Monday, May 12, 2014

TICS after Snowden

Last year, the government passed the Telecommunications (Interception Capability and Security) Act 2013. Ostensibly this was about ensuring the police continued to retain a "lawful intercept" capability over ISPs, but the Act also gives the GCSP a central role in "network security, requiring ISPs to register with them and giving them the power to micromanage procurement and even staffing decisions.

The internet industry has been suspicious of these changes and their breadth, and so in order to reassure them the GCSB today released its Guidance for Network Operators. And in the wake of the Snowden revelations, the guidance they give on exactly how they interpret the areas of specified security interest is truly frightening. Here's what GCSB wants to know about:

  • parts of the network which store aggregated information about a significant number of customers means "Databases which store data in bulk, such as call records or network traffic data". In other words, your metadata. GCSB wants to micromanage decisions around its storage or access. I wonder why?
  • parts of the network which store aggregated authentication credentials of a significant number of customers means "Areas of the network which store authentication credentials & encryption keys". So, they want your password, and they want your ISP's SSL keys. Again, I wonder why?
  • parts of the network where data belonging to a customer or end user aggregates in large volumes means "Large databases which reside in the core of the network and customer Voice Mail Systems (VMS), large email or message systems" and "Points of interconnection or intersection with other networks, and other areas over which a significant proportion of the traffic on the network travels" - so, your ISP's mailserver and key switches. Again, I wonder why?

Basically, the purpose of this part of TICS isn't to help protect us - its to allow the GCSB to build themselves a target list, and to direct procurement towards insecure systems which give them or their foreign "partners" access to our metadata, communications, and online identities. And this simply isn't something we should accept.