[tor-talk] surveillance discussion in Finland

Juha Nurmi juha.nurmi at ahmia.fi
Mon Jan 26 06:45:25 UTC 2015


Hi,

Here is a very short summary of the surveillance discussion in Finland.

The Ministry of Defence of Finland published a report that proposes internet
intelligence activities. The problem is that they also propose (Swedish
FRA style) MITM on cross-border communication.

In short, the report says:

"The existing legislation in Finland does not, however, address
intelligence. The Working Group therefore proposes that the Government
should initiate necessary measures to create a legal basis for
intelligence activities."

"The purpose would be to collect vital information to protect national
security against serious international threats. These could be military
or civilian in nature."

"Military and civilian authorities in charge of national security should
be granted powers to conduct cross-border intelligence to respond to
changes in the security environment."

"It is to be considered whether the Defence Forces and the Finnish
Security Intelligence Service should be given powers to conduct foreign
intelligence to gather information from individuals and on information
systems."

The Ministry of Transport and Communications published their counter report
that very strongly points out that a MITM attack on cross-border Internet
connections is technically problematic, unethical, ineffective and would
not necessarily yield the desired information.

With Electronic Frontier Finland we published our similar view:

My opinion and Electronic Frontier Finland's opinion is that the MITM part
is problematic. The other parts of the report do not create that kind of
privacy or human rights issues, are technically doable, do not waste tax
money and do not break the Finnish Constitution.

There are a lot of good points in the intelligence report, for instance,
they clearly state that they do not want any encryption keys from the
companies nor want backdoors to any commercial systems. Furthermore,
there would be strict guidelines and a demand for a court warrant and
independent oversight.

A MITM attack can be called mass surveillance even if it tries to target
some traffic. The obvious problems are:

1) This is very ineffective surveillance. Real bad guys can secure and
hide their communication. Even HTTPS encrypted Facebook chat hides their
communication in this case!

2) Of course, the most problematic part is that this kind of
surveillance is unethical and illegal in any EU country. Moreover, it
would require a change to the Finnish Constitution where "The secrecy of
correspondence, telephony and other confidential communications is
inviolable.". Fortunately, it is hard to change the constitution.

3) The report promised to address how to solve national level security
issues like large DDoS and spyware produced by another state. However,
mass surveillance is not an effective way to solve these problems.

4) Where are the options for this awkward MITM? Is this really a good
way to spend our tax money? Does it help to solve the problems?

5) Is it even technically possible to build this system? The report says
that it is still illegal to read any messages that are not related to
national level threats. How the hell are they going to just read the
communication of the bad guys? Not to mention again that basic HTTPS is
enough to secure communication.

I am optimistic. Don't worry, we will stop this nonsense. When another
ministry, mainstream media and the Constitution are against something it
is likely to fail.

References:

The report, page 5 English summary: Guidelines for developing Finnish
legislation on conducting intelligence -
http://www.defmin.fi/files/3016/Suomalaisen_tiedustelulainsaadannon_suuntaviivoja.pdf

Ministry of Transport and Communications demands more public debate on
efficiency and impact of online surveillance -
http://www.lvm.fi/topical/4430582/ministry-of-transport-and-communications-demands-more-public-debate-on-efficiency-and-impact-of-online-surveillance

Electronic Frontier Finland pointing out the problems (Finnish) -
https://effi.org/blog/2015-01-19-verkkovalvonnasta.html

Greetings,
Juha

