2012-11-01

Theresa May - in need of remedial math

As regular as 'flu season, and about as welcome and good for society's health, the UK Home Office is trying to justify data retention and web snooping:

Plans to monitor all Britons' online activity are needed to help society fight crime and "save lives", Home Secretary Theresa May has said.

"Save lives", you say, Theresa? Oh yes, and she has the figures to back it up:
Of the 30,000 estimated cases last year where the police made an urgent request for communications data, between 25% and 40% of them resulted in lives being saved.

Let's take the low end of that estimate. That's 7500 lives. The most plausible way to save lives with information is to prevent suicides. In 2009 the UK had 6.9 suicides per 100,000 persons, or just over 4100 for the population of 60mm. So Theresa is saying that without this information (which they already have the rights to), the suicide rate would have tripled? My arse.

I would love to know if this is a Home Office press officer mangling the figures, or a deliberate overstatement to try to press the Home Office case. Either way, it's a completely bullshit stat. So what nefarious plans are they trying to justify?

Under draft plans, service providers will have to store details of all internet use in the UK for a year.
But Mrs May said the police would only see the details if they had a "clear case" and investigative justification.
It was a myth it would allow the government "to read everyone's e-mails", she added.

Well, not mine, that's for sure. I use Gmail and I use https for everything. But what does "all internet use" mean?
  • headers of all IP packets originating from UK-based IPs?
  • URLs and parameters from all (unencrypted) HTTP GET requests?
  • all DNS requests passing through UK ISP DNS servers?
In terms of data size, this isn't huge. If you're only logging a (2 x 2 byte) IPv4 source + destination for each TCP packet, at an MTU of 1500 bytes that's 2.5KB per 1MB of transmitted data. With, say, 10mm daily Internet users in the UK, an average of 20MB downloaded each and a 1:10 upload:download ratio, that's 50GB of data. But that information is no use to you in practical terms; for web browsing and webmail, which is the only behaviour that really tells you anything, you need to know the HTTP GET request (URL and parameters), which can easily be 250 bytes a time. For, say, 50 GETs a day for your 10mm users, that's 125GB. So that's pretty practical to store and search through.

What they actually intend to log is hinted at:

... the scope of the proposed powers would be limited to the "who, when, where and how" of communications.

So that's source IP ("who"), timestamp ("when"); "where" is a bit fuzzier. Do they mean "where the request is being sent" (i.e. destination IP) or "where the sender is" (physical address or phone number tied to the sending IP)? I suspect "both" is the answer here. And "how" could mean protocol (http/https/ftp etc.) but in practice I think it means "requested URL and parameters".

What I do find interesting is the justification:

She said the authorities' ability to keep track of suspects was being increasingly "degradated" by the use of new technology such as social media and encrypted messaging services.

because these proposals do nothing to solve the problem that Facebook, Google+, Twitter, GMail, Outlook.com can and usually do operate under https protection. This is, in practical terms, unbreakable without either a) a huge computational effort, b) planting a keylogger or other snooper on the suspect's computer, c) compromising a root certificate authority and perpetrating a man-in-the-middle attack on SSL connections or d) serving a warrant on the relevant serving company to obtain the unencrypted content. None of the proposals address this.
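
To make the "who, when, where and how" record and the https point concrete, here is an added example (not part of the original post, and not taken from any actual proposal) of what an on-path logger could fill in for a plaintext HTTP request versus the start of a TLS connection. The record layout, function names, IP addresses and host name are all assumptions made up for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class RetentionRecord:
    who: str             # source IP
    when: str            # timestamp
    where: str           # destination IP:port
    how: str             # protocol seen on the wire
    url: Optional[str]   # only recoverable from plaintext HTTP

def classify(payload: bytes) -> str:
    # A TLS handshake record starts with content type 0x16, major version 0x03.
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"
    if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE"):
        return "http"
    return "unknown"

def http_url(payload: bytes) -> Optional[str]:
    """Rebuild the URL (path and parameters) from a plaintext HTTP request."""
    lines = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    host = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip()
    return f"http://{host}{parts[1]}"

def log_flow(src: str, ts: str, dst: str, dport: int, payload: bytes) -> RetentionRecord:
    proto = classify(payload)
    # Under TLS the request line travels later, inside encrypted records.
    url = http_url(payload) if proto == "http" else None
    return RetentionRecord(src, ts, f"{dst}:{dport}", proto, url)

# Constructed sample flows (documentation-range IPs, made-up host name).
SAMPLE_FLOWS = [
    ("192.0.2.10", "2012-11-01T09:00:00Z", "198.51.100.7", 80,
     b"GET /inbox?folder=sent HTTP/1.1\r\nHost: mail.example.test\r\n\r\n"),
    ("192.0.2.10", "2012-11-01T09:00:05Z", "203.0.113.5", 443,
     b"\x16\x03\x01\x00\x2e" + bytes(46)),  # stand-in for a TLS handshake record
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(log_flow(*flow))
```

For the https flow the record still carries source, time and destination, but the "requested URL and parameters" field stays empty.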

I'm sure Ms. May is merely repeating the talking points given to her by the weasels at the Home Office, but they are frankly risible. Her alleged concern for the public's worries is also rather thin:

In response, Mrs May said the public was "justifiably" concerned about who had access to the data and there should be a second stage of "extra scrutiny" by Parliament for other public bodies.

If the only thing standing between me and my privacy was the technical expertise of Parliamentary scrutiny, I'd pull off my clothes and stand at Speaker's Corner.
