Spy Blog - SpyBlog.org.uk

Given the vast amount of public money spent by MI5 the Security Service, especially on new computer systems, it is asonishing that they have allowed the SSL Digital Certificate for https://www.mi5.gov.uk to expire:

Subject: CN=www.mi5.gov.uk, OU="Member, VeriSign Trust Network", OU=Authenticated by VeriSign, OU=Terms of use at www.verisign.co.uk/rpa (c)05, O=MI5 Security Service, L=London, ST=London, C=GB

Issuer: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign, OU=VeriSign International Server CA - Class 3, OU="VeriSign, Inc.", O=VeriSign Trust Network

Serial Number: 5BD3 998F 7FFC 7F10 E1AF 83C6 A91C 6028

Valid from: 16-Apr-2009 01:00:00 BST

Valid Until:16-Apr-2012 00:59:59 BST (EXPIRED)

Public Key: RSA (4,096 bits)

SignatureAlgorithm: SHA1withRSA

SHA-1 Fingerprint: BA:02:E2:20:5A:4E:96:31:0B:47:8E:07:EF:DF:D8:3D:47:9C:C3:AE

MD5: A4:BA:FA:B5:81:71:F5:39:6F:BE:52:75:6F:02:9E:1D

Why was a new Digital Certificate not installed last week ?

Since the MI5 website re-directs to an SSL / TLS https:// only version, they have effectively created a Denial of Service attack on themselves.

This Connection is Untrusted web browser warnings do not give the impression of professional competence and respect for confidentiality, which potential users of their
Reporting Suspected Threats web form should expect..

Last weekend there were some suspiciously timed Distributed Denial of Service attack against the Home Office website (offline for about 12 hours until Sunday morning) and to a lesser extent the Ministry of Justice and the Prime Minister's Number 10 Downing Street (about an hour's disruption each, on and off) .

None of these websites are vital to the running of the country, especially not on a Saturday evening on a Bank Holiday weekend, when nobody is visiting them, but they are symbolic targets.

The organisers of this supposed "hactivism" were some self appointed faction under the hydra headed #Anonymous twitter hive mind.

See the Twitter hashtag #OpTrialAtHome

The "justification" they claimed was to somehow "support" the controversial Extradition cases of Gary McKinnon, Richard O'Dwyer and Chris Tappin, something which they have not achieved..

Nevertheless these people declared the event a success and then, on the Sunday, they threatened to do the same to the GCHQ website , starting at 8pm GMT on Saturday 14th April 2012.

This "news" has been reported by IT trade publications and picke dup by the national newspapers and broadcast media, especially following the arrests of a couple of teenagers in the West midlands, who may be the vaguely associated with the #teampoison attacks on the Metropolitan Police Anti-terrorism hotline.
(misreported by the "hackers" and far too many other online "news" sources as somehow being MI6 the Secret intelligence Service, who have nothing to do with any public hotlines whatsoever)

As with MI5 and the MI6/SIS websites, only http://www.gchq.gov.uk is valid, not http://gchq.gov.uk on its own

A few hours before the announced attack time, the default GCHQ web page started to be re-directed down a level to:

http://www.gchq.gov.uk/Pages/homepage.aspx

At about 19:40 BST i.e. 18:40 GMT British Telecom , on whose servers this public website appears to be running, put a temporary 302 redirect to e.g.

http://213.121.151.40/TPpRO/c3aba573/43de84c1/www.gchq.gov.uk/

instead of the previous IP address of http://195.171.165.115 which was advertised ahead of time on a Twitter Twitpic graphic:

http://twitpic.com/97d6yn

Note the ambiguous slogan: "Fight Online Privacy" - are the anonymous organisers / manipulators behind this DDoS attack actually on the same side as GCHQ - both of them appear to be fighting against your right to online privacy.

Note also the inevitable confusion - many of the "script kiddies" and gullible journalists will not have read the announcement properly and will assume that 8 PM British Summer Time is somehow the same as 8pm Greenwich Mean Time. (9pm BST)

Much more seriously, the published comment on this web page is actively encouraging the "hactivists" to download a scritpt kiddy "point and click" Denial of Service attack tool called "High Orbit Ion Cannon" - hence the "pew pew pew - fire your Laz0rs" instructions to the exploited cult followers.

There are no warnings whatsover about the fact that participating in this DDoS attack or even just downloading the HOIC tool is a criminal offence in the UK, with up to ten years and two year in prison respectively.

See the control freak Labour government's amendments to the Computer Misuse Act 1990 which came into force in October 2008 and which claims worldwide legal jurisdiction:

• 3.Unauthorised acts with intent to impair, or with recklessness as to impairing, operation of computer, etc. - up to 10 years in prison for paricipating in the DDoS attack

• 3A.Making, supplying or obtaining articles for use in offence under section 1 or 3- up to 2 years in prison for downloading the HOIC tool
  

The timing of these DDoS attacks appears to have been deliberately (or utterly incompetently) chosen to minimise any political impact on the Government or civil servants i.e. on a Saturday evening when nobody in the Government department concerned is likely to have anyone ringing up to complain that their website is unavailable, and well past the print run deadlines for the Sunday newspapers.

If people want to protest by accessing a Government website, then they should be able to, but they must also be made aware of the risks of legal prosecution and potential punishments.

The fact that the organisers of these attacks have not done so, smells of Entrapment by Agents Provocateurs, perhaps like the notorious #Sabu, who are under the control of an intelligence or law enforcement agency and who are actually helping to jusify the repressive Communications Capabalities Development Programme being promoted by the securocrats in Whitehall to the bumbling Coalition politicians.
.

20:05 BST - the GCHQ website seems to be running smoothly

Nick Pickles of BigBrotherWatch has done a good job of analysis of the letter signed by Home Secretary Theresa May and Justice Secretary Kenneth Clarke, sent via the Tory Whips to Conservative MPs, regarding the Communications Capability Development Programme enhanced snooping plans.

Minister's letter fails to answer key questions

The text of the letter is published by the ConservativeHome blog:

http://conservativehome.blogs.com/files/mayclarkeletter.pdf (.pdf)

It really is shocking how little detailed grasp of the technological and social impact Government Ministers and MPs seem to have.

The Special Political Advisors / spin doctors who draughted this letter seem to have deliberately omitted key features of the both the Communications Data Development Programme and of the Green Paper on Justice in this briefing letter to MPs.

HOUSE OF COMMONS

4 April 2012

Dear Colleague

There has been a lot of press coverage in recent days about two of our key policies to maximise public protection: on communications data capability and the Justice and Security Green Paper. We are committed to maintaining national security and protecting the public in the face of changing circumstances whilst continuing to honour our commitment to protect civil liberties.

1. Communications data capability

The need to act

Communications data - information such as who called whom and at what time - is vital to law enforcement, especially when dealing with organised crime gangs, paedophile rings and terrorist groups. It has played a role in every major Security Service counter-terrorism operation and in 95 per cent of all serious organised crime investigations. Communications data can and is regularly used by the Crown Prosecution Service as evidence in court.

But communications technology is changing fast, and criminals and terrorists are increasingly moving away from landline and mobile telephones to communications on the internet, including voice over internet services, like Skype, and instant messaging services. Data from these technologies is not as accessible as data from older communications systems which means the police and Security Service are finding it increasingly hard to investigate very serious criminality and terrorism. We estimate that we are now only able to access some 75% of the total communications data generated in this country, compared with 90% in 2006. Given the pace of technological change, the rate of degradation could increase, making our future capability very uncertain.

We estimate that we are now only able to access some 75% of the total communications data generated in this country, compared with 90% in 2006.

Politicians may be easily fooled by statistics, but we are not.

Theresa May and the Home Office need to publish the actual evidence and assumptions on which they have based these figures.

One place where these figures should have been available from, but they are not, is from the censored Annual Report of the Interception of Communications Commissioner.

That is why, in the Government's Strategic Defence and Security Review, published in 2010, we said we would "introduce a programme to preserve the ability of the security, intelligence and law enforcement agencies to obtain data and to intercept communications within the appropriate legal framework."

We therefore propose to require internet companies to collect and store certain additional information, like who an individual has contacted and when, which they may not collect at present. The information will show the context - but not the content - of communications. So we will have for internet-based communications what we already have for mobile and landline telephone calls.

It is simply not technologically possible to obtain the "certain additional information, like who an individual has contacted and when" from social networking websites like Facebook or Twitter, without Intercepting the Content of these web based services

Safeguarding civil liberties

When we published the Defence and Security Review, we also made clear that we would "put in place the necessary regulations and safeguards to ensure that our response to this technology is compatible with the Government's approach to information storage and civil liberties." In seeking to ensure our law enforcement agencies continue to retain capabilities to protect us from harm, civil liberties will be respected and protected.

The data will be stored by the industry to enhanced standards which we shall set and which will be overseen by the Information Commissioner. The data will be available only to designated senior officers, on a case-by-case basis, authorised under the Regulation of Investigatory Powers Act (RIPA), and the process will be overseen by the Interception of Communications Commissioner. It will be available only if it is necessary and proportionate to a criminal investigation.

If sufficiently "juicy" or "newsworthy", such material has been handed over for free or sold to politically favoured media journalists or sold corruptly to private investigators / information traders , many of whom are former police or intelligence agency employees.

It is also sent, without any effective safeguards whatsoever, to foreign governments.

The majority of the data will be retrospective not real time (an exception might be the tracking of a communications device during a terrorist operation or kidnapping) and will be used as part of an investigation to identify key facts, including as evidence in courts.The police and other agencies will have no new powers or capabilities to intercept and read emails or telephone calls and existing arrangements for interception will not be changed. We envisage no increase in the amount of interception as a result of this legislation.

So what ? The new proposals have nothing to do with the existing system of email and phone interception.

The new proposals will try to extend this existing flawed RIPA regime to social media like FaceBook and Twitter, to Voice over IP telephony, video conferencing and chat like Skype orthe various Instant Messaging protocols, to search engine searches like Google and to Peer to Peer filesharing like Bittorrent

The impression being given is that this snooping will only be available for terrorism or serious crime investigations, but the exisiting RIPA allows Communications Data to be grabbed for much less serious alleged crimes as well.

Differences with Labour's proposals

Despite what has been claimed by some, this is very different to the scheme proposed by the last government. They wanted to build a Big Brother database with all communications data held in one place by government. Under our proposals, there will be no government database and the data recorded will be strictly limited and regulated and will be destroyed after a year.

The data will not be stored by the police or government but by communications service providers who already store some of this data for their own business purposes and under the EU Data Retention Directive. They will be paid by government for this service. But the costs incurred are a fraction of those we would face if we had to try to find an alternative way of developing the very significant evidence that this data provides us; indeed there is no like-for-like alternative.

Labour's original proposals were for a centralised database, which they then changed to a distributed database held by the Communications Service Providers, after their Intercept Modernisation Programme had been ridiculed by everyone who was expected to make it work in practice.

The Conservative / Liberal Democrat Government's vague plans for Communications Data Development programme sound identical in practice to those discredited Labour fantasies.

We have already made changes to limit who can access communications, and how they can access it, and we intend to make further changes in future. Local authorities will now have to get a magistrate's approval to see communications data and they will not be permitted to see more than simple data, such as subscriber to a mobile phone.

There are some clauses in the so called Protection of Freedoms Bill, which is still not on the statute books, over a year after it was introduced.

It is therefore a lie to claim that they have "already" done anything or that "Local authorities will now have to get a magistrate's approval" - these legal powers have not yet been been passed into law, let alone commenced !

We intend to ensure that all departments who can get access to any data will only be able to do so under one legal framework, set out in RIPA.

The previous Labour government lied about doing this as well.

Instead they let the arrogant Department for Social Security / Department for Work and Pensions abuse their "legacy" powers i.e. Section 109B of the Social Security Administration Act 1992 (as amended by the Social Security Fraud Act 2001) passed after RIPA, to grab Communications Data for free, without having to pay the nominal processing fee of around £15 to £25 pounds for a targeted Name and Address Subscriber request form British Telecom etc. and without having to undergo any RIPA training or to submit to even the cursory RIPA Interception of Communications Commissioner oversight scheme.

The importance of forcing junior bureaucrats to actually get their bosses and accounts departments to sanction the auditable expenditure of public money, when they make such Communications Data snooping requests cannot be overemphasised. It is effectively the only mechanism which prevents excessive demands for "all Communications Data" in a certain geographic area or during a certain time period from being demanded, over and over again by inexperienced or lazy or corrupt investigators.

As soon as data is slurped "in bulk, in real time" into secret, unaccountable databases for "data mining", then the risks of corruption, abuse and false positives ruining the lives of innocent people, at great expense, without actually catching any more criminals as a result, increases dramatically.

Access to communications data will be overseen by the Interception of Communications Commissioner. So this is not, as some have tried to suggest, a transfer of power from the judiciary to the state.

There is currently no judicial involvement at all (the secretive Interception of Communications Commissioner and the Intelligence Services Commissioner are both retired senior Judges, but they do not approve or decline any Interception warrants (rubber stamped by a Secretary of State or an anonymous senior civil servant)

The police and Security Service will not be able to intercept the content of calls and emails, except as now when it is necessary and proportionate as part of an investigation relating to serious crime or national security, and only when they have obtained a warrant signed by a Secretary of State.

A balanced approach

For the first time in more than a decade, we have a government that respects civil liberties.

The previous Labour control freak government used to claim that they also "respected civil liberties", but they literally used Orwellian newspeak to redefine the meaning of such words.

It is up to the Coalition government to prove through action, not just words, that they are really different from their Labour predecessors.

We have abolished ID cards, cut back government databases and limited pre-charge detention. But we must not allow the internet to become an unpoliced space, with criminals
free to go about their business with abandon.

The Government's Strategic Defence and Security Review - in which we announced our intention to update communications data capability in October 2010 - can be found here.

Green Paper on Justice and Security

The Government also faces a problem with challenges to executive decisions, for example when it refuses British citizenship or excludes from the UK an individual believed to be involved in activities which threaten national security. These decisions are made on the basis of sensitive intelligence. In judicial reviews of such decisions, again, there is no statutory basis for closed material procedures to be available to the court. This means the Government is unable to fight the case and may have to allow British citizenship to an individual believed to be engaged in terrorism-related activity, for example, because the courts have no secure forum to handle the appeal process.

How many times has such a refusal of British citizenship ever happened ?

There is no problem if there is some actual prima facie hard evidence, of actual terrorist activity against British interests.

If all there is is "intelligence" consisting of unfounded rumours, gossip, anonymous denunciations, false positive identifications etc. then this should rightly be ignored by a Court , just like Hearsay "evidence" for exactly the same common sense reasons.

The recent MI5 investigation into Ekaterina Zatuliveter, showed how incompetent and superficial such "investigations" can be.

That case also shows that there already is a "secure forum to handle the appeal process" "national security" and Immigration and British citizenship executive decisions - the Special Immigrations Appeals Commission (SIAC)

Our proposals

These examples illustrate the compelling case for changing the current rules so that these sorts of cases can be properly heard in a Closed Material Proceeding (CMP) by a judge, where a judgment can be reached on the basis of all

The circumstances in which a CMP would be triggered would be exceptional and rare. They will not apply at all to criminal proceedings and would only apply in compensation cases, or other civil cases based on highly sensitive intelligence material.

The proposals in the Green paper also attempt to "nobble" the Inquests into deaths caused by the Police or by UK or Foreign Military forces, especially by USA "friendly fire".

The Daily Mail is claiming today, via some anonymous Whitehall briefing, that this aspect of the Green Paper, which is not mentioned in this letter, may perhaps be dropped:

Climbdown on secret inquests: Victory for the Mail's open justice campaign

Alongside these proposals to extend judicial scrutiny over Government actions, we also want to give Parliament greater powers of scrutiny by increasing the status, remit and powers of the Intelligence and Security Committee. One option in the Green Paper is for the ISC to be made a statutory Committee of Parliament, to allow it to hold public evidence essions and to give it the power to require information from the security and intelligence agencies.

Spy Blog has been following the inadequate scrutiny provided by the Intelligence and Security Committee for years.

The overall effect is that the Security Service will be more accountable to Parliament and to the courts than at present and that more sensitive evidence will be considered by courts than is possible now.

The Green Paper can be found here.

https://update.cabinetoffice.gov.uk/sites/default/files/resources/green-paper_1.pdf (.pdf)

Further information

We will listen to those who have made suggestions as we develop our plans. If you require any more information, please do get in touch with our PPSs Edward Timpson MP and Ben Wallace MP.

Theresa May Kenneth Clarke

Where is the important topic of Intercept as Evidence for use by either the prosecution or defence in Court (currently forbidden by the Regulation of Investigatory Powers Act 2000 section 17 exclusion of matters from legal proceedings), which is entirely relevant to both the CCDP and CMP proposals ?

The anonymous media briefings ahead of next month's Queen's Speech are continuing today, lead by the Sunday Times and followed by the Press Association, with broadcasters like the BBC joining in, second hand.

The Sunday Times has published a rather meagre front page article on the Coalition government's revival of Labour's All Your Internet Are Belong To Us snooping plans:

Instead of just passively waiting for another NuLabour style fait accompli, please contact your local MP and / or join or support cross party groups like NO2ID Campaign or the Open Rights Group

Sunday Times
Sunday 1st April 2012

Government to snoop on all emails
David Cracknell

David Cracknell used to have several "anonymous" sources within Government and was briefed "off the record" by Whitehall spin doctors

Is the poor quality of this article the result of the anti-Murdoch press "cover your own backsides" attitude which now prevails in Whitehall , following the "phone hacking" / corruption scandals which closed the News of the World and which are tainting even the Sunday Times ?

The government is to expand hugely its powers to monitor email exchanges and website visits of every person in Britain.

Under plans expected to be announced in the Queen's speech next month, internet companies will be told to install thousands of pieces of hardware to allow GCHQ, the government's eavesdropping centre, to scrutinise "on demand" every phone call made, text message and email sent and website accessed in real time.

They already have this legal power which does not require any sort of judicial warrant, under the notorious Regulation of Investigatory Powers Act 2000. All that GCHQ needs is a "catch all" Warrant or Certificate signed by a Secretary of State i.e. normally, in their case, the Foreign Secretary William Hague.

This introduced the legal power to install "black box" snooping hardware at the major Telecommunications companies and Internet Service Providers, overseen by the Technical Advisory Board.

The amount of money the the Labour government was willing to pay for this snooping infrastructure was a paltry sum, which is why it took so long for any agreement with the ISPs. N.B. the interests and priorities of ISPs and Telecomms companies are not the same as those of their customers.

The volume of internet data flowing today is orders of magnitude more than that envisaged back in 2000, so If the new plan is to really going to install "thousands of pieces of hardware", then this plan will cost billions of pounds.

An effort by Labour to introduce a similar law was shelved in 2006 after fierce opposition from the Tories, Liberal Democrats and pri­vacy campaigners.

The useless Jacqui Smith threatened us with a Communications Data Bill, but that was in 2009, not 2006

While the new law would not allow GCHQ to monitor the content of communica­tions without obtaining a warrant, it would permit the intelligence agency to trace whom a person or group had contacted, when, for how long and how often.

That is no different from the existing RIPA law then

Members of the Internet Service Providers' Associa­tion, which represents more than 200 businesses including BT, Virgin Media and Google, were given some details of the proposals last month and were alarmed by what they were told.

So why does this Sunday Times article not mention the Communications Capabilities Development Programme (CCDP), which is what the ISPs were briefing other journalists on last month ?

See Spy Blog: Whitehall risks public and internet industry revolt against their secretive Communications Capabilities Development Programme (CCDP) internet and phone snooping plans

A senior industry official said: "It's mass surveillance.
The idea is that the network operator should effectively intercept the
communications between, say, Google and some third party

"the network operators are going to be asked to put probes in the network and they are upset about the idea ... It's expensive, it's intru­sive to your own customers, it's very difficult to see it's going to work properly and it's going to be a nightmare to run legally."

The association said: "It is important that proposals to update government's capabili­ties to intercept and retain communications data... are proportionate, respect freedom of expression and the privacy of users."

Why doesn't the Sunday Times name the "senior industry official" or even the "Internet Service Providers' Associa­tion" spokesman ?

Under the current law, companies must keep records for some traditional types of phone and electronic commu­nication for a year.

Hold on, the European Union Data Retention regulations e.g.

The Data Retention (EC Directive) Regulations 2009

are about forcing ISPs and Landline and Mobile Phone companies to keep Communications Data unnecessarily, which they would otherwise have been obliged to delete under the Data Protection Act, since they themselves no longer have any legitimate use for it, especially if the internet or mobile phone bills have been pre-paid. Data Retention is not about access to such retained data.

The new legislation would extend this provision to cover a much wider field, including social media sites such as Facebook and Twitter and online video games.

Perhaps the Sunday Times is actually writing about CCDP then.

N.B. CCDP is not not just a GCHQ project (which has its own "Mastering the Internet" investment programme) but is being "coordinated" by the technologically inept Home Office.

It is not physically possible to get Communications Traffic Data form foreign based social media websites like FaceBook or Twitter without actually using techniques such as Deep Packet Inspection and perhaps even Man-In-The-Middle Attack SSL / proxies i.e. it requires actual Interception of the Content of these websites to do this.

The only countries which attempt to do this at the moment are repressive regimes like Iran, China, Saudi Arabia etc.

Dominic Raab, a Tory MP who has campaigned for civil liberties, said: "If over-zealous officials are trying to resuscitate Labour's flawed paln for 'big brother' monitoring, ministers need to nip this in the bud."

MI5 and GCHQ have been lobbying hard for the wider powers which, they believe, are a crucial tool to combat terrorism and serious crime.

Serious Crime is not within the remit of either GCHQ or MI5

The Police cannot cope properly with the vast amount of data they already gather, so why will "searching for a needle in a haystack, by throwing in several more haystacks", be cost effective ?

There is no evidence that holding 6 month or 1 year old Communications Data of hundreds of millions of innocent people in the European Union, has been of any use in catching criminals or terrorists. Where it has been of use, e.g. in the recent Toulouse serial killer / extremist case, the Communications Data has been very recent and the searches have been narrowly targeted to a suspects known phones or email addresses or to a victim's web advert etc.

At present GCHQ can use probes to monitor the content of calls and emails sent by specific individuals who are the subject of police or security service investigation, provided it has ministerial approval.

For "ministerial approval" read "ministerial or senior official rubber stamp"

There should actually be independent Judicial warrants for such intrusive interception surveillance, not rubber stamping by politicians.

The Home Office said it would introduce new legislation "as soon as parliamentary time allow" but stressed that the data to be monitored would not include content.

Why does the Sunday Times not name this anonymous Home Office spokesman ?

Which part of the phrase "Deep Packet Inspection = Interception of Content" does the Home Office not understand ?

Have all the civil servants and SPADs who embarrassed themselves and the Home Office over the BT / Phorm scandal now been promoted to other jobs, leaving their inexperienced "generalist" replacements to magically formulate "policy" without any technical experience or knowledge ?

Incredibly this article does not really mention Mobile Phones and especially Mobile Phone Location Data.

This, like other forms of Communications Data is available via automated gateway computer systems to authorised Police and Intelligence Agency investigators, but it is meant to be narrowly targeted and proportionate, under a combination of the Regulation of Investgatory Powers Act 2000 (which permits such agencies to make such requests) and the Data Protection Act 1998 (which exempts the Telcos and Mobile Phone Networks and ISPs from prosecution for handing such data over to them)

Is this Sunday Times article, a high quality briefing / leak by Whitehall mandarins ?

Is it safe to interpret the omissions like Soviet era Kremlinologists, and read between the lines that some of the previously evil plans which have been touted, have been watered down ?

Our opinion is that no, this is a flawed article, which has either had many important details removed by the editors for front page space reasons, or which is being deliberately deceitful by omission.

Unfortunately, as is so often the case with today's "news" industry, this article has been re-published by , for example, the Press Association, with even fewer important technical and legal details:

The Independent
Sunday 01 April 2012

Expansion of GCHQ internet monitoring proposed

Gavin Cordon

[...]

The Home Office confirmed that ministers were intending to legislate "as soon as parliamentary time allows".

"It is vital that police and security services are able to obtain communications data in certain circumstances to investigate serious crime and terrorism and to protect the public. We need to take action to maintain the continued availability of communications data as technology changes," a spokesman said.

Why does the Independent not name this anonymous "spokesman" ?

"Communications data includes time, duration and dialling numbers of a phone call, or an email address. It does not include the content of any phone call or email and it is not the intention of Government to make changes to the existing legal basis for the interception of communications."

[...]

Note the (deliberate ?) omission of Mobile Phone Location Data in this alleged definition of Communications Data. This does not include Tweets or Facebook "likes" , which do require interception of the content of a web browsing session (also deliberately not mentioned ?)

David Davis, one of the few Conservative MPs who stood up for civil liberties when in opposition to Labour, has rightly criticised this plan in this BBC video clip, in which he does mention some of the things omitted by the Sunday Times:

Email and web use 'to be monitored' under new laws

However, we are not sure where the "retention for 2 years" comes from and despite the mention of "magistrates and courts", none of that has applied since 2000 - the only "warrants" are those rubber stamped by politicians or officials for Interception, and "self authorised" requests by the Police and Intelligence Agencies. There is no involvement of independent Judges or Magistrates at all in the UK, with either electronic (or postal) communications Interception or with Communications Data or with Intrusive Surveillance (planting of bugging or tracking devices, use of Confidential Human Intelligence Source informants etc.)

The "data rape" of the notorious London Congestion Charge system appears to be set to get even worse.

Not only are all drivers snooped on all of the time, day and night and at weekends (even when there is no Congestion Charge to pay), but the photos and number plate / time / date / ANPR checkpoint location data is handed over, in secret, in bulk, in real time, to theMetropolitan Police and to other "national security" agencies , both in the UK and in foreign countries like the USA, thanks to the Ministerial Certificates signed by the then (useless) Labour Home Secretary Jacqui Smith.

See the previous Spy Blog articles:

• More secrecy over the London Congestion Charge and Low Emission Zone CCTV and ANPR spy cameras - data on innocents handed over to USA spooks - April 2008

• Home Secretary Jacqui Smith cripples the Data Protection Act regarding the London Congestion Charge ANPR Mass Surveillance scheme October 2007
  

Today the Guardian / Observer reports that:

Private data on British drivers will be stored offshore

Secret move by IBM, which runs London's congestion charge, will allow access to sensitive DVLA information

Daniel Boffey, policy editor
The Observer, Sunday 18 March 2012

The government has secretly agreed that the "particularly sensitive" personal data of all 43 million drivers in the UK can be contracted offshore to India in a move that will allow the private firm running London's congestion zone to cut costs and make more money.

Unecessary risks to our "particulary sensitive" personal data is bad, but this should not to be confused with the Data Protection Act 1998 section 2 Sensitive Personal Data, none of which should be collected by the London Congestion Charge at all, but which probably is, if you are registered disabled etc.

Data from the Driver and Vehicle Licensing Agency, including addresses, dates of birth and registration plate numbers, along with credit card details, will now be accessible to staff outside the UK following a review by ministers.

Since many people pay the Congestion Charge via mobile phone, these phone numbers willalso now be at increased risk of abuse.

Which Coalition Government Minister signed off on this privacy unfriendly policy ? Was it Justine Greening, Theresa Villiers, Mike Penning (all Conservatives) or Norman Baker (Liberal Democrat) ?

Why has this unecessary risk to Londoners privacy and security not been vetoed by the Mayor of London Boris Johnson, who is supposed to be in control of Transport for London ?

The prohibition was rescinded after IBM, which runs the congestion charge zone for Transport for London (TfL), lobbied for a change. The company has been repeatedly fined since it took over the contract from Capita in 2009, making the £60m deal less profitable than it had hoped.

The Labour party supporting C(r)apita (the former boss of which Rod Aldridge "loaned" the Labour party £1 million) failed to run the scheme as budgeted for. It was meant to provide £60 million a year "profit" to be used to improve the rest of London's transport infrastructure, but it never did and Ken Livingstone simply handed them extra cash and increased the daily charge, reneging on his election promises (quelle suprise).

However the move to relax the rules around the sensitive data, which has not been publicly announced, raises concerns in the build-up to the London 2012 Olympics about the increased risk of fraud.

It is understood that a risk assessment carried out within IBM has also identified a potential threat to London's reputation should the changes lessen the ability of staff to deal with problems in the congestion zone IT systems. It also warned of the risk to the security of sensitive data.

The move also appears to contradict ministers' recent insistence that they would resist any work on government contracts going abroad.

The transition allowing staff abroad access to the data is expected to be completed by 18 May. An internal email sent by IBM's commercial manager earlier this month, and seen by the Observer, says: "Since go live, TfL has directed that we retain within the UK certain support roles with access to data that they considered particularly sensitive... TfL has recently completed a risk assessment with the DVLA and the Department for Transport and has concluded that they no longer require this additional level of control... As a result we have commenced a transition exercise to manage the changes to our support organisation over the next three months."

If some people's data is considered to be "particularly sensitive" and is not to be allowed out of the UK, then why should any of it be put at risk ?

[...]

A DVLA spokesperson said: "All IT systems must be managed to the same standard as if they were in the UK. We will ensure that all appropriate controls for data protection are in place."

The DVLA have an appalling record on data protection - they have allowed millions of driver motoring test records to be sent to the USA and they have sold vehicle keeper names and addresses for as little as £2.50 a time to private sector companies , including those run by criminals

The tendering process by the joint West Midlands and Surrey Police forces, dangling the prospect of up to £3.5 billion of contracts over 10 years to private companies, has been handled ineptly.

Given the amount of public money at risk, it has reluctantly had to publish the vague tender document in the Official Journal of the European Union.

The Guardian has published Key extract of contract note for bidders for police services

Instead of concentrating on uncontentious areas to potentially save money on, such catering or motor vehicle maintenance, they have idiotically included a list of "services" which impinge on what should be the core functions and duties of the Police, whilst at the same time not actually promising the private sector that an unspecified number of these service areas are not actually up for being privatised.

The activities involved are covered by the 'Police Activity Glossary' (PAG), which identifies the activities each police force conducts. Bidders should note that not all these activities will necessarily be included in the final scope, and that each police force will select some activities from these areas where they see the best opportunities for transformation. A revised version of the PAG is as follows

Without a clear definition of exactly what they want, is it any wonder that billions of pounds of public money is wasted by public bureaucrats when awarding contracts to the private sector ?

• Assure Service - Manage performance, maintain professional standards, assure compliance, manage risk, provide legal services
• Bring Offenders to Justice - investigate crimes, detain suspects, non-judicial disposal, develop cases, support prosecution
• Deal with Incidents - Respond to incidents, manage scenes of incidents, investigate incidents, manage major incidents, support victims and witnesses
• Lead Service - Support the Leadership of the organisation to develop strategy, policy and plans, manage change, and manage partnerships
• Manage Public Engagement - Patrol neighbourhoods, manage public relations, manage customer relationships, report on performance, manage contact
• Manage Resources - Manage suppliers, manage finance, manage people, manage ICT, manage fleet and livestock, manage equipment, manage facilities
• Protect the Public - Manage high risk individuals, improve communities, protect vulnerable people, disrupt criminal networks, manage planned operations, protect vulnerable places, manage licensing, manage road safety

The only vaguely acceptable area on this list for the use of private sector partners is the "Manage Resources" activity.

West Midlands Police have also been spinning nonsense like "front line services will be preserved" or "the Chief Constable will still be accountable" etc.

West Midlands Police Explore The Value of Business Partnership to the Police Service

The regular, sworn Police constables, are barely trusted by the public to conduct do these tasks competently, honestly and impartially, why should anyone trust a private company to do so at all ?

What profit motive is there for a private company to actually reduce crime and therefore the the need for their services ? N.B. the same can be asked of any of the public sector Police bureaucracy as well - they have no effective interest in reducing their own budgets and empires either.

What public accountability is there for when, not if, things go badly wrong with a private sector contractor, which inevitably must look to its own profits first, before any "public service" ethos comes into play.

The Association of Chief Police Officers (the publicly funded, but unaccountable private company whose current or former members might might well be tendering for "Lead Service" activity contracts ) has weighed in with a Press Release:

ACPO comments on private companies taking a role in the delivery of policing

[...]

While there are a number of tasks in a criminal investigation, such as gathering CCTV evidence or checking phone records, which do not necessarily need to be done by a police officer, the investigation itself would always be overseen by a police officer in much the same way as a doctor oversees treatment of a patient although other healthcare professionals carry out particular tasks

Yes these tasks such as "checking phone records" absolutely must be done only by proper Police constables. Private sector companies or even civilian police employees should not be trusted with access to such potentially sensitive personal data.

Abuses of Communications Data by Police officers are already bad enough - letting presumably lower paid civilian workers or private sector company employees have access to these systems will make it even easier for "News of the World" / private investigators style abuses

UPDATE: 1630 Friday 2nd March 2012 - the BBC appears to have now censored the 5 seconds or so of the Wireless Networking screenshot in the iPlayer clip, but the web page article does not (yet) mention this update.

---

Can being interviewed by a mainstream news media journalist put your life in danger ?

The BBC website has an interesting video clip, presumably from Reuters, judging by the copyright logo, which can be viewed via the BBC iPlayer:

How Syrian activists have become citizen journalists

1 March 2012 Last updated at 16:02

Two Syrian activists have spoken about how they have become citizen journalists in their bid to get footage of the government crackdown out of the country.

Speaking from the town of Al Qusair, near the border with Lebanon, the men, who gave their names as Mohammad and Abu Abdallah, said slow internet speeds were hampering their efforts.

However for about 5 seconds , about 1 minute into the video clip there is a shocking
potential betrayal of Sensitive Personal Data, which could be used by the Syrian dictatorship to help to hunt down these activists exact current location or identities.

These Syrian activists (three people shown, only two speaking) are not hiding their faces or voices from the camera, but that is still does not excuse either Reuters or the BBC, for failing to recognise the potential anonymity, privacy , security and personal safety dangers of filming and broadcasting / publishing online, the unique and easily trackable MAC Address of a Mobile Phone obviously used by these activists.

[MAC address censored by Spy Blog in the image above]

JoikuSpot is a smartphone applet which allows the (slow and expensive) mobile phone internet connection of a Nokia mobile phone to be "tethered", thereby sharing it out to local personal computers etc. via the (faster, free) WiFi Wireless Networking built into the phone handset.

By default (unless the mobile phone application software and / or the phone settings are amended) the MAC Address of this mobile phone WiFi Access Point includes the mobile phone handset in its WiFi SSID (Service Set identifier) the "name" of the WiFi network spawned from this phone.

Obviously this could be used to help track down the physical location of the Syrian activists hideout (either directly by triangulating from the WiFi signals from the named WiFi Access Point SSID, or by cross referencing the phone's MAC Address with Mobile Phone records). If any of these activists , or anyone else, is arrested and found to be in possession of this particular phone, then the BBC / Reuters will have provided prima facie evidence against them of their involvement in this "underground news" organisation (i.e. "foreign spies" so far as the dictatorship is concerned)

Surely this breaks, probably through ignorance and carelessness, rather than malice, the BBC's Guidelines on Fairness and Anonymity ?

6.4.12

Effective obscuring of identity may require more than just anonymity of a face. Other distinctive features, including hair, clothing and voice may need to be taken into account. Blurring rather than pixellation, which can be reversed, is the best way of ensuring anonymity in pictures. When disguising a voice, using a 'voice-over' by another person is usually better than technically induced distortion, which can be reversed, but audiences should be told what they are hearing.

To avoid any risk of 'jigsaw identification' (that is, revealing several pieces of information in words or images that can be pieced together to identify the individual), our promises of anonymity may also need to include, for example, considering the way a contributor or source is described, blurring car number plates, editing out certain pieces of information (whether spoken by the contributor or others) and taking care not to reveal the location of a contributor's home. Note that, in some circumstances, avoiding the 'jigsaw effect' may require taking account of information already in the public domain.

We may need to disguise the identity of international contributors to meet our obligations of anonymity or if their safety may be compromised. Third party websites may reproduce our content globally without our knowledge or consent.

See also : BBC Editorial Guidelines - Anonymity Guidance

There is also nothing about the dangers broadcasting or the internet publishing of such screen shots of computer credentials in the Reuters Handbook of Journalism either.

The Detainee Inquiry, headed by Rt. Hon. Sir Peter Gibson, was supposed to have investigated the allegations of complicity in torture and "extraordinary rendition", by the British government, especially its secret intelligence agencies - MI5 Security Service, SIS Secret Intelligence Service, GCHQ and possibly DIS the Defence Intelligence Staff.

However the Detainee Inquiry has been shut down before it even got started formally, even after 18 months delay, supposedly because of the suspiciously lengthy and ineffective Metropolitan Police Service and Crown Prosecution Service investigations into old allegations and the effect of the "smoking gun" documentary evidence discovered in Libya last autumn.

In order to probe exactly how potential witnesses and whistleblowers to the Detainee Inquiry might be protected from vengeful secret bureaucrats, Spy Blog requested, under the Freedom of Information Act 2000, the full, detailed text of the latest draft(s) (or the final version) of the promised undertakings from the Attorney General and the Cabinet Secretary and the heads of the intelligence services.

These Undertakings were promised by Prime Minister David Cameron when he set up the Detainee Inquiry over 18 months ago: The Prime Minister's Letter to Sir Peter Gibson 06 July 2010 (.pdf)

See the Spy Blog - FOIA request blog for the text of these FOIA disclosures:

Detainee Inquiry "undertakings" by the Attorney General and the Cabinet Secretary

Attorney General's Office disclosure

Attorney_General_to_Detainee_Inquiry_03Nov2011.pdf

This seems to be a reasonable level of legal immunity, especially for criminal offences which the Attorney General himself decides whether to prosecute or not e.g. Official Secrets Act cases.

The Detainee Inquiry is not a Tribunal or Court of Law (despite being chaired by a retired senior Judge) and it was not set up as an inquiry under the Inquiries Act 2005 and so it has no legal power to compel any witnesses to give evidence,

How can it can enforce any prosecutions for giving, or conspiring to give it any "false evidence", which the Attorney General's undertaking explicitly does not give immunity for ?

Cabinet Office disclosure

Sir_Gus_O_Donnell_letter_21Nov2011.pdf

As expected by Spy Blog, the Cabinet Office letter by the then Cabinet Secretary Sir Gus O'Donnell (now Lord O'Donnell of Clapham) and its "overarching principles" seem suitable for protecting witnesses who are current or former intelligence agency staff members who espouse the official line e.g. by treating evidence given within the Terms of Reference of the Detainee Inquiry, as having been given "lawful authority" for the purposes of the Official Secrets Act 1989 section 7 Authorised disclosures

However the letter does not really provide the necessary guarantees for any whistleblowers who might contradict their current or former bosses.

Neither is it clear what whistleblower guarantees the vast array of private military contractors, defence industry suppliers and sub-contractors etc. who are not civil servants, but who will fear that their security clearances and government contracts could be at risk if they make allegations, or provide evidence which contradicts the official intelligence agency briefing positions, which those agencies might have provided to the Detainee Inquiry or which they might do so to a future inquiry.

There is no explicit prohibition on using the self authorised legal powers, human and technological resources available to each intelligence agency, to prevent them from snooping on the members and staff of the Detainee Inquiry itself (and their friends and families), so as to try to obtain advance notice of the identities of potential whistleblowers and the information or evidence which they might be offering to the Detainee Inquiry.

Spy Blog correspondence with the Detainee Inquiry

Spy Blog letter to the Detainee Inquiry re: lack of whistleblower anonymity protection and immunity from prosecution - August 2011

Reply from the Detainee Inquiry, regarding anonymity protection for whistleblowers, surveillance targeting against the Inquiry itself etc. - September 2011

It appears that one of the previous, hated, Labour government schemes for even more, very expensive, snooping on millions of innocent people's internet and phone activities, is being resurrected by the Coalition government with the misleading title of the Communications Capabilities Development Programme (CCDP)

The Open Rights Group has a useful wiki about CCDP and its predecessor schemes.

They also have a Petition against the CCDP for you to sign.

Dear David Cameron, Nick Clegg and Theresa May,

I do not want the government to try to intercept every UK email, facebook account and online communication. It would be pointless - as it will be easy for criminals to encrypt and evade - and expensive. It would also be illegal: mass surveillance would be a breach of our fundamental right to privacy. Please cancel the Communications Capabilities Development Plan.

It is almost as if the out of touch politicians and bureaucrats in Downing Street, Whitehall and Marsham Street have not bothered to notice the recent public and internet industry backlashes against legislative attempts to further snoop on and inconvenience innocent internet users, such as the SOPA bill in the USA or the ACTA treaty in the European Union (which this Coalition Government, shamefully, did not veto), which only served the private interests of lobby groups and not the wider interests of the general public.

Why have none of the Whitehall policy advisors learnt anything from the amount of ridicule, that their unworkable and repressive knee jerk reaction, to somehow ban or censor the use of mobile phones and social network messaging systems, after they were used by some, but not all of the rioters in August last year ? Exactly the same systems were also used, by more sensible people, simultaneously with the riots, to help innocent people stay away from riot affected areas and to help to organise the cleanup of the damage.

With the Government's utter failure to make out any evidence based business case for further intrusive legislation, they risk a public backlash which could limit their existing, overbroad, easily abused powers, with which they already fail to catch terrorists or serious organised criminals with, under the controversial Regulation of Investigatory Powers Act 2000, but which appear to have been corruptly used to snoop on celebrities and innocent people at the behest of certain mainstream media news organisations.

NO2ID press release: Home Office prepares to announce total surveillance plan

Guy Herbert, General Secretary of NO2ID said:

It looks like the Home Office is setting out to leapfrog China and gain the UK an unenviable position as the most monitored society in history. The automatic recording and tracing of everything done online by anyone - of almost all our communications and much of our personal lives, shopping and reading - just in case it might come in useful to the authorities later, is beyond the dreams of any past totalitarian regime, and beyond the current capabilities of even the most oppressive states.

This Daily Telegraph report is what seems to have re-ignited this weekend's outcry against this scheme:

Phone and email records to be stored in new spy plan

Details of every phone call and text message, email traffic and websites visited online are to be stored in a series of vast databases under new Government anti-terror plans.

By David Barrett, Home Affairs Correspondent

9:00PM GMT 18 Feb 2012

Landline and mobile phone companies and broadband providers will be ordered to store the data for a year and make it available to the security services under the scheme.

The databases would not record the contents of calls, texts or emails but the numbers or email addresses of who they are sent and received by.

For the first time, the security services will have widespread access to information about who has been communicating with each other on social networking sites such as Facebook.

Direct messages between subscribers to websites such as Twitter would also be stored, as well as communications between players in online video games.

The Home Office is understood to have begun negotiations with internet companies in the last two months over the plan, which could be officially announced as early as May.

The Home Office appears to be showing its usual contempt for the general public and for our fundamental rights of privacy and free association, by only bothering to consult with tame "communications industry" representatives, who have no commercial interest in protecting the public's privacy, so long as they do not have to pay for the data retention and snooping equipment themselves.

[...]

A Home Office spokesman said: "It is vital that police and security services are able to obtain communications data in certain circumstances to investigate serious crime and terrorism and to protect the public.

Unless those "certain circumstances" are very, very tightly controlled, with criminal penalties which can be used against any Government official or agency or private sector sub-contractor who abuses them, we will expect the worst.

Access to Communications Data should no longer be allowed to be self authorised, a judicial warrant should be obtained first.

The current Interception of Communications Commissioner, Rt. Hon. Sir Paul Kennedy, has no real powers and cannot cope with more than a tiny fraction of the existing email interception warrants and is not consulted at all, on most of the hundreds of thousands of self authorised Communications Data demands for mobile phone records and location data

There is no hope that he can provide any public reassurance whatsover when CCDP extends such Data Retention and snooping to Twitter, Facebook and to online games etc. i.e. systems which are not run by Communications Providers (fixed line Telecommunications, Mobile Phone and Internet Service Provider companies)

We meet regularly with the communications industry to ensure that capability is maintained without interfering with the public's right to privacy.

The commercial interests of the "communications industry" and the pressure applied to them through the threat of losing their Government monopolies and spectrum licences means that they are not the only people who should be consulted about upholding the public's right to privacy.

Where they can get away with it, they also try to exploit the public's communications data privacy for commercial gain.

The Government should be protecting the public from the privacy invasive excesses of the "communications industry", such as Deep Packet Inspection based advertising, not conspiring with them cosily in secret, to further reduce the privacy of millions innocent members of the public.

How many of these "regular meetings" have there been to discuss CCDP ?

How many meetings have there been with civil liberties and privacy or consumer watchdog groups to discuss CCDP ? We suspect that there have been none.

[Time for a few Freedom of Information Act requests to the Home Office to see if they have bothered to "consult" with anyone except the vested interests]

As set out in the Strategic Defence and Security Review we will legislate as soon as Parliamentary time allows to ensure that the use of communications data is compatible with the Government's approach to civil liberties."

c.f. Securing Britain in an Age of Uncertainty: The Strategic Defence and Security Review (808 Kb .pdf)

The Conservative / Liberal Democrat Coalition Government's "approach to civil liberties" is nothing to be proud of. They have yet not reversed, as promised, any of the repressive Labour legislation, apart from the Identity Cards Act.

They still have not sorted out the legislative disasters created by Labour, such as the Extradition Act 2003 or the plethora of repressive but often unworkable or actually counter-productive Terrorism and Serious Crime legislation.

All that can be said of their legislative dithering so far, is that they have not yet made things much worse, with more technically inept, catch-all Labour style legislation.

The United Kingdom Security Service MI5 has an interesting little Quiz, to help pre-screen potential Intelligence Officer recruits,

https://www.mi5.gov.uk/careers/investigative-challenge-quiz.aspx

Spy Blog disagrees with several of the "correct" answers to this Quiz. If these really reflect the MI5 Security Service Intelligence Officer mindset, then there needs to be some retraining as soon as possible.

N.B. if you have gone to the MI5 website, or have arrived at this Spy Blog web page through, say, a Google web search or through Twitter or a blog RSS feed and you have not bothered to take any precautions to hide or fake your computer's IP address and web browser details, cookies etc. from foreign companies and governments, then you should have, in our view, already failed the MI5 Intelligence Officer recruitment procedure.

Discretion is vital. You should not discuss your application, other than with your partner or a close family member.

Unfortunately, we suspect that MI5 still does not take "cyber security" / privacy and anonymity as seriously as it should.

The Quiz need Adobe Flash to be installed on your computer to run and imposes an artificial time deadline,

You can examine the source material and the questions (with the "correct" scores for each option) at your leisure, at our Spy Blog answers - MI5 Investigative Challenge Intelligence Officer Quiz web page.

This fictional scenario involves some alleged foreign intelligence officers operating from their Embassy in London (see the Spy Blog London Diplomatic List archive). However, in real life, Counter-intelligence operations against foreign intelligence officers under "diplomatic cover" in London takes up only a small proportion of MI5's resources compared with Counter-Terrorism..

---