United Kingdom: Phone and email records to be stored in new spy plan

United Kingdom: Details of every phone call and text message, email traffic and websites visited online are to be stored in a series of vast databases under new Government anti-terror plans.

Landline and mobile phone companies and broadband providers will be ordered to store the data for a year and make it available to the security services under the scheme.

The databases would not record the contents of calls, texts or emails but the numbers or email addresses of who they are sent and received by.

For the first time, the security services will have widespread access to information about who has been communicating with each other on social networking sites such as Facebook.

Direct messages between subscribers to websites such as Twitter would also be stored, as well as communications between players in online video games.

The Home Office is understood to have begun negotiations with internet companies in the last two months over the plan, which could be officially announced as early as May.

It is certain to cause controversy over civil liberties – but also raise concerns over the security of the records.

Access to such information would be highly prized by hackers and could be exploited to send spam email and texts. Details of which websites people visit could also be exploited for commercial gain.

The plan has been drawn up on the advice of MI5, the home security service, MI6, which operates abroad, and GCHQ, the Government’s “listening post” responsible for monitoring communications.

Rather than the Government holding the information centrally, companies including BT, Sky, Virgin Media, Vodafone and O2 would have to keep the records themselves.

Under the scheme the security services would be granted “real time” access to phone and internet records of people they want to put under surveillance, as well as the ability to reconstruct their movements through the information stored in the databases.

The system would track “who, when and where” of each message, allowing extremely close surveillance.

Mobile phone records of calls and texts show within yards where a call was made or a message was sent, while emails and internet browsing histories can be matched to a computer’s “IP address”, which can be used to locate where it was sent.

The scheme is a revised version of a plan drawn up by the Labour government which would have created a central database of all the information…

Labour shelved the project – known as the Intercept Modernisation Programme – in November 2009 after a consultation showed it had little public support…

But the security services have now won a battle to have the scheme revived because of their concern over the ability of terrorists to avoid conventional surveillance through modern technology.

They can make use of phone tapping but their ability to monitor email traffic and text messages is limited.

They are known to have lobbied Theresa May, the Home Secretary, strongly for the scheme. Their move comes ahead of the London Olympics, which they fear will be a major target for terror attacks, and amid a climate of concern about terrorists’ use of the internet.

… Sources said ministers are planning to allocate legislative time to the new spy programme, called the Communications Capabilities Development Programme (CCDP), in the Queen’s Speech in May.

But last night privacy campaigners warned the scheme was too open to abuse and could be used for “fishing trips” by spies.

Jim Killock, executive director of the Open Rights Group, a civil liberties campaign organisation, said: “This would be a systematic effort to spy on all of our digital communications.

“The Conservatives and Liberal Democrats started their government with a big pledge to roll back the surveillance state.

“No state in history has been able to gather the level of information proposed – it’s a way of collecting everything about who we talk to just in case something turns up.”

There were also concerns about the ability of phone and Internet companies to keep the information secure.

And the huge databases could also be used by Internet service providers, particularly to work out which advertising to target at users.

Broadband firms including BT came up with a scheme almost three years ago to target advertising, but it did not get off the ground.

However, if companies were able to exploit the information they will be compelled to keep for the CCDP, they would be much more capable of delivering advertising to computers and even mobile phones based on users’ past behaviour.

Gus Hosein, of Privacy International, said: “This will be ripe for hacking. Every hacker, every malicious threat, every foreign government is going to want access to this.

“And if communications providers have a government mandate to start collecting this information they will be incredibly tempted to start monitoring this data themselves so they can compete with Google and Facebook.”

… from the Telegraph

A document from 39 years ago: Western Concern for Privacy in the age of Computers

Common Concerns

[This was in 1973, 39 years ago, when “computers ran on steam and the internet was still largely mechanical”. I was led to this document from a message posted by Karl Auerbach in the At Large mailing list today.]

Most of the advanced industrial nations of Western Europe and North America share concerns about the social impact of computer-based personal data systems. Although there are minor differences in the focus and intensity of their concerns, it is clear that there is nothing peculiarly American about the feeling that the struggle of individual versus computer is a fixed feature of modern life. The discussions that have taken place in most of the industrial nations revolve around themes that are familiar to American students of the problem: loss of individuality, loss of control over information, the possibility of linking data banks to create dossiers, rigid decision making by powerful, centralized bureaucracies. Even though there is little evidence that any of these adverse social effects of computer-based record keeping have occurred on a noticeable scale, they have been discussed seriously since the late sixties, and the discussions have prompted official action by many governments as well as by international organizations.

Concern about the effects of computer-based record keeping on personal privacy appears to be related to some common characteristics of life in industrialized societies. In the first place, industrial societies are urban societies. The social milieu of the village that allowed for the exchange of personal information through face-to-face relationships has been replaced by the comparative impersonality of urban living. …

Concern about the effects of computer-based record keeping appears to have deep roots in the public opinion of each country, deeper roots than could exist if the issues were manufactured and merchandised by a coterie of specialists, or reflected only the views of a self-sustaining group of professional Cassandras. The fragility of computer-based systems may account for some of the concern… There are few computer systems designed to deal with the disruption that deliberately lost or mutilated punched cards in a billing system (to give a simple example) would cause. Thus, the very vulnerability of automated personal data systems, systems without which no modern society could function, may make careful attention to the human element transcend national boundaries.

The Response in Individual Nations

WEST GERMANY

On October 7, 1970, the West German State of Hesse adopted the world’s first legislative act directed specifically toward regulating automated data processing. This “Data Protection Act” applies to the official files of the government of Hesse; wholly private files are specifically exempted from control. The Act established a Data Protection Commissioner under the authority of the State parliament whose duty it is to assure that the State’s files are obtained, transmitted, and stored in such a way that they cannot be altered, examined, or destroyed by unauthorized persons…

Thus, the Data Protection Act of Hesse seems designed more to protect the integrity of State data and State government than to protect the interests of the people of the State…

SWEDEN

When strong opposition to the 1969 census erupted in Sweden, public mistrust centered not so much on the familiar features of the census itself as on the fact that, for the first time, much of the data gathering would be done in a form specifically designed to facilitate automated data processing. Impressed by the possibility that opposition might be so severe as to invalidate the entire census, the government added the task of studying the problems of computerized record keeping to the work of an official commission already studying policies with respect to the confidentiality of official records.

After a notably thorough survey of personal data holdings in both public and private systems, the commission issued a report containing draft legislation for a comprehensive statute for the regulation of computer-based personal data systems in Sweden.2 The aim of the act is specifically the protection of personal privacy. Its key provisions are these:

  • Establishment of an independent “Data Inspectorate,” charged with the responsibility for executing and enforcing the provisions of the Data Law.
  • No automated data system containing personal data may be set up without a license from the Data Inspectorate.
  • Data subjects have the right to be informed about all uses made of the data about them, and no new use of the data may be made without the consent of the subject.
  • Data subjects have the right of access without charge to all data about them, and if the data are found to be incorrect, incomplete, or otherwise faulty, they must either be corrected to the subject’s satisfaction, or a statement of rebuttal from the subject must be filed along with the data.
  • The Data Inspectorate will act as ombudsman in all matters regarding automated personal data systems.

The Data Law has been passed by the Swedish Parliament and will become effective on July 1, 1973. A transition period of one year will be allowed to implement all the provisions of the law.

FRANCE

Article 9 of the French Civil Code states plainly, “Everyone has the right to have his private life respected.”3 As legal scholars in all countries have noted, however, it is very difficult to define the precise limits of privacy in every case that comes before a court, and in spite of such explicit protection, the privacy of the French, both inside and outside of automated personal data systems, seems in practice no better defended than that of most other people…

One other development on the French scene deserves mention. The 1972 annual report of the Supreme Court of Appeals went considerably out of its way, after reviewing a case of literary invasion of privacy, to comment on the subject of computers and privacy:

… The progress of automation burdens society in each country with the menace of a computer which would centralize the information that each individual is obliged to furnish in the course of his life to the civil authorities, to his employer, his banker, his insurance company, to Internal Revenue, to Social Security, to the census, to university administrations, and, in addition, the data, correct or not, which is received about him by the various services of the police. When one thinks about the uses that might be made of that mass of data by the public powers, of the indiscretions of which that data might be the origin, and of the errors of which the subjects might be the victims, one becomes aware that there lies a very important problem, not only for the private life of everyone, but even for his very liberty.

It appears to us that this eventuality, an extremely probable one, ought to be made the object of consideration of the public power, . . .and that this consideration should take its place among the measures of precaution and of safeguard which should not lack for attention.7

To sum up, the situation in France is complex. The subject of computers and privacy has been given serious attention by a relatively small group of experts, but that group has an influence in government far out of proportion to its numbers. The attitude of the present government is strongly colored by another aspect of the privacy problem: It has been caught in a wiretap scandal, and its defensiveness in that regard appears to be influencing its actions on the computer front. The official report of the present working group is due before the end of 1973, but it does not seem realistic to expect that there will be any definitive action in France before, perhaps, mid-1974.

GREAT BRITAIN

Britain is unique among the countries reviewed in having recently completed a thorough study of the entire subject of privacy.8 Although the committee in charge of the study, the Younger Committee, was restricted in its terms of reference to private, rather than public, organizations that might threaten privacy, the committee’s report is a model of clarity and concern. In brief, the Committee found that both the customs of society and the Common law had evolved defenses against the traditional intrusions of nosey neighbors, unwelcome visitors, door-to-door salesmen, and the like. Against the new threats of technological intrusions (wiretaps, surveillance cameras, and, of course, computerized data banks) the Committee recognized that the traditional defenses are inadequate. To help deal with the threat of the computer, the Committee recommended specific safeguards to be applied to automated personal data systems, although it left the method of application up to the government to decide. The main features of the safeguards are:

  1. Information should be regarded as held for a specific purpose and not to be used, without appropriate authorization, for other purposes.
  2. Access to information should be confined to those authorized to have it for the purpose for which it was supplied.
  3. The amount of information collected and held should be the minimum necessary for the achievement of the specified purpose.
  4. In computerized systems handling information for statistical purposes, adequate provision should be made in their design and programs for separating identities from the rest of the data.
  5. There should be arrangements whereby the subject could be told about the information held concerning him.
  6. The level of security to be achieved by a system should be specified in advance by the user and should include precautions against the deliberate abuse or misuse of information.
  7. A monitoring system should be provided to facilitate the detection of any violation of the security system.
  8. In the design of information systems, periods should be specified beyond which the information should not be retained.
  9. Data held should be accurate. There should be machinery for the correction of inaccuracy and the updating of information.
  10. Care should be taken in coding value judgments.9

CANADA

In its report, published in late 1972,11 the Canadian Task Force concluded that computer invasion of privacy is still far short of posing a social crisis. However, the rapidly rising volume of computerized personal data and the equally rapidly rising public expectation of a right to deeper and more secure privacy threaten to converge at the crisis level. To forestall that crisis, the Task Force recommends that a commissioner or ombudsman be established in a suitable administrative setting, that carefully prepared test cases on cogent issues be brought before the courts, and that the operation of government data systems be made to serve as a national model.

from http://aspe.hhs.gov/datacncl/1973privacy/appenb.htm

 

S0PA: 387 Indian ISPs must block 104 piratical websites

The recent Stop Online Piracy Act (SOPA), considered and eventually abandoned by the US Congress after rancorous debate earlier this year, proposed giving judges the power to cut off American access to particular websites. Under the initial version of the bill, judges would have been able to order Internet service providers to use only crude tools like DNS blocking to make piratical websites harder to access. The proposal was criticized strongly on grounds of practicality, due process, and free speech, but major rightsholders want such approaches implemented worldwide. In India, they have succeeded.

A Kolkata court has ordered all 387 Internet providers in the country to block a list of 104 websites after the Indian Music Industry (IMI) filed suit against them. Indian Music Industry officials filed information with the court showing that each of the 104 sites hosted at least some infringing material; the judges ruled that site blocking was a proper way of dealing with the issue. Four injunctions—on January 27, February 6, March 1, and March 2—implemented the blacklist.

Every one of the sites targeted by the music industry was ordered blocked. IMI officials have insisted to local media that they are targeting only the worst offenders, saying that they began their process with 300 websites and eventually narrowed it down to 104 of the most flagrant infringers.

As for how the blocks will be implemented, the court has allowed Internet providers three options: blocking by DNS name (“arstechnica.com”), blocking by IP address (“75.102.3.15”), or URL blocking by deep packet inspection (which can do things like block specific links like “arstechnica.com/bollywood”).

But site blocking on the Internet, though it sounds so seductively easy, comes with its own set of problems. Blocking by DNS can be circumvented simply by entering a site’s actual IP address instead of its name. Blocking by IP address can be bypassed by moving a site to a new server that carries a new IP address. URL blocking has little effect when an existing site simply changes its name.

These are hardly esoteric technical secrets. One of the first sites to be blocked, “songs.pk,” has rebranded itself “songspk.pk.” Confused users who turn to a Google search for answers will already find that link number one for “songs.pk” directs them to the new site.

Truly blocking sites from the Internet in this fashion remains difficult, though as usual the goal is more about making infringement more difficult than curtailing all illegal activity. European courts have on occasion required specific sites to be blocked, but those rulings have tended to target one site at a time, and have often been applied only to a single Internet provider. The Indian approach is far broader, and Internet companies like Facebook and Google are coming under legal pressure to censor far more material, including obscene images of gods and goddesses.

The first list of 104 sites largely focuses on regional music; it includes sites like apunkabollywood.com, bollywoodmp4.com, and lovepaki.com. IMI promises that its next targets will include more general-purpose file-sharing sites, however.

Reproduced from arstechnica

IFPI, the international music trade group, welcomed the ruling—but insisted that even such measures did not go far enough. “The court ruled that blocking is a proportionate and effective way to tackle website piracy,” said IFPI chief executive Frances Moore. “The Indian government should build on this progress by moving forward legislation to effectively tackle all forms of digital piracy to enable the country’s digital music market to reach its full potential.”

 

 

India to set up agency to scan tweets, emails and updates

The government is setting up an internet scanning agency which will seek to monitor all web traffic passing through internet service providers in the country. The scanning agency, to be called the National Cyber Coordination Centre (NCCC), will issue ‘actionable alerts’ to government departments in cases of perceived security threats.

… According to the minutes of a meeting held on February 3, 2012, at the National Security Council Secretariat under the PMO, the National Cyber Coordination Centre will ‘scan whole cyber traffic flowing at the point of entry and exit at India’s international internet gateways’. The web scanning centre will provide ‘actionable alerts for proactive actions’ to be taken by government departments.

All government departments will now talk to the Internet Service Providers such as Bharti Airtel, RCOM, BSNL, MTNL and Tata Communications through NCCC for real time information and data on threats.

More at Techgig

Locking up cyberspace in Pakistan

Bytesforall says this: The Government of Pakistan has repeatedly exhibited the obsession to lock up the Pakistani cyberspace at every given chance. The reasons for doing so are myriad and diverse, but mostly, they revolve around the same unjustifiable excuses like upholding national security, war on terror and/or religious morality. In order to do these, the government continuously imposes and compromises citizens’ fundamental rights including freedom of expression, opinion and access to information, hampering all socio-economic activities connected with the Internet. In an under-developed country like Pakistan this becomes the sheer wastage of resources and tax payers’ hard earned money. Unfortunately, there are no legal protections available for citizens or any mechanisms to regulate such actions by the Government & civil society’s engagement for transparency and accountability.

In a recent development, on 23 February 2012, the National ICT R&D Fund has placed an advertisement in the press, calling relevant national and international service providers, companies to submit proposals “for the development, deployment and operation of a national level URL Filtering and Blocking System”.

Few words are required to describe the magnitude of this disastrous move if it gets implemented. Quoting one requirement from the National ICT R&D Fund website, “Each box should be able to handle a block list of up to 50 million URLs (concurrent unidirectional filtering capacity) with processing delay of not more than 1 milliseconds” shows what kind of capacity the Government is planning to acquire for filtering the Internet content in Pakistan. Most interestingly, this filtering will be governed by one very vague terminology, that is, ‘undesirable content’.

Read more at bytesforall