A government plan to allow the intelligence services to monitor all UK web communications is technologically impossible, according to experts from the London School of Economics.
The Interception Modernisation Programme (IMP) calls for internet service providers to record the traffic details of all web communications. They must also present those details to the intelligence services and other public authorities in a way that establishes the links between different pieces of data associated with, for example, an individual's phone, email address or user IDs.
Professor Peter Sommer and Gus Hosein, an LSE visiting fellow, published a report on Wednesday that criticised the government scheme. Sommer told ZDNet UK that the requirements are technologically impossible, due to the way data is transmitted on the internet.
"Existing law is based on the old telephone system, where it was easy to separate out communications data," Sommer said on Tuesday. "The problem with the internet is that it's all basically data bits."
The problem is made more complex by the blurring of boundaries in web communications between traffic data and content, and by the number of protocols used. Not only are a multiplicity of web protocols used by different companies, Sommer said, but those protocols are changed periodically, making interception as proposed by the government very difficult.
"If Microsoft rewrites Windows Live, [the government] would have to rewrite the [interception] protocol," said Sommer.
The government has proposed that ISPs use deep packet inspection, in which every data packet is opened and examined, to derive a picture of who is communicating with whom at any one time. In the report, Sommer and Hosein wrote that the devices used for deep packet inspection, known as 'black boxes', will have to collect large amounts of traffic associated with each internet user, discard whatever appears to be content, and combine the different streams of traffic to create the interlinked data picture of the individual. "This is an impossibility," Sommer said.
In the report, Sommer and Hosein also criticised the scheme for its extension of intelligence-service powers.
"If the boxes were under the control of GCHQ, then the entire existing fabric of warrants, authorisations and judgements over 'necessity' and 'proportionality' would collapse," wrote the authors.
Crunching the numbers
Sommer also told ZDNet UK that the LSE is concerned about the cost of the scheme, which the government has projected at £2bn over 10 years. "The figure of £2bn leads to endless questions about how the figures were derived, and where the costs are borne," he said.
The Home Office on Wednesday declined to give details about how the scheme's costs would break down. The programme will be cross-government, but will be funded by the Home Office, said a spokesperson.
The Home Office said it needed the capability to track all communications.
"Communications data plays a vital role in tackling serious crimes such as child sex abuse, kidnap, murder and drug related crime, as well as in public protection," the Home Office said in a statement. "Technology is evolving, and new innovative forms of internet-based communications are emerging. If we do not make changes now to maintain existing capabilities and look ahead to the future, the police, security and intelligence agencies will no longer be able to use this data to fight crime."
In terms of privacy, the Home Office said that it will "ensure there are stringent safeguards inbuilt into any future proposals", and added that it had launched a consultation on the matter.
"We know that this is a complex and sensitive subject, with a fine balance to be made between protecting public safety and civil liberties. Because of this we have launched a public consultation to seek views from interested parties, including communication service providers," said the Home Office statement.
ZDNet UK understands that the Home Office believes there are sufficient privacy safeguards in place for the work of both the intelligence service and other security services. These include Ripa, the Human Rights Act and the Data Protection Act.