encrypted, it has to be sent in plain text (it’s the nature of the internet). But you can try using multiple email accounts, one for work friends, one for network friends, one for purchases, etc. Doing this makes it harder to link your different groups together; but not impossible

c. Encrypt your email content. You cannot encrypt the email traffic, but you can encrypt the content.

d. Use none-decrypt subject titles: The subject title will be an important part of the traffic data, but if you are use none-descript ones e.g “Test1” “Test2”, then this will make it harder to understand what you are talking about. Remove the “Re” or “Fw” from the subject title, this again limits the information available from monitoring the subject title

e. Change your IP address: Currently all the tools available to the public, e.g. Tor, only hide your IP address for web browsing not for email. Therefore your true IP address will still be recorded when you use your email. But, by hiding your IP address in web browsing it is harder to link your web browsing to your emailing.



How Can The Police Legally “Hack” Into Computers?

On 5th January 2009, the BBC published an article stating how the  police are to be encouraged to  “hack” into personal computers, for the purposes of investigation, following an EU report on the subject. This statement raises many questions, not least of which is:

“How can the police legally hack into my computer?”

Firstly the actual EU report,that the BBC mentions, its not quite as explosive as implied by the BBC. The report, entitled “Council Conclusions on a Concerted Work Strategy and Practical Measures Against Cybercrime” states that “If necessary, the European platform could be a tool for …….facilitating remote searches if provided for under national law” (emphasis added).

The EU does not provide for covert searches and surveillance,  but instead thinks this is an effective method of investigating computer crime, and suggests  member states use whatever laws they have available.

This still leaves the question of What laws are available to the UK Police for covert computer searches?

The UK Police don’t have much to say on the issue, with very little documentation produced by the advisory body  known as the Association of Chief of Police Offices – ACPO  – on the subject of . In 2005 ACPO did release the National Intelligence Model which only has this to say about covert operations:

Covert operational teams are regularly deployed within communities and in the investigation of  serious crimes. In addition to gathering operation-specific information, unrelated information will also be generated. This must also be recorded and evaluated following the principles for managing and sanitising confidential information

ACPO has even less to say on the subject of covert searches:

“Covert searches – surveillance authorities may be required – collection of personal data by covert means.”

In 1997 the at the reading of the Police Bill in the House of Lords the subject of covert searches was discussed:

Surveillance and covert searches are likely to be authorised if a chief constable thinks that they are necessary; they would then be approved by one of the commissioners

But the Police Bill was superseed by RIPA (2000), which allows for all sorts of methods survellliance, phone tapes, and intrusive survelleiance. It these survelliance power that allow  the police to search computers remotely (i.e hack computers),  as this law providers for covert and intrusive searches.

The Home Office document, Covert Surveillance – Code of Practice, produced as a guide for the police to use RIPA, states this:

5.6 In many cases, a surveillance investigation or operation may
involve both intrusive surveillance and entry on or interference with
property or with wireless telegraphy. In such cases, both activities
need authorisation. This can be done as a combined authorisation (see
paragraph 2.11).

It then goes on to state this about who can authorize this:

5.7 An authorisation for intrusive surveillance may be issued by the Secretary of State (for the intelligence services, the Ministry of Defence, HM Forces and any other public authority designated under section 41(l)) or by a senior authorising officer (for police, NCIS, NCS and HMCE).

5.10 The senior authorising officer should generally give authorisations in writing. However, in urgent cases, they may be given orally. Urgent oral case, a statement that the senior authorising officer expressly authorised the conduct should be recorded in writing applicant as soon as is reasonably practicable.

5.11 If the senior authorising officer is absent then as provided section 12(4) of the Police Act 1996, section 5(4) of the Police (Scotland) Act 1967, section 25 of the City of London Police or sections 8 or 54 of the 1997 Act, an authorisation can be given writing or, in urgent cases, orally by the designated deputy.

5.12 In an urgent case, where it is not reasonably practicable regard to the urgency of the case for the designated deputy to consider the application, a written authorisation may be granted  person entitled to act under section 34(4) of the 2000 Act.

There is no doubt that RIPA provides the police with much needed powers, but it has also been miused many times. Both by the police and more commonly by councils. In fact there were so many occurences of RIPA being misused at a local level, the central government had to warn the councils to stop misusing the powers in this way.

This is not the issue of if the powers are needed, or if they will be misused, we know the powers are needed, but we also know they will be misused. Whenever people are given access to data and survelliance, there will always misuse it, it is, sadly a fact of life.

The issue is do we want the goverments exectuve agencies (and councils) to have these powers, knowing they will misuse them? Is that a balanced risk?

RIPA: South Wales Police (2008)

The issue of councils misusing RIPA has been reported numerous of time.

However, the South Wales police have taken it one step further. In 2008 they spent around £100,000 on following one of their fellow officer’s, while he was at home, on sick leave. South Wales Police alleged that P.c. Mark Pugh, who was on sick leave, was not really sick and so was not entitled to all the benefits.

The surveillance conducted against Pc Pugh included filming him taking out bins from his house and going to rugby matches. A total of 11 officers from South Wales and Dyfed-Powys police forces were used to spy on PC Pugh for months. This work would have required RIPA to be used.

While nobody likes a lazy person claiming benefits (not that Pc Pugh appears to have been that), is it proportional to put vans outside of somebodies home, at a cost of £100,000? The police could only do this, because they had such an array capabilities at their disposal. No normal company would ever be able to consider such an operation.

What makes this worse is that Pc Pugh was off work as he had mental health issues. After being involved in a large scale riot he had been diagnosed with depression and had been suicidal, as such he was under the supervision of a psychiatrist.

While the video footage of PC Pugh showed that he had been playing rugby, and moving around normally, this did not show he was mentally well.

You can’t measure sanity with video taken by surveillance offices, any more than you can with a thermometer! The courts thought the same and said that evidence against PC Pugh was not valid.

Surveillance Ruling

On 1st July 2008 at the  European Court of Human Rights in the case of Liberty & Other Organisations v. the United Kingdom (case reference 58243/00) the court found against the UK Government.

The ECHR found that UK surveillance laws lacked the necessary clarity and accountability to prevent abuses of power when used to intercept cross-border communications.

The complaint brought by Liberty stated that:

Relying on Articles 8 (right to respect for correspondence) and 13 (right to an effective remedy), the applicants complained about the interception of their communications.

The court agreed with Liberty that both the surveillance and the practice of surveillance must be tighter to protect individual privacy rights.

Decision of the Court

Article 8

The Court recalled that it had previously found that the mere existence of legislation which allowed communications to be monitored secretly had entailed a surveillance threat for all those to whom the legislation might be applied. In the applicants’ case, the Court therefore found that there had been an interference with their rights as guaranteed by Article 8.

Section 3(2) of the 1985 Act allowed the British authorities extremely broad discretion to intercept communications between the United Kingdom and an external receiver, namely the interception of “such external communications as described in the warrant”.

Indeed, that discretion was virtually unlimited. Warrants under section 3(2) of the 1985 Act covered very broad classes of communications. In their observations to the Court, the British Government accepted that, in principle, any person who sent or received any form of telecommunication outside the British Islands during the period in question could have had their communication intercepted under a section 3(2) warrant. Furthermore, under the 1985 Act, the authorities had wide discretion to decide which communications, out of the total volume of those physically captured, were listened to or read.

Under section 6 of the 1985 Act, the Secretary of State was obliged to “make such arrangements as he consider[ed] necessary” to ensure a safeguard against abuse of power in the selection process for the examination, dissemination and storage of intercepted material. Although during the relevant period there had been internal regulations, manuals and instructions to provide for procedures to protect against abuse of power, and although the Commissioner appointed under the 1985 Act to oversee its workings had reported each year that the “arrangements” were satisfactory, the nature of those “arrangements” had not been contained in legislation or otherwise made available to the public.

Lastly, the Court noted the British Government’s concern that the publication of information regarding those arrangements during the period in question might have damaged the efficiency of the intelligence-gathering system or given rise to a security risk. However, in the United Kingdom, extensive extracts from the Interception of Communications Code of Practice were now in the public domain, which suggested that it was possible for the State to make public certain details about the operation of a scheme of external surveillance without compromising national security.

In conclusion, the Court considered that the domestic law at the relevant time had not indicated with sufficient clarity, so as to provide adequate protection against abuse of power, the scope or manner of exercise of the very wide discretion conferred on the State to intercept and examine external communications. In particular, it had not set out in a form accessible to the public any indication of the procedure to be followed for examining, sharing, storing and destroying intercepted material.

The interference with the applicants’ rights had not therefore been “in accordance with the law”, in violation of Article 8.

Article 13

The Court did not consider it necessary to examine separately the complaint under Article 13.

This ruling calls into the question that fact the the UK government can monitor any communication at any time, though this is positive ruling for privacy advocates it is unlikely to systems like Echelon.

Press Release by Liberty