Archive | May, 2015

UK to escalate the war on encryption

The announced UK Investigatory Powers Bill is said to “force some of the world’s biggest internet companies including Google, Apple and Facebook to hand over encrypted messages from terror suspects”. (The Telegraph »)

To be fair, it should be pointed out that this specific part of the bill is said to be limited to “suspects under investigation”. So it’s not about blanket mass surveillance. But I’m sure that is being covered in other parts of the same bill, said to…

…”address ongoing capability gaps” that are hindering the ability of the security services to fight terrorism and other serious crime. (…)

A Home Office spokesman said the bill was a “landmark piece of legislation to cover the whole investigatory powers landscape in modern communications”.

I guess it’s going to be pretty bad. But back to the encryption issue. Ars Technica points out that…

In the face of these demands, some companies might decide to re-design their systems such that it would be impossible for them to break the encryption even if required to do so by law. This facility is already available from companies offering peer-to-peer encryption. If the UK government goes ahead with this plan, we are likely to see this approach being adopted by more communications providers and messaging apps, which would undermine the effectiveness of the proposed law.

So, the effect of far reaching legislation might actually be that it will be harder for authorities to obtain the information they want. Even in legitimate cases.

In the UK, you can be put in prison if you don’t surrender your encryption key to the authorities. But that isn’t much use when it comes to covert surveillance, is it?

With P2P encryption you can legislate as much as you want. It will not work.

This leaving the UK government with one option: To demand all P2P encryption to – somehow – be corrupted by back doors.

That would be a terrible idea. And if at all possible, it would only work with big, commonly used communication apps and systems. I cannot see how anything other than traditional and time consuming code breaking could be used against open source encryption software in P2P communications.

The only option left for the UK government might be to make such encryption illegal. And trust me, this is an option that will be taken under consideration…

The war on encryption is now entering the madcap phase.


The Telegraph: Google and Whatsapp will be forced to hand messages to MI5 »
Ars Technica: New UK law would give government access to encrypted Internet messaging apps »
Ars Technica: The new war on encryption is based on a lie »


Queens Speech and Big Brother

BBC summons up the Queens Speech from todays opening of the British Parliament. Here is what to expect when it comes to Big Brother-related bills…

Extremism Bill

This includes measures to tackle broadcasting of extremist material. The government wants to strengthen watchdog Ofcom so that it can take action against channels that transmit extremist content. The legislation will also propose the introduction of banning orders for extremist organisations who use hate speech in public places, but whose activities fall short of proscription. A new power to allow police and local authorities to close down premises used to support extremism will also feature. And employers will be able to check whether an individual is an extremist and barring them from working with children.

Investigatory Powers Bill

“New legislation will modernise the law on communications data,” the speech said. An Investigatory Powers Bill will revive plans to give intelligence agencies new tools to target communications data – branded a “snooper’s charter” by critics. The government says it will equip the police intelligence agencies with the tools to keep people safe.

…and what is not in the Queen’s Speech?

Although it appears in the Queen’s Speech, there is no legislation, either in full or draft form, on a British Bill of Rights. Instead, ministers will consult on the pros of replacing the Human Rights Act with a new legal framework of rights and responsibilities.

Read more at BBC Queen’s Speech 2015: Bill-by-bill »


Is the NSA to shut down bulk surveillance programs? Maybe not.

The NSA bulk surveillance program is hanging by a thread — as the controversial Patriot Act expires and as US Senate did not manage to adopt a replacement bill (the USA Freedom Act) before its week-long recess.

The Associated Press reports…

“In a chaotic scene during the wee hours of Saturday, Senate Republicans blocked a bill known as the USA Freedom Act, which would have ended the NSA’s bulk collection but preserved its ability to search the records held by the phone companies on a case-by-case basis. The bill was backed by President Barack Obama, House Republicans and the nation’s top law enforcement and intelligence officials.”

There will be an emergency session scheduled for Sunday, May 31st.

This is a cliff hanger. But even if the replacement bill will be adopted, bulk mass surveillance will not end. It will only change form.

The USA Freedom Act obliges telecoms meta data to be kept by the phone companies. This is the same model as in the EU Data Retention Directive. Even though this directive has been invalidated by the European Court of Justice for breaching human rights, it is already implemented in most EU member states.

In many EU countries authorities use data retention on a massive scale and in a rather indiscriminate way. There are even attempts to give the police direct online access to meta data held by the telecoms, in some countries.

So even if the Freedom Act might be adopted it will not be the end of bulk collection of telecoms data in the US. It will not be as bad as the Patriot Act, but still it will be pretty bad.

However, it will be interesting to see what happens if the Freedom Act is not adopted before the Patriot Act expires. In that case the NSA might have to shut down parts of their operation. At least for some time. (For all the public is allowed to know…)

• NSA is getting ready to shut down bulk surveillance programs in response to failed Senate vote »
• NSA winds down once-secret phone-records collection program »

Update: Julian Assange: Despite Congressional Standoff, NSA Has Secret Authority to Continue Spying Unabated »



Mixed US messages on cyber security

In South Korea US Secretary of State John Kerry gave a speech on cyber security and international law earlier this week. Some quotes…

“As I’ve mentioned, the basic rules of international law apply in cyberspace. Acts of aggression are not permissible.”

“First, no country should conduct or knowingly support online activity that intentionally damages or impedes the use of another country’s critical infrastructure. Second, no country should seek either to prevent emergency teams from responding to a cybersecurity incident, or allow its own teams to cause harm. Third, no country should conduct or support cyber-enabled theft of intellectual property, trade secrets, or other confidential business information for commercial gain. Fourth, every country should mitigate malicious cyber activity emanating from its soil, and they should do so in a transparent, accountable and cooperative way. And fifth, every country should do what it can to help states that are victimized by a cyberattack.”

The obvious question is: Does that include the NSA?

Is the alleged NSA attack on the SWIFT bank transfer system a “malicious cyber activity”?

What about all the mischief documented in NSA:s own Powerpoint presentations, revealed to the world by Edward Snowden? Does that count as “malicious cyber activity”?

Might the British GCHQ:s attack on Belgacom and the EU institutions be considered as a “malicious cyber activity”?

The Swedish government (Swedens FRA is a very close partner with NSA and GCHQ) has proposed that Swedish military should be allowed to conduct “active” surveillance — i.e. cyber attacks. (The Snowden files have reviled that Swedish FRA already are involved in such activities, in cooperation with GCHQ. So this is just about adjusting the law to what is actually going on.) Would that count as “malicious cyber activity”?

When John Kerry calls for international rules — would they apply to all countries?

Probably not.


Link: Kerry: Internet ‘Needs Rules to Be Able to Flourish and Work Properly’ »


Pirate Bay domains seized by Swedish court

Today a Swedish district court decided that Pirate Bay founder Fredrik Neij no longer can control the domains and – as they have been used for “illegal activities”.

However – the court does not give the government control over the domains. They stay with the domain top level administrator, the foundation.

On the one hand, it is strange that domain names can be seized. It is like if a street adress would be seized, because of illegal activities carried out there.

On the other hand, it is interesting that the court does not accept the prosecutors demand for the domain names to be handed over to the Swedish government. This still gives top domain administrators some leverage – and indicates that they are not liable for how a domain is used.

But the most important lesson to be learned from todays verdict is that we need to build a decentralised system for domain names — where they cannot be seized or taken down.


Read more: Key Pirate Bay Domains Must Be Seized, Court Rules »


Reframing the surveillance debate

Fighting mass surveillance is somewhat overwhelming.

But it’s not only a matter of laws, legal issues and government policies. It’s also a matter of mindset.

Too often society focus on the negative, just making things worse. The war on terror seems to have created more terrorists. The war on drugs seems to have caused us more drug related problems. And so on.

So, maybe we ought to shift focus from mass surveillance to privacy.

Instead of fighting a flood of new laws, sneaky intelligence organisations, panic-stricken politicians and bully-boy security contractors on details — maybe we ought to take more time to explain why privacy is so important. Instead of primarily focus on specific elements in legislation — maybe we should fight more often on principle.

Of course we will have to fight at both these front lines. But, seriously, it might be a good thing to put more time and energy into the positive side of this issue.

Politicians, security bureaucrats and the security industry will always have an advantage when we fight by their rules, arguing over details in their schemes. But they will have a much harder time defending mass surveillance if the debate is more about respecting or denying the people its right to privacy.

It’s all about reframing the debate.

One way to do this might be to campaign for various parliamentary assemblies to introduce bills and resolutions declaring that there shall be no surveillance aimed at people who are not suspected for breaking the law.

That might put the shoe on the other foot.

It would place politicians in a situation where — instead of pretending to protect the public from some vague dangers — they will have to explain if they are willing to respect citizens fundamental right to privacy or not.

Such an approach could actually make politicians listen, as it might affect peoples willingness to vote for them.



Wikileaks exposes: Bundestag Inquiry into BND and NSA

From Wikileaks…

“Today, Tuesday 12 May, WikiLeaks releases ten months of transcripts from the ongoing German Parliamentary inquiry into NSA activities in Germany. Despite many sessions being technically public, in practice public understanding has been compromised as transcripts have been withheld, recording devices banned and reporters intrusively watched by police.”

“WikiLeaks is releasing 1,380 pages of transcripts from the unclassified sessions, covering 34 witnesses – including 13 concealed witnesses from Germany’s foreign intelligence agency, the Bundesnachrichtendienst (BND). The transcripts cover from the start of the inquiry in May 2014 through to February 2015.” (…)

“One of the biggest scandals to emerge from the inquiry so far is the recent “selector” spy target list scandal where a BND official revealed that the agency was expected to spy on thousands of targets at the instruction of the NSA. These targets included members of the French government and European industry. This put into question Germany’s suitability in taking a leadership role in the European Union. It also showed that international co-operation on mass surveillance, which has been marketed in public as a counter-terrorism measure, is in practice also used by the United States for the purposes of industrial espionage and geopolitical advantage vis-a-vis members of the European Union.”

Wikileaks »

Glyn Moody at TechDirt: Wikileaks Releases Transcript Of German Inquiry Into Growing NSA Spy Scandal »