Andreas Fink wrote:
Folks,
I will be interviewed on radio today about my letter to EJPD and my view on the new "law" on surveillance. I'm putting all arguments together now and sorting them by priority (not enough time to say everything).
There is just one point: futility.
People who don't want to be caught by the things that the law implies will just circumvent the measures: encrypt their data / use VPNs.
As such, the only people they can monitor with it are the normal people who have no real intent of doing anything bad, and the bad guys will just keep on doing what they want, with a lot of effort and money spent on a completely futile exercise.
One thing which is missing is the cost of the equipment for a completely automated wiretap. Does anyone have some figures there? I can only estimate what kind of work it would take us to do it ourselves.
Grabbing data off the wire is cheap and easy (unless you are talking 10GE+++ :) but the big issue is STORING the stuff. I know several storage vendors who are very happy with these proposals.
Even if you only do NetFlow (which does not tell you anything when the kiddieporn site is hosted on the same IP as the Disney website), the storage requirements will be gigantic.
Also, my BIGGEST argument against this kind of monitoring being useful is much easier:
The documents for these kinds of 'taps' tend to describe that they transport the data from the ISP to the government in a 'secure' way. In this case they just define OpenVPN, as that is 'secure'. As such, anybody using OpenVPN is 'secure'. Thus if the people being monitored also just use OpenVPN (or any other such tool), then the tap is useless, as that data is secure.
HTTPS (SSL/TLS) is a *VERY* simple thing to set up, works universally, and is globally deployed and heavily in use. As such, anything (web, jabber, smtp, doesn't matter what) which uses encryption in one way or another cannot be monitored by these tools.
With NetFlow they would only see source+destination IP+port+proto. Thus if I run www.disney.com at the same IP as www.kiddyprn.com then there is no way to tell from the NetFlow which is which, as the person using those services could be watching the real version of Cinderella, but also the one containing the really young actors.
As such, any kind of this monitoring is futile. The people who want to get to the data will employ encryption or VPNs and they cannot be monitored.
Another big issue, of course, is that the bad things can just get lost in the noise: you watch Cinderella, Shrek, Shrek 2, Shrek 3 and then just before bed you watch that naughty edition of Cinderella 2. Several gigabytes transferred over a nice SSL pipe, and nobody can tell what it is, just bits and bytes, nothing else.
Greets, Jeroen
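An added worked example, not part of either message above: the NetFlow argument in Jeroen's reply, made concrete by building and parsing a NetFlow v5 export. The wire layout (24-byte header, 48-byte fixed records carrying only addresses, ports, protocol, counters and timestamps) is the real v5 format; the client and server addresses, the two virtual-host names, the flow counters and the 10k flows/second rate are constructed for the example, and the hostnames exist only in a lookup table on the collector side, never in the export itself.

```python
import socket
import struct
from dataclasses import dataclass
from typing import List, Tuple

# NetFlow v5 export layout (network byte order): a 24-byte header followed by
# up to 30 fixed 48-byte flow records. The record has fields for the 5-tuple,
# interfaces, counters and timestamps only; there is no field for a hostname,
# URL or payload, so two virtual hosts on one IP:port are indistinguishable.
HEADER = struct.Struct("!HHIIIIBBH")
# version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence,
# engine_type, engine_id, sampling_interval
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
# src, dst, nexthop, in_if, out_if, pkts, octets, first, last, sport, dport,
# pad1, tcp_flags, proto, tos, src_as, dst_as, src_mask, dst_mask, pad2


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    packets: int
    octets: int
    first_ms: int
    last_ms: int


def build_export(flows: List[Flow], unix_secs: int = 1_700_000_000) -> bytes:
    """Serialise flows as one NetFlow v5 datagram, as an exporter would send to a collector."""
    if len(flows) > 30:
        raise ValueError("NetFlow v5 carries at most 30 records per datagram")
    uptime = flows[-1].last_ms if flows else 0
    out = bytearray(HEADER.pack(5, len(flows), uptime, unix_secs, 0, 0, 0, 0, 0))
    for f in flows:
        out += RECORD.pack(
            socket.inet_aton(f.src), socket.inet_aton(f.dst), b"\x00" * 4,
            0, 0, f.packets, f.octets, f.first_ms, f.last_ms,
            f.sport, f.dport, 0, 0x1B, f.proto, 0, 0, 0, 0, 0, 0)
    return bytes(out)


def parse_export(datagram: bytes) -> List[Flow]:
    """Decode a NetFlow v5 datagram; rejects other versions and truncated data."""
    version, count, *_ = HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("truncated datagram")
    flows = []
    for i in range(count):
        (src, dst, _nh, _in, _out, pkts, octets, first, last, sport, dport,
         _pad1, _flags, proto, _tos, _sas, _das, _sm, _dm, _pad2) = \
            RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append(Flow(socket.inet_ntoa(src), socket.inet_ntoa(dst),
                          sport, dport, proto, pkts, octets, first, last))
    return flows


def server_key(f: Flow) -> Tuple[str, int, int]:
    """Everything the export tells you about the service side of a flow."""
    return (f.dst, f.dport, f.proto)


def export_bytes_per_day(flows_per_second: float) -> int:
    """Raw record volume for one day at a sustained flow rate (records only, no index or header overhead)."""
    return int(flows_per_second * 86_400 * RECORD.size)


# Constructed sample: one client opens two TLS sessions to the same web server
# (203.0.113.5:443), which virtual-hosts two unrelated sites. The hostnames
# live only in this table on the collector; nothing in the export carries them.
SAMPLE_SESSIONS = {
    "vhost-a.example": Flow("192.0.2.10", "203.0.113.5", 51000, 443, 6, 340, 2_400_000, 1_000, 61_000),
    "vhost-b.example": Flow("192.0.2.10", "203.0.113.5", 51001, 443, 6, 355, 2_500_000, 70_000, 130_000),
}
SAMPLE_EXPORT = build_export(list(SAMPLE_SESSIONS.values()))

if __name__ == "__main__":
    for f in parse_export(SAMPLE_EXPORT):
        print(f, "-> server side:", server_key(f))
    print("distinct server keys:", len({server_key(f) for f in parse_export(SAMPLE_EXPORT)}))
    print("hostname bytes present in export:",
          any(h.encode() in SAMPLE_EXPORT for h in SAMPLE_SESSIONS))
    print("one day at 10k flows/s:", export_bytes_per_day(10_000) / 1e9, "GB of records")
```

Both sessions collapse to the single server key `('203.0.113.5', 443, 6)`; the only differences between the two records are the ephemeral source port, the byte counters and the timestamps, none of which says which virtual host was visited. The storage function is deliberately the lower bound: 48 bytes per record with no datagram headers, indexes or replication counted.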