Communications Data Bill Committee publishes report

by sjmurdoch | December 10, 2012

The UK parliamentary committee considering the Draft Communications Data Bill, to which I gave evidence on behalf of The Tor Project, has now published their report (PDF version). The committee is highly critical of the draft bill, and calls for the government to consult technical experts, industry, law enforcement bodies, public authorities and civil liberties groups before re-drafting the proposed legislation. The committee's recommendations for this revised bill are summarised in section 8 of the report.

Tor is not explicitly dealt with by the report other than noting that systems that use encryption, including Tor, will pose a problem (paragraph 99) for proposals to ask communications service providers to record third party's data traversing their network. The report does however address numerous points which were raised in The Tor Project's written and oral evidence (and other organisation's submissions), including the over-broad powers the bill would hand over, the sensitivity of “communications data”, limited oversight, the challenge of storing sensitive data securely, and the rather dubious cost/benefit justification.

The committee has now completed its duties, and has consequently disbanded. The committee's report will now be considered by the government and we will be very interested in their response.


Please note that the comment area below has been archived.

December 13, 2012


"93. Several witnesses questioned whether valuable communications data could be retrieved-from encrypted services. Services encrypt not only content but much of the communications data too, and the UK CSP whose network the encrypted service is crossing will not be able to decrypt the package, nor could they legally do so because to do so would be to intercept content. As Everything Everywhere put it, “even if we were able to decrypt, you would have to open the whole packet, and then you are looking at the content”.66 UK CSPs will not be able to hand over the whole encrypted package to law enforcement or the Home Office because to do so would be to hand over content."

Interesting. It seems the UK authorities are advocating that communication data and content data should be treated separately, and packet encryption makes separating the two pieces of data nearly impossible. I think it's fairly obvious that in the future, practically everything that travels over communication channels will be encrypted.

The only weak part about Diffie–Hellman key exchange is that the transmission of public keys between individuals, without a man-in-the-middle attack occurring and impersonating those public keys, is difficult. Public Key Infrastructure (PKI) such as X.509 isn't really reliable, because the Certificate Authorities are susceptible to government subpenas and would be forced to hand over private keys.

Quantum networking would most likely solve man-in-the-middle attacks, because a photon packet can't be observed without altering it's quantum state (Qubit), but that's still a long ways out.

Thermal-dynamic encryption is interesting, and would solve the man-in-the-middle attacks.…

Phil Zimmermann's ZRTP authentication protocol is another interesting way to exchange public keys, and minimizes the chance of a man-in-the-middle attack occurring during key exchange.

Tor probably gets around these problems by distributing the Authority server's public key inside Tor's installation package. I don't know for sure, I'm just guessing.

Anyways, I hope encryption technologies continue to evolve at a fast pace, because it's obvious that Governments are attempting to accelerate their surveillance technologies on citizens. I enjoy my privacy as a law-a-biding citizen. I don't think citizens should be required to forfeit their privacy rights in order to use the internet.

I've also been reading about quite a few UK citizens being dragged into court, for simply expressing their views on Twitter. The thought of being prosecuted for simply speaking my mind is most troubling, and scary.