
Blog


September 06, 2013 | Jim Killock

The security services are stripping us of basic Internet security

The latest revelations from the Guardian give good evidence of why they have recently been the target of government harassment, and also why this is entirely unjustified.

Their reports of NSA and GCHQ attacks on fundamental Internet security really matter. These are the basics of trust on the Internet; they are the reason you trust your bank, your credit card payments or Virtual Private Networks not to leak this information to criminals, blackmailers or governments.

Thus the real impact will not just be about security, it is about economics.

Of course we all expect NSA/GCHQ to try to break encryption systems from time to time; it's their job. The problems arise when they make us all vulnerable as a result.

From the Guardian article, it appears they use threats and secret orders given to commercial companies to insert backdoors that must now undermine our trust in very common software products. They covertly insert vulnerabilities that weaken security of technical systems for everyone, not just their targets.

The idea that this won't be abused by yet unknown parties can only be naïve optimism, plain stupidity or complete disregard for anything other than the NSA and GCHQ's mission.

How it works

This isn't about breaking the maths - at least not usually - it's about exploiting the 'joins' between the pieces of software, introducing flaws in the implementation of cryptology, and more general 'backdoors' to the communications, which don't rely on the cryptology. Schneier gives some good examples.

Basically, the NSA asks companies to subtly change their products in undetectable ways: making the random number generator less random, leaking the key somehow, adding a common exponent to a public-key exchange protocol, and so on. If the back door is discovered, it's explained away as a mistake

The agencies seem to be doing this directly with companies and standards bodies, on a very wide basis. Many of the exploits are better thought of as exploiting software vulnerabilities.

Thus their strategy relies on people trusting big companies, or not paying attention to the work of standards bodies choosing security protocols.

However, the focus on what cryptographic weaponry the NSA and GCHQ might have in their toolchest risks distracting from the far more pressing problem of poor operating system and application security. When it is possible for teenagers to own botnets containing hundreds of thousands of compromised machines, why would spy agencies waste their time and effort on the hard problem of attacking cryptographic protocols? It is far easier to simply take control of their targets' computers. All the crypto in the world will not save you if there's a virus on your machine - and one thing we know for sure is that it is very easy to attack most computers. No speculation about esoteric mathematics is required to see the truth of that. As Snowden says:

"Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it."

The weak point the agencies in practice seem to be using is software security, rather than crypto.

What this means: Economic and rights implications

Vulnerabilities and backdoors are open to anyone, potentially, to exploit. While the NSA and GCHQ may benefit, other foreign intelligence or criminal gangs could use some of the same exploits. For instance, VPN technology is relied on by businesses for security.

This pushes the whole policy outside of the realm of national security and into economics and competition, with important consequences for the UK government, given its role in the affair.

As long as the NSA/GCHQ surveillance scandal remained within the framework of national security, EU rules would make it the exclusive competency of member states. The UK could tell the European Commission to back off.

But given the clear economic implications for the wellbeing of millions of European citizens, it will be hard to argue that this remains a UK issue. We will have to push hard to get the EU to acknowledge this when so many of the member states are complicit. The others are not necessarily critical, either. Only the economic consequences are likely to help us make the EU take this up and investigate.

Our rights to privacy are important for many reasons, including as a back up to free speech. They are a bulwark against abuses of the state and a means to retain our personal freedom on a day to day level. But we know at times they can be compromised, for reasons of state security. Programmes like these, however, take matters even further than mass data collection, as they compromise our rights in a pervasive way without knowing who exactly might wish to remove our privacy and security. It is both a massive overstepping of government power, and simply irresponsible.

What we can do about it

Standards bodies seem to be one place where the security services have deliberately tried to introduce vulnerabilities. The Guardian say:

[a] secret document … shows the agency worked covertly to get its own version of a draft security standard issued by the US National Institute of Standards and Technology approved for worldwide use in 2006. "Eventually, NSA became the sole editor," the document states.

In the USA, according to Pro Publica the NSA Commercial Solutions Center invites vendors to submit their software for assessment, but this in fact seems to be a mechanism to compromise their products.

Even agency programs ostensibly intended to guard American communications are sometimes used to weaken protections. The N.S.A.’s Commercial Solutions Center, for instance, invites the makers of encryption technologies to present their products and services to the agency with the goal of improving American cybersecurity. But a top-secret N.S.A. document suggests that the agency’s hacking division uses that same program to develop and “leverage sensitive, cooperative relationships with specific industry partners” to insert vulnerabilities into Internet security products.

There is a clear conflict of interests in allowing intelligence services to specify other people's security standards.

In the UK, the Communications-Electronics Security Group (CESG) approves communications technologies for government or people contracting to them. They are a civil arm of GCHQ: the rationale previously being that they should know about security. Their website lists several commercial certification products. Some of these are geared to companies trying to sell to government, but others are about simply giving approval to technologies and processes.

We have a simple question to CESG: have CESG approved any product that is known to be compromised by GCHQ or the NSA? And if they have, why should anyone take their security approvals seriously in the future?

They need to be made into fully transparent, public interest bodies that run independently of the security agencies, and perhaps government. Information Assurance and signals intelligence simply cannot be associated roles.

For yourself, use Open Source security technologies: if you can't read the code, you don't know how the software might actually operate. If the code is open, then it can be reviewed - if not by you, then by people you trust. Use transparent and interoperable encryption wherever you can, as Schneier recommends, to make it as hard as possible for the security services.



September 05, 2013 | Jim Killock

Nudge censorship: questions for ISPs and government

Back on 18 June, Maria Miller MP brought Internet companies to her office to talk about what can be done about various types of undesirable, offensive, adult or illegal online content.

[Image: Ed Vaizey, cc-by Policy Exchange]

A few weeks earlier, she wrote to some of these companies to shake them down, asking what money they could promise for an education campaign that nobody had specified, discussed or designed.

Behind this was the Prime Minister David Cameron's wish to announce something in a forthcoming statement.

We all know about that statement; in it he announced Nudge Censorship plans and that all the major Internet companies are going to install network level filtering.

At the time that Maria Miller was meeting Internet companies, we wrote with Index on Censorship, Big Brother Watch and English PEN to insist that civil society organisations be involved in discussions about any kind of censorship – including nudge censorship. This is because the impact on free expression of unintended censorship is there whatever the original intent. Our concern is about content that is legal and that the government should not restrict.

These problems are of course much worse with the proposed "adult filtering". As we know, the categories of content will be extremely wide.

However, Maria Miller did not invite us to those meetings. At the time we heard that they were very heated, and dominated by Claire Perry MP, who works as advisor on these issues to David Cameron. As we know, she thinks problems with false positives are "a load of cock", which rather emphasises the need for groups like ours to be present to ask the difficult questions.

As the government had seemingly failed to look at the difficult issues, we sent twenty questions about implementation to the major Internet Service Providers. They concentrate on privacy, liability for mistakes, correction of mistakes, transparency for website owners, the set up process and what precisely is filtered other than http (normal website) traffic.

We asked the ISPs to provide us with answers last month. They have all promised us responses. We haven’t received any yet. BT say they will give us an answer today; we expect Virgin and TalkTalk's shortly, and we are waiting to meet with Sky to discuss their answers.

Today we are meeting with Ed Vaizey MP, the Minister at DCMS responsible for the Internet, to discuss these issues. We will ask Ed’s officials whether they have considered any of the questions we have asked and explain why they are so important.



September 03, 2013 | Jim Killock

Music industry try to revive the Digital Economy Act

There must be an election coming: the Prime Minister is listening to the demands of the music industry for new clampdowns on file sharing.

According to the Drum, music industry group the BPI will sit down with him at a breakfast meeting on 12 September. 

Simultaneously, Internet Service Providers (ISPs) are being asked by the BPI to implement 'voluntary' letter writing schemes, including databases of alleged downloaders, at the behest of rights holder groups.

Such schemes will have the same problems they did some years ago when ISPs rejected the idea. The principle of harvesting data without consent is extremely hard to accept. Back in 2010, the European Data Protection Supervisor Peter Hustinx made it clear that he does not think it is reasonable or proportionate as an approach within EU law.

ISPs should be very cautious about being made to adopt law enforcement and content curation roles: they risk their position as neutral providers of a network.

As ISPs take on increasing duties over what content flows over their network, then it becomes possible to argue that they should be liable for that content, in specific circumstances, for instance, if they had failed to meet certain policing duties. This is the approach that we were left with in ACTA; private policing in return for a "safe harbour" or limitation on liability.

There is also the question of cost. The BPI could today implement a letter writing scheme, by requesting customer details through the courts, and then asking them to prevent further downloading or risk court action. The costs would have to be met by the BPI in full of course, and that presumably is why the BPI is not keen to use this route. Yet no doubt their claims of economic damage will be very large. If the costs of infringement are really so high, why isn't the BPI able to make a positive economic judgement to pay for letter writing themselves?

Online music revenues are increasing. Companies are learning to adapt to file sharing, by making their films and TV shows available online quickly, when viewers want to watch them. Despite the rhetoric employed by the BPI and others during the DEA debates, it was not necessary to provide warnings and threats of legal action in order to entice people to use Spotify, iPlayer or Netflix. Rather, the content and the services had to be compelling, and then, unsurprisingly, people started to use them, and to pay, directly or indirectly.

The real lesson of the DEA is that it was not justified. Punitive measures in relation to copyright enforcement will always seem over the top, and smack of failing to appreciate how their businesses need to work for customers to provide great user experiences.

Why are the BPI going after heavy-handed enforcement measures? Why do they still insist they need them? It is beginning to feel like the BPI are simply having to justify their existence, and think this is a way of doing it.



August 15, 2013 | Ed Paton-Williams

Open Data Update

August is proving a busy time for open data. There are several initiatives and consultations that end in the following weeks.

Postcodes licensing

Hundreds of ORG supporters joined many others, including Tim Berners-Lee, in asking minister Michael Fallon not to privatise the Postcode database. Our pressure was not enough to stop the sell-off, but we managed to get Fallon to offer an olive branch in the form of free access for “micro-firms”.

This is clearly not enough, and we need to continue reminding the government that the Postcodes are part of the core national data the government plans to open up.

We have an opportunity to raise this issue once again. There is a consultation on new licensing for the Postcode database.

The consultation closes at 5pm on Friday 20th September.

UK Transparency: National Action Plan for the Open Government Partnership

The UK government has published its second Open Government Action Plan, a multilateral initiative that aims to secure concrete commitments from governments to promote transparency, empower citizens, fight corruption, and harness new technologies to strengthen governance.

Civil society groups - including ORG - have been contributing to drafting this plan over the past few months. The process has been positive, but we feel that many critical issues are not included. These have been listed in the Annex.

The draft plan is available for consultation here. But a quicker way to engage is to simply comment online on this interactive platform.

Both channels are equally valid. Consultation responses will be analysed jointly by the Cabinet Office Transparency Team and members of the civil society network.

This draft plan is now open for consultation until 19 September 2013.

The plan will be presented at the OGP summit in London on the 31st of October. ORG is organising some sessions at the summit on privacy and surveillance, and we will keep you posted nearer the date. You can pre-register here.

Public Administration Select Committee calls for evidence on open data

The Public Administration Select Committee (PASC) of the UK Parliament is conducting an inquiry into statistics and open data in Government, with a focus on the progress of the Government in implementing its Open Data strategy. This is part of PASC’s programme of work on statistics and their use in government.

Further information is available here. The deadline is 12 noon on Tuesday 3 September 2013.

HMRC consultation on data sharing

HMRC wants to be able to share more non-identifying information, including general and aggregate data as well as anonymised data sets. HMRC also seeks views on proposals to share VAT registration data, either publicly or under controlled conditions for specified purposes, for example, credit rating.

There are concerns that the proposals don’t go far enough from an open data perspective, and may end up simply funnelling valuable public data to large data brokers such as Experian that already know a lot about us. There are also obvious privacy risks involved in any mass sharing of anonymised data.

The consultation closes on 24 September 2013.

Data sharing is looking to become a big issue in the near future. ORG had a meeting with the Law Commission on this topic in July. They are planning to consult on changing the legal grounds for data sharing within government. Currently, departments have to prove the sharing serves a specific purpose linked to their mission. The proposals will make sharing the default.



August 14, 2013 | Lee Maguire

Virgin and Sky blindly blocking innocent sites

The blind over-blocking of innocent sites by UK ISPs apparently continues.

As reported by PC Pro, the systems implemented by both Virgin and Sky to stop access to websites blocked by the courts appear to be blocking innocent third-party sites with apparently little or no human oversight.  For example the website http://radiotimes.com was reported to have been blocked.

In order to understand why this specific issue happened, you need to be familiar with a quirk in how DNS is commonly used in third-party load-balanced site deployments.

Many third-party load balanced systems, for example those using Amazon's AWS infrastructure, are enabled by pointing CNAME records at names controlled by those third-party systems. For example www.example.com may be pointed at loadbalancer.example.net.  However, "example.com" usually cannot be directly given a CNAME record (CNAME records cannot be mixed with the other record types needed such as those pointing to nameservers and mailservers). A common approach is to point "example.com" to a server that merely redirects all requests to "www.example.com".

From forum posts we can see that it's this redirection system, in this specific case an A record used for "http-redirection-a.dnsmadeeasy.com", that has been blocked by the ISPs - probably a court-order-blocked site is also using the service - making numerous sites unavailable for any request made without the "www" prefix.

These incidents strongly suggest that the opaque approach to website blocking by ISPs, and the apparent lack of oversight, has the potential to be hugely damaging to the internet. Open Rights Group calls for greater transparency in this area, beginning with making the court orders available for public inspection.



August 09, 2013 | Lee Maguire

Website blocking measures lead to inadvertent censorship

A technical decision made by Sky in implementing website blocking has led to the blocking of news site TorrentFreak.

TorrentFreak reports today that Sky is currently blocking access to their site. Not as a deliberate act of censorship, but as an entirely predictable by-product of its system for complying with court-ordered website blocks.

When the owner of EZTV (a site ordered blocked on the 25th of July) automatically pointed UK visitors to torrentfreak.com, Sky's blocking system (which from court documents we believe to be codenamed "Hawkeye") apparently automatically added TorrentFreak's IP address to its blacklist.

Inadvertent denial-of-service by pointing DNS records at innocent third-parties is an entirely predictable possibility for anyone attempting to implement blocking systems. If this explanation for blocking proves to be the case, we'd be extremely surprised if the possibility had not occurred to the engineers responsible.

Open Rights Group continues our call for more transparency in the ways these blocks are performed, including access to the orders that would presumably limit the legal scope of blocking. If merely blocking the handful of sites that have received blocking orders in the past 12 months results in collateral damage (such as the blocking of promobay.org) we hold little confidence in the ISPs being able to implement David Cameron's default network filtering plans without causing significant disruption.
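The two over-blocking incidents described above (a shared redirection address used by many bare domains, and an ordered site's record being repointed at a news site) have the same root cause: an IP address was blocked without checking which other hostnames answer on it. The following is an added example, not code from any ISP or from the original posts, of the check a blocking system could run before an address is blacklisted. The zone data, hostnames, addresses and function names are all constructed for illustration; `ZONE` stands in for whatever resolution or passive DNS data the operator holds.

```python
from collections import defaultdict

# Constructed records: hostname -> [(record type, value)].
# All names and addresses are reserved documentation values.
ZONE = {
    # The ordered site's bare domain sits on a shared HTTP redirection address.
    "blocked-site.example": [("A", "192.0.2.10")],
    "www.blocked-site.example": [("A", "198.51.100.5")],
    # An unrelated site: "www" is a CNAME to a load balancer, while the bare
    # domain (which cannot carry a CNAME) uses the same shared redirector.
    "innocent-magazine.example": [("A", "192.0.2.10")],
    "www.innocent-magazine.example": [("CNAME", "lb.hosting.example")],
    "lb.hosting.example": [("A", "203.0.113.20")],
    "news-blog.example": [("A", "203.0.113.77")],
}

# Hostnames named in the (hypothetical) court order.
COURT_ORDER = {"blocked-site.example"}

# Second scenario: the ordered site's record now points at a third party.
REPOINTED = dict(ZONE)
REPOINTED["blocked-site.example"] = [("A", "203.0.113.77")]


def resolve(name, zone, max_depth=8):
    """Follow CNAMEs to the final set of A-record addresses (loop-safe)."""
    ips = set()
    for rtype, value in zone.get(name, []):
        if rtype == "A":
            ips.add(value)
        elif rtype == "CNAME" and max_depth > 0:
            ips |= resolve(value, zone, max_depth - 1)
    return ips


def covered(name, order):
    """True if the hostname is an ordered name or a subdomain of one."""
    return any(name == o or name.endswith("." + o) for o in order)


def reverse_index(zone):
    """Map each address to every known hostname that resolves to it."""
    index = defaultdict(set)
    for name in zone:
        for ip in resolve(name, zone):
            index[ip].add(name)
    return index


def naive_block(order, zone):
    """The failure mode: blacklist every address an ordered name resolves to."""
    return {ip for name in zone if covered(name, order)
            for ip in resolve(name, zone)}


def collateral(ips, order, zone):
    """Hostnames outside the order that a set of blocked addresses takes down."""
    index = reverse_index(zone)
    return sorted({n for ip in ips for n in index[ip] if not covered(n, order)})


def reviewed_block(order, zone):
    """Block only addresses with no known co-tenants; hold the rest for a human.

    An empty co-tenant list only means none are known in the data set, so the
    hold queue is a minimum, not a guarantee of safety for the block set.
    """
    index = reverse_index(zone)
    block, hold = set(), {}
    for ip in naive_block(order, zone):
        others = sorted(n for n in index[ip] if not covered(n, order))
        if others:
            hold[ip] = others
        else:
            block.add(ip)
    return block, hold


if __name__ == "__main__":
    for label, zone in (("shared redirector", ZONE), ("repointed record", REPOINTED)):
        naive = naive_block(COURT_ORDER, zone)
        block, hold = reviewed_block(COURT_ORDER, zone)
        print(label)
        print("  naive blacklist:", sorted(naive))
        print("  collateral     :", collateral(naive, COURT_ORDER, zone))
        print("  safe to block  :", sorted(block))
        print("  held for review:", hold)
```
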



August 09, 2013 | Javier Ruiz

Tackling “thorny issues” of open government at the OGP London summit

A look at some of the tricky issues and tensions in open government being discussed at the upcoming OGP summit.

The Open Government Partnership summit in London is gaining momentum, as evidenced by the growing engagement from civil society organisations. The OGP is reaching an important milestone, with the closure of its first cycle of country commitments and independent assessments.

The summit will be an inclusive space where governments can announce inspiring projects and collaborate with civil society. But this does not have to mean shying away from tackling difficult questions around open government.

Last week, UK civil society organisations held a meeting to discuss the summit. One proposal was making these areas of potential conflict explicit by creating a specific track for “thorny issues”. This would show the OGP is a confident process that takes these matters seriously.

The following areas would be suitable for inclusion. Some have already been proposed as a concrete session, while others are just an idea looking for more partners:

1. Transparency and private public services

Private companies have an important role to play in many of the areas covered by the OGP, such as the extractive industries and fiscal transparency. But this session will focus on the increasing provision of public services by private companies.

These companies tend to be excluded from “Right to Information” laws. Where there is information available, this is normally limited to narrow terms of contract delivery, making it difficult to assess overall performance and value for money.

2. Openness and privacy

Open data and transparency programmes can have privacy impacts, which could also lower acceptance and engagement from citizens. From a different perspective, we may also find that privacy can be used as an excuse to hinder transparency.

In some cases these tensions will involve personal data that is published in the public interest, such as subsidies, taxes, registers, judicial documents, etc. Another potential conflict is the publication of data from public services - schools, hospitals, welfare, etc. This kind of data is normally “anonymised”, but there are growing concerns about the risks of re-identification of individuals by combining different data sources.

An international workshop on this topic will have to analyse how to balance diverse regulatory approaches with upholding fundamental principles on privacy and the protection of personal data.

Privacy International and Open Rights Group are coordinating this session.

3. Surveillance and national security

The recent confirmation of the existence of mass internet surveillance programmes by several industrialised nations is a game-changer that brings into question some of the assumptions that have underpinned the relations between open government, surveillance and national security.

Few will question that there is a role for secrecy and special powers. But the blanket exemptions for national security from most transparency programmes and right to information laws may have gone too far. In some countries there is no basic information on the legal basis of surveillance programmes, or the size of their overall budget. Many civil society organisations are demanding more targeted surveillance and better accountability.

More fundamentally, we may need to revisit the unspoken presumption in open government circles that there is no need to justify collecting increasing amounts of data on citizens because eventually something good will come out of it.

Open Society Foundations, Open Rights Group and Tactical Technology Collective are coordinating this session.

4. Protection for whistleblowers

There are growing concerns that despite an increase in commitment to openness, many OGP countries are actually ratcheting up the persecution of whistleblowers. Besides several high profile cases with international resonance, there are many less known cases throughout the world.

Several organisations, including OSF, have expressed interest in organising sessions on this important topic. Please get in touch.

5. Citizens’ rights, practical tools and government commitments

Groups involved in the OGP have alternative approaches to openness. This has been characterised in simple terms as involving on one side Right to Information veterans, who have focused for a long time on getting government to implement legislation. On the other side would be Open Data activists that, instead of driving policy, develop practical technology solutions to provide access to public information. Of course the reality is more complex. Nowadays most people in the field will agree that transparency and accountability require both laws and tools, plus citizen engagement and infomediaries.

There are concerns, however, that the OGP may be skewing this balance with its focus on voluntary commitments by the executive branches of government that lack legally enforceable mechanisms. The problems arise when the same governments that propose national plans with excellent aspects are simultaneously weakening Right to Information legislation or the role of civil society.

The Campaign for Freedom of Information are coordinating this proposal.

The proposals above are all in a shared online document that attempts to collate all the sessions proposed by civil society groups. Please add the details of any proposals you are developing to that spreadsheet, and get in contact with anyone who is developing an idea you would be interested in supporting.

It is important to get international collaborations to shape the sessions. Particularly, let us know if you know of any government representatives from your country who are coming to the summit and may be interested in participating in these panels.

There is a growing consensus that the summit should reflect the diversity and multistakeholder nature of the OGP. A criterion for acceptance into the programme should be that panels are gender balanced and include representation from the majority world.

The deadline for presenting complete proposals to the OGP summit team is the 1st of September.

This blog was also posted to the Open Government site.  



August 08, 2013 | Peter Bradwell

Nominet trying again with .uk proposals

Nominet are again consulting on their idea to introduce .uk domain registration. But the proposals are little better than before.

Nominet's new .uk proposals, described in more detail on their website, include:

  1. The ability to register .uk sites. The proposals would mean, for example, that if you run reallyamazingwebsite.co.uk that you could also register reallyamazingwebsite.uk
  2. An effort to verify registrants' details for second level registration through checks against a third party database, and a requirement to supply a UK address for service.
  3. Reserving names for a period so that those who first registered a domain name string have priority over the .uk registration. So, for example, if I registered reallyamazingwebsite.co.uk in 2003, and nobody registered reallyamazingwebsite.ltd.uk or reallyamazingwebsite.me.uk and so on before me, then I would have the first opportunity to register reallyamazingwebsite.uk
  4. Charging a wholesale price of £4.50 a year for multiple year registrations or £5.50 for single year registrations.

Nominet are effectively arguing that they will make a lot more money through these proposals, and this is good because they will then be able to do more of their work improving the trust and security of the .uk namespace. I'm paraphrasing Nominet's argument. (See Lesley Cowley's blog on the Nominet website for more on the thinking behind the changes.)

However, they make little or no case for this. There are no details about how much they expect the proposals to raise, or how they plan to use the extra money to improve trust and security in the .uk namespace.


Haven't we been here before?

This is the second consultation Nominet have run on this idea. The first was at the end of last year. They received lots of negative feedback last time. We responded and were critical of the proposals, and recommended they be dropped. We argued that the plans would lead to:

1. the creation of a 'walled garden' that would undermine confidence in the rest of the UK domain space including .co.uk
2. the imposition of additional cost burdens on website operators, which are likely to be particularly significant for SMEs
3. the positioning of Nominet in an inappropriate role, by setting them up as arbiters of trust online and giving them additional and somewhat unchecked powers. This would effectively create for Nominet a monopoly over 'trust' and security in the UK domain space.

What has changed from the last consultation?

Not a whole lot. Two main things:

  1. dropped some of the security services that would have been offered exclusively to those with .uk sites.
  2. changed the charging structure, changing the fee from £20 in the original consultation to a wholesale price of £4.50 a year for multiple year registrations or £5.50 for single year registrations

Why do Nominet think this is a good idea?

The shortest answer: because they will make an awful lot of money from it. Nominet say this proposal will 'keep the namespace competitive', and that the namespace needs to 'develop and innovate to remain competitive and relevant.' Further on in the consultation document Nominet specify four benefits:

  1. Maintain the relevance of the .uk name space in a rapidly developing market;
  2. Provide additional choice for registrants in the .uk space and meet market demand;
  3. Fulfil Nominet's public purpose by increasing security and trust in the .uk name space; and
  4. Progress Nominet's commercial development.

We have serious doubts about whether the proposals for greater verification of registrants' details will have any effect on consumer confidence. For example, it seems like it will still be fairly easy for somebody to simply register using a 'real' name and address that is not theirs. Nominet certainly provide no evidence of the likely effects of the new process.

The key argument Nominet make seems to be this: the commercial development of Nominet is a good thing because it will enable them to do more to make the .uk domain space more trusted and secure. I asked Nominet about this on Twitter:

@peterbradwell: @Nominet thanks! is the idea that nominet's commercial growth via new .uk sales will improve nominet's ability to meet its public purpose?

@Nominet: @peterbradwell yes or at least help us to maintain the ability in the face of the changing domain name landscape.


The lack of a justification for the .uk proposals

Figures, estimates or otherwise, of the costs and benefits of the proposals are absent from the consultation document or background paper. There is no estimate of the extra income this will generate for Nominet or the registrars, and no estimation of the costs to businesses. There are no proposals for exactly what Nominet will do with the extra money to further their public purpose work. Nominet say there is no reason to provide a business case. 

All of this makes it hard if not impossible to consider whether this is the best way to improve the trust and security of the .uk namespace. The relationship between Nominet's continued commercial growth and improvements in trust and security of .uk namespace seems to be taken as given. 

The WebMastering.co.uk blog estimates Nominet could make upwards of £25m from the proposals - doubling their revenue - and lists a number of important questions that have not been addressed.

Nominet's .uk plans still represent an effort to exploit their position to create new online 'real estate'. We're currently putting together our formal response to Nominet, which we'll post on the website as soon as possible.

More detail on the consultation and information on how you can respond are on the Nominet site.

 


