Telco metadata surveillance: only minimal avoidance with HTTPS and Tor

In this post I’ll explore possible telco (mostly Internet Service Provider) metadata countermeasures, using the specific example provided by Australia, a member of Five Eyes. It is not exhaustive. Glyn Moody has written a disturbing article concerning Australian data retention.

The Australian Parliament has passed a series of amendments to the country’s Telecommunications (Interception and Access) Act 1979, requiring “telecommunications service providers to retain for two years telecommunications data (not content) prescribed by regulations.”

The target audience is the 98% of Internet users who are subject to passive surveillance; or at least the much smaller share of them who care about and understand the basics of transport encryption.

Metadata notes

There are two important distinctions for threat analysis:

1. This metadata seizure (misleadingly popularized as “bulk collection”) is outside the scope of programs like the United States’ Special Source Operations (SSO). It does not include what governments are able to collect directly (using Section 702 of the FISA Amendments Act in the USA), either at end points (downstream programs like PRISM and MUSCULAR) or en route (upstream programs).

2. Only so much can be done to mitigate telco metadata collection, because most of it is generated simply by you physically performing an action, like turning on your computer and accessing the Internet at all.

Metadata collected

Here is a somewhat simplified version of what the Australian government considers telco metadata, per section 187AA, “Information to be kept”:

  1. Subscribers, accounts, services, devices: The status of, name(s) of, address(es) of, billing information of, payment(s) for, and any contact information of — and any other information that can be used to identify — the subscriber(s), account user(s), service user(s), and device user(s).
  2. Communication source: Service or device identifiers that send any and all communication.
  3. Communication destination: Account, device or service identifiers to which communication is, or is attempted to be, sent, forwarded, routed or transferred.
  4. Session: The date and time of the start, end, connection, or disconnection of any Internet service.
  5. Communication type: The type of communication, including voice, SMS, email, chat, forum, and social media. The type of service, including ADSL, Wi-Fi, VoIP, cable, GPRS, VoLTE, and LTE. The features of the service that were used by, would have been used by, or were enabled for the communication, including call waiting, call forwarding, and data volume usage.
  6. Medium: The location of the equipment or line at the start and end of any communication, including cell towers and Wi-Fi hotspots.

HTTPS versus Tor

A general consideration is the fact that your computing and routing devices all have unique fingerprints. This includes cell phones, laptops, and routers. For networked devices to work at all, they have to be able to talk to other devices. Aside from having unique physical addresses, networking protocols work by devices saying “hey, I’m alive” or “hey, are you there”. The implementation of these network protocols gives network adversaries clues about when, who, and what is talking on the network. Telcos see a lot of this type of identifying metadata because they’re the ones connecting you to everything else.

A general difference between HTTPS and Tor is that Tor protects the identity of your destination. If you log into Twitter over Tor, Twitter knows who you are because you’re logging into an identifying account. But your telco, which connects you to your first hop in the Tor network (the guard), will not know where your traffic is destined. Tor is, of course, limited to Internet data and does not cover plain SMS or voice calls.


Subscribers, accounts, services, devices

Only users of Internet service are partially protected when using transport encryption like HTTPS and/or Tor, and only as long as you’re behind an Internet router (like a Wi-Fi router) that helps mask which person is using the Internet. The reason is that encrypting Internet data can conceal which user is using a particular service. For example, if you log into Twitter with HTTPS, the telco can only see that you’re using Twitter. If it were HTTP-only (clear text), your telco could see specifically which account is being used. Unfortunately, home and work Internet users are routine users who are easily linked to the account holder. Users of publicly accessible Internet sources are better protected here.

Account information is something you have to give telcos for work and home use. Telcos know the devices immediately connected to them, when they are used, when they are not used, who’s likely using them, and what type of traffic those devices are generating.

Communication source

Tor is only able to protect the Internet services that you’re using from spying telcos. Device and network fingerprints, along with simple on/off usage of devices, are very identifying. HTTPS protects the metadata within the encrypted session, but your telco can still see that you’re connecting to “https://twitter.com/”, when, and for how long.

Communication destination

Within this very small scope of threat mitigation, Tor shines at protecting your Internet destination. HTTPS is end-to-end encrypted, but that end is the service provider, which your telco fully observes. Tor, on the other hand, while not end-to-end encrypted (unless you’re connecting to a Tor hidden service), has to make five hops across the global Internet in order to help sever the logical connection between start and end.

Session

Tor helps hide your destination. So, while your telco does see what is connecting, using which device, when, and likely by whom, connecting that metadata to the services and people that you talk to is made tremendously harder. However, a global adversary like FVEY might be able to correlate the known and the unknown if you’re logging into identifiable Internet accounts.

Communication type

Again, within the small scope of Internet usage, Tor helps avoid metadata correlation. But Tor, whether from your phone or laptop, still requires physical Internet access and still requires TCP/IP. So if your communication “type” falls within this small scope of communication, Tor helps. A little.

Medium

Network-level encryption does nothing to protect the physical medium.

Conclusion

My analysis only looks at one-time events, not holistic trends or the past and future unintended consequences of this manner of data retention. A more detailed analysis might also look at the threats posed at each of the seven OSI layers, and in different environments such as “work”, “home”, and “public library”, but I hope this has gotten you to think more about these complex problems.

When in doubt, use Tails Linux on a second-hand laptop at various Internet cafes in a country that doesn’t require ID to connect. How sad.

#LLAP