| nettime's_roving_reporter on 27 Jul 2000 15:01:23 -0000 |
| <nettime> RIP |
<http://www.newscientist.com/news/news.jsp?id=ns224964>
Britain is about to waste millions of pounds on an obsolete Internet
snooping system
INTERNET users can avoid having their e-mails intercepted by the
British government if they follow some simple advice published this
week by two leading Internet security experts. The advice is designed
to highlight failings in the government's multimillion-pound plan to
install "black box" e-mail recorders on the premises of Internet
service providers (ISPs).
Distributed to MPs earlier this week, the paper is a last-ditch
attempt to explain why the Regulation of Investigatory Powers (RIP)
Bill is unworkable. If passed by Parliament this week, RIP will give
security forces unprecedented powers to snoop on Internet users and
demand encryption keys.
But Ian Brown, an Internet security expert at University College
London, and Brian Gladman, a former Ministry of Defence information
security expert, state in their briefing paper that the interception
technology that the Bill requires is already obsolete. Rather than
helping catch criminals, they say these recorders would be easy for
criminals to evade. They describe the powers in the Bill as
"technically inept", and list a number of ways in which someone with
no technical know-how could circumvent black boxes installed at ISPs.
They say the introduction of affordable "always-on" ultrafast
connections, such as ADSL, will change the way people access the
Internet, with more and more setting up their own mail servers. When
this happens, says Brown, there is no reason why people shouldn't
bypass ISPs and the government's snooping boxes installed there. This
can't be done with dial-up connections because mail servers need to
listen out constantly for new mail.

Cut out the middleman: there's no reason why mail shouldn't be sent
direct to a recipient, bypassing the Internet service provider's mail
server--and prying eyes

Snoopers want to tap ISPs' mail servers
because they decrypt mail automatically. If e-mail is "session
encrypted"--where keys are generated for each new session and
discarded--snoopers can only read e-mail at the mail server. Because
the server is an end point for session encryption, all mail is briefly
decrypted there.
Other more obvious methods for beating black boxes involve using
prepaid mobile phones (bought with cash) and free, anonymous ISP
accounts. Alternatively, users can access the Net through a British
ISP but use a foreign mail server. The easiest method by far is to use
a small ISP that doesn't use the services of larger ones: the
government says it will only place black boxes on some of the larger
ISPs.
The emergence of a new Internet protocol, IPv6, also renders black
boxes redundant. In IPv6, all packets of data sent over the Net will
be machine-encrypted by default. This will make all Net communications
untappable.
Although it will be a few years before IPv6 is fully implemented, it
is already spreading, Brown says. "Microsoft is introducing it in
Windows 2000, and Cisco is introducing it to its routers."
So far, the British government has set aside UKP20 million to help
ISPs pay for the black boxes, says Caspar Bowden, director of the London-based
Foundation for Information Policy Research. FIPR is publishing Brown
and Gladman's briefing paper on its website (www.fipr.org/rip).
Bowden says criminals will easily circumvent the devices. "I don't
think ministers understand this," he says. Brown and Gladman say they
have withheld less obvious box-beating ideas to avoid handing crooks
ideas on a plate.
# distributed via <nettime>: no commercial use without permission
# <nettime> is a moderated mailing list for net criticism,
# collaborative text filtering and cultural politics of the nets
# more info: majordomo@bbs.thing.net and "info nettime-l" in the msg body
# archive: http://www.nettime.org contact: nettime@bbs.thing.net