| | 1.4 Supplier 03. Investigatory Powers Act | | |
---|
14.03 Investigatory Powers Act: | 1. In 2017 the UK Investigatory Powers Act becomes law and most other countries in the world are adopting similar laws that have been reported as the "Snoopers Charter". It is possible that some people voting for these laws are not technically aware enough to make a balanced judgement with some of the factors included as:- | 2. Every Internet Service Provider must record and index all Internet and telephone traffic. | 3. Every Internet Service Provider must grant many agencies access rights to all that data for at least 12 months. | 4. Many agencies have the right to collect and collate their own databases of Personally Identifiable Information. | 5. Many agencies have the right to install monitoring software on all computers and phones so cameras and microphones may be remotely controlled. | 6. The Internet and phones have evolved into a massive surveillance network for many countries to spy on one another. | ADDENDUM: | 1. In December 2018, Australia enacted their "Assistance and Access Bill" that takes investigory powers to an new level. | 2. The Government can serve a "Technical Capacility Notice" on any person to order them to develop a backdoor into the software they are developing and the order prevents them from notifing anybody including their employer. A person may serve jail time if the refuse to develop the backdoor or if they notify anybody that they have been ordered to develop a backdoor. A company can be fined ten million dollars if they are not able to break their own encryption when ordered to do so. | FIVE EYES: | 1. The governments of Australia, Canada, New Zealand, USA and UK operate a data sharing service where Australian orders as the weekest link with no human rights legislation, may be used against any software house. This includes communications monitoring of people like Angela Markel, John Lenon. Nelson Mandela, Jane Fonda, dian Princess of Wales, Charlie Chaplin and Strom Thurmond (1948 Presidential candidate). |
2. Monitoring Software: | 1. Many agencies in many countries have the right to install monitoring software on computers, tablets and phones. A key factor is that cameras and microphones may be remotely activated. Any stored data can be silently downloaded and collated for use against a person at a later time. | 2. Because it is legal for an agency to install monitoring software, it must be practical for a criminal to do the same. Personally identifiable information collated over a lifetime can only be used against a person - it serves no other purpose. | 3. What is a legal communication in one culture may become illegal in a different culture and a person could be found guilty in the future. What is free speech in one culture may be unacceptable by another culture and may be used against that person. | 4. How a person votes at one point in time may become terrorism by a future government that decides that support for an opposition party is against the national interest. When a nationalistic party gains political power, they may choose to disenfranchise those that did not vote for them. | 5. People who take precautions to prevent or disrupt surveillance may be assumed to be guilty of trying to hide something. To disagree with every government installing monitoring software on peoples computers may be an act of terrorism or criminality. |
3. Personally Identifiable Information: | 1. Every transaction to and from a computer, tablet or smart phone is being recorded, read, processed and indexed. Over a year or more, a compete profile of a person can be determined by artificial intelligence. Each person is classified into groups according to who they communicate with and what web sites they visit. | 2. A person who communicates with a person on a watch list may be added to that watch list. Each person needs to manage who calls them to prevent them becoming associated with a person of interest. | 3. The era of taking private photographs has ended and every photograph is automatically tagged with each persons name by artificial intelligence. Agency databases never forget and will be able to provide evidence of an association many years after people have forgotten about the incident. |
4. Business Information: | 1. Business transactions will be recorded and may be leaked to other parties. The concept of Intellectual Property may become hard to maintain if any part of the IP is ever communicated or documented in any way. The act of documenting normal business will be monitored and will end up in a database that may be sold to others. | 2. Many businesses still work using obsolete spreadsheets with no encryption - all that business data will eventually become available to competitors. Advance Persistent Threats (APT) may take up to five years to gain access to critical business information stored in spreadsheets, but competitors will find the results worth waiting for. The idea the companies like TalkTalk who have had their own data stolen three times will have to take responsibility for holding data about all customers is all about when will it be stolen. The idea the companies like Tesco bank lost many millions of pound in customer accounts because the computers were not monitored over the weekend, what will they do with much more valuable private customer information. |
5. Direction: | 1. While some try to get governments in all parts of the world to reduce their ability to install malware on every bodies computer and phone, it is clear that no one Government can afford to miss out on what all other Governments are doing. It is not about a local Government being nice and not infecting many computers - all Governments are doing the same thing to computers in all countries. The world has changed and ways to mitigate the impact are now mandatory. | 2. Excessive encryption is part of the solution - every document must be encrypted and replicated to a swarm of secure data centers. No business data must ever be stored on a local computer and must never be communicated by email - that is just giving it away. Password protected documents offer no security because millions of password attempts can be automated and even if it takes many hours, eventually an artificial intelligent assistant will guess the right password. | 3. Business information must not be communicated by email - it will be copied, will be read, will be processed, will be indexed and will eventually be sold to the highest bidder. Even if the business information is not stolen for a few years, when it is finally stolen and used by competitors, it could lead to significant loss of business. When the business information is not published but only used for competitive advantage, the idea of a trade secret or Intellectual Property will diminish as more and more information is leaked over many decades. | 4. Everybody will learn that whatever information they store on their mobile phone will eventually become public knowledge. A new era without any privacy has started, where everybody is profiled and everybody is suspected of being a terrorist, until they can prove otherwise. Private photographs cannot exist, only photographs that have not yet been stolen. Some photographs will be stolen in hours and some will take a few years, but eventually, it is hard to imagine that any private photographs can exist in the long term. Treat every email as if it is going to be broadcast on the local news - eventually it may be. | 5. It is already a legal requirement to give up social media passwords as a condition to enter certain countries. As the profile of every living person is built up, travel will be only available to those that match a certain profile. Goods may only be sold to people with a proven profile and people without a profile will not be trusted - may be rejected as a customer. Each person has a legal obligation to manage their social media profile, to only follow people that is considered safe to follow and only be followed by people who are not on a watch list. | 6. Never download any application program for any reason - some will be spiked with monitoring capabilities. Change computer and phone every month so an evidence trail cannot be accumulated - use many devices on different networks for different purposes at the same time. Change Internet Service Provider every month so the consolidation of network traffic is incomplete - rich people will have many ISP accounts with very low usage on each account. |
6. Summary: | 1. Every anti-virus product is a virus by another name that is designed to steal data - STOP downloading programs. | 2. Every downloaded application product from any app store is a virus designed to steal data - STOP downloading programs. | 3. Every email is copied, read, processed, collated and the results may eventually be sold to other parties - STOP using email. | 4. Every phone call is recorded, analysed, processed, collated and the results may eventually be sold to other parties - STOP using the telephone. | 5. Every document (that is not encrypted) will be copied and the contents may eventually be sold to other parties - STOP storing documents on any computer. | 6. Every camera and microphone may be used by others at any time for other purposes - STOP using devices with a camera and microphone. | 7. Every address book will be part of a persons profile to be used by some people against other people - STOP using an address book. | 8. Only criminals want privacy while innocent people are content to have no privacy and have their personal information shared with others - encrypt everything using hardened servers and fully comply with the law. |
Document Control: | 1. Document Title: Investigatory Powers Act. | 2. Reference: 161403. | 3. Keywords: Snoopers Charter, Investigatory Powers. | 4. Description: Press report regarding Investigatory Powers Act. | 5. Privacy: Public news shared with all approved people. | 6. Issued: 11 Nov 2016. | 7. Edition: 1.2. |
Part Two: | . Investigatory Powers Act (IPA) was signed into UK law in Nov 2016 - it applies to everybody in the world, but is only enforced in the UK. Many other countries are implementing similar laws that apply to everybody in the world. Many agencies are granted access to such data and each Government may use the data for their own local purposes. | Interception. | . The acts demands the interception and recording of all electronic communications, no matter what kind of communication and including text, audio and video. | Interference. | . The acts demands that any and all electronic equipment may have malware installed, may have monitoring software installed and data contents may be copied using any kind of interference, including back-doors. | . People may be monitored using a camera on a smart phone, using a microphone on a TV or using monitoring software on a laptop - Government agency installed malware is legal. | Retention. | . The acts demands the recording of every person-to-person conversation by processing all electronic communications. |
Communications Service Provider (CSP): | 1. Every company that provides a service that can transmit an electronic message from one person to another is a CSP. This includes every forum, online retailer, feedback company, call center and most games. | 2. Every CSP must by law create and retain Internet Communication Records (ICR) that detail every connection for the last year. This must include details of every web site visited and every person contacted. The CSP must suffer the cost of such data storage. | 3. Every CSP must expect to be served with a Data Retention Notice that orders a person to disclose specific ICR history. The notice will disclose how the data must be presented, what data can be ignored and what data can be merged into one record. The CSP must suffer the cost of such extract processing. | 4. Some CSPs must be prepared to be served with a Technical Capability Notice that orders the CSP to change or install interference equipment. A notice may be to reduce the level of encryption or to fit a back-door or monitoring capability. Every notice includes a non-disclosure order so the existence or scope of any notice cannot be published. It may be assumed that all equipment in the future shall be installed with legal monitoring capabilities. |
Security: | 1. A CSP who has been served with a Technical Capability Notice is not permitted to release a new service without giving advance notice. A CSP must expect that equipment that has a back-door installed cannot be replaced with new equipment without a similar back-door. | 2. A company undertaking network analysis may find that their work cannot be published where the scope of interference malware being distributed could be identified. Traffic management may not continue to be legal where a traffic report identifies interference and interception traffic that is being done by Government agencies in many countries. | 3. Every CSP must store ICR data according to a few rules as:- | (1) Secure data of the same integrity to be at least the same security and protection as the data from which it was derived. | (2) Secure by appropriate technical and organisational measures, that the data can only be accessed by specially authorised people. | (3) Secure by appropriate technical and organisational measures, against accidental and unlawful destruction, loss or alteration or unauthorised retention, processing, access or disclosure. | 4. Clearly a CSP is guilty if they fail with any of the above ICR security requirements. Governments will also include requirements regarding physical security, CCTV, firewalls, anti-virus software, security people, clearances, training and process controls. | 5. Government approved products and suppliers MUST be used to destroy hardware that has been used to store such ICR data. Every CSP will suffer considerable extra costs that are not a benefit, but must be paid for by the customer. Every hardware CSP can expect to be served with a notice to install some kind of back-door and monitoring equipment. Every software CSP can expect to be served with a notice to simplify encryption and provide a back-door. Encryption vendors must expect to be ordered to weaken, change or simplify their encryption methods. |
Counter: | 1. European Court of Justice has ruled that the UK Investigatory Powers Act is not a legal for of mass surveillance. The UK has appealed against the ruling, but things will change when UK leaves Europe. | 2. VPN networking circumvents some of the powers and this part of the market has gown 25% in the last year. Interception and Retention may be avoided by VPN, but equipment interference could see all VPN equipment installed with a back-door to capture the same data. | 3. It is not legal under GDPR to harvest and store data that does not have the formal consent of the owner and does not need to be stored. A legal conflict exists where IPA demands that a CSP must store data that is illegal to store according to GDPR. | 4. After UK leaves Europe, then the UK Government can add an exception to GDPR to permit IPA data to be stored. The UK is not alone with this legal conflict and some compromise will be found so mass surveillance can continue in the way that it always has continued. | 5. Entrance to the USA may require the handing over of social media details - a person without a social media existence may be excluded as undesirable. It may be illegal for a person from one country to disclose such personal information to USA as this causes a transfer of Personally Identifiable Information (PII) across national borders. |
Thought: | 1. Network equipment may become not-fit-for-purpose. A network router and firewall may become the primary access path that a criminal has to access business data. It is important to deploy an Intrusion Detection-Prevention Server (IDPS) on each Internet connection. | 2. It is proposed that the IDPS is a simple hardened Linux machine with an input Ethernet port and an output Ethernet port. The software running on the server is simple with all services switched off - it only permits known traffic from known IP addresses to get through to the LAN. It is not the web servers that are the weakest part of the service, it may be the router firewall. | 3. It is proposed that a bespoke anti-virus software tool is acquired and deployed. The primary objective is to avoid the need to install any other anti-virus software because no other anti-virus software can be trusted - it will eventually contain monitoring software. The anti-virus software is run on the IDPS Internet connection server to block every type of message that has not been formally approved to be needed. Artificial intelligence can work with the anti-virus software to learn what is needed and what can be blocked - overall performance can be improved by removing all the garbage. | 4. An internal Local Area Network (LAN) to drive home automation and local application services can be air-gapped and not normally connected to the Internet. For specific Internet connections to services such as Amazon, then the IDPS can provide a very restricted, safe and secure connection. | PURPOSE: As criminals follow the route taken by Government agencies, then business requirements will become more exacting to prevent data theft. As ASP, we must be one-step ahead with solutions proven in a home environment that are capable of being used for business commercial gain. |
1. Investigatory Powers Act 2016: | 1. Every company that provides a service that can tranmit an electronic message from one person to another is a Communication Service Provider (CSP). | 2. Every CSP must create and maintain Internet Communication Records (ICR) that detail every connection. | 3. Every CSP must retain ICR data is a safe and secure environment for at least one year. |
2. Your Message: | 1. Thank you for your electronic message that has been recorded in compliance with Investigatory Powers Act 2016. | 2. Your message has been copied to a support request where it can be shared with all interested parties. | 3. Your reply and any related correspondence shall be confined to that support request in a safe, encrypted and secure environment. |
3. Security Briefing: | 1. All public communication is recorded by many agencies in many countries. | 2. Private, confidential and sensitive personal and business information should not be communicated by public Internet services. | 3. Telephone and email services shall not be used for business purposes. Security awareness training is recommended for people who communicate private, confidential and sensitive business information using public communications. | 4. The DPO advokes Replicated Encrypted Data (RED) as a technical method to mitigate the security journey. |
Assistance and Access Bill: | 1. It would not be logical to employ a person who could be ordered by the Australian Government to develop a backdoor in a software package they were involved with. | 2. It would not be logical to deploy any software where its developers included Australians who may have been ordered to build an encryption backdoor into the software. | 3. It is likely that all software will evolve to include Government ordered backdoors that will eventually be discovered by criminals. | 4. People who do not care about security will continue to use software applications that leak private, confidential and sensitive information. People who care about privacy and security will NOT use software applications that is likely to be a data leak. |
Solution: | 1. Programming and software development was replaces with knowledge engineering many years ago so software vulnerabilities are not practical. | 2. No one person is permitted to undertake any development without many other people to contract what can be changed, to verify evey change and to only change business requirements that cannot leak encrypted data. | 3. Technical changes and business changes are fragmented so a change to one cannot impact on the other. | 4. Business changes take place daily as knowledge evolution. | 5. Technical changes are very infrequent and based on an architectural model that cannot be corrupted by any one person. People making technical changes do not know what applications are involved. Executives approving technical changes do not know how to make a change that could breach encryption. | 6. 100% of all business data is encrypted so it is not possible for a person to make a technical change to assist an agency to read any business data. An encryption key is not used, rather many thousands of encryption algorithms that are managed by an artificial intelligent assistant that cannot be ordered to disclose how it works. |
|
|