ENFOPOL Plans Provoke Strong Opposition

Secret European Union plans to require "interception interfaces" to be built into the Internet for surveillance purposes have drawn devastating criticism from British ISPs and from LINX, the major European Internet connection site. According to Britain's major Internet providers, the EU policing plans are technically infeasible, would impose massive costs, and would undermine the development of European communications and e-commerce. And they would not work.

The EU plans, called ENFOPOL 98 and revealed by Telepolis at the start of December, call for new national laws requiring every internet service provider to provide a security controlled area within their premises to allow law enforcement agencies to copy the data traffic they want. The operators would have to employ only security vetted staff to work in the interception interfaces, and to provide "real time, fill time" secure communications links to interception centres.

LINX, the London Internet Exchange, is the hub of British Internet communications, carrying and relaying the majority of the country's net communications. According to Keith Mitchell, chairman of LINX:

"Anything along the lines [of the ENFOPOL scheme] would probably have astronomical cost implications. In the event such a scheme was ever implementable, the costs should be met by the enforcement authorities. Since the industry cannot afford it I doubt the public sector could".

Mitchell considers the ENFOPOL plans to be technically almost impossible. "Clearly the bodies concerned have not been in discussion with the Internet industry, who could have easily told them what they propose is impractical. This kind of monitoring approach is based on a worldview of telecomms operators which is both technically and economically outdated. It presumes that the networks being monitored are statically circuit-switched, and that there is a small number of large operators per country."

"The modern reality of de-regulated, de-centralised dynamically routed datagram-based telecomms networks (of which the Internet has been a driving example) is that the effect of placing a tap in any point on the network will result in either only partial capture, or straightforward avoidance of the possible tap points as a result of technical or market-driven means. For a given Internet session, each of the possibly hundreds of datagrams making it upcan be potentially routed dynamically via different paths through the Internet. A typical datagram will traverse dozens of routers, a dozen different ISPs, and several borders and timezones in the course of its passage through the Internet."

Because of this, the ENFOPOL plans would require an enormous international network to be installed just to capture one Internet message. "Monitoring of an entire session requires at least one of each of the routers on every possible path for the data to have monitoring facilities accessible from the central monitoring point, and close agreement and [full-time] co-ordination between all the autonomous organisations whose infrastructure it is traversing. Such a high level of resource-intensive co-ordination seems very improbable. Further, the complex nature of the technical and commercial organisation of the Internet means that enumerating all possible paths would be difficult. Even if such agreement and co-ordination were achieved, it is unlikely sessions could be monitored in real-time".

A step in the wrong direction

The scale of the secret EU proposals has also surprised and alarmed leading ISPs. "These sound neither practical nor commercially sensible provisions", according to Tim Pearson, director of the UK ISP Association (ISPA), " it's a step in the wrong direction". There would be immense technical difficulties as well as threats to customer privacy. Frequent changes to network procedures and software operations at many ISPs would make it virtually impossible to maintain interception interface "black boxes", and might necessitate tapping centres copying a large part of the Internet traffic to get what they want. "Would they want multi-megabyte lines from every one of the ISPs in the country?", aks Pearson.

Internet Network Services, a UK licensed telecommunications operator as well as an ISP, say that have already had to comply with the special security regulations and agree to provide interception facilites required by national security and intelligence agencies. Of the ENFOPOL plans, managing director Tim Challenor says :

"Our anxiety is that any government agency anywhere could have general access across the network. We want to see sufficient circumstantial evidence to apply for authorities to tap logical or physical connections. I don't see why [the new arrangements] should be different."

A major problem, he felt, was that like other Internet newbies, police and security agents were intimidated by the complexity of the net, and the scale and sophistication of its potential use. Their answer to the technical problem of sifting through gigabytes per second of TCP/IP packets and sorting out the ones they wanted was the classic police response : "we'll take the lot". But "you can't tap an e-mail channel like a voice connection", says Challenor. "They are saying that in order to avoid technical difficulties, 'lets tap everything'. Then they could simply intercept any communications they like".

The problem is the same all over Europe, according to Keith Mitchell of LINX. "Even a small European country generates several hundreds of megabits of traffic per second spread over many diverse paths. Either the monitors need to have a very clear idea of what they are looking for to capture this in real time, which is computationally very demanding, or they need to log a very large amount of data for post-processing, which is even more demanding on storage space than processing power."

"Such monitoring will consume resources in any Internet backbone routers being used and probably lead to an unavoidable and noticeable degradation in service", he added.

In any case, malign users of the Net would easily and cheaply be able to defeat surveillance, he said. "I don't see how current freely available end-user to end-user encryption technology could not easily safeguard against any such monitoring. While there are various proposals for key escrow, it is unlikely these will have teeth or be enforceable".

If ever implemented, the ENFOPOL plan would damage Europe for no real benefit, Mitchell added. "The risks of abuse of general-purpose monitoring capabilities in contravention of the above principles are simply not worth the massive expense of implementing them. There is a global market in telecomms services - if the European Union wants other countries not to route traffic via it, creating a fear of interception would both be a good way of achieving this, and very bad for business." (Duncan Campbell)