A Snooper’s Charter

Most people by now will be aware of the Communications Capabilities Development Programme, A.K.A CCDP. Despite denials to the contrary this would appear to represent an expansion of the state and their powers to spy on us. The presumption of innocence disappears and we’re all treated as suspects.

What’s even more worrying however are the lies being told to Lib Dem MPs in order to get them to support these measures. One begins to wonder what lies have been told to conservative MPs in order to get them to behave and toe the party line. In addition to this we have policemen apparently conspiring with the media to spy on people, and SOCA getting involved in enforcing law for offenses that are not serious, organised nor criminal (copyright offenses come under civil rather than criminal law).

I would strongly urge people to sign this Number 10 petition and write to their MPs to voice their opposition to CCDP. This can be done by simply visiting the WriteToThem website and entering your post code. The details of your MP will then be shown and you will then be presented with the chance to fill out a form to send an email directly to them.

Some questions to consider asking:

  • How can making the police’s work impossible by encouraging people to encrypt *all* personal web usage be good for law enforcement?
  • They had one of the 7/7 bombers under surveillance *before* the bombing but had to stop watching him thanks to lack of resources. Isn’t data overload a bigger problem than insufficient access and won’t this sort of measure make things even worse?
  • How can we trust the authorities to act responsibly when they are already acting either outside of their remit or in a way that can only be described as corrupt?
  • Why is the ability to resist demands for information being removed when in the case of Google, almost 40% of demands are turned down and shown to be unnecessary or just plain wrong?
  • Who will have access to this information and when will they be able to use it?
  • Whose authority will be required to grant access to this information?
  • Under what circumstances would access be denied?
  • How much access will the ISP or their commercial partners have to personal data gathered for law enforcement purposes?
  • What will the ISPs or their commercial partners be allowed to do with it?
  • Who will pay for the extra hardware and expertise needed by the ISPs to comply with these new demands?
  • How would they counter the suggestion that this system will be ultimately damaging to the UK economy by discouraging tech companies to base themselves in the UK?
  • How can this system be realistically run without the cooperation of the US government when many of the systems used here are based in the US?
  • Is your MP certain that they have accurate information and not the same sort of warped assessment intended to elicit a specific response that was sent to Lib Dem MPs?

UK mobile operator Three illegally intercepting and sharing traffic

I was recently lucky enough to be given a new phone, and also got a 3 PAYG SIM to use with the device. Shortly after starting to use the service however I noticed that my connection was being filtered and my attempts to establish VPN connections seemed to fail. It would appear from the brief explanation that I got from Three that this was being done to filter out adult content as they could not be certain of the age of customers on PAYG connections without further verification. To make matters worse however the page that showed the block advertised – yes, you guessed it – porn.

This is something that all mobile phone operators in the UK seem to do. For them the excuse ‘for the children’ seems to excuse any illegal behaviour that takes place as a result of this filtering. It’s a view that completely ignores the fact that sooner or later children will gain access to that sort of material. Furthermore a lot of the material actually originates from the children themselves (google the term ‘sexting’ to see what I mean). This user generated material will never be caught by the filter.

Hey Three, here’s an idea: if protecting children from smut on mobiles is so important then don’t sell them the handsets to start with!

Doing anything else is little better than paying lip service to the issue and done at the expense of the privacy of others.

Further investigation

One other mobile operator in particular already uses services provided by a US company called Bluecoat to filter traffic, so I was curious to see if the same was happening with Three. I tried visiting a custom page produced by somebody with an interest in privacy that had been designed to expose entries in the web server’s access log. Sure enough there were a couple of entries that were of particular interest:

Date/Time: 2011-11-30 17:35:56 (GMT)
Remote Address: 92.40.255.4
Remote Host: 92.40.255.4.threembb.co.uk
User Agent: Mozilla/5.0 (Linux; U; Android 2.3.5; en-gb; GT-N7000 Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
Request URI: /stalker/[ID removed]/index.php?personal_guid=[ID removed]
Query String: personal_guid=[ID removed]
Referer Site:

Date/Time: 2011-11-30 17:35:56 (GMT)
Remote Address: 199.19.249.196
Remote Host: 199.19.249.196
User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322; MS-RTC LM 8; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Request URI: /stalker/[ID removed]/index.php?personal_guid=[ID removed]
Query String: personal_guid=[ID removed]
Referer Site:

The first IP address is owned by Three. The second IP address is owned by Bluecoat. More information on the IP address can be found here:

http://www.robtex.com/ip/199.19.249.196.html?tab=whois

The IDs in the log entries above have been removed by me, but they have identical values in all 6 cases. What would appear to be happening is that Three are sharing the requests I’m making to websites with Bluecoat. Bluecoat then visit the same site using the same credentials as me.

In addition I have also been visited by another Bluecoat IP address: 8.28.16.254.
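A log check for the duplicate visits described above, as an added example that is not part of the original post: it groups entries by the personal_guid value in the request URI and reports any GUID that is fetched from a second address within a few seconds of the first. The sample entries, their addresses and the 5-second window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the field layout of the log above; the addresses are
# documentation ranges and the GUIDs are made up.
SAMPLE_LOG = """\
Date/Time: 2011-11-30 17:35:56 (GMT)
Remote Address: 192.0.2.10
Request URI: /probe/index.php?personal_guid=aaaa-1111
Date/Time: 2011-11-30 17:35:57 (GMT)
Remote Address: 198.51.100.7
Request URI: /probe/index.php?personal_guid=aaaa-1111
Date/Time: 2011-11-30 18:02:10 (GMT)
Remote Address: 203.0.113.5
Request URI: /probe/index.php?personal_guid=bbbb-2222
"""

def parse_entries(text):
    """Split the log into records; each 'Date/Time:' line starts a new one."""
    entries = []
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if not sep:
            continue  # wrapped User Agent text or an empty field
        if key == "Date/Time":
            entries.append({})
        if entries:
            entries[-1][key] = value.strip()
    return entries

def find_shadow_visits(entries, window=timedelta(seconds=5)):
    """Per-visitor URLs fetched from a second address within `window`."""
    by_guid = defaultdict(list)
    for e in entries:
        m = re.search(r"personal_guid=([^&\s]+)", e.get("Request URI", ""))
        if m and "Remote Address" in e:
            when = datetime.strptime(e["Date/Time"][:19], "%Y-%m-%d %H:%M:%S")
            by_guid[m.group(1)].append((when, e["Remote Address"]))
    findings = []
    for guid, hits in by_guid.items():
        hits.sort()
        first_time, first_ip = hits[0]
        for when, ip in hits[1:]:
            if ip != first_ip and when - first_time <= window:
                findings.append((guid, first_ip, ip))
    return findings

if __name__ == "__main__":
    print(find_shadow_visits(parse_entries(SAMPLE_LOG)))
```

Each finding is a (GUID, first address, repeating address) tuple; a GUID that only ever arrives from one address produces nothing.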

This method of duplicating visits is sometimes referred to as a replay attack. This is not just illegal, it can cause serious problems with the operation of websites too. Imagine for example the situation where visiting a given URL confirms payment for an item. If you were to visit the site through a Three connection then the payment could end up going through twice thanks to this unwanted extra visit.

This is the surprising part though: I tried complaining publicly through Twitter and Three’s own blog as they seemed to be taking their time responding to emails. One of the moderators actually replied with the following:

Admission by 3 that they use Bluecoat

That particular response can be found here:

http://blog.three.co.uk/2011/11/21/data-data-everywhere/comment-page-1/

They seem to be quite happy to admit that they use Bluecoat. There is one glaring problem with their excuse of filtering for content listed by the IWF: if you go to the IWF website then you’ll see that Three are listed as one of the recipients of the IWF list. Why then send details of our online activities half way around the world to check against a list that they already have access to?

I tried to get more details from Three as to how they could possibly believe that what they were doing was legal. The best I could get from them was this:

Hi Patrick

Thank you for your emails.

Three’s policy with regards to filtering is intended to ensure that children are protected from inappropriate content when using the internet on their phones.  This is why we require our Pay As You Go customers to prove they are 18 before they can access sites that Three considers to be inappropriate for under 18s and/or which are classified as inappropriate by the IWF.  This is not about intercepting customer communications but is about the safety of children who use our network.

We do not accept your allegations that Three’s policy in this regard breaches any of the laws that you have mentioned in your correspondence. However, if you maintain your position that Three is in breach of RIPA, the DPA, the PECRs and/or the Computer Misuse Act, then you are at liberty to take this matter up with the police and/or the ICO, and we will fully cooperate with any investigations that they may wish to instigate.  Similarly, we note your comments regarding the SABAM/Scarlet case, but do not believe that we’re required to change our policy in light of this case.

With regards to your concerns about Bluecoat, I recommend that you take the matter up directly with Bluecoat.

I hope this clarifies our final position regarding this matter.

Regards

Nicki Macleod
Social Media Advisor – Executive Office

 

Observant readers will also notice how Three have repeatedly tried to use the old excuse for breaking the law: ‘it’s for the children’. They appear to be trying to scare people into not complaining by raising the spectre of paedophilia.

This just isn’t good enough.

Three have decided to sell their phones to minors both through resellers and their own shops. It’s up to Three to find an acceptable solution without trampling over the rights of the entire general public to private communications. This is after all a problem that Three themselves have created by selling devices to children that are unsuitable for those children to use. It’s probably also worth pointing out at this stage that children are generating a lot of this unsuitable material themselves through so-called sexting, often as a result of bullying. No filter can ever stop this.

Stopping the sale of such devices to minors can, however, seriously limit this type of bullying and indecent exposure.

There is no age limit within RIPA, the DPA or the CMA. Everybody has the same rights to private communications. Even children. If Three were really committed to protecting children then they would stop any sale of their devices to minors, only allow them to be sold to adults and make the adult buying the phone make the decision as to whether filtering is required. The fact that they care so much about maximising profits at the expense of the privacy of their customers shows where their priorities really lie.

Back to Three and their use of Bluecoat’s systems: I asked Three why they were wasting money on Bluecoat’s services when any webmaster worth his salt knows how to tailor the response from the server based on the IP address of the PC making the request. They could produce a page full of innocent images for Bluecoat when they come calling, but save all the unsavoury material for the ‘real’ visitor. There is also the certainty that the service would not be of any use when SSL is used. I can’t emphasise this enough: if the site is protected by the use of SSL then Bluecoat’s services are rendered useless. The same page used to get the log entries included in this article doesn’t show any shadow visits from Bluecoat when the page is protected in this way.

The system as a whole is ineffective as a security measure.

It would also appear to be completely unnecessary given that other operators – notably Orange – don’t appear to need to share traffic in this way in order to filter it. This is the first time I’ve seen this excuse: ‘Bluecoat made us do it’. It really does beggar belief and does nothing to encourage people to believe that any filter is capable of doing its job satisfactorily. Anybody wanting an example of how badly filters can fail should look into TalkTalk’s HomeSafe product and how it failed to block access to one of the biggest porn sites on the internet.

I wonder if Three realise that anything sent to the US can always be accessed by the US government thanks to the PATRIOT act, with Three not even being notified that a request has been made, much less complied with? Don’t they see that allowing this sort of eavesdropping increases the chance of industrial espionage? US companies could quite easily end up having access to confidential information obtained through illegal means. The potential for losing confidential information or giving away intellectual property is huge.

Three are intercepting my requests without prior authorisation from both the sender and recipient parties to the communication. That’s illegal under the Regulation of Investigatory Powers Act. They’re sharing my information without consent with a 3rd party overseas and that is completely outside the reach of the regulators here. That goes against the Data Protection Act. They are interfering with the operation of a computer. That’s illegal under the Computer Misuse Act.

I suppose now I had better get that complaint to the police sorted out as I have no intention of putting up with this illegal interception and sharing of my personal communications.

UPDATE:

I’d like to welcome users from the British government accessing this website and others from the EU commission whose visits have been popping up in the server’s access log over the last few months.

It is interesting however that despite the wealth of evidence showing the abuse of personal data by companies in the private sector that pretty much nothing appears to be done about it. BT, TalkTalk, Vodafone, Three, the media  – the list goes on and on.

I hope somebody from the ICO is reading this because I’m sure I’m not the only one who would like an explanation as to why no substantial action has been taken over past transgressions when they involve the private sector.

Almost 100 times longer than the average

According to statistics the CPS currently takes an average of 8.6 days to come to a decision as to whether to prosecute. The CPS has had a case open on Phorm for 848 days now. If it takes much longer they will have taken as long as they would have on one hundred other cases. Of course the CPS claim that there has been no political interference, but this is very difficult to believe when these sorts of delays are involved.

And don’t expect an answer any time soon. They had previously promised to come to a decision by the end of last year, but at the last minute decided that this was no longer going to be the case.

No political interference? After 848 days spent doing virtually nothing? Do they honestly expect us to believe that?

Trying to have their cake and eat it

Senior judges are to review the Digital Economy Act following a complaint from BT and TalkTalk that it was rushed through Parliament before the election.

[…]

In particular, they claim measures in the new legislation designed to reduce copyright infringement via filesharing networks violate European rules including those on privacy and an ISP’s role as “mere conduit”.

[…]

The Register article

The hypocrisy here is simply astounding. On one hand they want to be treated as ‘mere conduits’, yet on the other they want to be able to ‘monetise’ their customers (gods I hate that term) by spying on their web traffic so that they can be served with targeted advertising. BT have Phorm, TalkTalk have Huawei and Virgin Media have CView.

They don’t deserve to be treated as mere conduits when they behave in such a deplorable way towards their customers.

Has anybody also noticed that big business always seem to get more attention than the general public? The privacy of tens of thousands of BT customers gets sacrificed to help BT’s bottom line. The ICO reaction to that? Nothing. The police’s reaction to that? Indifference. The home office’s reaction to Phorm? They tried to make sure that Phorm were ‘comforted’ by the advice they were giving out, rather than do their job.

Yet when the poor ISPs face losing being forced to hand over details and interfere with the service they provide they quickly manage to get a judicial review of the law.