CDB tl;dr (for early leavers...) ● New law that allows any agency so authorised to order your ISP to collect ALL meta-information about everyone's internet activity, retain it for a year and supply it to them for arbitrary analysis. ● Almost impossible to repair in a way that preserves citizen digital rights. ● Needs your input now. ● Needs you to start supporting ORG
The Topic Of The Hour ● Previously rumoured as “Interception Modernisation Programme” under Labour ● Announced as “Communications Capabilities Development Programme” in Queen's Speech ● Now “Communications Data Bill” (CDB) ● Colloquially, “Snooper's Charter”
Didn't The Coalition Say No? ● When the coalition was elected, they promised that: – “We will end the storage of internet and email records without good reason” ● Nick Clegg added: – "We won't hold your internet and email records when there is just no reason to do so." ● Seems someone had a “Yes, Minister” moment...
CDB Is A Zombie Bill ● It gets killed ... It keeps coming back to life ● Source is deep inside Home Office ● Same outcomes sought repeatedly ● This will probably not be the last time we need to defeat it...
CDB Structure ● Part 1 creates a new power to order ISPs to collect communications data ● Part 2 creates a system for assorted public bodies to get access to this data. ● Part 3 adjusts other laws to reflect the new powers and establishes who has oversight.
What Data? ● Modelled on existing powers (“may read the envelope”): postal, phone records ● Any traffic data, use data, or subscriber data ● But not the message itself ● Kept for 12 months by default ● Any civil, criminal or military proceedings can trigger indefinite retention ● No requirement for any citizen to be told
Delivered-To: [email protected] Received: by 10.68.48.163 with SMTP id m3csp12715pbn; Thu, 26 Jul 2012 07:11:49 -0700 (PDT) Received: by 10.60.168.230 with SMTP id zz6mr41583709oeb.11.1343311909082; Thu, 26 Jul 2012 07:11:49 -0700 (PDT) Return-Path: Received: from mail-ob0-f182.google.com (mail-ob0-f182.google.com [209.85.214.182]) by mx.google.com with ESMTPS id r4si21118589obz.27.2012.07.26.07.11.48 (version=TLSv1/SSLv3 cipher=OTHER); Thu, 26 Jul 2012 07:11:48 -0700 (PDT) Received-SPF: pass (google.com: domain of [email protected] designates 209.85.214.182 as permitted sender) client-ip=209.85.214.182; Authentication-Results: mx.google.com; spf=pass (google.com: domain of [email protected] designates 209.85.214.182 as permitted sender) [email protected] Received: by mail-ob0-f182.google.com with SMTP id un3so2755750obb.41 for ; Thu, 26 Jul 2012 07:11:48 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=subject:mime-version:content-type:from:in-reply-to:date:cc :message-id:references:to:x-mailer:x-gm-message-state; bh=/Z6B9ypN63nfDMrE4IT82Mugj6vTi/XfrBaT+4V2X8k=; b=mMYeUXuUVFvFbZx/JQwHHxef13P++yjuvrq2HdidgokubuMCiwg7ewtoaFnhLYCDNZ M7Cv0Zxl719jP3qS0DeCZQXwIQY5LZe5B4ouEKbQ4UQFR8jTaOpha1jkdhL6QyzEJcnk N1kbfidqqg8NMo6bVJEG0+mGsItSvnDfxsGaepb2lux1ehDlTDNnxY/XIsgo5KQP0Ipk +J1zqQh3zjXS1c7LJ4cL3giX5QTo0driOOvnz/LAjp/cMTzidDnPjaUDAO6vfZ31JvUl ieIYIKB8s3PQguKIPDhwhBKDmpduaMXZUmRK9RjiHTVJgTpj+D9taNeC2byohcLV8C8r bwLg== Received: by 10.182.116.2 with SMTP id js2mr42185754obb.38.1343311908355; Thu, 26 Jul 2012 07:11:48 -0700 (PDT) Return-Path: Received: from [10.168.10.10] (cosm4.all-cosme.info. [173.192.35.87]) by mx.google.com with ESMTPS id qv2sm10759032obb.11.2012.07.26.07.11.44 (version=SSLv3 cipher=OTHER); Thu, 26 Jul 2012 07:11:47 -0700 (PDT) Subject: Re: Speaking At OggCamp Mime-Version: 1.0 (Apple Message framework v1084) Content-Type: multipart/alternative; boundary=Apple-Mail-3--67519763 From: Simon Phipps In-Reply-To: Date: Thu, 26 Jul 2012 15:11:40 +0100 Cc: Jim Killock , Peter Bradwell , Ryan Jendoubi , Mark Johnson Message-Id: <[email protected]> References: <[email protected]> <[email protected]> [email protected]>
To: Dan Lynch X-Mailer: Apple Mail (2.1084) X-Gm-Message-State: ALoCoQmaq4J5AUU0LXmhSdsgSViBrM1WrP9ho/r7yY512bu2pMzZY3z4mqwCSX5L5HlRmLOTgRdI --Apple-Mail-3--67519763 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=us-ascii Looking forward to being there again :-) S. -- Simon Phipps, http://webmink.com/ Meshed Insights & Knowledge Mobile: +1 415 683 7660 New office line: +44 238 098 7027 OK Not OK
Exactly What Data? ● Information about how the service is used by people, except for the contents of communications ● Any information that a telecoms operator has about people who use their service ● Traffic data: Anything associated with a communication for the purpose of facilitating transmission, which also satisfies at least one of these criteria: – Identifies any person, apparatus, or location which the communication is being sent to or from – Identifies apparatus involved in sending the communication – Controls apparatus involved in sending the communication – Identifies the time when something relating to the communication occurs – Identifies data that is associated with the communication ● For postal operators: anything the postal service uses to transmit the communication, anything about how people are using the postal service, and any other data that the postal service has about people who use the service
That's a lot! ● Yes, and for a long time & a lot of eyes ● Enormous volume of data ● Can be data mined, heuristically analysed & triangulated with other data ● Can be managed by a central service ● Can be shared with wide range of users ● With friction of mechanical records removed, offers unprecedented ability to deduce anyone's location, actions, opinions and associations
Who can request? (a) a police force, (b) the Serious Organised Crime Agency, (c) Her Majesty’s Revenue and Customs, (d) any of the intelligence services, (e) any public authority designated for the purposes of this Part by order of the Secretary of State,
For What Purpose? (a) in the interests of national security, (b) for the purpose of preventing or detecting crime or of preventing disorder, (c) for the purpose of preventing or detecting any conduct in respect of which a penalty may be imposed under section 123 or 129 of the Financial Services and Markets Act 2000 (civil penalties for market abuse), (d) in the interests of the economic well-being of the United Kingdom, (e) in the interests of public safety, (f) for the purpose of protecting public health, (g) for the purpose of assessing or collecting any tax, duty, levy or other imposition, contribution or charge payable to a government department, (h) for the purpose, in an emergency, of preventing death or injury or any damage to a person’s physical or mental health, or of mitigating any injury or damage to a person’s physical or mental health, (i) to assist investigations into alleged miscarriages of justice, or (j) where a person (“P”) has died or is unable to identify themselves because of a physical or mental condition, to assist in identifying P, or to obtain information about P’s next of kin or other persons connected with P or about the reason for P’s death or condition. The Secretary of State may by order amend this subsection so as to add to or restrict the permitted purposes.
Who & For What Purpose ● Anyone the Secretary of State wants. ● Anyone to whom the Secretary of State delegates ● For any purpose the Secretary of State wants.
Justifications ● “We have to keep up with the technology criminals are using” ● “It's meta-data that contains no personal details” ● “We'll ask OfCOM first” ● “We will make sure the data is used properly” ● “It will only cost £1.8bn”
What's Wrong With That? ● “Keeping Up” – This is not the postal service – There's no public accountability or judicial oversight ● “No Personal Data” – Meta-data allows triangulation – Mass data allows heuristic analysis ● “Ask OfCOM/Data Protection” – Already ineffective on behalf of citizens ● “Used properly” – Mission creep will happen – Home Secretary can arbitrarily extend without oversight
Mission Creep ● Congestion charge cams ● Traffic status cams ● Routine police tool ● Car park cams ● Routine business tool ● Once created, any resource can be repurposed in response to a popular crisis
Summary ● CDB makes us all a suspect. ● Instead of being under surveillance when there is evidence of wrongdoing, you will be under suspicion by default. ● Once created, this resource can only grow in scope & use
What shall I do? In order of engagement: ● Join Open Rights Group – http://openrightsgroup.org ● Read ORG materials – https://wmk.me/TMvWns ● Respond to consultation THIS WEEK – http://www.parliament.uk/business/committees/committees-a- z/joint-select/draft-communications-bill/news/call-for-evidence/ ● Join (or start) a local ORG chapter
webmink
ganota
lmi
nttcom
yayoi_dd
k1low
line_developers
kako351
orgachem
korodroid
jacopen
hirokiotsuka
odasho
shpigford
deanohume
danielanewman
thoeni
jonyablonski
keithpitt
lara
bcantrill
phodgson
holman
skipperchong
geoffreycrofte