Archive for the ‘privacy’ Category

Ah! Found it: although Yates told the House he had the mobile operators inform the hacked, and named Vodafone and Orange, he didn’t. Specifically, Orange identified about 45 victims but didn’t tell anyone. Vodafone identified 40 and only told a few who were considered VIPs. T-Mobile UK claims not to have found any. 3UK isn’t mentioned. Only O2 is known to have informed all of theirs without waiting to be asked. I therefore presume that the operator that has logged all the lawful intercept requests back to 2009 is O2, although I don’t have any further evidence for this deduction.

Am I right in understanding the legal comments in the NYT piece to mean that the only way to get the police to disgorge whether or not your phone was monitored is to sue the Screws and serve a notice on the Yard for disclosure of relevant documents?

It seems that the primary barrier to getting an actual list together is that you have to sue the paper (or the police), and you can’t sue the paper unless you have good cause to think you were spied upon. The police, for their part, have been managing the row down by only telling some of the people on the list that they were spied on. Unless you have some other evidence that you were spied on, you can’t force the police to tell you if you’re on the list.

All clear so far? Frankly, the 2,978 names weighted by the number of calls to each would be a truly classic document of our society.

Let me count the ways.

If you think Phorm – the evil advert-spooking system practically all the UK’s eyeball ISPs want to force on you – isn’t so bad, I’ve got news for you. First of all, let’s have a look at this Grauniad Tech article.

BT’s 2006 trials certainly involved some sort of interception, because the data streams had extra Javascript inserted into them – which puzzled a number of people at the time. Two examples can be seen at the forums of raisingkids.co.uk and progarchives.com. In both, the Javascript and other tags inserted by the 121Media system are clearly visible, with one showing the referring page and possibly “interests” of the member. Both contain links to sysip.net – the 121Media-owned site through which BT sent browser requests during the 2006 trials and later ones in summer 2007.

OK. So not only were they snooping, but Phorm actually injects not just data – like a cookie – but code into your URL requests, so their customer websites react differently as a result. It’s especially worrying that what they are adding is JavaScript; it’s not just data, it’s program logic. It does things. And, as any user of modern Web 2.0 services should realise, you can do all kinds of things with it – for example, you can call other web servers from within a web page without reloading. There is no way for you – the person whose BT, Virgin or Carphone Warehouse billing record stands behind the IP address that stands behind the identifier Phorm assigned – to know what such code does until after the fact.

Now, consider this; the good people of F-Secure unpicking the latest trend in security threats, the iFrame injection. It works like this – a lot of websites catch the search requests they receive and cache them, either to speed up the search process or to provide suggestions with the search results. This means that the search string…appears in a web page on their servers. So, if you fire enough popular search terms (which you can get from their website…) in, and append your attack code, there’s a chance it’ll get cached. And then, a visitor who uses the same search terms will get a page that contains the attack code; JavaScript is executed in the client side – i.e on the visitor’s computer – so you’re in.

So, let’s put them together; if you’re a Phorm customer, you can get the interests and web habits (and billing data?) of everyone in the UK delivered to your dodgy website in real time, and then you can reload anything you damn well like in their browser based on that information. Suddenly – let’s back off here. It’ll be someone unpopular. At first. So bnp.co.uk or alghuraabah.co.uk sends you to http://www.sweeticklekiddiesandtentacles.203vggngh65t7.biz.cn; and there’s fuck all you can do about it, except try to explain the concepts of “deep packet inspection”, “iFRAME SEO injection”, and the like to a court of law.

Paranoia, right? Not so much.

You think that’s scary? Here’s some more F-Secure for you. There is at least one exploit out there, which could be delivered through the lines we just discussed, that writes dubious code to the BIOS – the low-level insect brain of a computer, the bit that lights up the screen, spins up the hard drive, and explains how to read the boot sector and start the operating system. The only fix there, I think, would be to format the fucking lot and install something completely different – or throw the damn thing in the sea.

But here’s where it gets bad; the thing nicks your online banking passwords. And then what does it do? It puts money into your bank account. Feel free to speculate.

Update: Now that’s what I call an April Fool from F-Secure. A cracker. This is of course without prejudice to the rest of the post, but I should have realised there would be no way they’d have included a live link to the exploit if it was real. If you were brave enough to follow it, well…you’d get the joke.

This is interesting. Jim Bates, an expert witness for the defence in some of the Operation Ore cases we discussed, has been accused of misrepresenting his qualifications. Specifically, the charges relate to whether or not he claimed to be an electronics engineer, despite not being one, and to his career in the Royal Air Force. I frankly have no idea what he may or may not have done in either of these, but I would like to be the first to point out that neither of them change the facts of the case. Bates is not the only person to have reviewed the data; and anyway, he wasn’t asked to carry out any electronic engineering.

You do not need a degree in electronic engineering to use the Unix grep command, which is all you need to check if the IP addresses in list A (the alleged buyers) appear in list B (the Visa merchant terminal log). Further, I fail to see how this changes anything about the 54,348 stolen credit cards; we even know which company they were stolen from (Levenger, Inc.) and that they were stolen from their MS Access database.

Further, it is something of an IT industry tradition that not everybody who knows anything about computers has a “Computer Engineer By Royal Appointment” coat-of-arms; we think this is something akin to freedom. Hell, I’ve got an MSc in International Relations, and so has the CEO of British Telecom.

I’m not at all surprised to see this bit of the story:

‘It is critical that those who serve as expert witnesses are credible on an ethical basis and do not have any alternative agendas which may affect their independent status,’ said Jim Gamble, chief executive of the Child Exploitation and Online Protection Centre, which brought the case against Bates.

Indeed, indeed. How’s the Forest Gate case coming on, fella?

All right, I said I’d held Sir Ian’s comments on the Today programme on Christmas Eve for treatment. What he did this time was to complain at length about the extra paperwork a cop has to complete after making an arrest. He reckons it’s increased by a factor of three since his wild youth. But I’m not arguing about that.

He claims it’s all down to stricter requirements on the prosecution to disclose unused evidentiary material to the defence. But what concerns me is that he proceeded to blame this on the Regulation of Investigatory Powers Act. RIPA is the legislation, much criticised itself, that sets the conditions under which the police can spy on you – phone taps, surveillance, that sort of thing.

The duty on the prosecution to hand over all the evidence the police collect is, in my humble opinion, entirely right (why, if they find information that suggests you didn’t do it, should they be allowed to keep it a secret?). But it ain’t RIPA that determines it. It’s the Criminal Investigation and Procedure Act, 1996. Not just that, but it’s also a pre-existing principle of Common Law (see the Crown Prosecution Service legal guidance, here).

What I would like to know is whether he simply got it wrong, or whether this was a wilful misrepresentation. I have absolutely no doubt he’d love to get rid of the provisions of RIPA that require him to get authorisation from the Surveillance Commissioner to do various forms of spying (not that this gentleman has ever refused) – it would fit near-perfectly with the pattern of behaviour he has shown over the past few years, and a pattern of behaviour is admissible evidence these days. If Sir Ian had checked the CPS guide, he would have noticed that, in fact, RIPA actually limits the scope of advance disclosure:

There is no duty to disclose either at Common Law or under CPIA:-

* material for which a claim of public interest immunity is upheld by the court
* material which falls under statutory exceptions: section 2 Interception of Communication Act 1985, section 17 Regulation of Investigatory Powers Act 2000.
* material which attracts Legal Professional Privilege;
* material which is detrimental to the credibility of someone who might be called as a defence witness..

Did I say I loved the Financial Times?

When everyone else was frontpaging with Princess Diana, the paper had the following stories on the front: the BAE investigation kibosh (this was the lead), Blair grilled by the rozzers (number two, opposite the lead and separated by a photo of the man), then the OPEC meeting and Vodafone’s €67 million fine in the Greek snooping case.

Spyblog, via Iain Dale, carries a table of journalists using illegal “data brokers” to get at private information. It’s fascinating that the more illegal snooping was done, the less actual news. Here’s the data. The left column shows the total transactions, the right the number of individual hacks involved.

Daily Mail 952 58
Sunday People 802 50
Daily Mirror 681 45
Mail on Sunday 266 33
NOTW 182 19
Sunday Mirror 143 25
Best Magazine 134 20
Evening Standard 130 1
The Observer 103 4
Daily Sport 62 4
Sunday Times 52 7
The People 37 19
Daily Express 36 7
Mail Weekend mag 30 4
Sunday Express 29 8
The Sun 24 4
Closer Magazine 22 5
Sunday Sport 15 1
Mail Sunday mag 9 2
Sunday Business 8 1
Daily Record 7 2
Express, Sat 7 1
Sunday MirrorMag 6 1
Real Magazine 4 1
Woman’s Own 4 2
Daily Mirror Mag 3 2
Mail in Ireland 3 1
Daily Star 2 4
Marie Claire 2 1
Personal Mag 1 1
Sunday World 1 1

Do you see a pattern? Quality is inversely proportionate to bastardness. This even holds for the Guardian Media Group papers – The Grauniad isn’t in there with even one request, but its super-Blairite stablemate the Obscurer put in a performance worthy of the Daily Beast. It’s also noticeable that the Murdoch press was almost restrained compared with Rothermere and Northern & Shell titles.

“How would a Galileo-based road pricing scheme fit into the code of practice requirement of a direct relationship with the user?” Good fucking question. We’ve got David Smith, the deputy information commissioner, and among others Richard Clayton of the Cambridge Computer Lab’s security engineering group – that’s right, the guy from Light Blue Touchpaper – to argue the point.

Clayton: “We mistake data protection for privacy and vice versa. We mistake statistical data mining for precise knowledge of events. Most of all, the politicians and the systems builders must realise that when it matters, people cheat.”

Now, Bowden asks a question from the floor regarding user notification on behalf of Ben “Badscience” Goldacre, thus soaring in my estimation.

Gareth Crossman of Liberty: “The only way the National Identity Register can fight terrorism is if the amount of information on it is increased to make profiling possible.” Next up: Simon Watkin. Former head of David Blunkett’s private office at the Home Office, he now runs the HO’s Covert Investigations Policy team and the ACPO steering group on covert investigation. To put it another way, he’s responsible for all the stuff I despise. We shall try to be civil.

“I am currently looking into an anecdote in which a member of a public authority acted in their own interest rather than the public interest,” he says. What can he mean? “Public authorities are constantly coming to us, wanting to spy on the public. We say, have you done so in the past? No. So why do you want to? Because, well, we might, they say. That isn’t enough.”

Interestingly, he suggests that a much more serious criminal offence of abusing private data is needed. That might actually happen; it involves a new crime and more powers, after all.

We now have a panel discussion chaired by Casper Bowden of Microsoft. “We need to think of a new kind of personal data, this behavioural, tracking data, and how we can bring it in front of the user, create an interface for the user to reach into their data shadow,” he says. This is a running theme – Hailes also mentioned the lack of a user interface to the embedded systems world.

Watkin suggests that public authorities ought to be subject to a “privacy impact assessment”. Not a bad idea. Bowden remarks that it’s been tried in Canada, but it will have to be carried out by experts – and independent experts, or perhaps a statutory “privacy regulator.” He also points out that with a weak regulatory environment, there is no incentive to make the kind of investment in security engineering required to make embedded, self-organising networks both secure and private.

When I asked him if he thought such an assessment should be required by the government’s procurement process, and if in that case he thought the NIR would have passed Main Gate Review, Watkin stated that he tried not to talk about ID cards and that he was not responsible for them, and refused to speak on-the-record.

I’m currently at the Royal Society’s “Privacy: A Fine Balance” conference, a DTI-sponsored shindig for eggheads, ubergeeks, cash grabbers and Home Office/defence industry control bureaucrats to thrash out digital rights issues. First speaker is Stephen Hailes of UCL, who’s talking about embedded computing. He says that we need to realise that statistically, most multicellular life is insects – and it’s the same with computing. 90 per cent of processors are microcontrollers – there are seven billion on the things on earth, rather more than there are people. And now they are getting networked.

As an example, he points to a device including a 250Kbits/s IEEE802.15.4 transceiver, a microcontroller, and a dab of Flash memory – a complete computer – the size of a one euro coin. But things get really interesting when you look at actuators. Karl Marx said that philosophers had analysed the world in different ways, but the point was to change it – which is what they do. “You can have a glucose sensor and an insulin pump connected by a wireless network – there are some interesting security implications from that. And it’s not the future – here’s the product,” says Hailes.

“Fear of loss of control, the increased possibility of surveillance, profiling and security risks, new opportunities for crime, and the complexity of decision making processes within embedded systems” are the main concerns Hailes’ research has raised. “Individuals are completely transparent – they feel they are not in control of these technologies but are controlled by the circuits in the car they buy from Ford. The power structures tend to be opaque.”

MIT researchers gathered data on 100 students using Nokia 6600 phones and Bluetooth. Based on the lunchtime state of the database, it was possible to predict their activities for the rest of the day with 79% confidence – and their social group affiliations with 96%.

Right. I’m sure I said somewhere that the man shot by police in the now-infamous Forest Gate raid, who was then charged with possessing child porn, would never be prosecuted for it. Well, whaddya know. CPS concludes there is insufficient evidence to proceed. Something tells me this won’t be on the front page of the Scum or the News of the Screws this weekend, unlike the charges, which the Met predictably leaked to the ‘bloids.

Let’s be clear: on the unsupported word of a man with an IQ of 69, the Metropolitan Police brought up 200 cops and stormed the house of an innocent man, shot him in the arm because “my hand slipped”, tore the place apart over several weeks of searching for a “chemical dirty bomb suicide vest”, having declared an aerial exclusion zone overhead presumably in case the CDBSV leapt up out of the foundations and – as stunned bobbies watched – mutated into a surface-to-air missile before hurtling skywards, attempted to seize his savings, alleged that the suspect was a paedophile, having tipped off the biggest-circulation newspaper in the country, and finally confessed that he was nothing of the sort.

This is after they managed to botch a surveillance operation so completely that they shot an innocent man dead in a tube train – and then briefed the press first that he was really a terrorist (a lie), then that he was an illegal immigrant (technically true, but irrelevant), then that he was a rapist, which was a direct lie, and also that he was a cocaine dealer, also a lie.

Is there any reason to think Sir Ian Blair should not be sacked at once? For some reason, despite all this, he is still seen as a trustworthy political eminence by the Government. And this is the worst of it. The senior police officers are increasingly becoming a political force in their own right, usually but not always aligned with the Government’s “security agenda.” ACPO, for example, is behaving with a shocking degree of quasi-legislative arrogance. Very serious changes are being made to the political culture on which no votes are taken. For some reason, the pundits who were outraged that General Dannatt saw fit to speak publicly about his concerns seem unconcerned at ACPO monitoring all vehicle movements on the motorway system by executive (or should that be extra-executive?) whim.

It’s even more worrying, by the way, that the CPS spokesman’s explanation of Kahar’s exoneration does not sound very satisfying. I have in the past blogged on the worryingly flaky evidence used in Internet child-porn cases and the painfully slow realisation of same. I still think it’s a suspiciously convenient charge in this particular case. But what is this supposed to mean?

Of the total, 23 had been “embedded” images – which could have been inadvertently downloaded on the back of other computer files – and 21, on the external hard-drive and a Nokia 3G mobile, had been “deleted”.

The spokesman said: “To transfer to the phone, the suspect would have to have specialist knowledge.

“There was no evidence that Mr Kahar had possession of, or access to, equipment or the technical knowledge to do so.”

What, a USB cable? Bluetooth? As it was a UMTS device, it wouldn’t have been impractical to send images or video to it as an e-mail attachment. This is dangerously clueless for the supposed experts, although there is a strong possibility that the spokesman is talking rubbish.