InfoSec questions about the response to the riots

A thorny topic this one, and the situation in London is ongoing, so some care is required…

I’ve seen commentary today that the Met Police should be monitoring social networks and so on for intel on the riots in London. Is this an unreasonable demand?

I should set out my stall here, just so the context is clear. I have no intimate knowledge or understanding of the situation in North London and the pressures of living there. All I can say is what I see on the subject I understand. And there’s some very odd commentary today on the wires.

It would appear that some of the organisational work behind the riots is being conducted via Twitter, social media and BBM (Blackberry Messenger) and one would assume SMS. This is hardly surprising. All of these mediums are platform independent, swift to use and enable large groups of people to broadcast messages.

Let’s start with the can-it-be-done question. The answer is: yes of course. There are Government agencies across the world whose sole purpose is to collect Signals Intelligence (SIGINT). Monitoring voice and data comms is a day-to-day activity for such organisations. And social networks are open, and SMS is decidedly insecure.

However, a statement issued by RIM via twitter just after 1500 on the 8th August read: “We feel for those impacted by the riots in London. We have engaged with the authorities to assist in any way we can.” The implication of this is startling. RIM has been battling with Governments across the world for years, because its network traffic is encrypted, stopping SIGINT types from reading the traffic. One MUST assume that how this reads isn’t what they meant. Because if it is the case, it opens up a whole trust conversation that is beyond the pale. I’m not naive – I’m sure if SIGINT types want this traffic they can get it, but cracking such relatively low-threat traffic (vs, say counter-espionage or counter-terrorism) sets an unpleasant precedent.

Extrapolating this conversation takes it into some wild places, and one that makes me uncomfortable as an InfoSec professional. Clearly we are just at the beginning of this, but real care is needed here lest we back ourselves down an alley we may struggle to get out of.

Advertisements

About Graeme Stewart, McAfee

I work for McAfee as Director of Public Sector Strategy and Relations, UK&I
This entry was posted in Information Security, InfoSec, Legal, Security, Sophos and tagged , , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s