About this blog…

I am employed by Netnod as head of engineering, research and development, and am, among other things, chair of the Security and Stability Advisory Committee at ICANN. You can find my CV and photos of me at this page.

As I wear so many hats, I find it necessary to have somewhere to express my personal view on things. This is the place where that happens. Postings on this blog, or on Facebook, Twitter etc., fall under this policy.

The views expressed in these posts are mine and do not necessarily reflect the views of Netnod or any of the other organisations I have connections to.

Security and things…

The polarized discussions about “bad things on the net” continue. Everyone from the Prime Minister of Sweden, talking about how powerful a tool police-controlled viruses would be, to Anonymous attacking Daesh on the net.

I have been rather silent the last week simply because I have not had any idea where to start in explaining how naive and silly I think the discussion is. Unfortunately it is led by advisors to lobbyists who have once again succeeded in making ministers say stupid things. And given the situation we are in, whatever stupidity is proposed will probably be implemented. So silly.

To know what tools are needed (and by tools I mean everything from legislative to technical), we must always start by looking at what problems we want to solve. What are the issues? Knowing that, we can start looking at what tools are needed, what tools exist (and might have to be modified) and what new tools are needed.

I classify the need for tools in four categories:

1. Identify who is (was) communicating

The party that knows who is using an IP address, who is logged into a social media service, who sent an email etc. is the one that provides the service in question. In some cases more than one provider must be contacted to get the full picture (mapping a username to an IP address, and then the IP address to a location). In some cases, when something has happened, the need is not to know who is using an IP address or who is at a specific geographic location right now, but who was using a specific IP address or who was at a specific location at an earlier time.

Many people think this is what the implementation of the data retention directive we have today gives us, but I disagree. The data is stored for too long, the wrong data is stored, and there is not enough qualification of, and oversight over, the requests themselves.

I think data should be stored for, say, 48 hours. All data. Then deleted. Requests can only come from law enforcement, and only in connection with a crime of a certain level, with oversight by a third party to flag if the tool is misused. It is also required that law enforcement in one country can request data from a service provider in a different country, i.e. cross-border exchange of data must be possible. Today, slow handling of requests requires data to be stored for much longer.

2. Gather information about one party that communicates

Given that a specific person, IP address or social media account is believed to be involved in certain activities, it must be possible to redirect communication to and from that endpoint to whoever requests that information.

This could be an extension or adaptation of the current legislation and rules related to wiretapping, and, just like knowing who uses an endpoint, third-party oversight over how the tool is used is important.

The difference between [1] above and this is that here only information about one (of many) endpoints is collected, and that the endpoint is specifically suspected of having some relationship with some crime of a certain level. There must of course be requirements on crime level, on what to do with overflow information, on how long data can be collected, and so on.

3. Look at all communication

To find bad fish in the sea, it is interesting for some parties to look at all communication. No, this does not have to be an intrusion of integrity. It all has to do with what and how the fishing is done, and what is done with the data collected. Some fishing might fall into other categories ([1] and [2] above); some might just look for changes in traffic patterns and instead result in a suspicion that leads to further work under category [2] above.

The way to keep this under control is, just like for the other categories, to have third-party oversight and to set specific rules for what fishing is allowed. Similar to fishing for, well, real fish in the Baltic Sea: too small a cod, and the fishing is illegal.

In Sweden we have the famous FRA legislation, but we have also seen that the oversight has, in a number of cases, found that the fishing did not follow the rules. That of course decreases trust in the party providing the service.

4. Stop certain communication

If it is detected that some bad communication exists, the only really effective way of stopping it is to take down the service. To take down the service at the endpoint. Not to block! This requires, just like for [2], that law enforcement in one state can communicate efficiently with law enforcement in another, and that rules and procedures are set up properly so that it is predictable what happens when laws, rules, regulations and norms differ between the two states.

And of course that a third party oversees how the tool is used, just like with the other mechanisms sought for.

Other comments

The proposed use of spying software at the endpoints is something I definitely do not believe in. We have already seen some of the impact in, for example, the Blue Coat incident explained by Citizen Lab. It is also the case that criminals can always use encryption software, voice messages inside games and what not. We will never be able to catch that. This implies that forbidding encryption, requiring back doors, master keys and what not is just not useful. Steve Bellovin, whom I have worked with a lot in the IETF, explains this really well in a CNN interview.

Instead, we must use the tools mentioned above, and only those tools. And watch what happens. Catch the fish when they make mistakes. And use the tools we already have and can use, like validating the biometric information in our passports. In the USA they started checking biometric information, and validating that passports are not reported lost, directly after 9/11, but in the EU? In the EU we are only now talking about doing that at the Schengen border. How silly is that?

It is also, as mentioned above, important to ensure that third parties have oversight over the use of these tools. This is because the tools are not dangerous in themselves; the use is. And because of this, it matters what rules exist for their use, what level of crime is required, and who can request their use. The data collected definitely has implications for privacy, so it is information not to be given out ad hoc. The request must be authenticated and authorised.

Let me take a parallel example. The 112/911 service in Sweden, SOS Alarm, wanted to be able to send text messages to all cellphones in a specific area. The suggested solution was to have servers run by SOS Alarm into which all cellphone providers were to send location data. How dangerous is that? The solution I now believe is implemented is instead that SOS Alarm sends a message plus a polygon describing a geographical area to each cellphone provider. The cellphone provider sends the message to all phones within that area and reports back to SOS Alarm how many phones received the message and how many phones were in the area. The information on where each phone is located never leaves the telco. Much better!
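The carrier-side half of that design, as an added example (this is not code from SOS Alarm, any telco, or the original post). The alerting authority supplies only a message and a polygon; the carrier does the point-in-polygon selection against its own subscriber positions and returns two counts. The polygon, the subscriber identifiers and the positions below are constructed sample data, and the comparison with the rejected centralised design is included to make the difference in what leaves the telco visible.

```python
"""Geo-targeted alert where subscriber locations stay inside the carrier.

Added example, not code from the post or from any telco.  The authority
sends (message, polygon); the carrier selects phones inside the polygon,
sends the message through its own SMS path, and reports back two counts.
Subscriber IDs and coordinates are constructed sample data.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Phone:
    subscriber_id: str   # constructed placeholder, stands in for an MSISDN
    lat: float           # last known position, carrier-internal
    lon: float
    reachable: bool      # can the handset currently receive a message?

# Constructed polygon roughly around central Stockholm, as (lat, lon).
SAMPLE_POLYGON = [(59.34, 18.04), (59.34, 18.10), (59.31, 18.10), (59.31, 18.04)]

# Constructed subscriber positions: three inside the polygon, one outside.
SAMPLE_PHONES = [
    Phone("sub-A", 59.330, 18.07, reachable=True),
    Phone("sub-B", 59.320, 18.05, reachable=False),
    Phone("sub-C", 59.400, 18.00, reachable=True),   # north of the area
    Phone("sub-D", 59.335, 18.09, reachable=True),
]

# Carrier-internal record of what was actually sent; never returned to the authority.
CARRIER_OUTBOX = []

def point_in_polygon(lat, lon, polygon):
    """Ray-casting test: cast a horizontal ray eastward from (lat, lon) and
    count how many polygon edges it crosses; an odd count means inside."""
    inside = False
    j = len(polygon) - 1
    for i in range(len(polygon)):
        yi, xi = polygon[i]
        yj, xj = polygon[j]
        # Only edges that straddle the ray's latitude can be crossed.
        if (yi > lat) != (yj > lat):
            x_cross = xj + (lat - yj) * (xi - xj) / (yi - yj)
            if lon < x_cross:
                inside = not inside
        j = i
    return inside

def send_sms(subscriber_id, message):
    """Stand-in for the carrier's own delivery path (constructed)."""
    CARRIER_OUTBOX.append((subscriber_id, message))

def deliver_area_alert(message, polygon, phones):
    """Carrier side of the adopted design.

    Returns (delivered, in_area): the only two values that go back to the
    authority.  Which subscribers were targeted, and where they are, stays here.
    """
    in_area = [p for p in phones if point_in_polygon(p.lat, p.lon, polygon)]
    delivered = 0
    for phone in in_area:
        if phone.reachable:
            send_sms(phone.subscriber_id, message)
            delivered += 1
    return delivered, len(in_area)

def centralised_design_export(phones):
    """What the rejected design would have pushed to the authority's servers:
    one identity-plus-location record per phone, for every phone, all the time."""
    return [(p.subscriber_id, p.lat, p.lon) for p in phones]

if __name__ == "__main__":
    counts = deliver_area_alert("Constructed test alert", SAMPLE_POLYGON, SAMPLE_PHONES)
    print("authority receives:", counts)
    print("authority would have received under the rejected design:",
          centralised_design_export(SAMPLE_PHONES))
```

The privacy property comes from the shape of the interface, not from any policy text: `deliver_area_alert` cannot leak positions because it has nothing but two integers to return, whereas `centralised_design_export` shows the standing population-wide location feed the first proposal would have required.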

Conclusion

I am dead tired of lobbyists and popular interests driving their agendas, which in many cases do not help us solve the issues we have in society. I also do not think we are helped by people wearing tinfoil hats. And I am tired of politicians making statements without thinking about the words they use, because if we in our country can use those words as arguments to change what tools are in use, then the same words can be used in more difficult states. Sure, there is a difference between our state and states where, for example, journalism and criticism are not allowed, but this must be taken into account when making official statements. I do not see that this has been done.

There are definite steps that must be taken. Now. By Sweden, by countries in the EU, by members of the Schengen agreement.

But having state-controlled viruses is not the right solution. Forbidding encryption is not the right solution. Having back doors in software and hardware is not the right solution.

Giving the right tools to the right parties on the other hand, that is what we should do.

Can we please have a modern, sound discussion about this?