A conference Cuban networking officials and informal networkers should attend -- meet MikroTik

MikroTik is manufacturer of wireless communication systems that ETECSA, the Ministry of Communication, schools, universities, Infomed, etc. should be aware of. They will have a chance to meet MikroTik at a full-day conference in Havana on January 15th. (The conference is free, but pre-registration is required).

I had never heard of MikroTik until they informed me of the upcoming conference. It turns out MikroTik is a Latvian company that has been making WiFi equipment since 1996 and, while they have some home and small office routers, their focus is on wireless ISP and industrial installations.

As shown below, they have world-wide distribution (they run conferences in 8 languages), but have focused much of their effort in developing nations:

MikroTik distributors -- in Havana one day?

After looking at some videos of past conferences and perusing their Web site, it is clear that MikroTik is an engineering-driven company and attendees can expect engineering and case-study content at the conference. Here are some of the presentations:

• Como evitar los ataques de seguridad más frecuentes
• Integracion de Mikrotik en la implementacion de WISP
• Ingenieria de Tráfico con Mikrotik
• Internet en alta mar - conectividad, seguridad y prevención de averías solucionados con Mikrotik
• Alimentacion autónoma y control de clima para equipamiento inalámbrico
• Estudio sobre pruebas de estrés en una red Wireless 802.11a/b/g/n

They do a lot of these conferences and archive videos of the presentations on YouTube. For example, here are the 12 presentations at their conference in Spain this year.

MikroTik conference in Madrid, October 2015

I began this post with a list of government organizations that might be interested in MikroTik, but this conference will also be of interest to the hobbyists and others who are working on informal local area networks and members of the Cuban tech startup community.

I have argued in a number of posts that Cuba should look for ways to introduce competition in the provision of Internet connectivity and software development, while remaining self sufficient. The same applies to the provision of equipment. From what I gather, it seems that Huawei is Cuba's dominant infrastructure equipment supplier -- the government and perhaps the informal networking community should take a look at MikroTik.

#IPBill Christmas Quiz

[Updated 1 January 2016 with answers at foot of page]

Now that everyone has sent in their submissions to the Joint Parliamentary Committee scrutinising the draft Investigatory Powers Bill, here is a little Christmas quiz to alleviate the withdrawal symptoms.

For most of the questions you need only study the draft Bill. One requires the Explanatory Notes. For one other you have to go slightly further afield. Answers may be indeterminate.

1. When is a person not a “person”? 
2. What is an internet communications service? 
3. How many times does ‘proportionate’ appear? 
4. How does generation of data differ from obtaining data by generation? 
5. What may identify an identifier? 
6. When might you have to grapple with the meaning of meaning? 
7. How many times is encryption mentioned? 
8. Can general be specific? 
9. Which two differently worded provisions describe the same thing? 
10. When is data not itself?

Answers

Q1.When is a person not a “person”?

In Part 2.

“Person” is defined in Clause 195(1) to include “an organisation and any association or combination of persons”. But that does not apply to Part 2 (dealing with targeted and thematic interception and other types of lawful authority for interception).

Q2. What is an internet communications service?

Anyone’s guess, as was the case with DRIPA and the CTSA 2015.

Clause 47(4)(b) of the draft Bill describes one of three grounds on which the authorities may access an internet connection record. It rests on the critical undefined term “internet communications service”, which is neither a legal nor a technical term of art. 

The Explanatory Notes (paras 120 and 122) give the impression that “internet communications service” might mean a human to human messaging service, such as e-mail or text messaging. In her statement to Parliament introducing the draft Bill the Home Secretary said that law enforcement would be able to access records about a “communications website”, but not a “mental health website, a medical website or even a news website”. But the Guide to Powers and Safeguards (para 46) mentions mapping services. If a mapping service would be included, where is the intended dividing line?

Q3. How many times does ‘proportionate’ appear?

Forty-eight.

Q4. How does generation of data differ from obtaining data by generation?

We know they must be different because Clause 71 (the data retention power) mentions both:

“The requirements or restrictions mentioned in subsection (7)(d) may, in particular, include … (b) requirements or restrictions in relation to the obtaining (whether by collection, generation or otherwise), generation or processing of— (i) data for retention …”. (emphasis added).

How do they differ? Hmm.

Q5. What may identify an identifier?

Communications data.

Clause 71(9) refers to “communications data which may be used to identify, or assist in identifying … (f) the internet protocol address, or other identifier, of any apparatus to which a communication is transmitted for the purpose of obtaining access to, or running, a computer file or computer program.” (emphasis added).

Clause 71(9) also tells us that “identifier” means an identifier used to facilitate the transmission of a communication.

Q6. When might you have to grapple with the meaning of meaning?

When considering what constitutes the content of a communication.

The definition of “content of a communication” (Clause 193(6)) refers to elements which reveal “anything of what might reasonably be expected to be the meaning of the communication”. We can perhaps see what this is getting at when considering a message that one human being has written to another; but what is meant by the ‘meaning’ of a machine to machine communication, or of the background exchanges between device and server that take place when we access a website? Do we have to consider what “meaning” means to a computer?

Q7. How many times is encryption mentioned?

By name, once (in Clause 169, oversight functions of the Investigatory Powers Commissioner).

In addition Clause 189 (technical capability notices) affects encryption. But similarly to the existing interception capability regulations made under RIPA the clause refers to removal of “removal of electronic protection applied by a relevant operator to any communications or data”.

Q8. Can general be specific?

The draft Bill (e.g. Clause 111(4)) says that the “specified operational purposes” stated in a warrant cannot merely recite the statutory purposes such as national security, but may still be general purposes. However the Home Office Guide to Powers and Safeguards refers throughout to a “specific” operational purpose.

Q9. Which two differently worded provisions describe the same thing?

Clauses 47(6) and 71(9)(f), apparently.

Clause 47(6) defines an “internet connection record”. According to the Explanatory Notes (paras 120 and 190) Clause 71(9)(f) also describes internet connection records. The two provisions are significantly different. 47(6) refers to data identifying a destination “telecommunications service” whereas 71(9)(f) refers to communications data identifying a destination “internet protocol address, or other identifier, of any apparatus”.

Q10. When is data not itself?

When it includes “any information which is not data” (Clause 195(1)).

Press coverage a year after we moved to restore relations with Cuba

Today marks a year since President Obama issued his statement on Cuba policy changes. (You can see a statement of our policy and his 15-minute speech announcing the day he announced the policy shift here).

It is also a year since Alan Gross was freed and he reflects upon his time in prison and US policy in this interview. You can read the complete interview, but here are a couple of things I picked up on:

• Gross has "absolutely no bitterness whatsoever toward the people of Cuba" -- he feels like they are his "family."
• He would visit Cuba "in a heartbeat" if the government would promise not to arrest him.
• He says normalizing relations between Cuba and the US will take years, both governments are working towards that end and "we need to be patient to see this relationship evolve."
• Gross considers the U.S. trade embargo "stupid" and "a complete failure."
• His broken teeth have been repaired and he has regained 40 of the 110 he lost while in prison.

If you'd like to read more, check out the posts I've written on the technology and politics of the Alan Gross case.

Alan Gross arriving home a year ago and today

Of course, Alan Gross is just part of the story. The most extensive Cuba coverage I have seen on the anniversary of our policy change is a week-long series of posts on Yahoo U. S. and Cuba, One Year Later.

The series features dozens of posts on various aspects of Cuban culture and the political situation. Most are human interest stories on tourism, fashion, baseball, etc., but the following are three Internet-related posts you might want to check out.

Cuba Unplugged: An Island Still Stuck in Airplane Mode -- a look at the public WiFi hotspots and the ways people are using them. There is nothing that would be new to readers of this blog, but the post is well written and accompanied by a short video and photos. My favorite snippet was this exchange between the interviewer and an about 65 year-old Cuban woman who uses Airbnb to rent rooms in her house:

“What if I told you that in America we use the Internet mostly to watch videos of cats?” There was a long awkward silence. “How terrible,” she said.

The 21st Century Is Coming to Cuba, One Hotspot at a Time -- an overview of the present state of the Cuban Internet and plans for expansion. It covers the WiFi hotspots, home connectivity plans, the presence of US companies in Cuba, early Internet-based efforts of American companies, Cuban tech startups, political and economic barriers to Cuban investment and modernization, etc. Again, nothing we have not covered on this blog, but well written for a general audience.

Despite obstacles, Instagram offers a new window into Cuba -- the way Cubans and, to a greater extent, expats are using Instagram to document life on the island. You can see a slide show here and there are links to the Instagram accounts of Cubans and foreign journalists and professional photographers. My favorite is the account of Havana-based Reuters photographer Desmond Boylan, but I'd recommend checking them all.

Strolling in Havana by Desmond Boylan

The series does not focus on the Internet, but the Internet figures in many of the stories. In general, this is timely news coverage of an important story a year after it began. The posts are not detailed or technical, but they are well written for a general audience -- like newspaper readers. (Remember newspapers)?

Cuban Internet infrastructure ownership and regulation alternatives

It is too soon and too simple to say that Google was turned away out of simple ETECSA greed.

I have suggested a number of things Google might do in Cuba, including providing Internet connectivity. Last summer it was widely reported that Google had offered free connectivity in Cuba, but the proposal was rejected, perhaps because of mistrust in Google or the US government.

Google has refused to share their proposal with me, but I have a guess as to what it may have been and, if my guess is correct, why it was rejected.

My guess is that they proposed a fiber backbone for Havana (and perhaps other cities) as part of their Project Link. Project Link is serving two metro areas in Uganda, including the capital, Kampala and is deploying fiber in three metro areas in Ghana, including the capital, Accra.

Meshed (i. e. reliable), open, wholesale Project Link fiber backbones

It is important to note that Google is not selling retail service, but providing capacity to competing Internet service providers and mobile operators. As African Internet pioneer Steve Song points out, the Ugandan service providers have come to trust in Google -- realizing that they are not competing at the retail level and that they are offering transparent, flat-rate pricing to all comers. It is noteworthy that Google is not subsidizing Project Link -- the backbones are self-sustaining.

Until now, the wholesale customers have been Internet service providers and mobile operators, but things became a bit more interesting earlier this month, when Google announced that they had deployed a wholesale WiFi network with 120 public access hotzones in Kampala and more to come. They have signed up their first retail WiFi provider Roke Telkom.

Google WiFi antenna on a Kampala rooftop, BBC News

The service is only a few days old (I could not find mention of it on the Roke Web site), but I found a first-impression review. The reviewer did not say how many people were online, but the speed was fairly low -- about 100 Kbps. On the other hand, the sign-up process was painlessly handled using his mobile phone and the key "feature" is Roke's flat rate prices: 29 cents per day, $1.44 per week or $5.17 per month.

Well, that is my guess as to what Google proposed -- now for my guess as to why Cuba declined the proposal.

I do not know what ETECSA charges for access to their Havana fiber (or how they price it internally for themselves), but I would be amazed if it were nearly as low as what Google is charging in Africa. But I do know what ETECSA is charging for WiFi access -- about $2 per hour. Two dollars would buy more than a week in Kampala and it would not be necessary to stand in lines or pay scalpers to purchase time.

(You can check out a two-minute BBC News clip on the Fiber backbone and WiFi deployment here).

I wish Google's proposal was rejected for reasons of political mistrust, because political trust is growing among the Cuban people and distrust will fade, but mistrust seems a less likely cause than fear of competition for ETECSA. As I've said, I do not understand ETECSA's ownership structure, but I have been assured that it is government controlled. If the Cuban government insists upon protecting ETECSA's profit and maximizing government revenue, Kampala will leave Havana in the dust.

But, it is too soon and too simple to say that Google was turned away because of ETECSA greed.

Kampala has a Google backbone, but it also has competing retailers and there are no competing retailers in Cuba. Attracting retailers to a Google backbone in Havana would require the sort of trust that has developed in Kampala. They would have to be convinced that everyone, including ETECSA retail, would be paying the same price. (I would expect ETECSA retail to do quite well in a competitive Cuban market -- they have assets, employees, Cuban experience, brand recognition, etc.).

It is a lot easier to dig trenches and light fiber than it is to attract retail competitors, and Google may have been rejected because their offer came too soon.

Cuba needs time to plan a very difficult transition in which the roles of ETECSA, national and municipal governments and wholesale and retail connectivity providers are considered. Perhaps they will ultimately decide upon a Kampala-like solution with Google and perhaps other wholesalers operating open, transparent backbones. Another model is that of Stockholm, where the municipal government operates Stockab, a successful, open, transparent backbone.

Stokab investment and return, millions of Swedish Kronor

Looking around the world, there are other possibilities. In Singapore, the government acts as a venture capitalist, investing in Internet service providers.

Of course, Cuba needs connectivity outside of Havana and the world has models for that as well. At least 450 small towns and cities in the US have municipal broadband networks with a variety of ownership and regulation policies -- could Cuba model their success? (Note that the states shown in red on the map below have legal barriers to municipal networks).

Interactive map showing over 450 wholesale and retail municipal networks

India has a much larger rural networking task than Cuba, but Cubans might also study India's national fiber network, which hopes to reach 250,000 rural villages and offer non-discriminatory access to all service providers.

If the Cuban government is serious about making a transition away from ETECSA's current wholesale/retail monopoly, they need to be working on an infrastructure ownership/regulation plan. We have seen a leaked executive summary of an infrastructure plan for the next five years, but it is not focused on future technologies or ownership and regulation policies and it was leaked, not openly developed by multiple stakeholders.

Cuba needs to consider alternative infrastructure ownership and regulation policies if they hope to achieve an affordable, modern Internet. Doing so will take political will and time. The time to start planning is now.

Beginning a discussion of Cuban Internet policy

Number of countries with broadband plans, source ITU

The policy research process, like the policy it produces, should be open and transparent.

Norges Rodriguez wrote a recent post surveying the historical causes of the sorry state of the Cuban Internet and calling for a digital revolution. At the end of that post, he promised a followup post suggesting steps to take on the road to Cuban connectivity.

He has now published the followup post. You should read Rodriguez' post, but here are a few points I took from it:

• He advocates competition and is wary of partnerships with Google or other large firms.
• ETECSA has an important role to play, but it must be re-defined -- a national monopoly on wholesale and retail service is clearly a bad idea. (Note that incumbent monopolies often prove to be strong competitors after markets are opened to competition).
• The government has a significant role to play in subsidising connectivity to public institutions and poor people, encouraging digital literacy, reducing the digital gap between rural and urban areas and creating content.
• Transparency in policy setting, enforcement and business is mandatory.

His post is not a plan, but a call to start the discussion. The road to connectivity is a long one and the time to start planning is now.

The starting point is setting infrastructure and application goals. Infrastructure goals are things like affordable fixed and mobile broadband, connectivity to homes and public buildings and high usage rates in rural and urban areas and by men and women. Application goals would focus on areas like health, education, industry, government and entertainment. (For an early definition of this sort of framework, in which Cuba is used as an example, see this article).

Infrastructure regulation and ownership policies are equally important. What should be the role of the national government, local governments, private cooperatives and companies, foreign investors and the owners of homes and other premises?

The bad news is that Cuba is late to the game, but the good news is that many other national and local governments have implemented a diverse array of infrastructure ownership strategies and Cuba can learn from their experience -- what works and what does not. Cuba is also free to adopt emerging technologies.

We have seen a leaked executive summary of an infrastructure plan for the next five years, but it is not focused on future technologies or ownership policies. Furthermore, it had to be leaked.

If Cuba wishes to jump to a modern Internet, policy research and planning should begin today. The policy research process, like the policy it produces, should be open and transparent. Norges Rodriguez has outlined several principles, but the government, ETECSA, universities and others must join the conversation.

-----

This post was translated into Spanish by a friend, Armando Camacho. (Scroll down for the Spanish version). It is on his blog, Carpe Diem, which covers the Internet and a lot more.

Alan Gross interviewed on Sixty Minutes

Alan Gross gave his first interview last night on CBS 60 Minutes. He spoke of his suffering in prison, his 20 years as a contractor installing communication equipment in 54 countries, and his surprise at not being quickly freed by the US Government. The segment also told of the key role played by Senator Patrick Leahy of Vermont in arranging for the prisoner swap that freed Gross and the effort of Alan's wife Judy, who worked tirelessly to keep the case in the public eye -- losing her house in the process.

I have said that the equipment Alan Gross actually brought to Cuba would have had no political impact if he had succeeded -- it would have been a drop in the bucket and a waste of US resources. As it turned out, it provided Cuba with a propaganda opportunity and a bargaining chip in negotiations with the US. I think Alan Gross agreed with me in his Sixty Minutes interview last night -- he described it as a "cockamamie" program.

That opinion was shared by senator Leahy who considered the effort "stupid" and "a disservice to all the men and women who work so well for our country with USAID around the world."

I share Gross's belief that "access to information is a right for everyone" and am happy to see him home. The best part of the interview for me was to see Gross smiling and relaxed with a sense of humor.

(You can see more background on the Alan Gross case here).

Alan Gross, before, during and near the end of his imprisonment

Alan and Judy Gross when he returned

Gross being greeted by Secretary of State Kerry

Smiling and relaxed on Sixty Minutes

NY Times editorial on the Internet in Cuba

The New York Times has published an editorial call to "bring Cuba online." they say "millions of Cuban citizens could have affordable access to the Internet in a matter of months" if only the government were willing to allow Google to go forward with a Project Link installation or invite companies to bid on mobile licenses, as was done in Myanmar.

I appreciate their goal, but there are stumbling blocks and problems with their proposal.

Google made an unspecified proposal to build Internet infrastructure in Cuba, but some in the Cuban government did not trust Google's representatives. The Times suggests Google's Project Link, which has been implemented in Kampala and Accra, as a model, but Project Project Link only provides a wholesale fiber backbone in a city, not national, retail coverage -- and it would take more than a few months to implement.

The editorial also ignores the interests of ETECSA, the Cuban telecommunication monopoly. If ETECSA's goal is to maximize profit or government revenue, Cuba will fall short of the vision of the Times. (I speak from the experience of being a customer of a monopoly Internet service provider, Time Warner Cable).

They also overlook Cuban commitments to and history of doing business with Chinese telecommunication firms.

Even if the government were willing, inviting in Google or accepting Myanmar-like bids for mobile licenses, would limit Cuban technology and, more important, policy choices. Cuba has an opportunity to leapfrog technology and implement policies that will benefit the Cuban people.

I am not optimistic that that will happen, but it is possible that after 2018, when Raúl Castro has retired and the Cuban economy has improved, Cuba will have the funds and will to implement a uniquely Cuban, modern Internet.

-----
Update 12/9/2015

Norges C. Rodríguez Almiñán has written a thoughtful blog post, inspired by this New York Times editorial.

He starts by surveying Cuba's history of the supression of free expression and communication technology and recalls Cuba-US conflicts from the Bay of Pigs to ZunZuneo with events like the Cuban Missle Crisis and downed aircraft in between. There are bad deeds all around.

In spite of this, we have December 17th, progress is being made and Rodríguez says it is time for Cuba's digital revolution. Better yet, he promises that in his next post he will suggest steps to take on the road to Cuban connectivity -- I can't wait to read it!

Never mind Internet Connection Records, what about Relevant Communications Data?

It was always a good bet that the draft Investigatory Powers Bill would broaden data retention obligations to cover more categories of communications data. That was at the core of the Communications Data Bill, blocked in 2012 during the Coalition government and vowed after the May 2015 election to be resurrected.

The draft Bill has duly delivered, accompanied by a blizzard of commentary about the propriety of forcing communications service providers to retain users’ browsing histories.

But what exactly are the categories of data that communications providers could be made to keep? The Home Office has coined the label ‘internet connection records’ to describe the new datatypes that it plans should be retained for up to 12 months. These records, it stresses, could include websites and services visited but not individual pages or other content. This is in line with what the Home Office had previously said to the Anderson Review about ‘weblog data’ (the then current jargon for browsing histories).

Internet connection records and the proposed restrictions on accessing them (clause 47 of the draft Bill) have become a lightning rod for the ensuing discussion: not just the rights and wrongs of requiring browsing data to be retained, but whether internet connection records as defined in the draft Bill can be matched to real categories of data processed by service providers.

The focus on internet connection records is understandable. The Home Office’s Guide to the powers in the draft Bill focuses on internet connection records.  The estimated cost increase in the Data Retention Impact Assessment mentions only internet connection records as a new category of retained data.

However the draft Bill casts the retention net wider than just internet connection records. Clause 71 of the Bill would empower the Home Office to issue retention notices covering six categories of what the draft Bill calls ‘relevant communications data’.  

According to the draft Bill’s Explanatory Notes, one of those six categories (71(9)(f)) corresponds to internet connection records. That leaves five categories which, on the face of them, seem to go wider than the existing data retention categories under the Data Retention and Investigatory Powers Act 2014 (DRIPA) as amended by the Counter Terrorism and Security Act 2015 (CTSA).

For internet communications the current DRIPA data retention categories cover internet access services, internet e-mail and internet telephony. Those categories replicate the 2009 Data Retention Regulations, which implemented the now invalidated EU Data Retention Directive.  The CTSA extended DRIPA to include so-called IP address resolution data. 

We can get an idea of the scope of ‘relevant communications data’ by appreciating that it covers any type of communication on a network, expressly including communications where the sender or recipient is not a human being. This sweeps up not only background interactions that smartphone apps make automatically with their supplier servers, but probably the entire internet of things. 

The type of data about these communications that could be required to be retained goes beyond the relatively familiar sender, recipient, time and location information to data such as the ‘type, method or pattern’ of communication (clause 71(9)(c)). ‘Data’ is defined to include ‘any information which is not data’ (clause 195(1)).

In another departure from existing retention laws, providers could be required to generate data specifically for retention (71(8)(b)(i)). At present they can only be required to keep data that they already generate or process in the course of providing their service.

Another change from existing law is that retention notices could be given to any kind of telecommunications operator, not just those providing services to the public as under the existing legislation. Finally, providers could be given a notice requiring them to install specific technical capabilities to support communication data access and retention requirements.

Although the current Home Office Guide and the Impact Assessment talk only about retention of internet connection records by public telecommunication service providers, that would not prevent future changes of policy whereby broader retention notices could be served on a wider variety of communications service providers.  There is no obvious mechanism to bring a change of policy to the attention of the public, since service providers would be obliged not to disclose to anyone else the existence and contents of a retention notice.

All this suggests that it is fairly important to understand what ‘relevant communications data’ might consist of.  That requires an informed conversation between legislators, lawyers and technical experts. As a discussion aid, here is my map of the 14 interlinked definitions that go to make it up. 

And here are the 14 definitions. Where a definition uses another defined term I have italicised it for ease of reference.  

“relevant communications data” means communications data which may be used to identify, or assist in identifying, any of the following—

(a) the sender or recipient of a communication (whether or not a person),

(b) the time or duration of a communication,

(c) the type, method or pattern, or fact, of communication,

(d) the telecommunication system (or any part of it) from, to or through which, or by means of which, a communicationis or may be transmitted,

(e) the location of any such system, or

(f) the internet protocol address, or other identifier, of any apparatus to which a communication is transmitted for the purpose of obtaining access to, or running, a computer file or computer program.

In this subsection “identifier” means an identifier used to facilitate the transmission of a communication.

“Telecommunication system” means a system (including the apparatuscomprised in it) that exists (whether wholly or partly in the United Kingdom or elsewhere) for the purpose of facilitating the transmission of communications by any means involving the use of electrical or electromagnetic energy.

“person” (other than in Part 2) includes an organisation and any association or combination of persons,

“Communications data”, in relation to a telecommunications operator, telecommunications serviceor telecommunication system, means entity data or events data—

(a) which is (or is to be or is capable of being) held or obtained by, or on behalf of, a telecommunications operator and—

(i) is about an entity to which a telecommunications service is provided and relates to the provision of the service,

(ii) is comprised in, included as part of, attached to or logically associated with a communication (whether by the sender or otherwise) for the purposes of a telecommunication system by means of which the communication is being or may be transmitted, or

(iii) does not fall within sub-paragraph (i) or (ii) but does relate to the use of a telecommunications service or a telecommunication system,

(b) which is available directly from a telecommunication system and falls within sub-paragraph (i), (ii) or (iii) of paragraph (a), or

(c) which—

(i) is (or is to be or is capable of being) held or obtained by, or on behalf of, a telecommunications operator,

(ii) is about the architecture of a telecommunication system, and

(iii) is not about a specific person,

but does not include the content of a communication.

“Communication”, in relation to a telecommunications operator, telecommunications serviceor telecommunication system, includes—

(a) anything comprising speech, music, sounds, visual images or dataof any description, and

(b) signals serving either for the impartation of anything between persons, between a person and a thing or between things or for the actuation or control of any apparatus.

“apparatus” includes any equipment, machinery or device (whether physical or logical) and any wire or cable,

“Telecommunications operator” means a person who—

(a) offers or provides a telecommunications service to persons in the United Kingdom, or

(b) controls or provides a telecommunication system which is (wholly or partly)—

(i) in the United Kingdom, or

(ii) controlled from the United Kingdom.

“Telecommunications service” means any service that consists in the provision of access to, and of facilities for making use of, any telecommunication system (whether or not one provided by the person providing the service).

“Entity data” means any data which—

(a) is about—

(i) an entity,

(ii) an association between a telecommunications service and an entity, or

(iii) an association between any part of a telecommunication systemand an entity,

(b) consists of, or includes, data which identifies or describes the entity (whether or not by reference to the entity’s location), and

(c) is not events data.

“Events data” means any datawhich identifies or describes an event (whether or not by reference to its location) on, in or by means of a telecommunication system where the event consists of one or more entities engaging in a specific activity at a specific time.

“Entity” means a person or thing.

The content of a communication is the elements of the communication, and any data attached to or logically associated with the communication, which reveal anything of what might reasonably be expected to be the meaning of the communication but—

(a) anything in the context of web browsing which identifies the telecommunications service concerned is not content, and

(b) any meaning arising from the fact of the communication or from any data relating to the transmission of the communication is to be disregarded.

“data” includes any information which is not data.

Cuban Internet interruptions

Is there a connection between Cuba's email interruption and access to the Reflejos blogs?

Cuban email has been interrupted and colleague Doug Madory discovered that access to Cuba's Reflejos blogs at is inconsistent. One can access the Reflejos home page, but some links work and others do not. For example, try these permalinks:

http://internet1.cubava.cu/2015/11/19/internet-en-cuba-porque-estamos-desconectados/

http://alejandro13.cubava.cu/2015/10/14/he-sido-hackeado-el-proyecto-que-promete-conocer-si-tu-email-se-ha-visto-comprometido/

or the blog home pages: http://internet1.cubava.cu and http://alejandro13.cubava.cu

The connections to these requests are inconsistent. Sometimes they work and others not. When they fail, they do not time out, they just take forever, so a handshake must at least be made.

Does that suggest some sort of flooding DoS attack? Do these problems have a common cause?

-----
Update 11/21/2015

The Reflejos blogs seem to be working again, but I've not seen an update on Nauta email.

-----
Update 12/1/2015

I've been told that Nauta email is only working on the WiFi network from 7am to 11pm and it will not work in the Nauta rooms.

From Oversight to Insight - Hidden Surveillance Law Interpretations

The focus of my posts on RIPA, DRIPA and now the Investigatory Powers Bill has been on the scope and extent of the powers – what exactly they enable law enforcement and the agencies to do – rather than on oversight and safeguards, important though those are.

One aspect of oversight, however, bears directly on the scope of the surveillance powers granted by legislation. It relates to an issue that has perhaps not received as much attention in the UK as it has in the USA: secret interpretations of the law.

The problem arose in the USA partly as a result of the secret FISA court system. Controversial previously secret interpretations of the law came to light following the Snowden disclosures. This led to, for instance, the Electronic Frontier Foundation's Secret Law is Not Law campaign.

We have a similar problem on this side of the Atlantic. Here, though, it is about interpretations conceived and acted upon by government without any court involvement.

The clearest example to date is the government’s interpretation of ‘external communications’ under RIPA. This was revealed by senior Home Office official Charles Farr in a witness statement filed in the Investigatory Powers Tribunal case brought by Liberty and others. The background is that GCHQ can intercept in bulk if its objective is to intercept external communications. So the meaning of 'external communications' is significant. The Home Office interpretation was controversial. It also had implications for who (or what) could be regarded as a sender or intended recipient of a communication, a foundational building block of RIPA. (See further paragraphs 6.52 and 12.25 of the Anderson Report ‘A Question of Trust’ and paragraphs 31 to 54 of my submission to Anderson.)

The Home Office’s interpretation, which underpinned the agencies’ operations under RIPA S.8(4) warrants, would not have seen the light of day had the NGOs not brought the IPT legal challenge. That occurred because of the Snowden disclosures. The interpretation was a significant, but previously hidden, aspect of the law under which the agencies were operating.

Another example was The Data Retention and Investigatory Powers Act (DRIPA), rushed through Parliament in four days in July 2014. The Home Office argued that amendments to RIPA’s territoriality provisions and to the definition of telecommunications services did no more than reflect what the legislation had always meant. The claim was untestable, since the public had no way of knowing how the Home Office might have interpreted the provisions either in the minds of its officials or in its previous dealings with communications service providers.

A similar issue is boiling up over the effect on end to end encryption of the Investigatory Powers Bill. The Home Office says, with some justification (although a debate is taking place around possible knock-on effects of other changes), that the draft Bill mirrors existing law. Clause 189(4)(c) of the draft Bill is very similar to paragraph 10 of the Schedule to the 2002 Maintenance of Interception Capability Order. On the face of it neither affects end to end encryption where the protection is applied not by the service provider but by the user. However the public is in no position to know whether the Home Office has adopted some other interpretation or, if so, whether it might be as open to debate as its view of external communications.

The Investigatory Powers Bill provides an opportunity to ensure that the proposed new oversight body proactively seeks out and brings to public attention material legal interpretations on the basis of which powers are exercised or asserted. Service providers might also be able to bring a legal interpretation asserted against them to the attention of the oversight body. This may be all the more necessary in the light of the new disclosure offences built into the draft Bill.

Such mechanisms would enable material legal interpretations to be publicly debated and if appropriate challenged. None of this would require to be made public any legal advice that the government had received, nor any factual matters that should properly remain secret, but only the substance of the legal interpretations themselves.

This could be an important protection against the possibility of groupthink, the tendency for members of a closed group to convince themselves of the rightness of a consensus position and to resist contrary views. It would contribute to the new standards for openness, transparency and oversight that the government has promised in the new legislation. Most fundamentally, by providing not only oversight but insight it would help to satisfy the basic rule of law tenet that the law should be foreseeable and accessible.

[Amended 7 pm 9 November 2015 to include reference to possible knock-on effects of other changes on end to end encryption]

ETECSA will sell -- and service -- Huawei phones.

ETECSA has agreed to sell and service Huawei phones. Since Cuban cell service is 2G, they will be used for voice calls and Internet access at WiFi hotspots and elsewhere. (I have heard that there is a little 3G coverage in Cuba -- is that the case)?

Javier Villariño, Huawei’s director of sales in Cuba, said the phones would “improve the voice quality and data services offered by ETECSA." Perhaps more important, he said Etecsa would be able to distribute spare parts and accessories, and train repair staff. That sounds like ETECSA will be competing with independent, self-employed phone repair people.

Since I am a customer (victim) of a mobile access oligopoly and a fixed access monopoly (Sprint and Time Warner Cable), that sounds ominous to me.

Photos of the phones are shown below -- does anyone recognize them or know their specs?

China has dominated the Cuban Internet infrastructure market in recent years and Chinese exports to Cuba are increasing in all sectors, reaching $1.33 billion in the first three quarters of this year, up by 82.4 percent. On the other hand, Cuban exports to China have dropped, due to a decrease in the production of nickel, which is the country's principal export. Over 40 Chinese companies participated in the 33rd Havana International Fair, which ends today.

Prediction and Verdict - the draft Investigatory Powers Bill

Two months ago I took a shot at predicting what might be in the draft Investigatory Powers Bill. It will replace a confusing patchwork of surveillance and interception legislation centred on RIPA, the Regulation of Investigatory Powers Act 2000. 

I was particularly intrigued by how much of the old draft Communications Data Bill (CDB, or the Snoopers' Charter, blocked by the Liberal Democrats in 2012) might make it through into the new legislation. Today, following a blizzard of leaks and unofficial briefings over the past couple of weeks, the draft Bill has been published along with a mountain of explanatory papers and impact assessments, only some of which I have been able to read at this stage.

Here's an initial impression of how the draft Bill pans out against my predictions. More to come in time as the detail sinks in. As relatively instant comment, some of this may have to be refined or corrected as the light slowly dawns.  And there are many important points that I haven't touched on. The Home Office Guide to Powers and Safeguards is a reasonable place to start to get an overview.  

The 'What is it?' and 'Prediction' sections are as in my original piece. The rest is new.

GCHQ’s bulk interception warrant

What is it? The bulk interception warrant under Section 8(4)of RIPA. These warrants authorise GCHQ’s TEMPORA programme of tapping into transatlantic fibre optic cables, one of the most significant Snowden disclosures.  

Prediction: Bulk warrantry powers to stay, perhaps significantly modified.

Verdict: Still here, but with some changes. There is a new power to extract and examine communications data derived from bulk intercepted content (S.106(8) and see Explanatory Notes 271 to 275). 

The overall objective of a bulk interception warrant must be to intercept communications 'sent by individuals' or 'received by individuals' outside the British Islands. This is a new approach in place of the much criticised RIPA distinction between internal and external communications.

Devil in the detail:

Is it clearer than RIPA? Yes, but some similar nuanced pathways through the legislation remain.

Specific objectives for bulk interception warrants? (This was an Anderson recommendation.) Yes, sort of. S.111(3) says: "A bulk interception warrant must specify the operational purposes for which any intercepted material or related communications data obtained under the warrant may be selected for examination."  S111(4) tells us how specific (or not) those purposes have to be: "it is not sufficient simply to use the descriptions contained in section 107(1)(b) or (2) [e.g. 'national security'] , but the purposes may still be general purposes.".

Tighter constraints on searching for communications of persons within British Islands? Looks very similar to RIPA.

Is there a tighter framework for searching captured related communications data? Under RIPA most of the limitations on searching the content of bulk intercepted communications do not apply to related communications data. Related communications data can currently be scooped up alongside both external (at least one end outside British Islands) and collaterally acquired internal (British Isles to British Isles) communications.

In substance this is all retained in the draft Bill. Additionally, related communications data can now include content-derived communications data. The new Bill provides that selection must be necessary and proportionate and examination must be only so far as necessary for the operational purposes.

Prior judicial or quasi-judicial authorisation? See below.

Tighter limits in who can apply for a bulk warrant? Limited to the security and intelligence agencies, for specified purposes that must always include national security.

Background on RIPA bulk interception warrants here.

Broad Ministerial powers

What is it? A wide statutory power in Clause 1 of the draft CDB allowing Secretary of State to make regulations under which she could give notices to CSPs to generate, obtain and disclose communications data and to install designated equipment for that purpose.

Prediction: Increased specificity, but government will still want a method of future-proofing.

Verdict: Nothing like as vague as CDB, though the power to give retention notices to CSPs appears to have a significant element of future-proofing built in. The draft Bill also includes a major expansion of the powers to require service providers (extended to include non-public service providers) to install specified technical capabilities, allied to most of the new warrants and communications data acquisition powers (see S.189). At present RIPA only provides this power for interception warrants and for large public service providers.

Background on future-proofing here.

Browsing histories

What is it? Extension of current data retention powers so as to require storage of browsing histories (alias weblog data). This was one of the most contentious aspects of the draft Communications Data Bill. It is like keeping a list, which the authorities could demand to inspect, of all the books, newspapers and magazines that you have read in the last year.  Weblog data probably excludes web addresses (URLs) ‘after the first slash’. That is like listing a book, but not every page within it.

Prediction: Bank on this one coming back in some form.

Verdict: It's back, rebadged as 'internet connection records'. For which read everywhere you go at site or service level on the internet, but not individual pages. Part of a significant extension of DRIPA's data retention provisions.

Is this like a universal CCTV system recording when you go outside your front door and visit the bank and the shops? Or is it like a spybot in your home noting which books you read? Or is it something else? One thing is certain: we can't simply analogise this to keeping a log of which telephone number you called, where and when. This is a record of how we live our digital lives.

It is important to separate the scope of retention from the power to access. Access to this category of data will be more tightly restricted than for other communications data. Local authorities will have no access. The draft Bill sets out specific purposes for which public authorities can demand access to this category of communications data or make a demand that requires it to be processed (s.47(4)). 

The Home Secretary has (very) broadly paraphrased this restriction as 'determining whether someone had accessed a communications website, an illegal website or to resolve an IP address'. Regrettably there is no substitute for quoting the section:

"to identify—

(a) which person or apparatus is using an internet service where—

(i) the service and time of use are already known, but

(ii) the identity of the person or apparatus using the service is not known,

(b) which internet communications service is being used, and when and

how it is being used, by a person or apparatus whose identity is already known, or

(c) where or when a person or apparatus whose identity is already known is obtaining access to, or running, a computer file or computer program which wholly or mainly involves making available, or acquiring, material whose possession is a crime."

  

Like most requests for standard communications data under RIPA, requests for 'ICR' will not require judicial approval. They are authorised through Designated Persons within the public authorities, who are internally independent from the investigation in question.

The existing, narrower, data retention provisions of DRIPA have been challenged in court by MPs David Davis and Tom Watson and questions are being referred to the European Court of Justice. 

Devil in the detail:

David Anderson said that no detailed proposal should be put forward until a sufficiently compelling operational case had been made out and a rigorous assessment conducted of the lawfulness, likely effectiveness, intrusiveness and cost of requiring weblog data to be retained. The Home Office has now published an 'Operational Case for the Retention of Internet Connection Records'. This will repay careful scrutiny.

Background on weblog data retention here.

Digital footprints

What is it? Retention of the geolocation data that, thanks to our smartphones and tablets, we leave like a breadcrumb trail behind us.  The Annex to the CDB Explanatory Note explained that Communications data “includes information identifying the location of equipment when a communication is or has been made or received (such as the location of a mobile phone)”. A phone call, text, software update, e-mail check, news feed update, an app checking in to its provider are all communications and they happen all the time. Each could have precise GPS or Wi-Fi location data associated with it. 

Prediction: Probable.

Verdict: Yes, falls within relevant communications data that may be required to be retained. S.71(9) is explicit that the sender or recipient does not need to be a person, and that relevant communications data includes data identifying the location of any telecommunication system by means of which a communication is transmitted. Location of that system is one of the categories of data that the Secretary of State can order to be retained.

Data generation by decree

What is it? The Home Office would be able to order CSPs to generate communications data for the benefit of the authorities.  At the moment CSPs can only be made to retain data that they already generate or process in the UK. Think about that list of books, newspapers and magazines in the weblog data section (above). You don’t ordinarily keep a list? This is like compelling you to make one.

Prediction: Data generation to reappear.

Verdict: Yes, as predicted (S.71(8)). A significant change.

Background on compelled data generation here.

Boundary between communications data and content

What is it? On the one side we have email addresses, user IDs, IP addresses, domains, and the like.  On the other side content (including URLs beyond the first slash). Public authorities have far readier access to communications data than to content.  There are also sub-divisions of communications data (traffic data, service use data, subscriber data) that under RIPA affect the conduct that is classified as interception. The powers of public authorities to demand access to communications data vary depending on the type of communications data.

Privacy advocates question the historic assumption that content is necessarily more sensitive than communications data. Changes to the dividing line would have an impact on the data that the authorities could request and a knock-on effect on the scope of communications data retention.  

Prediction: Government will continue to maintain that communications data is less sensitive than content. Possible clarification of the boundary in areas of uncertainty such as social media and revision of communications data categories.

Verdict: The definition of communications data has been revised to cover 'entity' and 'events' data. There is also now a definition of the content of a communication, where RIPA had none.

Devil in the detail:

Requires application of a wet towel before commenting on whether anything has changed significantly.

Background on the existing RIPA content/communications data boundary here.

Third party data collection

What is it? A scheme that would enable the Home Office to require CSPs to collect and retain communications data from foreign services transiting their pipes.  This was part of the CDB.

Prediction:  Anyone's guess.

Verdict: Out.

More on third party data collection here.

Request filter

What is it? A plan for a system enabling authorities to search across communications  data collections retained by multiple CSPs.  Another part of the CDB.

Prediction:  Anyone’s guess.

Verdict: In.

Background on request filter here.

Judicial authorisation

What is it? Interception warrants in the UK are authorised by a Minister, not by an independent judicial or quasi-judicial body.  This has always been a bone of contention for civil liberties advocates.  Most demands to access communications data are authorised internally by the requesting authorities themselves.

Prediction: In the balance. The government may prefer to retain Ministerial control over warrants. But if it wants the new interception warrants regime to be legally bullet proof, the prudent course would be to go with a scheme for judicial or quasi-judicial approval of interception warrants.  Separately it has to decide how to deal with the regime for communications data demands following the Davis/Watson decision.

Verdict:  Generally the government is proposing a two tier system of Ministerial sign-off of warrants followed by an approval process undertaken by new judicial commissioners before the warrant can take effect (but retrospective in urgent cases).  They would review a decision to issue a warrant to the 'judicial review' standard rather than a de novo reevaluation of the merits.

Some other significant highlights that I didn't cover in my original predictions:

Section 94 Telecommunications Act 1984

What is it? The most mysterious existing power of all, enabling Secretaries of State to give national security directions to telecommunications companies.  Now there will be a 'national security notice' power spelled out in greater detail (S.188).

Extraterritoriality

What is it? RIPA always applied in general terms to telecommunications services provided to the UK from abroad. What wasn't so clear was whether interception warrants, interception capability notices and communications data acquisition notices could require conduct outside the UK, could apply to non-UK providers or how (if at all) they could validly be served on a non-UK provider. DRIPA fixed that. It didn't do the same for communications data retention notices, but which in any case could only require retention of data generated or processed within the UK.

Verdict: Extraterritoriality will apply to targeted interception warrants and mutual assistance warrants (S.29(4)); communications data acquisition notices (S.69(3)); targeted equipment interference warrants (S.99(3)); bulk interception warrants (S.116(3)); bulk acquisition warrants (S.130(3)); bulk equipment interference warrants (S.145(3)); technical capability notices (S.189(8)).

Non-UK operators can rely on a conflict of non-UK law defence in some of these cases: (S.31(5), S.69(4)). A technical capability notice is enforceable against someone outside the UK only if it relates to a targeted interception or mutual assistance warrant, a bulk interception warrant or a communications data acquisition notice or authorisation (S.190(10)).

Communications data retention notices can also be extra-territorial (S.79(1)). However while operators generally have a duty to comply with a notice, if a notice relates to "conduct or persons outside the United Kingdom" the duty is only to "have regard to the requirement or restriction".  (S.79(2))

Computer Network Exploitation (CNE) 

What is it? Official hacking.

Verdict: Warrantry powers formalised in the draft Bill. No surprise at all. Existing general powers were on shaky legal ground and had to be made more transparent. Both targeted and bulk equipment interference warrants are provided.

[Updated 5 November 2015 to add technical capability notices to Extraterritoriality section; section on Broad Ministerial Powers updated 6 November 2015 to add future proofing of retention notices and extension of technical capability notices to non-public service providers (h/t to @neil_neilzone for spotting the latter).]