nettime's_roving_reporter on 27 Jul 2000 15:01:23 -0000
<nettime> RIP
<http://www.newscientist.com/news/news.jsp?id=ns224964>

Britain is about to waste millions of pounds on an obsolete Internet snooping system

INTERNET users can avoid having their e-mails intercepted by the British government if they follow some simple advice published this week by two leading Internet security experts. The advice is designed to highlight failings in the government's multimillion-pound plan to install "black box" e-mail recorders on the premises of Internet service providers (ISPs).

Distributed to MPs earlier this week, the paper is a last-ditch attempt to explain why the Regulation of Investigatory Powers (RIP) Bill is unworkable. If passed by Parliament this week, RIP will give security forces unprecedented powers to snoop on Internet users and demand encryption keys.

But Ian Brown, an Internet security expert at University College London, and Brian Gladman, a former Ministry of Defence information security expert, state in their briefing paper that the interception technology that the Bill requires is already obsolete. Rather than helping catch criminals, they say these recorders would be easy for criminals to evade.

They describe the powers in the Bill as "technically inept", and list a number of ways in which someone with no technical know-how could circumvent black boxes installed at ISPs. They say the introduction of affordable "always-on" ultrafast connections, such as ADSL, will change the way people access the Internet, with more and more setting up their own mail servers.

When this happens, says Brown, there is no reason why people shouldn't bypass ISPs and the government's snooping boxes installed there. This can't be done with dial-up connections because mail servers need to listen out constantly for new mail.

[Diagram caption] Cut out the middleman: there's no reason why mail shouldn't be sent direct to a recipient, bypassing the Internet service provider's mail server--and prying eyes

Snoopers want to tap ISPs' mail servers because they decrypt mail automatically. If e-mail is "session encrypted"--where keys are generated for each new session and discarded--snoopers can only read e-mail at the mail server. Because the server is an end point for session encryption, all mail is briefly decrypted there.

Other more obvious methods for beating black boxes involve using prepaid mobile phones (bought with cash) and free, anonymous ISP accounts. Alternatively, users can access the Net through a British ISP but use a foreign mail server. The easiest method by far is to use a small ISP that doesn't use the services of larger ones: the government says it will only place black boxes on some of the larger ISPs.

The emergence of a new Internet protocol, IPv6, also renders black boxes redundant. In IPv6, all packets of data sent over the Net will be machine-encrypted by default. This will make all Net communications untappable. Although it will be a few years before IPv6 is fully implemented, it is already spreading, Brown says. "Microsoft is introducing it in Windows 2000, and Cisco is introducing it to its routers."

So far, the British government has set aside UKP20 million to help ISPs pay for the black boxes, says Caspar Bowden, director of the London-based Foundation for Information Policy Research. FIPR is publishing Brown and Gladman's briefing paper on its website (www.fipr.org/rip).

Bowden says criminals will easily circumvent the devices. "I don't think ministers understand this," he says. Brown and Gladman say they have withheld less obvious box-beating ideas to avoid handing crooks ideas on a plate.

#  distributed via <nettime>: no commercial use without permission
#  <nettime> is a moderated mailing list for net criticism,
#  collaborative text filtering and cultural politics of the nets
#  more info: majordomo@bbs.thing.net and "info nettime-l" in the msg body
#  archive: http://www.nettime.org contact: nettime@bbs.thing.net