London Internet Exchange prepares for tapping and gagging orders
First published in the Register 17 Feb 2017
Exclusive: London Internet Exchange (LINX) – Europe's major internet traffic hub – faces a growing backlash over changes to its rules that would gag its directors when applying secret government orders to monitor networks under Britain's Investigatory Powers Act.
LINX members – hundreds of internet companies – have been given less than two weeks' warning of an effect of a proposed new LINX constitution (called "memorandum and articles") that would allow secret surveillance orders or requests to be implemented without members' knowledge.
The plans will be proposed at an extraordinary general meeting at London's West End Congress Centre on Tuesday. This will be held amid the LINX96 conference, which opens on Monday.
At the meeting, members will be asked to approve a new "gag clause", banning directors they appoint from asking members to agree or approve technical or security changes to enable or support surveillance.
LINX claims 780 organisations as members, a who's who of the world's biggest and best-known internet service and content providers, including Amazon and the BBC.
The proposals would also prevent LINX members from being asked to back potential court challenges to illegal surveillance. LINX claims to be a member-run organisation. The board and elected directors are there to "ensure that the company is run in the interests of the owners – the members."
The proposed constitution had already stirred up disagreement among those members, with the expectation that things will now escalate.
BT's chief network architect Neil McRae, a former long-serving LINX board member, told a LINX email list: "We see many challenges with how this would be achievable.
"It alarms us greatly that the will of the members' representatives would still be able to be overturned by a board member that does not represent the members. We believe this is not acceptable."
The plans – called a "chair override" in internal documents – were developed soon after the UK government secured royal assent for the controversial Investigatory Powers Act, aka the "Snoopers' Charter", in November.
In an initial member governance consultation in November, the wording of the gag clause to allow controversial decisions to be kept secret from members was omitted.
In its place, members were asked: "Do you agree that the chair should have a last-resort power to protect the company?" The consultation did not explain that – under the shadow of the Snoopers' Charter – this power will bring about secrecy orders to stop elected member representatives from referring government-ordered changes to the LINX membership for ratification.
William Waites of Scotland's HUBS internet service, a LINX member, told The Register: "LINX has been talking about changes for several years. There is no need to rush this through now, with no time for scrutiny, buried inside complex documents that few LINX members will have the time to read or understand – especially overseas.
"We need to know if this is being proposed because the government wants to get new taps into our networks."
The gag clause was published in a proposed constitution on January 30, buried in section 42B.2.iii. The explanation for it was published nine days later, less than two weeks before next week's meeting. This additional documentation makes it clear the constitution is being updated to accommodate state-issued gagging orders, such as those attached to surveillance demands from the government:
"We should spend energy to make IXs [internet exchanges] robust against use for mass surveillance," said Waites. "This plan breaks the internet's rules."
A row has already broken out among LINX's members, during the course of which Waites pointed out that the Internet Engineering Task Force had advised in May 2014, following the revelations of former NSA contractor Edward Snowden, that:
"Pervasive Monitoring is an attack on the privacy of internet users and organisations... It subverts the intent of communicating parties without the agreement of those parties. PM is an attack that needs to be mitigated where possible."
As an operator of critical infrastructure, Waites says, LINX ought to be addressing and discussing how it should defend against such attacks.
Such interception may also itself be illegal, because of a still unresolved clash between UK and European law. According to Eric King, visiting lecturer in interception law at Queen Mary University of London, LINX's European ISP members could be prosecuted or lose business by allowing bulk, untargeted interception to take place on their networks or equipment. Bulk interception with specifically targeted warrants has been ruled unlawful in a series of recent European Court of Human Rights judgments.
"This would put European internet companies in a potential illegal situation, if they permitted unwarranted access to and interception of their data by a foreign intelligence agency," King said.
An exclusive analysis of LINX member networks carried out for El Reg by Matthew Fowler found that most of LINX's members are outside the UK and mainly based in the US or Europe. Of 1,800 autonomous networks connected to LINX, 251 are in Europe, 45 in Germany, 51 in the Netherlands, and 38 in France.
These countries and their main internet connection providers are on the record as opposing British mass surveillance activities.
With most LINX member networks overseas, they offer lucrative prime targets for Britain's newly empowered signals intelligence agency GCHQ. Members suspect that LINX has been secretly consulted about new "National Security Notices" (NSNs), which can be issued to allow British agencies to scan, filter and copy communications of all users.
Founded in 1994 by a group of early British internet developers, LINX has become a successful not-for-profit enterprise wholly owned by service provider members.
Starting with a single 64kb/s link, LINX now provides 18Tb/s of bandwidth capacity from resilient hubs in London, and additional hubs in Manchester, Cardiff, Edinburgh and Northern Virginia.
If approved, the replacement constitution would add new paid executive directors to the current member-appointed board, and allow them and the paid chairman to force through tapping orders or "technical capability notices" to break security without telling the members that their own and their customers' security was under attack.
According to the agenda, LINX members have been allowed 10 minutes to consider and vote on the proposal. They have been asked to vote electronically, in advance, and to vote "yes."
The proposed constitution was unveiled at the end of January, three weeks before the planned meeting. A week later, on 8 February, its significance was explained in a governance review by company secretary and chief operating officer Howard Fisher.
Fisher explained: "If the board declines to put [a] motion to the membership for ratification, it might be because doing so would be illegal... the board might be arguing about whether to comply with a secret order from the government or to challenge it in court. Some such secret orders come with a legal duty of secrecy, such that it would be a criminal offence to disclose to the membership that it had been made.
"To place such a controversy in the membership's hands for their decision would expose board members as well as LINX corporately to criminal sanction."
According to an analysis of the new constitution published at the same time, the proposed new gag clause, numbered 42B.2.iii, was "included on specialist legal advice."
BT's McRae has asked LINX to share the "specialist legal advice" but LINX refused, saying that it was "general... often verbal or by email... not really in a form we can share with a wider audience."
To avoid the controversial proposal being rushed through using advance proxy votes from other LINX members who did not realise what they were voting for, the HUBS exchange has published a help page explaining how to retract a proxy vote in an emergency.
"We hope other members will realise these changes should be done – if they are agreed to be done – only after they realise the harm that could be done to their businesses and customers by breaching security standards," HUBS' Waites explained.
Cybersecurity and internet expert Dr Richard Clayton of Cambridge University told The Reg that inserting "probes" into LINX would be both complex and costly.
"LINX is a widely distributed, resilient system, with very high speed data distribution taking place within different subnets in different locations," he said. "To get to all of those would need multiple accesses and lots of processing equipment or very large connections to get the data out.
"Members would not notice taps on the links between the main routing devices," he added, but "a great deal of LINX traffic goes over private fibres from member to member, and intercepting those without anyone noticing would not be easy."
Malcolm Hutty, head of public affairs for LINX, told The Reg: "We brought these proposals forward at the beginning of November. Our articles must be capable of governing the company in all situations. This is an attempt to provide flexible protection against extreme circumstances."
The UK Home Office did not respond to a request for comment at the time of writing.
Editor's note: This article was updated after publication to make clear Neil McRae was quoted from a LINX mailing list, and did not speak directly to The Register. We are happy to clarify this point.