The UK government's proposal to separate communications data from content, as part of new plans to allow intelligence services to monitor all internet activity, is unfeasible according to a panel of technology experts.
Speaking at the 'Scrambling for Safety' conference at the London School of Economics yesterday, Ross Anderson, professor of security engineering at the University of Cambridge Computer Laboratory, said that the distinction between traffic data as being harmless and content as being sensitive is becoming less and less relevant.
“Now that people are living more and more of their lives online, the pattern of who you communicate with and in what order gives away pretty well everything,” he said. “This means that, in data protection terms, traffic data is now very often going to be specially sensitive data.”
Earlier this month it was revealed that ministers are preparing a major expansion of the government's powers to monitor the email exchanges and website visits of every person in the UK. The Home Office claims that it is vital for police and security services to be able to obtain communications data in certain circumstances to investigate serious crime and terrorism.
Communications data is defined by the government as the time, duration and dialling numbers of a phone call, or an email address. “It does not include the content of any phone call or email and it is not the intention of government to make changes to the existing legal basis for the interception of communications,” said the Home Office in a statement.
According to digital evidence and cyber-security consultant Peter Sommer, however, it is no longer possible to separate communications data from content. He explained that, in the case of a phone call, things are fairly clear cut – the phone bill constitutes the communications data and the conversation that takes place is the content.
On the Internet, however, data travels in packets that contain the IP addresses of the originator and recipient, as well as mixture of communications data and content. Penetrating the packet to separate out the communications data from the content requires Deep Packet Inspection (DPI) technology, for which scripts have to be written to define which bits of data will be collected.
If the lines of data are clearly labelled with the type of content they contain, as in the case of traditional email, separation can be quite straight-forward. However, many webmail applications convert messages into HTML, which removes the labels that distinguish content from communications data.
In this case, web “scraping” software is needed to extract the communications data from messages. But web scraping tools need to be defined individually for every different page, making the process extremely laborious.
Anderson added that, once DPI “black boxes” have been installed on the networks, the scripts could easily be changed to monitor content as well as traffic data, enabling intelligence agencies to carry out industrial-scale surveillance.
Search monitoring raises its own issues. Some people define a URL's communications data as “anything up to the first backslash”, while others suggest that the file name should also be classified as communications data.
The URLs of Google search queries offer a far more detailed view of the web user's activity, such as the search terms entered, the country they are in, and the type of browser they are using. While these details may seem insignificant, they can be used to build up a very sophisticated profile of the web user over time.
“A lot of unintrusive data, when you put it together, becomes intrusive,” said Douwe Korff, professor of international law at London Metropolitan University.
Applications like instant messaging, social media and voice-over-IP all introduce their own complexities, and Sommer warns there is a risk that the government will end up spending a lot of money trying to overcome these problems, without identifying any cyber criminals.
Meanwhile, Trefor Davies, co-founder and CTO of mobile Service provider Timico, points out that anyone using the web for serious crime or terrorism will be five steps ahead of whatever legislation comes into place. If the government starts monitoring email communications, cyber criminals will simply use another application like Dropbox to get around the surveillance.
Anderson believes that the government's proposal will fail, because once society and police understand what is going on, there will be an outcry against it. However, he predicts that the next move will be to approach service providers like Facebook and Google and ask them to install monitoring technology.
“The interesting political question is, if privacy comes down to the relationships that the government has with a small number of our service providers, then how on earth can you regulate that, and how on earth can we trust the government's arrangements that emerge,” he said.
The new legislation is expected to be introduced in next month's Queen's Speech.