Thanks to Mike R for kicking me about the formatting.
23 August 2012
In response to the call for written evidence on the Communications Data Bill, I submit the following:
My name is Alec Muffett. I have worked in Information Technology since 1988, and I specialise in system and network security.
Notably for the period 1992 to 2009 I worked for Sun Microsystems, a major hardware manufacturer now owned by Oracle; for the final 10 years of that employment I rose to be Principal Engineer and Chief Architect for Security for Sun’s European "Professional Services" team – selling, designing and implementing complete solutions for financial services organisations and internet services providers including the likes of CRESTCo, Deutsche Bank, Credit Suisse, RBS, Ericsson, and the UK, Spanish and Portuguese subsidiaries of Vodafone.
I now work diversely as an independent cybersecurity consultant, a part-time security officer for a social software SME, blog on security issues both personally and at Computerworld UK, and I am a director of the Open Rights Group.
In light of this diversity I submit this work on my own behalf.
I have read the submission made by Glyn Moody, which he has reprinted in Computerworld, and I see no value in addressing the points that have already been covered in that submission, other than to recommend them most highly as correct and worthy of consideration.
Following a cue from other discussion of the bill, I shall use the term Content Service Providers (CSPs) broadly, including firms that would more typically be referred to as Internet Service Providers (ISPs) – as well as including the likes of Google, Yahoo, Microsoft, etc, under that umbrella.
anti-competitive business landscape
negative impacts of regulation
small/medium enterprise communications providers
inhibiting business agility and growth
conflict of strategic interest
I would like to submit the following evidence:
On the Risks of CCDP Architecture
1. That in abandoning the former architecture suggested by the Interception Modernisation Programme (IMP) – that of building an Orwellian "centralised" database – in favour of a more media-friendly but equally Orwellian "distributed" database, the Communications Capabilities Development Programme (CCDP) greatly magnifies the information security management risks inherent in that system.
2. Therefore the costs are at least equally magnified; where once there was a nominally "single" database with centralised information security management there may now be a hundred with independent management and access controls; therefore the risks are multiplied by at least a hundred, and the cost of managing those risks will increase by a proportional factor.
3. Therefore it seems highly implausible that the Home Office quoted £2bn to implement IMP and yet now quotes a lesser figure of £1.8bn to implement CCDP.
4. So my answer to question 9 (Is the estimated cost of £1.8bn over 10 years realistic?) is "No, most definitely not, even allowing for Moore’s Law because that will simultaneously be working to aid communicators and interceptors both".
On the Equality of CCDP to its forebear
5. Of course it is facile to sketch the IMP implementation as having ever been designed around a truly centralised database; to do so would require that for every N gigabits of network bandwidth between two arbitrary points in Britain (Glasgow and Edinburgh, say) there would have to be a second, equally-sized, dedicated N gigabits of network bandwidth just to carry a copy of that data to Cheltenham.
6. So for IMP a copy of the entire British Internet would also have to flow to Cheltenham, an architecture which would not be tenable.
7. Therefore IMP must always have been based upon deploying distributed sensors performing data reduction and filtering before passing the data back to a controller, a system structurally identical to CCDP, putting the lie to the suggestion that they are in any way significantly different proposals.
8. So my answer to question 3 (How do the proposals in the draft Bill fit within the wider landscape on intrusion into individuals’ privacy?) is that "CCDP is the same as IMP, and should be entirely thrown out in the same way and for the same reasons."
On CCDP’s impact upon CSP technical implementation and profit margin
9. So the proposals are now for distributed databases at each Communication Service Provider (CSP), somehow at a reduced cost; the only way to achieve this is to gradually pass costs of the hardware onto the CSPs. This will lead to three obvious scenarios:
10. Large, well-funded CSPs will absorb the costs and manage their responsibilities towards the interception devices with reasonable care, including locked hardware cages, restricted access to interception equipment hardware, security-cleared staff, etc.
11. Virtual CSPs (for instance, Tesco’s ISP service) resell the services of large CSPs and therefore will be "covered" for compliant interception capability somewhat automatically – so long as we can assume that mechanisms exist that can tie a Tesco user’s information to the identity of traffic travelling upon the underlying CSP network.
12. Small to Medium CSPs will be faced with a challenge: the cost of obtaining and installing interception hardware and of setting up special controls – hardware cages, restricted access, security clearances – will be a burden on capital and operational expenditure, making significant impact upon business margins.
13. This is because security costs money to implement properly.
14. But once installed at the Small/Medium CSP, the interception hardware will also impact upon creative network architecture; in a microcosm of the "Edinburgh/Glasgow" point above, a copy of all of the CSP’s traffic will have to flow to the interception devices.
15. To an enterprise network architect this is akin to entering a boxing ring with a ball-and-chain secured to one ankle; it impacts your ability to make optimal use of the hardware that you have budgeted for and purchased because you are handicapped by government mandate – always having to bear in mind that one must not tithe but in fact wholly duplicate traffic flows so that the interception box may have its due; and that you must integrate your shiny new hi-tech network with inherently "legacy" (ie: somewhat archaic) approved interception hardware.
16. Also: Moore’s Law does not (yet) stand still, so technology deployed to permit sufficient interception today will be overwhelmed in a year, perhaps three; so the ball-and-chain will have to be regularly replaced even if we quit boxing and instead take up the 4x400m Men’s Relay – in which case multiple balls-with-chain will be suddenly required, and possibly disposed of if the architecture is backed-out due to failure.
17. So my answer to question 24 (Are the proposals for the filtering arrangements clear, appropriate and technically feasible?) is that irrespective of their feasibility the proposals are not appropriate and will negatively impact innovation at some of the places where Britain needs it most, viz: the SME Communications Sector.
18. The large CSPs understand this and are somewhat proof against it by virtue of their maturity and size, and thus are more than happy for the Government to deploy this inherently anti-competitive measure against those who might replace them by virtue of technical innovation in service provision.
On the Cost to the Consumer
19. So it should be clear that the costs of CCDP are eventually borne fourfold by the consumer: in extra service charges, in extra tax upon the same, in lost innovation and in lost competition.
On Intercept Data Remanence and Leakage
20. To return to the many interception devices; even if they become "virtual" devices that are somehow "in the cloud" they must still store their data somewhere, and through this diversity and frequent upgrading and replacement of interception devices it is inevitable that the data will eventually fall into the hands of the general public – either by error (selling old hard disks on Ebay) or malice (paying-off a supposedly trusted employee).
21. It goes without saying that such data is valuable; the fact that a particular IP address – corresponding to a famous footballer – repeatedly visits a particular pornographic website is easily a tabloid headline and therefore of value.
22. It is possible of course to mitigate some of these risks through encryption, but then the question becomes one of where are the encryption keys kept? – if on the same hard disks then the decryption of the footballer’s pornography habit is open to any journalist.
23. Or alternately "Hardware Security Modules" and other "Trusted" devices could be deployed to keep the keys, but this pushes up the cost of each interception device, and the complexity of managing it also – so once again we look askance at that £1.8bn figure and wonder where the cost of doing security "properly" is hidden?
24. So my answer to question 22 (Does the technology exist to enable communications service providers to capture communications data reliably, store it safely and separate it from communications content?) is "Perhaps, but my suspicion is ‘not at that price point’ and ‘not with this distributed architecture and ownership’", and I further repeat that it is not necessary to see the actual content in order to write, blog or tweet a story that Footballer X is visiting Porn Site Y every Friday Night.
25. And my answer to question 23 (How safely can communications data be stored?) is "Very safely, but you’ll have to pay rather more than £1.8bn to do it properly, and you would have to inhibit any change, progress or innovation within the CSP industry because the churn of technology will throw up the chaff of disposed interception equipment, ripe for amateur analysis."
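Paragraphs 22 to 25 turn on a single point: encryption of retained data only mitigates disk-disposal and insider leakage if the key is held somewhere the disk is not. The following is an added illustration (my own example code, not part of the original submission and not any CSP's or vendor's implementation) that models both cases. The "disk" is a dictionary standing in for a disk image, the KeyStore class stands in for an HSM or other physically separate key holder, the sample records are constructed (RFC 5737 documentation addresses), and the cipher is HMAC-SHA256 run in counter mode with an encrypt-then-MAC tag, chosen only so the example runs on the Python standard library; a real deployment would use a vetted AEAD. It also shows the consequence of zeroising the key in the key store: every disk ever written under that key becomes unreadable, which is the mitigation for the "chaff of disposed interception equipment" in paragraph 25.

```python
import hashlib
import hmac
import secrets

# Constructed sample "communications data" rows (documentation-range IPs).
SAMPLE_RECORDS = [
    b"2012-08-23T21:02:11Z 198.51.100.7 -> 203.0.113.9:443",
    b"2012-08-23T21:02:15Z 198.51.100.7 -> 203.0.113.42:443",
    b"2012-08-23T21:07:58Z 198.51.100.21 -> 203.0.113.9:443",
]

NONCE_LEN, TAG_LEN = 16, 32


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with HMAC-SHA256 run in counter mode.  A PRF keystream used
    here only to stay on the standard library; not a vetted cipher."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(p ^ k for p, k in zip(data, out))


def _subkeys(master: bytes):
    # Separate encryption and MAC keys derived from one 32-byte master key.
    return (hashlib.sha256(b"enc" + master).digest(),
            hashlib.sha256(b"mac" + master).digest())


def encrypt_record(master: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(master)
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = _keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_record(master: bytes, blob: bytes) -> bytes:
    """Verifies the tag before decrypting; raises ValueError on tampering
    or a wrong key."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("record too short")
    enc_key, mac_key = _subkeys(master)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("record tampered with or wrong key")
    return _keystream_xor(enc_key, nonce, ciphertext)


class KeyStore:
    """Stand-in for an HSM: the key never leaves this object, and it can be
    zeroised (crypto-shredding) when equipment is retired."""

    def __init__(self):
        self._key = secrets.token_bytes(32)

    def encrypt(self, plaintext: bytes) -> bytes:
        return encrypt_record(self._require_key(), plaintext)

    def decrypt(self, blob: bytes) -> bytes:
        return decrypt_record(self._require_key(), blob)

    def destroy(self) -> None:
        self._key = None

    def _require_key(self) -> bytes:
        if self._key is None:
            raise RuntimeError("key destroyed; data written under it is unrecoverable")
        return self._key


def build_colocated_disk(records):
    """Paragraph 22's failure case: the key sits on the same disk as the data."""
    key = secrets.token_bytes(32)
    return {"records.enc": [encrypt_record(key, r) for r in records], "key.bin": key}


def build_separated_disk(records, keystore: KeyStore):
    """Paragraph 23's case: the disk carries ciphertext only; the key lives elsewhere."""
    return {"records.enc": [keystore.encrypt(r) for r in records]}


def recover_from_disk_image(disk):
    """What a holder of only the disposed disk can read: every record if the
    key was on the disk, nothing (None) if it was not."""
    key = disk.get("key.bin")
    if key is None:
        return None
    return [decrypt_record(key, blob) for blob in disk["records.enc"]]


def read_with_keystore(disk, keystore: KeyStore):
    """The legitimate read path: disk plus separately held key."""
    return [keystore.decrypt(blob) for blob in disk["records.enc"]]


if __name__ == "__main__":
    print("key on disk  :", recover_from_disk_image(build_colocated_disk(SAMPLE_RECORDS)))
    ks = KeyStore()
    disk = build_separated_disk(SAMPLE_RECORDS, ks)
    print("key separate :", recover_from_disk_image(disk))
    ks.destroy()
    print("after shred  : legitimate reads now fail too")
```

The model deliberately says nothing about the strength of the cipher: with the key on the disk, the colocated case leaks every record regardless of algorithm, which is why the cost question in paragraph 23 is about key custody (HSMs and the people and processes around them) rather than about encryption itself.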
On Technical Measures to Crack Encryption on behalf of Snooping
26. My answer to question 26 (Are there concerns about the consequences of decryption?) would include "Would Parliament assent to the security services decrypting and taking a copy of all HTTPS/SSL-encrypted web traffic leaving the Houses of Parliament?", but that might be considered flip, so I’ll just say "yes" and note that others than members of Parliament might feel similarly; see also the Select Committee report referenced below.
On the capability to circumvent Interception
27. My answer to question 25 (How easy will it be for individuals or organisations to circumvent the measures in the draft Bill ?) is "Trivially easy; the technologies already exist, are widely deployed, essential tools for the liberty of citizens of repressive regimes, and will only get better and more numerous with time."
28. To ban these tools would be highly retrogressive, technically infeasible, set a bad precedent globally, and be disastrous for liberty.
On New Privacy Technology
29. Thus: because of the two scenarios outlined below I appeal to the committee to please revolt against the notion that there is ever a situation where security measures taken by individuals and organisations can ever be "too good".
31. It is of course very easy to have "too much" security – a suffocating problem that one might encounter at (say) an American airport; but that is not the same as security which is "too good".
32. Security can never be too good.
33. Underscoring CCDP (and its brethren) is the assumption that the Government needs to, indeed must have visibility not only of the fact of communication between two computers, but also that it needs to / must have visibility of (some) content of that communication, howeverso protected.
34. This assumption is evidenced by the very fact that question 26 (re: decryption) was asked in this call for evidence.
35. This assumption is misconceived, and in fact unwise.
36. The Internet – cyberspace – is a digital, on-or-off, one-or-zero, do-or-not-do place, where one’s ability to attack another’s system is largely a function of knowledge, understanding, competence and luck rather than logistics, and where natural defences such as the English Channel do not exist. In Westminster’s cyberspace one is as far from Tobermory as Moscow, and individual actors may appear as large and relevant as nation states.
37. Thus I am concerned that beyond the Government’s helping itself to any data that is now openly available on the Internet, and/or any data which it might coerce from regulation of Internet business, its next logical step would be to prohibit adoption of technologies which restore absolute privacy to individuals and organisations.
38. We have seen such attempts before, with "Mandatory Key Escrow" in the late 1990s, demanding that everyone surrender copies of their SSL keys so that the security services could peep into everyone’s encrypted transactions.
39. So it strikes me that the future will contain an either/or scenario:
40. Either the security services learn to adapt to a world where there simply are some forms of data which they are not in a position to know, learn or demand, and thereby evolve alternative strategies to work around this – just as they did previously with the failure of Mandatory Key Escrow, and could do with the abandonment of CCDP.
41. Or else the Government to some extent bans its citizens from having strong security and privacy – from having security that is too good – thereby undesirably reducing the resistance of the British populace as a whole to cyberattack from the rest of the world, with the inevitable side-effect that the security services never evolve their skill set beyond "how to demand data from third parties".
42. The third option, of course, is to muddle along somewhere in the middle, trying to ignore the inevitable rise of internet privacy tools that are effectively interception-proof by virtue of being too good.
43. But that’s what we’re currently doing, isn’t it?
See: The Googlisation of Surveillance – blogs.computerworlduk.com/open-enterprise/2012/08/submission-on-uk-governments-snooping-bill/index.htm
See: How the Great Firewall of China is Blocking Tor – www.cs.kau.se/philwint/pdf/foci2012.pdf
See: How governments have tried to block Tor – www.youtube.com/watch?v=GwMr8Xl7JMQ (video of public lecture)
See: Select Committee on Trade and Industry Seventh Report – www.parliament.the-stationery-office.co.uk/pa/cm199899/cmselect/cmtrdind/187/18713.htm, which from 1998 strongly reflects much discussion that now surrounds IMP/CCDP