Europe Already Has Draft Standard For Real-Time Government Snooping On Services Like Facebook And Gmail

from the not-that-we'd-ever-use-it dept

As the old joke goes, standards are wonderful things, that's why we have so many of them. But who would have thought that ETSI, the European Telecommunications Standards Institute, has already produced a draft standard on how European governments can snoop on cloud-based services like Facebook and Gmail -- even when encrypted connections are used?

ETSI DTR 101 567, to give it the full title, was pointed out to us by Erich Moechel, who has written an excellent exploration of its elements (original in German). Here's the summary from the draft standard (Microsoft Word format):

The present document provides an overview on requests for handover and delivery of real-time information associated with cloud/virtual services. The report identifies Lawful Interception needs and requirements in the converged cloud/virtual service environment, the challenges and obstacles of complying with those requirements, what implementations can be achieved under existing ETSI LI [Lawful Interception] standards, and what new work may be required to achieve needed Lawful Interception capabilities. Cloud Services in whichever forms they take (Infrastructure, Software, Platform or combinations of these) are often trans border in nature and the information required to maintain Lawful Interception (LI) capability or sufficient coverage for LI support may vary in different countries, or within platforms of different security assurance levels. This work aims to ensure capabilities can be maintained while allowing business to utilise the advantages and innovations of Cloud Services and was undertaken cooperatively with relevant cloud security technical bodies.
As that makes clear, this is being presented as "maintaining" interception capabilities in a world where cloud computing makes previous approaches inapplicable. The new standard specifically mentions social networking, file sharing and video conferencing as new areas that need to be addressed.

One key section spells out how this is to be achieved:

If the traffic is encrypted, the entity responsible for key management must ensure it can be decrypted by the CSP [Communication Service Provider] or LEA [Law Enforcement Agency].

In order to maintain LI coverage the cloud service provider must implement a Cloud Lawful Interception Function (CLIF). This can be by way of Applications Programming Interface (API) or more likely ensuring presentation of information in a format recognisable to interception mechanisms. Deep packet inspection is likely to be a constituent part of this system.
As this makes clear, along with the intercepted information, the standard envisages encryption keys being handed over routinely. Just to make things complete, DPI -- deep packet inspection -- is also regarded as a likely element of the system.

Since this is currently a draft, the threat it represents might be seen as purely theoretical; but a recent article in the Guardian confirms that the UK government "quietly agreed to measures that could increase the ability of the security services to intercept online communication" -- a reference to the ETSI draft. The Guardian also provides us with some explanation of why this draft just happens to be available at precisely the moment when the UK government is announcing a plan that seems likely to use it:

Etsi has faced criticism in the past for the pre-emptive inclusion of wiretapping capabilities, a decision that critics say encouraged European governments to pass their wiretapping laws accordingly. According to Ross Anderson, professor in security engineering at the University of Cambridge Computer Laboratory, the institute has strong links with the intelligence agencies and has a significant British contingent, along with a number of US government advisers.
It's a classic case of policy laundering; here's how it will probably work.

The British government insists now that it will "only" gather communications data, and not content. At the same time, it will require that ISPs adopt the new ETSI cloud interception standard (once it's been finalized) in the "black boxes" that they must install under the proposed snooping legislation. That will put in place all the capabilities needed for accessing encrypted streams -- since those providing cloud services will be required to hand over the encryption keys -- and hence the content. The UK government may not intend accessing content today, but thanks to the wonders of function creep, when it decides to do it tomorrow the facility will be there waiting for it.

Meanwhile, European governments will be able to point to the UK's adoption of the ETSI standard as just "good practice"; they will ask their own ISPs to implement it, while insisting that they too have no intention of accessing the contents of people's Internet streams either. Until, that is, the day comes -- probably in the wake of some terrorist attack or pedophile scandal -- when the governments will note that since the capability is available, it would be "irresponsible" not to use it to tackle these terrible crimes. The US government will then bemoan the fact that Europe is taking better care of its citizens than it can, and will therefore pass laws requiring US ISPs to install similar real-time access to their systems, and for cloud-based services to hand over the encryption keys. Luckily, there will be a well-tried European standard that can serve as a model....

Follow me @glynmoody on Twitter or identi.ca, and on Google+



Reader Comments (rss)

(Flattened / Threaded)

  •  
    icon
    gorehound (profile), Aug 3rd, 2012 @ 9:39am

    More Spying

    Another day and another tale of governments using Tech to spy on people.And of course we will see more Draconian Bills either passed or Voted upon in our own Nation.We just had one that thankfully did not pass.Not because of the Content so much as because of the Dysfunctional Congress.
    Thank You this once for being so Dysfunctional, US Gov.
    The new saying to replace the "Save The Children" will be "We Must Stop Cyberwhatever" .

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Aug 3rd, 2012 @ 9:46am

    If the traffic is encrypted, the entity responsible for key management must ensure it can be decrypted by the CSP [Communication Service Provider] or LEA [Law Enforcement Agency].

    There's no better justification for the abolishment of centrally meted keys. What ETSI proposes is changing their role from trusted security service provider to "man in the middle".

    You can bet the farm that if they implemented their man-in-the-middle approach, using standard government bull-in-china-shop protocol, they would leave doors swinging wide open on their hinges.

     

    reply to this | link to this | view in chronology ]

    •  
      icon
      Not an Electronic Rodent (profile), Aug 4th, 2012 @ 3:45pm

      Re:

      You can bet the farm that if they implemented their man-in-the-middle approach, using standard government bull-in-china-shop protocol, they would leave doors swinging wide open on their hinges.
      First thing I thought on reading the article was "So, if they're holding all the encryption keys ready to hand over to the government on demand, then what happens when that store (inevitably) get hacked?"

       

      reply to this | link to this | view in chronology ]

  •  
    icon
    Zakida Paul (profile), Aug 3rd, 2012 @ 9:49am

    What happens if governments succeed in wiping out all terrorists/pedophiles/pirates/criminals? Who will they use as justify their brain fart legislation?

     

    reply to this | link to this | view in chronology ]

    •  
      identicon
      Anonymous Coward, Aug 3rd, 2012 @ 11:02am

      Re:

      Their laws are designed not to succeed in their stated goals. Instead, they drive the problems further underground, making them more resilient.

      As such, they'll never run out of excuses.

       

      reply to this | link to this | view in chronology ]

  •  
    identicon
    John Doe, Aug 3rd, 2012 @ 9:50am

    Who knew the digital age would be the end of our liberties?

    Who would have suspected that the digital age would bring such a rapid end to what few liberties we have left?

     

    reply to this | link to this | view in chronology ]

    •  
      icon
      Zakida Paul (profile), Aug 3rd, 2012 @ 9:59am

      Re: Who knew the digital age would be the end of our liberties?

      Yep, what should be a golden age of information and freedom is becoming an age of government oppression, all because the dinosaurs have no understanding of technology. It's sad really.

       

      reply to this | link to this | view in chronology ]

      •  
        icon
        weneedhelp (profile), Aug 3rd, 2012 @ 10:09am

        Re: Re: Who knew the digital age would be the end of our liberties?

        A Nation of Sheep Breeds a Government of Wolves.

         

        reply to this | link to this | view in chronology ]

      •  
        identicon
        Anonymous Coward, Aug 3rd, 2012 @ 10:09am

        Re: Re: Who knew the digital age would be the end of our liberties?

        ... what should be a golden age of information and freedom is becoming an age of government oppression...

        And thusly, techno-utopianism gives way to techo-dystopianism.

         

         

        reply to this | link to this | view in chronology ]

        •  
          identicon
          Anonymous Coward, Aug 3rd, 2012 @ 10:13am

          Re: Re: Re: Who knew the digital age would be the end of our liberties?

          ... techno-utopianism gives way to techo-dystopianism.

          Oh, and that would be a really cool name for a band:
          The Techno-Dystopians


           

           

          reply to this | link to this | view in chronology ]

    •  
      identicon
      Anony., Aug 5th, 2012 @ 9:14am

      Re: Who knew the digital age would be the end of our liberties?

      Its not the end friend. only the beginning.

       

      reply to this | link to this | view in chronology ]

  •  
    identicon
    OMG PirateMike Guy, Aug 3rd, 2012 @ 10:00am

    If you have nothing to hide, you have nothing to fear.

    C'mon guys, this is the government - they're here to serve us. Except for Pirate Mike and all the freetarding pirates here.

     

    reply to this | link to this | view in chronology ]

    •  
      identicon
      gnudist, Aug 3rd, 2012 @ 10:03am

      Re:

      Yes, no one here except freetards pirating privacy.

       

      reply to this | link to this | view in chronology ]

    •  
      icon
      weneedhelp (profile), Aug 3rd, 2012 @ 10:04am

      Re:

      "If you have nothing to hide, you have nothing to fear."

      Taking the Adolf Hitler approach to the situation huh?

      Good to know.

       

      reply to this | link to this | view in chronology ]

    •  
      identicon
      John Doe, Aug 3rd, 2012 @ 10:04am

      Re:

      I assume, maybe incorrectly, you are being sarcastic? If not, then maybe you should re-read what you wrote, the government is here "to serve us", not the other way around. Why is it they feel they can snoop on us when we can't even see advance text of international trade agreements? Seems they are the ones with something to hide.

       

      reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Aug 3rd, 2012 @ 10:01am

    out of curiosity, who was the arse hole that started all this crap? the UK used to be a responsible place to live. it is fast becoming a 'democratic China' with more and more privacy and freedom violations executed by the Government and more and more new laws being introduced that remove privacy and freedoms already established, all in the name of protecting the people. if what is happening is 'for the people', dont they think that perhaps the people need to know what is going on, why it's going on and be allowed to have a say in whether or not to let it continue going on and whether we need protecting from it? i dont think the government should have such control anyway, particularly when they use the 'security of the nation' as the excuse, when what they are really after is to keep a closer watch on what their own citizens are doing. it's also not right for certain powerful people in the US with their distorted view of the world to keep influencing what happens elsewhere just to try to spread that view. it's even worse for stupid idiots to go along with that distorted view by doing what they want.

     

    reply to this | link to this | view in chronology ]

    •  
      icon
      Seegras (profile), Aug 4th, 2012 @ 2:33am

      Who started it?

      Difficult to tell. There was some trend in the nineties to go into that direction, more prohibitions, more surveillance, all over most countries, and all over most political parties.

      There were/are certainly some drivers of it, NeoCons for instance, but the general mentality has shifted. Everyone had and has its pet-issue which he wants prohibited. From alcohol and drugs to prostitution and pornography, to pollution to guns.

      9/11 was of course the first high, but the trend hasn't subsided since then. None of the draconian laws in the US (and elsewhere!) enacted in the aftermath were ever repelled.

      I'm tempted to write a book about "The Rise of Fascism in the 21st Century". Because that's exactly what is happening.

       

      reply to this | link to this | view in chronology ]

  •  
    identicon
    SAG, Aug 3rd, 2012 @ 10:58am

    Cue the encryption devs...

    One thing this might lead to is an increase in pre-encrypted traffic that is then sent over the back-doored encrypted cloud service. What good will the monitoring be when they discover that they need more keys to actually see what the content is...?

    Something to think about in this ridiculous game of whack-a-mole intelligence gathering.

     

    reply to this | link to this | view in chronology ]

    •  
      icon
      Ninja (profile), Aug 3rd, 2012 @ 11:25am

      Re: Cue the encryption devs...

      And the real criminals will be further pushed underground becoming further untraceable. But hey, it's for the children!

      If I were a kid, I'd be asking the Govt to fuck off and leave my future alone. A pity, I really feel for our kids.

       

      reply to this | link to this | view in chronology ]

  •  
    identicon
    Jake, Aug 3rd, 2012 @ 12:14pm

    I don't think the problem is having the capability to conduct this kind of surveillence operation; I can remember enough of the Troubles to recognise that being completely unable to intercept the communications of people who are planning on blowing shit up on a large scale is a problem.

    But if we're going to have this capability, there needs to be some fairly strict rules on what it it can be used for. Rules that cannot simply be made to go away the first time something bad happens, and more importantly, carry actual serious penalties for breaking them. Otherwise, not only does function creep guarantee that everyone will have their every thought and deed taken down to be used as evidence against them any time the state (or a sufficiently unscrupulous tabloid newspaper, aided and abetted by some script kiddies), but there'll be so many false positives to wade through that the actual bad guys get lost in the background noise.

     

    reply to this | link to this | view in chronology ]

    •  
      icon
      John Fenderson (profile), Aug 3rd, 2012 @ 2:38pm

      Re:

      I don't think the problem is having the capability to conduct this kind of surveillence operation


      I do. This type of capability has always been abused, often widely, regardless of what rules or oversight is put into place. There is no reason to think that the future will be any different.

      I understand that this capability can be used to prevent great harm, but it is also used to cause great harm, so that argument doesn't hold as much weight with me as it otherwise might.

      But I do make a distinction: it's one thing to allow police access to information that is gathered as a side-effect of engaging in an activity. It's an entirely different thing to require that activities be conducted in a way to specifically allow for such surveillance. The latter is, in my opinion, simply despotic.

       

      reply to this | link to this | view in chronology ]

  •  
    identicon
    arcan, Aug 3rd, 2012 @ 2:46pm

    i think there should be a clause that says the first time this law is misused under it's original purpose parliament and the PM will be hung, drawn, quartered, and then be lethally injected.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Andyj, Aug 4th, 2012 @ 2:22am

    Failure of Law.

    The passage reads:
    "Lawful Interception"

    WRONG!!
    It's not lawful, its "LEGAL Interception".
    The paper has no legal validity. Or should I say, will fail in a court of law.

    What these clowns do not realise if anyone uses any form of peer to peer communication without reference to any central server using encryption (suitably adjusted) then there is no simple real time perusing documents/audio/video.

    For instance. The west readying for war have done their best to cut out the real Syrian news agency (sana.sy) from the public eye but if you go there using the IP# you have a direct route to the other news, keeping the eye of Sauron off your back.

    "Fascism should more properly be called corporatism because it is the merger of state and corporate power." -- Benito Mussolini

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Aug 4th, 2012 @ 4:55am

    if the government, any government, were in power to serve us, why is it that we are the last ones to know what the fuckers are up to, particularly when whatever it is they are up to affects us the most? everyone else in whatever country seems to know what's going on, except us. why is it that we never get the opportunity to even give opinions on what they are up to? why is it the first we know of something is when some poor sod gets thrown in jail on some trumped up charge that no one knew existed?

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Dave, Aug 4th, 2012 @ 10:10am

    Last one to leave the planet, turn the lights out.

    This is all getting rather beyond the pale, beyond a joke and any other hackneyed phrases you can think of to apply to government snooping. Why the hell should this be allowed to happen? Private mails and conversations are meant to be just that - PRIVATE! Do you hear that, governments of the world? I just hope that even stronger encryption will ensue but the government would probably then make that illegal. Guilty if encrypted. I gather it's already happened in a way with at least one person refusing to hand over encryption keys. I would support anyone refusing to reveal personal details. It would be like the Post Office opening and reading each and every letter they handle, although nothing would surprise me these days! Extremely depressing situation.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Androgynous Cowherd, Aug 4th, 2012 @ 1:27pm

    The US government will then bemoan the fact that Europe is taking better care of its citizens than it can, and will therefore pass laws requiring US ISPs to install similar real-time access to their systems, and for cloud-based services to hand over the encryption keys. Luckily, there will be a well-tried European standard that can serve as a model....


    Luckily, there will be TOR.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Aug 7th, 2012 @ 7:26pm

    Decrypt VPNs' traffic.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Phil S, Aug 9th, 2012 @ 2:34am

    A Workable Solution?

    Seems we already have a convenient "solution" - micro DS and Carrier Pigeons. Old Tech meets New Tech!!

     

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Save me a cookie
  • Note: A CRLF will be replaced by a break tag (<br>), all other allowable HTML will remain intact
  • Allowed HTML Tags: <b> <i> <a> <em> <br> <strong> <blockquote> <hr> <tt>
Follow Techdirt
A word from our sponsors...
Essential Reading
Techdirt Reading List
Techdirt Insider Chat
A word from our sponsors...
Recent Stories
A word from our sponsors...

Close

Email This