Category Archives: Legal issues

Security-related legislation, government initiatives, court cases

What's worrying the spooks?

Internet censorship, Legal issues, News coverage, Politics

As I mentioned a few days ago, the security services have some concerns about the Digital Economy Bill:

If evading blocking systems becomes a mainstream activity (and there’s said to be 6-7 million illegal file sharers in the UK) then it will be used, almost automatically, by subversive groups — preventing the spooks from examining the traffic patterns and comprehending the threat.

There seems to be some confusion about quite what is worrying the security services. Last October, The Times reported that “both the security services and police are concerned about the plans, believing that threatening to cut off pirates will increase the likelihood that they will escape detection by turning to encryption”, and this meme that the concern is encryption has been repeated ever since.

However, I think that Patrick Foster, the Times media correspondent, got hold of the wrong end of the stick. The issue isn’t encryption but traffic analysis.

Continue reading What's worrying the spooks?

A wrecking amendment ?

Internet censorship, Legal issues, News coverage, Politics

For the past few months the Digital Economy Bill (DEB) has been quietly making its way through the House of Lords. As is the way of these things, large numbers of amendments have been proposed, their lordships have had a series of mini-debates on each set of issues, and the Government have been busily amending the Bill in an attempt to fix all the things that they didn’t think through properly.

The main thrust of the DEB’s approach to dealing with unlawful file sharing of copyright material has been a “three strikes” policy. That is, should you be detected to be sharing some popular beat combo’s music without permission, then on the first two occasions you’d receive an admonishing letter, and on the third time then you would be subject to “technical measures” (ie: very slow Internet speeds) or disconnection, the latter doubtless annoying the rest of your family as they would be unable to visit DirectGov / keep up their social life / catch-up TV shows / do their homework / avoid being sacked from their work-from-home job!

However, the Government are concerned that this won’t be enough, and that unlawful sharing of copyright material might occur in new ways in future. So in clause 17 of the DEB they set out a scheme for amendment (in ways that would be decided as future circumstances required) of the Copyright, Designs and Patents Act 1988 through secondary legislation.

It is unusual to grant such open ended powers to amend primary legislation, because Parliament would be presented with an unamendable statutory instrument and invited to vote for it — no such SI has been defeated in the House of Lords since 2000, and the time before that was in 1968.

There was an outcry over the breadth of clause 17, and so the Government set out amendments to restrict it — but last week peers voted for an opposition amendment (120A) to have an alternative arrangement altogether, a regime of High Court injunctions that would force ISPs to block websites.

This is such a dumb (and dangerous) idea that it has all the characteristics of a wrecking amendment, added to the Bill just to eat up parliamentary time so that the whole Bill will fall at the dissolution for the upcoming election.

Continue reading A wrecking amendment ?

More on the SCR

Legal issues, News coverage, Politics

Two weeks ago I posted about the Summary Care Record, a project to centralise medical records in England and Wales under the pretext that central records might be useful in emergency care. At the time, I wrote to the Cabinet Secretary asking whether it was appropriate to use taxpayers’ funds to leaflet millions of homes on a politically sensitive topic during an election campaign; I haven’t yet got a reply.

Doctors’ leaders are now alarmed. Patients are being misinformed, and opt-out is being made difficult.

The information being given to patients is false and misleading. The SCR promotional leaflet says anyone who has access to your records … must be directly involved in caring for you. However, large numbers of officials will have access. And as I already noted, the SCR isn’t as helpful in emergencies as it’s spun. Its purpose is actually different: to provide the basis for a centralised electronic patient record for everyone.

Doctors have noted that in the pilot areas, seven out of ten patients are unaware that an SCR was created for them. The patient information packs don’t contain an opt-out form; you’re supposed to phone the call centre for one. Over two hundred thousand people have downloaded an opt-out letter from www.thebigoptout.org; now the NHS says it wants doctors to ignore this and get everyone who wants to opt out to use this form instead (which GPs can’t order in bulk).The roll-out is rushed and displays typical incompetence: for example, some patients have been sent other patients’ letters. I am sure this story will run and run.

Reliability of Chip & PIN evidence in banking disputes

Academic papers, Banking security, Legal issues

It has now been two weeks since we published our paper “Chip and PIN is broken”. Here, we presented the no-PIN attack, which allows criminals to use a stolen Chip and PIN card, without having to know its PIN. The paper has triggered a considerable amount of discussion, on Light Blue Touchpaper, Finextra, and elsewhere.

One of the topics which has come up is the effect of the no-PIN vulnerability on the consideration of evidence in disputed card transactions. Importantly, we showed that a merchant till-receipt which shows “PIN verified” cannot be relied upon, because this message will appear should the attack we presented be executed, even though the wrong PIN was entered.

On this point, the spokesperson for the banking trade body, the UK Cards Association (formerly known as APACS) stated:

“Finally the issuer would not review a suspected fraud involving a PIN and make a decision based on the customer’s paper receipt stating that the transaction was “PIN verified”, as suggested by Cambridge.”

Unfortunately card issuers do precisely this, as shown in a recent dispute over £9,500 worth of point-of-sale transactions, between American Express and a customer. In their letter to the Financial Ombudsman Service, American Express presented the till receipt as the sole evidence that the PIN was correctly entered:

“We also requested at the time of this claim, supporting documents from [the merchant] and were provided a copy of the till receipts confirming these charges were verified with the PIN.”

Requests to American Express for the audit logs that include the CVR (card verification results), which would have shown whether or not the no-PIN attack had been used, were denied. The ombudsman nevertheless decided against the customer.

The issue of evidence in disputed transaction cases is complex, and wider than questions raised by just the no-PIN attack. To help bring some clarity, I wrote an article, “Reliability of Chip & PIN evidence in banking disputes”, for the 2009 issue of the Digital Evidence and Electronic Signature Law Review, a law journal. This article was written for a legal audience, but would also be suitable for other non-technical readers. It is now available online (PDF 221 kB).

In this article, I give an introduction to payment card security, both Chip & PIN and its predecessors. Then, it includes a high-level description of the EMV protocol which underlies Chip & PIN, with an emphasis on the evidence it generates. A summary of various payment card security vulnerabilities is given, and how their exploitation might be detected. Finally, I discuss methods for collecting and analyzing evidence, along with difficulties currently faced by customers disputing transactions.

Opting out of health data collection

Legal issues, News coverage, Politics

The Government is rolling out a system – the Summary Care Record or SCR – which will make summaries of medical records available to hundreds of thousands of NHS staff in England. Ministers say it will facilitate emergency and unscheduled care, but the evidence in favour of such systems is slight. It won’t be available abroad (or even in Scotland) so if you are allergic to penicillin you’d better keep on wearing your dogtag. But the privacy risk is clear; a similar system in Scotland was quickly abused. Colleagues and I criticised the SCR in Database State, a report we wrote on how government systems infringe human rights.

Doctors have acted at last. The SCR is being rolled out across London, and the Local Medical Committees there have produced a poster and an opt-out leaflet for doctors to use in their waiting rooms. The SCR is also political: while Labour backs it, the Conservatives and the Lib Dems oppose it. Its roll-out means that millions of leaflets will be distributed to voters, pardon me, patients in London extolling its virtues. A cynic might ask whether this is a suitable use of public funds during an election campaign.

Measuring Typosquatting Perpetrators and Funders

Academic papers, Legal issues, Security economics

For more than a decade, aggressive website registrants have been engaged in ‘typosquatting’ — the intentional registration of misspellings of popular website addresses. Uses for the diverted traffic have evolved over time, ranging from hosting sexually-explicit content to phishing. Several countermeasures have been implemented, including outlawing the practice and developing policies for resolving disputes. Despite these efforts, typosquatting remains rife.

But just how prevalent is typosquatting today, and why is it so pervasive? Ben Edelman and I set out to answer these very questions. In Measuring the Perpetrators and Funders of Typosquatting (appearing at the Financial Cryptography conference), we estimate that at least 938,000 typosquatting domains target the top 3,264 .com sites, and we crawl more than 285,000 of these domains to analyze their revenue sources.
Continue reading Measuring Typosquatting Perpetrators and Funders

Chip and PIN is broken

Academic papers, Banking security, Legal issues, News coverage, Politics

There should be a 9-minute film on Newsnight tonight (10:30pm, BBC Two) showing some research by Steven Murdoch, Saar Drimer, Mike Bond and me. We demonstrate a middleperson attack on EMV which lets criminals use stolen chip and PIN cards without knowing the PIN.

Our technical paper Chip and PIN is Broken explains how. It has been causing quite a stir as it has circulated the banking industry privately for over 2 months, and it has been accepted for the IEEE Symposium on Security and Privacy, the top conference in computer security. (See also our FAQ and the press release.)

The flaw is that when you put a card into a terminal, a negotiation takes place about how the cardholder should be authenticated: using a PIN, using a signature or not at all. This particular subprotocol is not authenticated, so you can trick the card into thinking it’s doing a chip-and-signature transaction while the terminal thinks it’s chip-and-PIN. The upshot is that you can buy stuff using a stolen card and a PIN of 0000 (or anything you want). We did so, on camera, using various journalists’ cards. The transactions went through fine and the receipts say “Verified by PIN”.
Continue reading Chip and PIN is broken

How online card security fails

Academic papers, Banking security, Legal issues, Politics, Security economics

Online transactions with credit cards or debit cards are increasingly verified using the 3D Secure system, which is branded as “Verified by VISA” and “MasterCard SecureCode”. This is now the most widely-used single sign-on scheme ever, with over 200 million cardholders registered. It’s getting hard to shop online without being forced to use it.

In a paper I’m presenting today at Financial Cryptography, Steven Murdoch and I analyse 3D Secure. From the engineering point of view, it does just about everything wrong, and it’s becoming a fat target for phishing. So why did it succeed in the marketplace?

Quite simply, it has strong incentives for adoption. Merchants who use it push liability for fraud back to banks, who in turn push it on to cardholders. Properly designed single sign-on systems, like OpenID and InfoCard, can’t offer anything like this. So this is yet another case where security economics trumps security engineering, but in a predatory way that leaves cardholders less secure. We conclude with a suggestion on what bank regulators might do to fix the problem.

Update (2010-01-27): There has been some follow-up media coverage

Update (2010-01-28): The New Scientist also has the story, as has Ars Technica.

Mobile Internet access data retention (not!)

Legal issues, Security engineering

In the first article in this series I discussed why massive use of Network Address Translation (NAT) means that traceability for mobile Internet access requires the use of source port numbers. In the second article I explained how in practice the NAT logging records, that record the mapping from IP address to customer, are available for only a short time — or may not exist at all.

This might seem a little surprising because within the EU a “data retention” regime has been in place since the Spring of 2009. So surely the mobile phone companies have to keep the NAT records of Internet access, even though this will be horribly expensive?

They don’t!

The reason is that instead of the EU Directive (and hence UK and other European laws) saying what was to be achieved — “we want traceability to work” — the bureaucrats decided to say what they wanted done — “we want logs of IP address allocation to be kept”. For most ISPs the two requirements are equivalent. For the mobile companies, with their massive use of NAT, they are not equivalent at all.

The EU Directive (Article 5) requires an ISP to retain for all Internet access events (the mobile call itself will require other info to be retained):

(a)(i) the user ID(s) allocated;
(a)(iii) the name and address of the subscriber or registered user to whom an Internet Protocol (IP) address, user ID or telephone number was allocated at the time of the communication;
(c)(i) the date and time of the log-in and log-off of the Internet access service, based on a certain time zone, together with the IP address, whether dynamic or static, allocated by the Internet access service provider to a communication, and the user ID of the subscriber or registered user;
(e)(ii) the digital subscriber line (DSL) or other end point of the originator of the communication;

That is, the company must record which IP address was given to the user, but there is no requirement to record the source port number. As discussed in this series of articles, this makes traceability extremely problematic.

It’s also somewhat unclear (but then much more of the Directive is technically unclear) whether recording the “internal” IP address allocated to the user is sufficient, or whether the NAT records (without the port numbers) need to be kept as well. Fortunately, in the UK, the Regulations that implement the Directive make it clear that the rules only apply once a notice has been served on an ISP, and that notice must say to what extent the rules apply. So in principle, all should be clear to the mobile telcos!

By the way … this bureaucratic insistence on saying what is to be done, rather than what is to be achieved, can also be found in the Digital Economy Bill which is currently before the House of Lords. It keeps on mentioning “IP addresses” being required, with no mention of source port numbers.

But perhaps that particular problem will turn out OK? Apple will not let anyone with an iPhone download music without permission!

Practical mobile Internet access traceability

Legal issues, Security engineering

In an earlier article I explained how the mobile phone companies are using Network Address Translation on a massive scale to allow hundreds of Internet access customers to share a single IP address. I pointed out how it was now necessary to record the source port as well as the IP address if you wanted to track somebody down.

Having talked in detail about this with one of the UK’s major mobile phone companies, I can now further describe some practical issues (Caveat: other companies may differ in how they’ve implemented their details, but all of them are doing something very similar).

The good news, first, is that things are not as bad as they might be!

By design, NAT systems provide a constant mapping to a single IP address for any given user (at least until they next disconnect). This means that, for example, a website that is tracking visitors by IP address will not serve the wrong content; and their log analysis program will see constant IP addresses when the user changes page or fetches an image, so that audience measurements will remain valid. From a security point of view, it means that provided you have at least one logging record with IP address + port number + timestamp, then you will have sufficient data to be able to seek to make an identification.

As a quick aside, you may be thinking that you could do an “inference attack” to identify someone without using a source port number. Suppose that you can link several bad events together over a period of time, but only have the IP address of each. Despite the telco having several hundred people using each IP address at each relevant instant, only one user might be implicated on every occasion. Viewers of the wire will recall a similar scheme being used to identify Stringer Bell’s second SIM card number!

Although this inference approach would work fine in theory, the telco I spoke with does not keep its records in a suitable form for this to be at all efficient. So, even supposing that one could draft the appropriate legal request (a s22 notice, as prescribed by the UK’s Regulation of Investigatory Powers Act), the cost of doing the searches and collating the results (and those costs are borne by the investigators), would be prohibitive.

But now it’s time for the bad news.

Traditional ISP IP address usage records (in RADIUS or similar systems) have both a “start” and “stop” record. The consistency of these records within the logging system gives considerable assurance that the data is valid and complete. The NAT logging only records an event when the source port starts to be used — so if records go missing (and classical syslog systems can lose records when network errors occur), then there is no consistency check to show that the wrong account has been identified.

The logging records that show which customer was using which IP address (and source port) are extremely large — dozens of records can be generated by viewing just one web page. They also provide sensitive information about customer habits, and so if they are retained at all, it will only be for a short period of time. This means that if you want traceability then you need to get a move on. ISPs typically keep logs of IP address usage for a few weeks. At the mobile companies (because of the volume) you will in practice have to consult the records within just a few days.

Furthermore, even when the company intends to hold the data for a short period, it turns out that under heavy load the NAT equipment struggles to do what it’s supposed to be doing, leave alone generate gigabytes of logging. So the logging is often turned off for long periods for service protection reasons.

Clearly there’s a reputational risk to not having any records at all. For an example which does not have anything to do with policing: not being able to track down the sources of email spam would demean the mobile company in the eyes of other ISPs (which in practice will be seen by ever more aggressive filtering of all of their email). However, that risk is rather long-term; keeping the system running “now” is rather more important; and there is a lot that a mobile company can do to block and detect spam within their own networks — they don’t need to rely on being able to process external abuse reports.

In the third and final article of this little series I will consider the question of “data retention”. Surely the mobile phone company has a legal duty to keep traceability records? It turns out that the regulators screwed it up — and they don’t!