Internet surveillance - how officials may boost their powers

By Jane Wakefield, Technology reporter

Published 5 April 2012

We do not know much about GCHQ. A journalist once jokingly asked one of its staff if they could tell her the colour of the sky - they declined. But we do know that the officers spend a good deal of their time listening.

Now it seems that they want to listen to a little bit more as the issue of extending internet surveillance raises its head again.

It is an issue that all governments grapple with at some point. The spooks would argue that they need greater powers in the ongoing fight against terrorism. The police would add that such powers could help their battle with organised crime.

Details of what the government wants are vague at this stage but appear to be two-fold - to extend the current laws about internet service providers (ISPs) holding data to cover social networks such as Facebook, and to increase the ability for real-time snooping.

"The chaps in Cheltenham think this is a good idea and every time there is a new minister they twist their arm into agreeing with them. If they can collect more data it will build bigger haystacks when they are looking for needles," said Richard Clayton, a security researcher at the University of Cambridge.

He is clearly not a huge fan of such surveillance but, as someone who has sat on many parliamentary consultations about the issue, he is an expert.

And there is plenty of technology available to help the government achieve its objective, he said.

Website monitoring

Deep Packet Inspection equipment is essentially a set of black boxes which sit on the network and watch the traffic go by.

It is currently used by ISPs for traffic management - for example spotting file-sharing activity and slowing down a connection that is engaging in the activity. However, it could be adapted for more intrusive purposes.

"It is possible with this sort of kit to see if someone is using Hotmail, to pull out a list of their emails, who it is from, the date and how big the email is," said Mr Clayton.

He added that the government could also turn to NetFlow, an add-on to routers which collects data about which websites someone has visited.

"It can see what IP address has visited which site, and can tell you how many bytes they have viewed," he said.

In theory it would enable someone using it to see, for example, which stories a user had viewed on the BBC website by comparing the number of bytes used with the size of stories on the site.
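
An added illustration, not part of the original article: the sketch below shows how a byte count from a flow record could be matched against known page sizes, and how padding responses to fixed-size buckets makes pages indistinguishable by size. The paths, sizes, overhead range and bucket size are all constructed for the example.

```python
# Constructed sample data: page sizes in bytes for a hypothetical news site.
PAGE_SIZES = {
    "/news/story-a": 48_210,
    "/news/story-b": 61_775,
    "/news/story-c": 48_900,
    "/sport/story-d": 102_340,
}

def candidates(flow_bytes, pages, overhead=(0.02, 0.08)):
    """Pages whose size, plus an assumed 2-8% protocol overhead,
    could account for the byte count seen in one flow record."""
    lo, hi = overhead
    return sorted(
        path for path, size in pages.items()
        if size * (1 + lo) <= flow_bytes <= size * (1 + hi)
    )

def pad_to_bucket(size, bucket=16_384):
    """Round a response size up to the next multiple of `bucket` bytes."""
    return -(-size // bucket) * bucket

def padded(pages, bucket=16_384):
    """The same site if every response were padded to a bucket boundary."""
    return {path: pad_to_bucket(size, bucket) for path, size in pages.items()}

def anonymity_sets(pages):
    """Group pages by size: pages in one group look identical to an observer
    who only sees byte counts."""
    groups = {}
    for path, size in pages.items():
        groups.setdefault(size, []).append(path)
    return {size: sorted(paths) for size, paths in groups.items()}

if __name__ == "__main__":
    # Constructed flow records: (source IP, destination IP, bytes transferred).
    flows = [("192.0.2.10", "198.51.100.5", 64_900),
             ("192.0.2.11", "198.51.100.5", 50_500)]
    for src, _dst, nbytes in flows:
        print(src, nbytes, "->", candidates(nbytes, PAGE_SIZES))
    print("unpadded groups:", anonymity_sets(PAGE_SIZES))
    print("padded groups:  ", anonymity_sets(padded(PAGE_SIZES)))
```

The second flow already matches two stories because their sizes are close; with padding, those two stories become identical in size, so a byte count alone cannot separate them.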

None of the technology is new but what might be different this time around is the way the government collects the data.

When the previous Labour government mooted a similar idea the greater controversy hinged on the giant database it planned to create.

"I suspect what they will propose this time is that Cheltenham has a log-in to one of the data centres that ISPs already use," said Mr Clayton.

Encryption

ISPs are already required to keep data logs for 12 months under a 2009 EU directive. Extending this responsibility to firms such as Facebook would not be a huge change or "particularly onerous because it keeps everything anyway," said Mr Clayton.

Facebook has declined to comment on current government proposals, saying it would rather wait until there was more detail of exactly what the government wants to do.

But it has made no secret of a security feature launched last year which allows all Facebook communications to be carried over a secure connection known as HTTPS, which could render government snooping plans useless.

The tool basically encrypts data. Currently it is an option that people have to sign up to but the firm hopes eventually to make it default.

Noa Bar Yosef is a senior strategist at security firm Imperva. She thinks the government needs to think harder about encryption.

"How will monitoring be performed for encrypted communications?" she asked.

"It is reasonable to assume that the information that the government is interested in - and for which this initiative has been put forward - will not appear as public communication, but rather encrypted. This quite defeats the purpose of monitoring the suspicious communications," she said.

Mr Clayton agrees.

"Encryption makes it very much harder," he said. "But the biggest stumbling block is likely to be the cost."

When Labour considered greater surveillance powers the Home Office estimated it would cost around £2bn. Even without a huge data centre costs are likely to run into millions, and in such cash-strapped times it may mean the idea is put to bed for another few years.

"When the cost is revealed the politicians tend to slink away. I don't think we can afford it," said Mr Clayton.

Data requests rise

Whatever the government ultimately proposes the measures are effectively an extension of what is already happening, rather than a break with the past.

2010's annual report from the UK's interception of communications commissioner, published last June, revealed that the UK's police, intelligence agencies and other public authorities submitted 552,550 requests for information about users' data over the year.

Furthermore it noted that requests had risen by a rate of about 5% year-on-year since 2008.

Two thirds of the queries related to information about subscribers, which could be used to identify who owned a particular mobile phone.

But officials could also ask for a user's incoming and outgoing call data, web activity logs and the contents of emails, faxes and web pages visited if the information was deemed to be in the interests of national security.

If ISPs do not already store the information, they can be forced to secretly fit surveillance equipment in specific cases.