Interception of electronic communications

C

crbuys

Legal Expert: Internet
Joined
Sep 23, 2004
Messages
126
Reaction score
1
Location
South Africa.
Hi all,

I need some help from the techies...

In terms of the provisions of the Regulation of Interception of Communications (RIC) Act 70 of 2002 which was gazetted in 2002 but will only become effective in the coming weeks, employers and the government have the rights to intercept communications. Service providers like ISPs also have duties to retain information related to a communication, such as the sender, recipient and time of an email message...

The RIC Act may be downloaded from: http://www.info.gov.za/acts/2002/a70-02/

The first draft regulations issued in terms of the Act may be downloaded from: http://www.doc.gov.za/images/DirectivePTNV1.pdf and http://www.doc.gov.za/images/DraftDirISP_v4_1.pdf

The Act is, like most of our new IT related laws, not very well drafted and may result in some truly silly situations. See http://ebiz.co.za/article.asp?pklArticleID=2452&pklIssueID=335&pklCategoryID=131

Government feels that the Act balances the individuals right to private communications with the states duty to secure its citizens. But that is not my reason for this posting.

I would like to know if it is in fact possible to detect and intercept VOIP communications through services such as Skype (http://www.skype.com/) and Instant Messenger (http://messenger.msn.com/). Also, is Internet chat subject to interception, re-routing and monitoring?

Your comments are welcome.

Cheers,[:p]



Reinhardt Buys
 
The empolyer has the right to monitor everything you do using his equipment.
If there is any misunderstanding, they will make you sign a document in which you give up all your rights and let them monitor eveything you do.

Skype can use port 80 ... BUT there are some servers that skype uses so if you monitor connections to those servers (the number could be large) you could monitor.

Instant messanger, yahoo, AIM, etc can all be intercepted... I have personally tried a MSN sniffer on my home server to see if it would work ... it records everything I have typed on MSN from my PC on the network ... so I'm sure there are similar tools fro the other chat programs

We are Telkom - Resistance is Futile - You will be Assimilated
 
There is software called Simp Lite that encrypts MSN,

problem is you might be able to encrypt your chatting with a friend or GF but the company might come to you saying you signed a form saying they may monitor your chatting so please remove it,

I use to work for DD on a international project and we all used it to communicate between NY, Chicago, and London, Jhb and CPT. you always justify the encryption by saying work related and you dont want a third party to spoof work related things. Nice thing with simp Lite is it only encrypts designated chat friends.

as for email, there are many good PGP outlook plugins to make sure no one reads your mail.

G

You Have The Obligation to Inform One Honestly of the risk, And As a Person
You Are Committed to Educate Yourself to the Total Risk In Any Activity!
Once Informed & Totally Aware of the Risk,
Every Fool Has the Right to Kill or Injure Themselves as They See Fit!
 
<blockquote id="quote"><font size="1" face="Verdana, Arial, Helvetica" id="quote">quote:<hr height="1" noshade id="quote">I would like to know if it is in fact possible to detect and intercept VOIP communications through services such as Skype (http://www.skype.com/) and Instant Messenger (http://messenger.msn.com/). Also, is Internet chat subject to interception, re-routing and monitoring?
<hr height="1" noshade id="quote"></blockquote id="quote"></font id="quote">
Skype - communication (file, chat, voice) is encrypted end to end so its totally secure.

MSN Messenger - vulnerable unencrypted transmission although one can download plug-ins to encrypt your communications.

If Government want to decrypt every piece of communication they're going to be sitting with one helluva problem. Evern thinking of doing that is't all that clever. All the manpower and technology and time to be invested in something like that will be exhorbitant. If a criminal really wants to do things without being caught he'll find a way. 1024-bit military-grade file encryption products are freely available - it will take Government centuries to decrypt just one small file. They're being a bit silly with this interception nonsense and they will be wasting everyone's money. Sure balancing privacy and safety is a tricky thing, but what would happen if someone were to find out they're being monitored and haven't done anything wrong? Or if some nut wants to monitor his ex girlfriend online? Theres lots of room for exploiting a 'service' such as monitoring and intercepting...

But the short answer is Skype is secure, MSN is not secure [:)]




<font color="navy"><font size="1"><b>Where others have progress, we have Telkom.</b>
Hellkom website - www.hellkom.co.za</font id="size1"></font id="navy">
 
Even using PGP for email is not secure, because the interception people still know that you sent an encrypted message from A to B at a particular time. The only thing they don't know is what you said.

I'm not sure whether this applies to Skype as well: is the fact that you called a particular number also encrypted, or just the conversation itself?

I think that the law enforcement people should have a public PGP key available, so that if they want to read my encrypted emails they can do so simply by supplying me with their PGP key.

<b>What do they plan to do about https traffic</b>, say online internet banking? Do they plan to eavesdrop that as well? If so, will the banks guarantee that this information is not used for fraud?


<hr noshade size="1">
Donn Edwards <font size="2"><div align="right">MyWireless: Diva-style reliability, dial-up performance (or worse)</div id="right"></font id="size2">
<font size="1">“If our government ever goes bad, as sometimes happens in a democracy... As we extrapolate our [surveillance] technologies into the future, if the incumbency has that political advantage over their opposition, then if a bad government ever comes to power, <b>it may be the last government we ever elect</b>.” See http://privacy.4mg.com </font id="size1">
 
Hi guys

Nice topic! We had a discussion regarding these issues some time ago and a few interesting articles came to light… VOIP is not that easy to intercept (http://slate.msn.com/id/2095777 ) but the companies themselves can be asked to record calls from a certain address. This is obviously not possible with a product like Skype that does not use centralized routing computers… And then there is the 256-bit encryption that MaD spoke about. To the best of our knowledge it is logically unbreakable, unless a backdoor is provided or the FBI/CIA figured out some ingenious mathematical way to break this encryption.

For email communication there is obviously PGP as Donn pointed out. The usual problem with PGP is that you will get flagged by any good security system for using strong encrypted communications. The law will certainly force you to supply your private key on demand (the case in the UK). The solution for this problem proposed by Zimmerman (who has since left PGP due to some concerns about the openness of the project) is for everybody to start using encrypted email. Unfortunately the state will certainly not encourage this and it will be very hard to convince people of the advantages. The other question also remains: Did the PGP company insert a backdoor in their new software (after 9/11)? It is not completely open source anymore!

Regards,

RPM
[email protected]
 
RPM, you are most correct with everything you said, however somebody mentioned earlier that if you want to keep something hidden, you will find a way. That statement is very true. You can use double encryption techniques purely by arrangement with the designated recipient. This technique uses more than one encryption tool which in turn puts a massive problem right in the lap of the unwanted viewer trying to decrypt the message. Once decrypted, he sits with another encrypted message. The ways and means to the disposal of somebody with a truly sensitive message in order to get it across great distances safely are numerous and very secure.

The different methods of creating encryption software have been floating around on the web for a while now and even PGP (considered the best out there) was shipped on paper out of the USA in code format in order to circumvent now old and changed US laws restricting the export of encryption technology. The code was taken, scanned into computer and compiled in Europe where it was turned into a free product for non-commercial use.

If you are relatively clued in programming then you can even code your own encryption software. If you do not feel like it, simply read the code of an already available encryption tool and compile it on your own. That eliminates the risk of backdoors.

In my humble opinion, I’d consider the encryption movement as integral to the protection of privacy in an increasingly connected world. We the public must protect this ability and right with our lives!

Regards,
Antowan


### What we need in South Africa is cheap 24/7, always on Internet for under R300 a month. ###
 
Agreed, basically those who are knowingly doing something wrong (e.g. terrorists) will obviously use strong encryption to protect their communication so I don't see how the ability to intercept EVERYONE's communication makes citizens more secure. Even having excellent knowledge of publicly available encryption methods doesn't help government. In my own development projects (and as antowan mentioned) I always throw some custom encryption into the mix to make it more difficult to decipher the data. I think government should be using its resources more constructively than restricting the rights of innocent citizens.
 
Can't resit this Quote then:

"The RSA encryption algorithm depends critically on the fact that it is easy to multiply two large prime numbers together and obtain their product, but it is computationally “hard” to factor the resulting product back into the original primes, if they are not known. The main part of the public encryption key used by Bob is, in fact, a large number that is the product of two primes, and his private decryption key is one of the prime factors of that public key.

With a conventional computer, it might require many years of computer time to factor the large number in Bob’s public key. However, with a quantum computer the large number, at least in principal, can be factored very rapidly and the message broken. Thus, the RSA encryption procedure is based on the assumption of the difficulty of prime factoring, and quantum computers threaten to invalidate that assumption.

It is not surprising that the National Security Agency, the code-breaking and electronic surveillance arm of the U. S. federal government, has for many years opposed the wide distribution of strong encryption schemes such as the RSA algorithm. It has also arranged for federal laws that block the distribution in certain forms of strong encryption outside the USA and Canada. It is perhaps more surprising that the NSA is currently one of the principal funding sources for research into quantum computing. Big Brother would like to read your E-mail, even when it is RSA encrypted."

see http://www.npl.washington.edu/AV/altvw112.html for the full story and many other fascinating insights into Quantum Physics.

Cheers
Chris
 
I dont care if the work place go through my mail or MSN chats... got nothing to hide from them... and besides I am using their computer and their line so it is acceptable.

I do however have huge issues with my personal machine being monitored by goverment but somehow I dont think they could do that 24/7 with every wired person. Perhaps they just have it there so when they do suspect somene of being a terrorist or a wrong doer then atleast they have the power and the law to snoop information.

Besides send two emails to a friend in the USA. In the one mail write whatever you usually do. In the second email use words like TERRORIST, NUCLEAR, DEATH TO USA. Then see how long each one takes to reach your friend. Quiet amusing actually...

Been like that for a while.

myWireless 128, 64, 48, 16 - depends on its mood.
 
The legal people are so out of touch with reality that it makes one sick. All these records that needs to be kept at enourmous costs are totally useless - only amateurs will be trapped. But there are cheaper ways to trap them anyway.

Recently BBC-News had an article on how "al keida" could communicate. They claim that these people use internet cafes, and have a range of free webmail addresses that are used in a predefined manner only once.

Google for "steganography" - it is the art of hiding a message inside a message. This way you can hide an encrypted message inside eg a MP3, jpg ... file. So, the CIA etc first needs to determine that there is an encrypted message inside the MP3 file (there are claims of statistical methods - but again very expensive if they are to be used on every attachment)

The fact is, the fools piling expensive legal requirements on anyone operating a mailserver, don't know the reality outside. On paper it sounds great. In reality it is a waste of good time and money.

In the end the only people that will smile are the lawyers defending ISP's in court because they could not keep track of all the silly laws. I still have to see the lawyer actually figthing a silly law.


South Africa needs World Class Broadband at World Competitive Prices.
 
Hi

As I understand it, government interception relies heavily on keyword usage. Due to volume, this happens with the help of computers that basically sniff traffic moving through the networks. If the info is encrypted, there is no way in hell they can flag the info for follow up on the fly. Perhaps there is a massive inbox somewhere at the Pentagon or here at the NIA in Pretoria that systematically decrypts messages that it could not read on the fly, but I am guessing that inbox is getting steadily more crowded as we speak.

;o)

I know that all mail coming into the UK is scanned.

Cheers
Antowan


### What we need in South Africa is cheap 24/7, always on Internet for under R300 a month. ###
 
This would most probably be illegal in banana republic South Africa...

See http://www.iol.co.za/index.php?art_id=vn20041026045052380C391469&click_id=79&set_id=1

Electronic censors help war on office sexism

October 26 2004 at 07:06AM

By Rachel Stevenson

London - "Had cancer, been a pain and now pregnant." These were the damning words with which an executive at Schroder Securities described a colleague, Julie Bower, in an email, leading to a £1,4-million (about R15-million) payout from the company for sexual discrimination.

But banks and other financial institutions could soon be installing monitoring systems to catch and stop sexist remarks before matters get to court.

Autonomy, the software developer whose technology is used by governments to monitor possible terrorist activity, has transferred its know-how to protect banks and City institutions from the growing tide of sexual harassment and discrimination cases....



South Africa needs World Class Broadband at World Competitive Prices.
 
Folks, if you want an interesting insight into what can be learnt by electronic snooping, get a copy of "Dangerous Data" from your library. The details are on my web site. At no stage does the snooper actually read the emails, but looks purely at the to and from addresses. Similarly, phone call numbers, time and duration can give you a lot of information.

<blockquote id="quote"><font size="1" face="Verdana, Arial, Helvetica" id="quote">quote:<hr height="1" noshade id="quote">From original post:
... have duties to retain information related to a communication, such as the sender, recipient and time of an email message<hr height="1" noshade id="quote"></blockquote id="quote"></font id="quote">
They don't need to decrypt the message. They just want to know who you are talking to.

My guess for the PGP backdoor (if it exists) is that all encrypted messages include the public key of "Big Brother" because any other backdoor would be too easy to crack. If you haven't already done so, there is a really good interview with Phil Zimmerman on my web site, with a link to the full text.

This business of "I've got nothing to hide" is all well and good, but it isn't true. We all have things to hide, it just depends who we're trying to hide it from. I want to hide my credit card number from you, so you don't spend my money for me. But I need to disclose it to the shopkeeper when I buy stuff. Similarly, we wouldn't do electronic banking if it wasn't encrypted, would we?

Why any government would want to do bulk scanning of emails beats me. If I wanted to arrange something subversive I would assume that all my communications were being intercepted anyway, with or without a court order. To me this act is more about trying to reassure the public that "the government is doing something about ..." (fill in the issue: terrorism, pedophiles, drugs, arms, 419 scams, etc.) even if they don't have a clue.


<hr noshade size="1">
Donn Edwards <font size="2"><div align="right">MyWireless: Diva-style reliability, dial-up performance (or worse)</div id="right"></font id="size2">
<font size="1">“If our government ever goes bad, as sometimes happens in a democracy... As we extrapolate our [surveillance] technologies into the future, if the incumbency has that political advantage over their opposition, then if a bad government ever comes to power, <b>it may be the last government we ever elect</b>.” See http://privacy.4mg.com </font id="size1">
 
Free beer, libre secure VOIP:

http://linux.slashdot.org/linux/04/11/03/2333232.shtml?tid=126&tid=172&tid=106

-Information anarchist-
www.sentechhatesfreespeech.org.za
I support:
www.hellkom.co.za
www.poopband.co.za
Looking for something better than IE?
www.mozilla.org/products/firefox
 
<u>What is the diference between:</u>
<b>A - Store All Communication.</b>
Purchasing a separate server to store all trappable communications within and leaving the office, and maintaining that server and it's laaaarge storage.
And
<b>B - Record All work.</b>
Placing a camera behind every employee's desk and recording their every move, and managing the tapes. (Or - recording the keystrokes, the "screen capture", microphone input and speaker output.)

IMO - they're one and the same thing.

The only difference is that it would take longer to unencrypt/decipher some kinds of transmissions/communication, though its not impossible.

So - my question is - do I have the right to not have my every move recorded by my employee/the government ? i.e. Define my right to privacy.

Privacy = "The state of being free from unsanctioned intrusion." (Dictionary.Com)
Our Constitution and the right to Privacy:(http://www.info.gov.za/constitution/1996/96cons2.htm)
"14. Everyone has the right to privacy, which includes the right not to have ­
-their person or home searched;
-their property searched;
-their possessions seized; or
-the privacy of their communications infringed."

So - no matter what anybody or any piece of paper/act says, you have the right to not allow anybody/anything to violate your privacy.

But - everyone has the right to allow their privacy to be violated as well, in the interests of a better, safer country/workplace/... (NOT TRUE)

MY POINT IS - There is no difference between recording our every move and recording our communications, except for the time it would take to work out what our every move was if just communications are being recorded.

Conclusion - if you let somebody/something record your communications, you have in essence tried to give your privacy rights away completely, but you cannot give away your rights.

When you open a bank account, you sign away your rights, when you are hired, you are forced to oblige with company policy, when you open an account with an ISP ...

But - I still recon that you can, at any time, argue that your right to privacy was infringed, because no-one can take away your basic rights, NOT EVEN YOU.

If you want to rob a bank [}:)] - email your partner in the crime, with all the details, and if it is intercepted and you are arrested and you can proove that the email was the only way that the details could have been known, then you can go straight back to the "My Privacy was Infringed" argument and win, until the basic bill of rights in the constitution is changed.

Am I wrong here ?
 
OT : This new legislation is a B1TCH of note, hidden in the legislation, is a nice little clause that ant provider of cryptography services has to be 'Registered' with Gov.

WTF??????????
Are these people mad,
it doesn't seem like such a problem, and could ensure cryptographrs are qualified, but what are the conditions of registration.

It could imply that if I don't agree to give my algorithms/keys to whoever the fsck in government wants them at some point, I probably can't get licensed, or before providing a service, I must get a license to use that encryption technique.
privacy...whats that??

for some more implications, see http://www.tectonic.co.za/view_feature.php?viewid=4
for an interesting twist on how wide the legislation is, see the OPEN SOURCE implications on page 2 of the article!
 
You must log in or register to reply here.
Back
Top
Sign up to the MyBroadband newsletter
X