The military pushes for a legislation that would allow for monitoring of the entire Czech internet – without court approval or other legal restrictions.
Objections against data collection as part of recent Electronic Registry of Sales project (EET), submitting all invoices as part of the VAT reports, and creating a central registry of all bank accounts have not yet quieted down. But politicians from the governmental ANO party are already coming with a far more inconspicuous but all the more dangerous proposal: they intend to authorize the military secret service to attach “technical tools of cyber defense” to internet providers. These “probes” or “black boxes” could monitor but also modify, and block traffic of the Czech internet. Even so, the amendment to the Military Intelligence Act that would give the military such broad powers is hardly discussed.
Clash with the constitution
The "Black boxes" could monitor the entire Czech internet traffic, process the communication content, or record and store it. This includes emails, social network communication, and overview of the sites we access. A great deal of the data is already encrypted, but the encryption can be cracked or the saved data can be stored for later when decryption will be possible. The legislation does not restrict this in any way. In addition, metadata, that is the information about who communicated with whom and from what location, still come unencrypted, even if these data often tell a lot more than the message content itself. Statistical analysis enables to closely follow relationships among people, for example mapping contacts of friends, journalists, activists, or political parties and their opponents.
Data about our internet activity also give away uncomfortably much about our real-world activity – e.g. stating where we are located, where we move, when we go to bed, and what we are interested in.
But communication transferred through the internet – whether or not encrypted – is protected by the mail privacy governed by the Charter of Fundamental Rights and Freedoms that grants us the right to privacy, even if it allows for exceptions as stipulated by the law. These are already put in place: monitoring by the police and secret services are allowed with a court permit.
Contemporary practice is to try to overstep the boundaries. “Police has started visiting us quite frequently these days. More than five days a week. It is about clients, they come to ask questions, they want data, information.” states Damir Špoljarič from the webhosting company VSHosting in an interview for Lupa.cz server. “Most of the time they do not follow the rules given by law. We are public communication network provider so we insist on court order. Once we tell them this, the police often doesn’t return.“ Other providers confirm this off the record. Based on the new law, however, the military intelligence will not need to obtain a court permit, or will otherwise be able to bypass it. Czech Bar Association warns that the amendment will “loosen up the constitutionally-given protection of information transferred through the public networks and create a tool for possible misuse without any effective control by an independent authority.” This is because the law does not stipulate any limits. It matter-of-factly states that “technical tools of cyber defense” are to be installed per the approval of the government. What the intelligence will do with the probes is completely up to them.
The act is advocated by the necessity to employ cyber defense of the country. But nobody stated how the probes could help with the matter. Additionally, the term “cyber defense” means something else than “cybersecurity” – that is, “military operations in the cyberspace.” If the country intended to protect its infrastructure, it would first invest into “hardening” and “bulletproofing.” For example, it could run critical infrastructure independently of the public part of the internet and commercial providers. If this were the case, not even serious public network outage could endanger the management of, say, electrical plants.
There are both governmental and nongovernmental CSIRT groups that focus on monitoring and investigating cyberattacks and proposing security measures. Following the huge DDoS attacks in 2013 (see A2 no. 7/2013), association of Czech internet providers created so called Fenix Project. This voluntary “internal network” of operators is supposed to withstand massive attacks. Media, specialized computer security industry, and expert analysis has been focusing on cyberattacks. But the military and politicians discuss neither any concrete measures nor the ways they would put their systems in place to protect the country. Most frequently, the examples concern information collection: for example, “there can be a coded term in a text or email message that the system recognizes and sends a notification that the communication concerns a topic of security risk,” explained a defendant of the law Bohuslav Chalupa in public television. So there is an appropriate concern that this will be predominantly about intelligence. As politicians equate the probes with a banal speed measuring and Minister of Defense Martin Stropnický scaremongers with the recent local czech Google outage, military secret service agents are already talking with providers.
Man in the middle
Czech internet providers are most concerned about the fact that aside from passive monitoring, the probes will be able to conduct active interventions. They are afraid that the military will be able to break their networks. This is a serious risk that jeopardizes the security of the Czech internet. Active probes will enable direct attacks as well – for instance at the https protocol that enables encrypted web surfing. The small web browser lock that is highlighted when we communicate with, say, the bank, can be attacked from the man-in-the-middle position. Someone who, appears as the bank to me and as me to the bank, steps in the middle and gains access to both sides of the conversation. There are tools for attacking, but they run in to the tree of trust incorporated into the browser or operating system and contains lists of trusted authorities that can issue certificates – and the browser informs us about the issue. But we can also inadvertently drag “not entirely trusted authority” into the system. Paranoid users who examine the “locks” in detail will likely notice this. But it will not be the case of those who simply “click the weird notification.”
The “man in the middle” can also cooperate with already trusted authorities and let them issue fake certificates (as in the Czech environment PostSignum certification authority run by state-owned Czech Post). Active probes can replace programs we download with infected ones or implant backdoors in them – this also applies to automatic updates. They can also create false evidence and pretend there was a conversation that didn’t occur, impersonate someone, or block communication. In an extreme case, the probes could function as the “great Czech firewall.” After all, such kind of black box has already been developed for the government. The department of information technologies at the Brno Technology University utilized a Ministry of interior grant to conduct extensive research into the means of combating cybercrime. As part of the results, they developed a prototype of a “high speed probe” to monitor network operations. To this end, the school also developed the Netfox Detective software to analyze collected data. It isn’t possible to directly connect these probes to the new law and conclusively claim that the military will use them. But we know what the government commissioned to develop and can potentially order in a greater series from a commercial supplier. The company Flowmon Networks that sells boxes and software used to capture and analyze network traffic is a spin-off from Brno academic environment. The tools for all kinds of surveillance, filtering, traffic capture and analysis on a massive scale thereof represent business for many other specialized companies. It is also possible to get commercial tools that automatically attacks encrypted communication, for example through the means of the man-in-the-middle method. For this reason, a slight correction of the law, preventing the probes’ “active” operation would be a huge relief for the actual security.
Regardless, the military will now deal with either how to manage a huge data flow in the real time or where to store all the data before they will be able to process them. This is nothing trivial, but also nothing that couldn’t be had for a lot of money. Once the man in the middle arrives, we will have to be able to encrypt our data bloody well. Who among us can do this?
The author is documentary filmmaker.
Translated by Dagmar Frančíková.