04.14_PJLRenseignementThe French Intelligence Bill project that is being debated since Monday, April 13th, 2015, offers an automatic and global tapping at the network level of Internet service providers and hosting providers, through the use of a “black box”.

Without even mentioning the liberty-killing and counter-productive aspects of such a Law, it is surprising to note that clearly, no preliminary study seems to have been ordered by the initiators of the project. Why? Because as it is, the implementation of the main idea seems quite unrealistic.

Tapping the French Internet?

First, let us talk about the most obvious concept: storage.

The words “listening” or “tapping” extremely simplify the imposing device necessary to see this widespread surveillance through. Indeed, the data that are passing through from your computer to an Internet website, Skype or your favorite game’s server is not simply “listened to”, it is STORED for future analysis.

Let us take the example of an average Internet user who would only use his/her mobile phone in “data” mode (we leave all vocal data aside). Let us reckon that this user only downloads 1GB of data per month because of his subscription. Let us now multiply this sole Giga octet by a pessimist number of operator subscribers; Free mobile for instance, claims 9,6 million subscribers in November 2014, which represents 9,6 x 1Go, or 9 375 TeraBytes.

9 375 TB of data for:

  • 1 month of exploitation,
  • for only 1 operator,
  • for mobile use only,
  • With a low estimation of the number of users,
  • without vocal data.

One may argue that it is only about storing the infamous “metadata”, which would diminish the quantity of data to be stored; and we will answer that if we divide the data quantity by a 100, which is completely unrealistic (we do not have public references on volumetry), we would still reach 93TB of data.

This number does not shake you? To give you a hint, a classic industrial storage equipment from a renowned brand, able to store 16TB, costs about 100 000€. 6 like that would be needed (about 600 000€). And we talk, here, only of one month of operations, taking into account only “data” communication (no voice) on the mobile telephony of one operator!

As for the possibility to listen on the fly, it seems very unrealistic since the calculation and quantity of necessary memory would be gigantic. The criticized devices that were set in place by Bull (and its subsidiary Amesys) in several dictatorships, and which were the subject of gossip, are very costly and allow only very partially “real-time” tapping.

Capacity and cost of the “black boxes”?

The Internet is made of tubes. The cables that join equipment, called routers and switches, allow (if we simplify) the communication between a machine hosting a website and the browser (Firefox, Chrome, Safari…) of your computer.

DatacenterThe infamous “black box” would thus be placed as a breach between the Internet service provider’s cables and the final user. As for hosting providers, the “black box” would be placed above the machines network on which websites are set up.

What do French Congressmen imagine when they talk about “black boxes”? A device the size of a DSL or modem box that would intercept the whole traffic emitted and received by an operator or a hosting provider? On wide networks, several hundred GB per second pass through those cables. It would imply very high-level equipment placed in the professional’s network; and rather than a “black box” we would then talk about “black racks”, crowded out with switches, processors and storage units. We can reasonably imagine that these racks would cost, at the minimum, no less than a handful of hundred thousand euros each, or even more depending on the size of the hosting or Internet service provider.

Location of these “black boxes”?

But it is here only a small part of the technical challenge arising from this old fantasy of watching the Internet and all communications of a country. Because beyond the local capture, in professionals’ data centers, the question of data centralization comes up. Without even mentioning the problems related to communication confidentiality and the preservation of everyone’s private life, these data will have to be captured by a system that will have to be sent to the government’s datacenters, implying at least colossal infrastructure costs, but also potential road works to dispatch the cables.

Besides, these “black boxes” made to gather, store, transmit and analyze data will consume a gigantic amount of electricity. Who will deal with the energetic bill of this project? Will hosting providers have to pay the installation and energetic bill of this equipment, thus diminishing greatly their competitiveness? Of course, this used energy will not exactly be a win for our country’s ecology.

Location of these “black boxes”?

 utah-data-centerSuch a volume of information requires physical space because yes, the “Cloud” relies on physical equipment. It will be the same for the infrastructures that will receive the storage bays, routers, servers, dispatcher and switches whose role is to conserve our numeric interactions. In the US, Utah’s NSA-controlled datacenter stretches over 140km², with 9km² of “datacenter” spaces and more than 84km² of technical support and administrative space. As a comparison, it represents almost all the surface area of Liechtenstein (160km²). It cost 1.5 billion dollars, might cost 2 billion more for maintenance and equipment, as well as 40 million dollars a year for electricity only.

Abandoned security standards ?

Numerous security standards will simply not be available anymore, and wiped off the French territory. Let us take the example of the PCI/DSS certification. This norm allows, today, a retailer to offer 1-click orders like Amazon, or simply to be able to store in a secure way its client’s credit cards data. From the point of view of the hosting providers, being compliant with the PCI/DSS norm translates into processes and radical technical restrictions.

As a matter of what, the hosting provider has to control the data transfers without any third party being able to access it. The location of the government’s “black boxes” would simply prevent French hosting providers from being compliant with that norm, and have their competitiveness decline.

The security related to these “black boxes”

The location of the “black boxes” causes two big securing problems. The first one affects the transmission of data from the black boxes to the analyzing datacenter. Will the data be transmitted in plain text without any security, which means that when it is compromised all the data will be accessible by the pirates? Besides, if the transmission protocol happens through an encryption key, it will greatly complicate the exchange processes between the hosting provider and the government. Will hosting or Internet service providers have to give away their keys? Must the government determine a new security protocol?

The second problem (and not the least) concerns the potential compromising of these “black boxes”. Who will give guarantee to the operators regarding this hardware’s security? Picture the case of an e-Commerce websites hosting provider. If the “black boxes” are compromised, it is the integrity of the whole of hosted websites that is jeopardized. Let us not underestimate the opportunity that these “black boxes” represent for pirates! The big retail company Target was, after all, compromised via its air conditioning provider…

And it is only the tip of the iceberg

What perimeter will be set up (in the first instance, since it will obviously widen year after year)? Will this project include all the fiber connections, DSDL, MPLS and others that link hosting providers to their clients, multiplying the number of black boxes or at least increasing their cost? Also, if all connections must end in the infamous “black box”, what is the guarantee that its conception will always allow an impermeability between these different flows?

Of course, targeted individuals and organizations use encryption, but it is also the case of untargeted individuals and companies; will we thus have to deliver all of our encryption keys (as well as our clients’ ones) to the government?

Also, this “black box” equipment will have to be installed and maintained over time, like all equipment of this type. The conditions to access a datacenter are very controlled (for normative and security reasons), will we thus have to accredit new people and give them access to our offices and hosting zones, without knowing them? They would then have access to all our equipment without any control. On the opposite, if we have to come with them every time they need to visit a datacenter, will the intervention cost be covered by the government?

Schrödinger’s “black box”!

schrodingers-cat-artwork-500x500Thus, is the “black box” project realistic?

Technically speaking, whatever the Congressmen in charge say, it seems poorly engaged. Actually, in terms of costs, complexity and placing time, it appears that the government does not realize the scope of the project and its abysmal cost.

It realizes even less the security issues, the probable huge escape abroad of French hosting providers’ clients, when even foreign clients came to France to be hosted… A drop of confidence of French companies but also of foreign markets will be seen, all this involving a major economic risk for one of the only French sectors still growing.

The Government, before taking a decision, should thus slow down and take the time to really study the impacts and feasibility of the project. And why not integrate the field’s professionals to the discussion, in order to come to a more realistic, efficient and economical project?

Read our other articles about the subject:
– French hosting providers are opposed to the “Black Box” project of the French Intelligence Law
– “Intelligence Bill” or “Black Box” project: another view of the tapping

Emile Heitor
Emile Heitor
After being NBS System’s CTO, Emile now guides our clients in their most complex projects, especially on the AWS public Cloud. A renown expert in IT, always at the forefront of technology, he understand and makes understand the stakes and evolutions of the field.