Lately, the web has been buzzing with opposition to the French government’s bill, news of which can be followed on Twitter under the hashtag #PJLRenseignement. The bill would require hosting providers and Internet service providers (hereafter ISPs) to be equipped with a “black box” able to retain all of the citizens’ digital communications, at any time.
As we said in our two previous articles, this project will be ineffective, dangerous for the French digital economy and very complex to set up.
Moreover, as Benjamin Franklin said, “Any society that would give up a little liberty to gain a little security will deserve neither and lose both”.
Incidentally, this massive violation of the freedom of communication and of the right to communicate in private reminds us of what many political regimes put in place to control their populations, with the consequences that followed. Besides, quite recently, several wiretapping cases whose legality was contested made the news and kept the courts busy.
To be clear, nobody here supports terrorism. We are willing to help the justice system and we want hosting providers to be included in the process. Systematic tapping, however, is not a viable or acceptable solution. And the installation of “ghost”, “wild” equipment that the hosting provider cannot control puts its business and the security of its clients in jeopardy.
The main obstacles we identify are:
- The automatic, unselective approach to tapping operations
- The absence of judges from the process of authorizing a tap
- The installation, within a trusted network, of uncontrolled devices and equipment whose security level is unknown and which are installed by a third party
- The huge cost of the operation, for a useless result
Besides, the secrecy of correspondence and the right to private life are set out in the French Civil Code (articles 9 and 10) and are very clearly protected by Article 8 of the European Convention on Human Rights. The project, as it is presented today, comes very close to violating these articles.
Criticizing without offering a solution is not our habit, so we would like to put forward a counter-proposal that would resolve these key points.
A more realistic, secure and less expensive technical solution
Telephone operators already have an established, non-intrusive process for tapping a phone number once a warrant has been issued. They themselves installed “legal interception equipment” on their own infrastructure. At the request of the justice system, this equipment makes it possible either to pass the telephone data flow through directly or to make regular copies of it, and to send them to the entity responsible for analyzing the data. We propose adopting the same method and the same type of process for hosting companies, as part of the Intelligence Bill.
A solution of this type can be set up in record time while limiting material, human and budgetary investment.
- Redirecting a data flow, or copying it in order to hand it over to an external entity, does not require new equipment. Configuring the firewalls or routers would be enough. For the most part, hosting providers already own equipment that supports this configuration, so there is little or no material investment.
- This configuration can come down to a few lines of code. R&D would therefore be almost nonexistent and testing time very short, so the human investment is very limited.
- The technical deployment is very quick and can happen in a few days. The equipment would be provided, installed, controlled and maintained by the hosting provider or the ISP, so there is no financial investment from the State.
- Access to the datacenter would remain exclusively with the hosting provider or the ISP, so a high level of security is upheld.
- The hosting provider can thus guarantee that only metadata is sent, which preserves the trust of French and foreign actors.
- Standards such as PCI/DSS would be maintained, which preserves French expertise in e-commerce security.
- The integrity of the data and the level of security will still be handled and controlled by French digital actors, without any need to consider offshoring, which guarantees French expertise in security and integrity.
The barriers to setting it up
The only elements that will be “problematic” and will take longer to put in place concern the “administrative” and “accreditation” side:
- A choice of the entity that will receive the data
Debates will open, and large organizations and companies, multinational today, will certainly fight to obtain this accreditation and official recognition. This mainly political choice belongs entirely to the government.
It is important, in this antiterrorist bill, to plan for secure transmissions with no breach or vulnerability that could be exploited by international attackers. France has the benefit of having security specialists (white hats) on its territory, such as the experts working for companies like NBS System, HSC or Intrinsec (the list is not exhaustive). The government could consult these experts and use their skills to establish a viable and secure protocol.
- A procedure involving judges
As Marc Trévidic (antiterrorist judge) said in an article published in the French newspaper L’Express on March 19th, 2015: “let us not lie to the French people by presenting this project as an antiterrorist law. It opens the way to the spread of intrusive methods, outside the control of judiciary judges, however guarantors of individual freedoms in our country”. It is indeed important for judges to be involved in the process of authorizing a tap. A new protocol could be created that would simplify the procedure and empower judges to issue, more quickly (within a few hours), a warrant for the digital tapping of a source or destination IP.
- A warrant clarifying the conditions and obligations of hosting companies or ISPs
This warrant will have to impose very well-defined terms on the hosting provider or the ISP: the sending or receiving IP addresses to tap, the legal response time (reduced to a few hours), the frequency at which data is sent or a constant copy of the network flow of the tapped IP address, the period covered, the official entity that should receive the elements, etc.
- A certification process ensuring the good faith of hosting providers and ISPs
In order to be certain that hosting providers and ISPs do not send false information or withhold data, the government could take inspiration from the way the ARJEL (the French online gambling regulation authority) works. The State would thus have to recognize and qualify a few companies that it trusts, which would act as intermediaries and certify the good faith of hosting providers and ISPs. They will make sure that the hosting provider or the ISP has the skills and tools needed to hand the data over, and that it has put the right internal processes in place so that nothing is left to chance. This will allow the State to be sure of the integrity and completeness of the data received. On top of that, the government can reserve the right to carry out “surprise visits”, within reason, at the premises of hosting providers or ISPs, as well as to audit the work of the chosen certifying companies.
This solution achieves the surveillance objective while filtering only what is necessary. Systematically bringing judges back into the requests would keep the integrity of the digital actors and of the French judicial system intact. This solution would not impact the production environments of digital actors, and would avoid many financial, human and material investments that are not needed to reach the primary objective of the Intelligence Bill.
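As an added illustration (not code from NBS System or from any operator), the example below shows how the terms of a warrant could drive the selection described above: only flows involving a warranted IP address during the warrant's validity period are exported, and only their metadata. The `Warrant` fields, the flow-record schema, the warrant reference and all sample values are assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address

# Assumed flow-record schema: these fields describe a flow, not its content.
METADATA_FIELDS = ("ts", "src", "dst", "proto", "dport", "bytes")

@dataclass(frozen=True)
class Warrant:
    reference: str         # placeholder identifier, not a real format
    target_ips: frozenset  # source or destination IPs named in the warrant
    valid_from: datetime   # start of the period covered
    valid_until: datetime  # end of the period covered (exclusive)
    recipient: str         # accredited entity designated to receive the data

def in_scope(flow, warrant):
    """True only if the flow involves a warranted IP inside the validity period."""
    ts = datetime.fromisoformat(flow["ts"])
    if not (warrant.valid_from <= ts < warrant.valid_until):
        return False
    return bool({ip_address(flow["src"]), ip_address(flow["dst"])} & warrant.target_ips)

def export_metadata(flows, warrant):
    """Select in-scope flows and keep metadata fields only; payload is never copied."""
    return [
        {"warrant": warrant.reference, "recipient": warrant.recipient,
         **{key: flow[key] for key in METADATA_FIELDS}}
        for flow in flows if in_scope(flow, warrant)
    ]

# Constructed sample data (documentation address ranges, invented values).
WARRANT = Warrant(
    reference="WARRANT-PLACEHOLDER-001",
    target_ips=frozenset({ip_address("203.0.113.10")}),
    valid_from=datetime.fromisoformat("2015-04-01T00:00:00+00:00"),
    valid_until=datetime.fromisoformat("2015-04-08T00:00:00+00:00"),
    recipient="accredited-entity.example",
)
FLOWS = [
    {"ts": "2015-04-02T10:00:00+00:00", "src": "198.51.100.7", "dst": "203.0.113.10", "proto": "tcp", "dport": 443, "bytes": 5120, "payload": "..."},  # in scope
    {"ts": "2015-04-02T10:00:05+00:00", "src": "198.51.100.8", "dst": "203.0.113.20", "proto": "tcp", "dport": 443, "bytes": 900, "payload": "..."},  # other client, no warrant
    {"ts": "2015-04-09T09:00:00+00:00", "src": "203.0.113.10", "dst": "192.0.2.44", "proto": "tcp", "dport": 25, "bytes": 300, "payload": "..."},  # warrant expired
    {"ts": "2015-04-03T12:00:00+00:00", "src": "203.0.113.10", "dst": "192.0.2.44", "proto": "udp", "dport": 53, "bytes": 84, "payload": "..."},  # in scope
]

if __name__ == "__main__":
    for record in export_metadata(FLOWS, WARRANT):
        print(record)
```

Traffic of clients not named in the warrant, and traffic outside the validity period, never leaves the provider's infrastructure in this model.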
By writing this article, NBS System wishes to contribute to putting a new antiterrorist system in place without falling into the trap of mass surveillance.
Read our other articles about the subject:
– French hosting providers are opposed to the “Black Box” project of the French Intelligence Law
– Why the « Intelligence Bill » or « Black Box » project is technically unrealistic