cancel
Showing results for 
Search instead for 
Did you mean: 

Government-mandated email/website visit snooping - PlusNet implementation?

newlay
Dabbler
Posts: 24
Registered: 07-12-2008

Government-mandated email/website visit snooping - PlusNet implementation?

The news has been full of reports (1,2) of this new goverment-mandated database where all our surfing habits and email contacts (though, I gather, not the emails themselves) will be stored for a year.
I was hoping someone could tell us how PlusNet's implementation of this works:
Email
Are details of all emails sent through relay.plus.net stored?
How does it affect customers using their own email servers?
What about customers using SMTP relays in other countries?
Is all traffic on port 25 snooped on?
What about webmail? Is there a deeper inspection of http streams to places like hotmail and gmail?
Web
Again - is it only port 80? What about https? What about other non-standard ports?
I'm asking because what's been stated ("details of every email sent and website visited") is incredibly vague, and I hope PlusNet will continue with its openness and let us know what they're doing to our connections. I worry about the state of the country when even my parents (also Plusnet customers) are asking about Tor (3).
Thanks for any info anyone knows.
1. http://news.bbc.co.uk/1/hi/technology/7985339.stm
2. http://www.telegraph.co.uk/scienceandtechnology/technology/technologynews/5105519/Internet-records-t...
3. http://www.torproject.org/
14 REPLIES
Community Veteran
Posts: 3,789
Registered: 08-06-2007

Re: Government-mandated email/website visit snooping - PlusNet implementation?

From my understanding of the technical limitations:
Email
1.  Mail sent via relay.plus.net is likely to be affected.
2.  Users using their own mail servers, that don't use relay.plus.net as a smarthost are likely to NOT be affected, (although see point 4)
3.  It's unlikely that users utilising relays in other countries will be affected, (although see point 4)
4.  'Sniffing' port 25 is technically feasible, but opens gaping holes upon implementation (like running mail servers on nonstandard ports, using SSL encrypted connections etc)
NOTE:  this could also be implemented for incoming mail which is likely to be relayed through Plusnet's servers, although this is again likely to not be the case if you run your own mailserver.
Web
1.  It's likely only port 80, although this would mean a 'sniff' of that traffic, or perhaps a tweak to the method that the IWF blacklist uses.
2.  SSL encrypted pages are end-to-end encrypted.  There is no feasible way to decrypt the stream to decipher which pages are visited.
3.  Probably unlikely that non-standard ports will be sniffed.
Ultimately, it's a new piece of legislation that is not only short-sighted, but also incredibly pointless to even implement.  It will only track the usage habits of "normal" users, with the more  devious users already circumventing any possible method of interception (because frankly, it's not hard).
I'm looking at using Tor, because I'm disgusted that any politician actually thinks that this is a good idea, and will actually help in the fight against this theoretical 'terrorism' etc.  As usual, it merely makes a criminal out of the man-in-the-street user, with the REAL criminals safely locked away behind multiple layers of encryption and TOR routing.
B.
itsme
Grafter
Posts: 5,924
Thanks: 1
Registered: 07-04-2007

Re: Government-mandated email/website visit snooping - PlusNet implementation?

Surely the Webmail emails sent (and received) will hit PN smtp servers so the details can be extracted here so there's is no to sniff port 80?
Community Veteran
Posts: 3,789
Registered: 08-06-2007

Re: Government-mandated email/website visit snooping - PlusNet implementation?

I would assume that webmail services hosted outside the EU would not be required to store the information when sent.  However a receiving ISP may be required to store the details upon receipt of the email?
B.
itsme
Grafter
Posts: 5,924
Thanks: 1
Registered: 07-04-2007

Re: Government-mandated email/website visit snooping - PlusNet implementation?

Okay, I was being slighty narrow minded and only thinking of PN Webmail. But this does show the weakness of the new law as the criminals will use non-european mail services by webmail which then require sniffing on all ports. My Webmail server use port 8000.
Community Veteran
Posts: 3,789
Registered: 08-06-2007

Re: Government-mandated email/website visit snooping - PlusNet implementation?

The problem is that it's been drafted by a bunch of politicians who have absolutely no technical understanding as to how "the intertubes" work.  Even a blind man with no arms controlling an etch-a-sketch with his nose could have drafted a more competent bill.  There are so many holes in their proposition, it would be better to rename it "The Emmentaler Proposition" and just go and arrest every citizen of the EU member states now.

sigh... /rantoff
B.
deadkenny
Grafter
Posts: 231
Thanks: 2
Registered: 13-09-2007

Re: Government-mandated email/website visit snooping - PlusNet implementation?

Regarding web sites, I'm not sure, but I think the entire session is encrypted which hides the full URL, but the initial DNS request to a server will still be loggable. So going to w*w.isupportbinladen.com is still going to get you into trouble (if you substitute that * for a w that is. Don't want to get people into trouble already! Wink )
As for Tor and the like, surely use of these services is going to get you on the watch list anyway, and if it isn't already in law, it won't be long before use of a service like this to circumvent snooping will probably become illegal. Plus isn't Tor vulnerable to the police infiltrating nodes etc ?
And don't even think of securing your data with encryption either as refusal to release keys to decrypt it can lead to a prison sentence as well.
Of course the bigger concern is how this snooping will be misused in the name of anti-terrorism. How long before the data is used by people to restrict or refuse products and services on the basis of the sites you frequent?
I think the safest thing is to get yourself a net nanny product now to block the web and ensure you can never roam onto a site that can land you in trouble (and remember a web page can load other URLs, especially via adverts, so ad blocking is essential too).
Or safer still, chuck the PC in the bin, unplug the phone, or ultimately emigrate.

Anyway, anything official on this? Surely the implementation must be published as part of the privacy and/or data protection T&Cs, and being a change in T&Cs gives us the option to break contract (not that going to anyone else in the UK is going to be any different).
Community Gaffer
Community Gaffer
Posts: 13,326
Thanks: 1,111
Fixes: 89
Registered: 04-04-2007

Re: Government-mandated email/website visit snooping - PlusNet implementation?

Quote from: newlay
The news has been full of reports (1,2) of this new goverment-mandated database where all our surfing habits and email contacts (though, I gather, not the emails themselves) will be stored for a year.
I was hoping someone could tell us how PlusNet's implementation of this works:
Email
Are details of all emails sent through relay.plus.net stored?

No. We keep syslogs and things like that but AFAIK these are rotated pretty frequently and are not kept for a year. We don't store the body of emails after they have been downloaded from our servers and I don't believe the directive requires ISPs to do this anyway.
Quote
How does it affect customers using their own email servers?

Hardly comes as a surprise but the directive isn't really specific in that regards, you can see it here. I would imagine personal email servers are exempt which is a good example as to why this all seems a bit pointless.
Quote
What about customers using SMTP relays in other countries?

If you're not connected to our network and you're not using our servers then I can't see how this concerns us or how we could possibly take reasonable measures to keep a log of your communications. The directive probably includes inbound email to our network that has been sent from a third party SMTP server though. Again, whilst I've not gone over it with a fine tooth comb, it's hardly clear from the directive.
Quote
Is all traffic on port 25 snooped on?

We've no intention of doing this and I don't think it would go down particularly well with our customers.
Quote
What about webmail? Is there a deeper inspection of http streams to places like hotmail and gmail?

Can't see that even being possible. In fact the whole thing is easily circumvented from what I can tell by using Gmail and enabling SSL.
Quote
Web
Again - is it only port 80? What about https? What about other non-standard ports?

I don't think there's a requirement to keep details of web transactions in the UK.
Quote
I'm asking because what's been stated ("details of every email sent and website visited") is incredibly vague, and I hope PlusNet will continue with its openness and let us know what they're doing to our connections. I worry about the state of the country when even my parents (also Plusnet customers) are asking about Tor (3).

IMO there's a fair bit of misinformation and scaremongering about the directive. "Details of every email sent and website visited" is a very sweeping statement and can be easily misinterpreted.
Hope that helps allay some of your concerns.

Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵

puddy
Grafter
Posts: 1,571
Registered: 10-06-2007

Re: Government-mandated email/website visit snooping - PlusNet implementation?

I thought the whole idea had been canned for the time being?
Some EU countries have refused to ratify it because it would be against our human rights/privacy 
As for  e-mail they could only see the headers and not the full message anyway
puddy
Community Gaffer
Community Gaffer
Posts: 13,326
Thanks: 1,111
Fixes: 89
Registered: 04-04-2007

Re: Government-mandated email/website visit snooping - PlusNet implementation?

At the moment it's simply an EU Directive. Until it becomes law (assuming it does) then it doesn't really mean an awful lot.

Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵

Community Veteran
Posts: 3,622
Thanks: 398
Fixes: 5
Registered: 05-04-2007

Re: Government-mandated email/website visit snooping - PlusNet implementation?

Yeah - we must be the only country in the EU which takes their daft ideas seriously and tries to implement them.
newlay
Dabbler
Posts: 24
Registered: 07-12-2008

Re: Government-mandated email/website visit snooping - PlusNet implementation?

Quote from: Bob
Quote
What about customers using SMTP relays in other countries?

If you're not connected to our network and you're not using our servers then I can't see how this concerns us or how we could possibly take reasonable measures to keep a log of your communications.

In this instance I was wondering about customers using plusnet's network, but sending their mails via SMTP to a smarthost located outside the country - for example I rarely use relay.plus.net myself and mostly use an smtp relay hosted in the US which is run by the registrar for one of my domains.
Quote
Quote
Is all traffic on port 25 snooped on?

We've no intention of doing this and I don't think it would go down particularly well with our customers.

Good to hear! As you say, this thing has been stated in such a non-specific manner that it could easily be considered to entail such practices as this.
Thanks for your response, though it surprises me that Plusnet seem to have gone even less far than I'd expected (I was expecting at least logging of headers for all emails sent via relay.plus.net). Is the statement that there's going to be no logging of websites visit canonical and unlikely to change?
Community Gaffer
Community Gaffer
Posts: 13,326
Thanks: 1,111
Fixes: 89
Registered: 04-04-2007

Re: Government-mandated email/website visit snooping - PlusNet implementation?

Quote from: newlay
Quote from: Bob
Quote
What about customers using SMTP relays in other countries?

If you're not connected to our network and you're not using our servers then I can't see how this concerns us or how we could possibly take reasonable measures to keep a log of your communications.

In this instance I was wondering about customers using plusnet's network, but sending their mails via SMTP to a smarthost located outside the country - for example I rarely use relay.plus.net myself and mostly use an smtp relay hosted in the US which is run by the registrar for one of my domains.

I use a third party relay server too most of the time and I doubt there'd be any snooping of that traffic given that it's all transmitted over SSL Wink
Quote
Quote
Quote
Is all traffic on port 25 snooped on?

We've no intention of doing this and I don't think it would go down particularly well with our customers.

Good to hear! As you say, this thing has been stated in such a non-specific manner that it could easily be considered to entail such practices as this.
Thanks for your response, though it surprises me that Plusnet seem to have gone even less far than I'd expected (I was expecting at least logging of headers for all emails sent via relay.plus.net). Is the statement that there's going to be no logging of websites visit canonical and unlikely to change?

I can't see it happening in the immediate future unless there are some pretty draconian laws passed.

Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵

MacDaddy
Newbie
Posts: 4
Registered: 04-08-2007

Re: Government-mandated email/website visit snooping - PlusNet implementation?

Quote
I can't see it happening in the immediate future unless there are some pretty draconian laws passed.

...isn't this law Draconian enough?!
Quote
At the moment it's simply an EU Directive. Until it becomes law (assuming it does) then it doesn't really mean an awful lot.

I think it effectively is law... The Guv seems happy to promulgate a "voluntary code". It was adopted as a "Directive" in  March 2006, and if you scroll down that PDF, you'll find the beloved regime's gleeful response to the deadline for implementation that's just passed.
Here's the low down on what they can check up on:
en.wikipedia.org/wiki/Telecommunications_data_retention#Home_Office_Voluntary_Code_of_Practice_on_Data_Retention
I wouldn't rely on the EU's "Human Rights" Act too much... it's perverse decisions are becoming legendary.
Here's some clues about what you might be able to do:
en.wikipedia.org/wiki/Telecommunications_data_retention#Protection_against_data_retention
proxy.org/cgi_proxies.shtml
*... hanging out for I2P v3.0! ...worth reading their website i2p2.net for a reality check on how anonymous you can realistically get.
...a smattering of politics that might clarify some stuff:
openrightsgroup.org/orgwiki/index.php/Data_Retention
I also found a range of services like these:
idzap.com/services.php
secure-tunnel.com/
neomailbox.com/services/199-anonymous-surfing
securenetics.com/
(opinions welcome)
...it makes you wonder, if there's a market for this, why don't Plusnet set up a service on a data-ship or non-EU location like the Isle of Man?!
So, alright, they get all the details we submit to Plusnet when we sign up (name, address, numbers, banking details - which also come from Experian etc...); they can't get much off the average surfer who only uses Gmail and switches on the permanent SS feature; but they also get to copy all our itemised phone bills from every company, but not the content of any call. Plus, records of every website ("wrong" or "unwrong") visited.
I don't remember anyone asking my or anyone else's permission for this. Most of us will support the retention of info on the obviously genuinely harmful and unpleasant things on the net - and we've got "Cleanfeed" for that; but this is just abusing the public's goodwill, by suggesting all of us need to be monitored and checked up on all the time, for our own safety - like putting us all in straightjackets to ensure we're all "safe".
Essentially, I would like PlusNet to just make a little "legal" page on the site just to clarify exactly how they intend to interpret this law - as part of their Acceptable Use Policy etc... I don't think you should be leaving people to find out by chance; then raise a ticket; then get directed to this forum. Just be up front about it; reassure people; and maybe look into offering new services to foil the dark side of the force on the internet. 
pierre_pierre
Grafter
Posts: 19,757
Registered: 30-07-2007

Re: Government-mandated email/website visit snooping - PlusNet implementation?

thats what surprised me Yesterday when a PN Coms team person said they were not saving the headers, on this thread #7, #9, #10