Crypto Wars 2.0

I was invited to give a talk at Oxford University on Crypto Wars 2.0 for the Cyber Security DTC that is jointly run by Oxford and Royal Holloway. I have given a talk on the Crypto Wars at Durham in the past, but this talk was a combination of revisiting the Crypto Wars today and a look to the future. I have produced a podcast of the talk and the slides are available here.

Investigatory Powers Bill

The video below is a recording of Theresa May answering questions on the draft Investigatory Powers Bill. Some interesting highlights (or low lights) for me were the following:

  • She essentially didn’t answer the question on why it is unhelpful to compare the retention of web history with that of an itemised phone bill. The two things are not the same. An itemised phone bill doesn’t record a version of the conversation that took place. Now, although I believe that the retention does not include the exact pages visited, it does include the IP address of the website. So even though that is not the exact pages visited, it does give some idea of the content that might have been viewed, as they could go and retrospectively visit the site. Importantly, this doesn’t include whether the site has changed in the meantime. Also, it is not clear to me whether the IP address and the site are recorded. Obviously this is important, as you can host a large number of websites on a single server… In short, this comparison is supposed to be there for clarification; it doesn’t clarify anything.
  • Some of the wording seems to be vague, to say the least. This is of some concern as it could allow for a degree of ‘mission creep’, where the legislation is used for things that it was not really intended for. We have already seen the government use terrorism laws for strange things, the most obvious of which was them being used to freeze Icelandic bank accounts during the financial crash.
  • No sunset clause. So the bill will not time out on its own, and realistically, unless the attitude of a future government is very different from today, we might well be stuck with it forever.
  • I will also point out that there seems to be some scope for the weakening of encryption in the bill. We haven’t seen this since the May 2000 Electronic Communications Act, in which the Home Office left in a vestigial power to create a registration regime for encryption services. Basically the capacity to weaken/back door encryption. This did have a sunset clause which expired.

Security Algorithms Need to be More Transparent

I wrote a piece for The Conversation, “It’s time to shine a light on the unseen algorithms that power ‘Big Brother’”. I try to make the point that we as citizens know very little about the algorithms that power the security services (not to mention all sorts of other things too). This is troubling, as there is a great potential for them to discriminate, or just plain get things wrong. This is potentially damaging to us, but it also makes them less useful. I also draw a comparison between these analytical algorithms and cryptographic algorithms, which are often deliberately opened up to ensure their strength. Analytical algorithms that have the power to refuse someone entry to a country, or potentially assist with putting someone behind bars, should also be open.

Here comes the two-tier internet?

The government want to control what we do on the internet. They want to make us all safe by controlling what we can see and recording everything that we do. It’s for our own good, we need to be kept safe. Think of the children!

Ok, so that’s a rather flippant response to two big issues, but I think there is a sinister truth within. Leaving aside the apparent fact that much of our online lives is either accessible to the security services, or being recorded, I want to focus more on David Cameron’s war on pornography. Or rather, the idea and practicalities of filtering the internet. Internet pornography is a particularly difficult subject in a number of ways. Child exploitation and abuse is without question horrible, and it’s right that every effort should be made to remove it from society and the Internet. Consensual pornography is a less clear-cut issue, one that there has been a lot of debate about, and will continue to be debated perhaps forever. Is pornography always exploitative? If all parties are consenting, what is the problem with its production and viewing? Should pornography be protected as a form of expression? Where is the line drawn between pornography and art? I want to leave these questions for others and move on instead to filtering the internet.

To me the Internet (or perhaps the whole World Wide Web) is a decentralised, uncontrolled bastion of freedom. One that seems to be under threat in a number of different ways. More and more of the infrastructure of the Internet is controlled by a small number of large companies. Google, Facebook, Amazon, Yahoo!, Microsoft, Rackspace and others host, route or provide access to increasing amounts of the content on the Internet. The dream of a truly decentralised Internet of millions of servers providing hosting, mail, or search facilities seems to be over, or at least under threat. Filtering seems to be the next big assault on my bastion of freedom.

Filtering the Internet entails blocking users’ access to certain websites, either via host-name blocking, or perhaps IP blocking. This is what David Cameron is proposing to do: by default he wants UK ISPs to block porn sites and only allow access if people actively choose to opt out of filtering. The problem with filtering (leaving aside the issues around freedom of expression etc.) is that it is rubbish and doesn’t work very well. Filtering can operate at the level of the Domain Name System (DNS). DNS servers are essentially an index: when I try to reach google.co.uk, I am requesting the IP address of the computer hosting google.co.uk from a DNS server. If filtering is in place, instead of getting the IP address of the computer I would be redirected to a page telling me that I was trying to reach naughty content that I am not allowed to see.

The other possibility is blocking access to particular IP addresses. I suspect that this would be done at the point of Network Address Translation (NAT), or while routing traffic. Essentially an ISP could keep a list of IP addresses that are banned, and refuse to route you to those computers. This is more problematic because the IP address of a website can change independently of the host name. So even if the IP is blocked you could reach the site, or a ‘safe’ site could be blocked accidentally. Also, it is possible to host a number of websites on one computer, and therefore all under the same IP address: block one and you block them all. So IP filtering is a very blunt instrument.
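To make the difference between the two approaches concrete, here is a small simulation of a DNS-level filter and an IP-level filter over the same set of sites. It is an added example, not part of the original post; the hostnames, addresses and function names are all constructed for illustration.

```python
# Constructed sample data: hostnames and addresses are made up
# (example.* names, RFC 5737 documentation address ranges).
BLOCK_PAGE_IP = "203.0.113.1"        # where the filtering resolver sends banned names
BANNED_HOSTS = {"banned.example"}

# DNS records at the moment the ISP compiled its IP blocklist.
DNS_AT_LISTING = {
    "banned.example": "192.0.2.10",
    "charity.example": "192.0.2.10",  # shared hosting: same server as banned.example
    "school.example": "192.0.2.10",
    "news.example": "198.51.100.7",
}
# Later on, banned.example moves to a different server; nothing else changes.
DNS_LATER = dict(DNS_AT_LISTING, **{"banned.example": "198.51.100.99"})


def filtered_resolve(host, records):
    """DNS-level filter: the ISP resolver answers with the block page for banned names."""
    return BLOCK_PAGE_IP if host in BANNED_HOSTS else records[host]


def build_ip_blocklist(records):
    """IP-level filter: ban every address a banned hostname pointed at when listed."""
    return {records[h] for h in BANNED_HOSTS}


def ip_filter_outcome(records, ip_blocklist):
    """Classify each site under IP blocking against the current DNS records."""
    outcome = {"blocked_as_intended": [], "overblocked": [], "missed": []}
    for host, ip in sorted(records.items()):
        banned, dropped = host in BANNED_HOSTS, ip in ip_blocklist
        if banned and dropped:
            outcome["blocked_as_intended"].append(host)
        elif dropped:
            outcome["overblocked"].append(host)   # 'safe' site sharing a banned address
        elif banned:
            outcome["missed"].append(host)        # banned site now on an unlisted address
    return outcome


if __name__ == "__main__":
    blocklist = build_ip_blocklist(DNS_AT_LISTING)
    print("DNS filter:", {h: filtered_resolve(h, DNS_LATER) for h in DNS_LATER})
    print("IP filter at listing time:", ip_filter_outcome(DNS_AT_LISTING, blocklist))
    print("IP filter after the move: ", ip_filter_outcome(DNS_LATER, blocklist))
```

After the move, the stale IP list blocks only the two unrelated sites that still share the old server, which is the blunt-instrument problem in its worst form.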

These methods of filtering can be circumvented in a number of different ways. DNS filtering, for example, can easily be sidestepped by changing your DNS server. By default your home router will be set up to use your ISP’s DNS servers, filtering and all. Don’t like it? Change it to one of the public DNS servers that are free. This can be done on your router, or just for individual computers or even browsers. You could also use a Virtual Private Network (VPN). This is slightly more difficult, but not much. Here you establish an encrypted link between your computer and another one elsewhere (perhaps in a different country). All the network traffic out of your computer is then sent to this other computer, which then deals with it by forwarding it on to DNS servers etc. It looks like you are that other computer, and if that computer is outside of the filtering then you are unfiltered. You could also use Tor. Tor was designed to protect against network surveillance and traffic analysis. How it works is an article (at least) on its own, but suffice it to say that if you use it you wouldn’t be filtered.

So filtering is rubbish… so what next? Perhaps governments will give up on filtering, trusting adults to make their own minds up about what they want to access, and instead focus on catching the people that are breaking the law and leave filtering children’s access to the internet to parents? Not likely. My fear is that in a quest for increasing control (to make us all safe) of what the Internet is, they will create a two-tier internet.

What is this two-tier Internet? An island analogy will work here. If you live on an island you can easily drive around on the island and visit all the shops, people etc. However, if you want to go off the island you have to drive down the one bridge to the rest of the world. It could be possible to build an Internet island. By default this is what everyone is given access to, and you aren’t allowed to cross the bridge. Under this model all the websites accessible on the island would have to be pre-registered and vetted; if you attempt to access any other website (or indeed computer) you would be blocked. Public DNS wouldn’t work, as that would require going down the bridge, and the same goes for a VPN that is outside the island. You just can’t get there. Unless, that is, you have requested to be able to cross that bridge. It would be easy then to monitor who wanted to get off the island, and in some cases what they brought back with them. Just asking to get off would make you a person of ‘interest’. Why would any normal, law-abiding person want to get off our safe internet island?

How likely is this? Well, you would not need to alter the existing infrastructure of the internet. It could be implemented with existing technology; some countries have already attempted to unplug their entire population from the rest of the internet for periods of time. The model changes from one of allow with exceptions to block with exceptions. ISPs could be forced to connect to what would essentially be a subnet of the WWW, with a router controlling that bridge to the mainland. The only way round the filtering would then be building your own bridge!

International safe zones could be connected, with some sort of international body acting as oversight, deciding what makes the safe list. How is this different from what we have now? Well, currently anyone can set up a DNS server and add hostnames to the index. There is no central control; DNS servers are distributed, and hosting servers for websites pop up all the time. Anyone can get an IP address for an internet device and get access to other computers. That could easily change; it’s already changing.

What troubles me is that these changes could creep up on us. Some people will like the idea of a filtered internet. They would be happy to think that their children can’t get to unsavoury content while they are surfing in their bedrooms, or on their phones. What is more, they could start getting upset when the filters fail, and start putting pressure on the government to change things and force the ISPs to do it better. Could this lead to vetting and a two-tier internet? I think it could, and it might not look like a bad thing for a while. Those who want to get down the bridge are allowed to do so, and what they do isn’t recorded without good reason. The problem is that good reason today might look very different in 10 years, and future governments might not be so benign (how benign are present day governments?).