Bytemark & spooks


#1

A question that has to be asked given topical news; one that I suspect might be hard for Bytemark to answer.
What is the Bytemark position on requests to access customers’ machines if requested by the UK spooks/police/…? Have there been any such requests? Do you have a corporate position that is shown on your web site?
I do appreciate that you might not, eventually, have a choice in the matter, but what hoops do you make the spooks jump through? What do you say to non-UK spooks? (There have been stories of the USA gov’t demanding access to machines owned by non-USA companies and physically outside of the USA).


#2

As I’ve said to a few others on Twitter:

  1. Bytemark has not yet been approached with any spook-y requests;

  2. we will always be happy to discuss this topic, unless we suddenly decide that we’d rather avoid it;

  3. secret network taps are probably going to be very unreliable. If we ever had to host one and keep it secret, I’d expect a customer to see difficult and inexplicable network problems, with queries passed up to the directors to answer.

Like any ISP we can’t promise who’s looking at your traffic after it leaves our sites, and we’d be glad to advise on how to make taps as hard as possible.

At present we get odd requests to help with police enquiries (usually petty harassment or card fraud, on the rare occasions they care about those things) and some civil sabre-rattling from solicitors. Our reaction in almost all cases is to hook up the complainant with the customer, and let them sort it out.


#3

Thank you. Sorry for having to ask the question.


#4

It is not such a silly question to ask.

I currently have a customer who hosts a forum. One of the posters has noticed that certain words like ‘Snowdown’ and ‘GCHQ’ can result in an RST being sent to his browser. It can take 3 or 4 goes before the post can be made.

Good to know the ‘gremlin’ is not on the Bytemark side. Just in case, I am soon to re-image my server in case the spooks have managed to hack it without my noticing. (We all know how easy it is to have a hacked server. And with so many zero-day exploits being mentioned no anti-malware is likely to give any warning.)


#5

Would it make sense for Bytemark to maintain a web page stating no warranted spooky requests have been received? My understanding is that these authorities can stop you telling your customers and our users when such a request has been received, but they cannot legally oblige you to lie. So if such a web page were to be automatically updated every day with the day’s date, and then removed when any conflicting official request were to occur, this would legally slightly reduce the effectiveness of the current white paper (reintroduced snoopers’ charter, or RIPA on steroids). As I’m responding to a statement of the suggested nature, but made more than 2 years ago, I’ll understand perfectly if no response to this suggestion occurs.


#6

Hey @rkay, @mbloch is on leave today and I’m sure he’ll reply when he’s back. :smile:

We’re soon to publish a privacy policy that will collect in one place much of what we’ve written publicly so far and I hope that’ll cover your questions.


#7

So if:

  1. Bytemark maintained a “warrant canary” web page, and
  2. a court made an order for us to betray / reveal data for a customer, and
  3. the court ordered that this must not be publicised to anybody, even in general terms,

I am certain we’d be in contempt of court if we didn’t use that warrant canary page to lie about it.

After saying all that, so far we’ve never received such a request, and have released our privacy statement in the last few days which has a specific section on how and when we’ll release your data to 3rd parties.

Please let me know if you have any questions or unease I can resolve.


#8

IANAL, but I suspect Matthew is correct. From what I’ve gleaned from blog and mailing list posts from lawyers on both sides of the pond, the warrant canary probably doesn’t provide the protection that many assume.

While (it seems) no nation has an explicit law stating “thou shalt lie on behalf of your government if we demand that you do so”, authorities can nevertheless achieve the same effect by simply prohibiting you from revealing the existence of any warrants. “We’re not saying you have to lie, we’re simply saying that if you do anything to reveal the existence of these warrants you’ll be in contempt of court” kind of thing. Such threats of course are backed up with our scarily authoritarian counter-terror laws, powers to summarily arrest individuals, shut down businesses, hold hearings in secret, etc. etc.

In other words, if my understanding is correct, the often asked question “they can’t force me to lie to my customers, can they?” can be answered thus: technically no, they can’t, but they can prohibit you from telling the truth, something which, depending upon which promises you’ve made to those customers, whether or not you’ve configured a warrant canary, etc. can in fact put you in the position where you are forced to lie anyway.

The actual legal situation may well be different from what I describe here (again IANAL!). This is just my sense of things based upon what I’ve stumbled across and read. Like many here I’m sure, I’d be very interested to hear the opinion of anyone with actual legal expertise in this area.

[Edited for typos]


#9

Further to my post yesterday, Adrian Kennard, the director of the ISP Andrews & Arnold, was invited to the Home Office yesterday, along with representatives from other small ISPs, to discuss the proposed Investigatory Powers Bill. He’s written up the experience on his personal blog:

Warrant canaries get a (very brief) mention:

“I asked about my canary and if the law could compel me to lie - they could not answer that either.”

Oh well. Nevertheless, the rest of the post is well worth a read for anyone interested in these matters.