Exclusive: London Internet Exchange (LINX) – Europe’s largest provider of internet interconnect services – faces a growing backlash among members over changes to its rules that would gag directors applying secret government orders to monitor traffic under Britain’s new Investigatory Powers Act.
Members of LINX have been given less than two weeks’ warning of an effect of a proposed new LINX constitution (called “memorandum and articles”) that would allow secret surveillance orders or requests to be implemented without members’ knowledge.
The plans will be proposed at an Extraordinary General Meeting (EGM) of members at London’s West End Congress Centre, starting on Monday.
At the meeting, members will be asked to approve a new “gag clause”, banning directors they appoint from asking members to agree or approve technical or security changes to enable or support surveillance.
LINX claims 780 organisations as members, a who’s who of the world’s biggest and best-known names in internet service and content provision, including Amazon and the BBC.
The proposals would also prevent LINX members from being asked to back potential court challenges to illegal surveillance.
LINX claims to be a member-run organisation. The board and elected directors are there to “ensure that the company is run in the interests of the owners – the members”.
The proposed constitution had already stirred up disagreement among those members, with the expectation that things will now escalate.
BT’s chief network architect Neil McRae, a former long-serving LINX board member, told The Reg: “We see many challenges with how this would be achievable.
“It alarms us greatly that the will of the members’ representatives would still be able to be overturned by a board member that does not represent the members. We believe this is not acceptable.”
The plans – called a “chair override” in internal documents – were developed soon after the government secured royal assent for the controversial Investigatory Powers Act (PDF), aka the “Snoopers’ Charter”, last November.
In an initial member governance consultation in November, the wording of the gag clause to allow controversial decisions to be kept secret from members was omitted.
In its place, members were asked: “Do you agree that the chair should have a last-resort power to protect the company?”
The consultation document did not explain that this would include a power for secrecy orders, intended to stop elected member representatives from referring government-ordered changes to the membership for ratification.
William Waites of Scotland’s HUBS internet service, a LINX member, told The Reg: “LINX has been talking about changes for several years. There is no need to rush this through now, with no time for scrutiny, buried inside complex documents that few LINX members will have the time to read or understand – especially overseas.
“We need to know if this is being proposed because the government wants to get new taps into our networks.”
The gag clause was published as part of the proposed constitution on 30 January, located deep in the document on page 23. The explanation for it was published nine days later, less than two weeks before the meeting.
“We should spend energy to make IXs robust against use for mass surveillance,” said Waites. “This plan breaks the internet’s rules.”
A row has already broken out among LINX’s members, during the course of which Waites pointed out that the Internet Engineering Task Force (IETF) had advised in May 2014, following the revelations of former NSA contractor Edward Snowden, that:
“Pervasive Monitoring is an attack on the privacy of internet users and organisations… It subverts the intent of communicating parties without the agreement of those parties. PM is an attack that needs to be mitigated where possible.”
As an operator of critical infrastructure, Waites says, LINX ought to be addressing and discussing how it should defend against such attacks.
Such interception may also itself be illegal, because of a still unresolved clash between UK and European law. According to Eric King, visiting lecturer in interception law at Queen Mary University of London, LINX’s European ISP members could be prosecuted or lose business by allowing bulk, untargeted interception to take place on their networks or equipment. Bulk interception with specifically targeted warrants has been ruled unlawful in a series of recent European Court of Human Rights judgments.
“This would put European internet companies in a potential illegal situation, if they permitted unwarranted access to and interception of their data by a foreign intelligence agency,” King said.
An exclusive analysis of LINX member networks carried out for El Reg by Matthew Fowler found that most of LINX’s members are outside the UK and mainly based in the US or Europe. Of 1,800 autonomous networks connected to LINX, 251 are in Europe, 45 in Germany, 51 in the Netherlands, and 38 in France.
These countries and their main internet connection providers are on the record as opposing British mass surveillance activities.
With most LINX member networks overseas, they offer lucrative prime targets for Britain’s newly empowered signals intelligence agency GCHQ. Members suspect that LINX has been secretly consulted about new “National Security Notices” (NSNs), which can be issued to allow British agencies to scan, filter and copy communications of all users.
Founded in 1994 by a group of early British internet developers, LINX has become a successful not-for-profit enterprise wholly owned by service provider members.
Starting with a single 64kb link, LINX now provides 18Tb capacity from differing resilient hubs in London, and additional hubs in Manchester, Cardiff, Edinburgh and Northern Virginia.
If approved, the replacement constitution would add new paid executive directors to the current member-appointed board, and allow them and the paid chairman to force through tapping orders or “technical capability notices” to break security without telling the members that they and their customers’ security was under attack.
According to the agenda, LINX members have been allowed 10 minutes to consider and vote on the proposal. They have been asked to vote electronically, in advance, and to vote “yes”.
The proposed constitution was unveiled at the end of January, three weeks before the planned meeting. A week later, on 8 February, its significance was explained in a “Governance Review” by company secretary and Chief Operating Officer Howard Fisher.
Fisher explained: “If the board declines to put [a] motion to the membership for ratification, it might be because doing so would be illegal… the board might be arguing about whether to comply with a secret order from the government or to challenge it in court. Some such secret orders come with a legal duty of secrecy, such that it would be a criminal offence to disclose to the membership that it had been made.
“To place such a controversy in the membership’s hands for their decision would expose board members as well as LINX corporately to criminal sanction.”
According to an analysis of the new constitution published at the same time, the proposed new gag clause, numbered 42B.2 (iii) was “included on specialist legal advice” [PDF].
BT’s McRae has asked LINX to share the “specialist legal advice” but LINX refused, saying that it was “general… often verbal or by email… not really in a form we can share with a wider audience”.
To avoid the controversial proposal being rushed through using advance proxy votes from other LINX members who did not realise what they were voting for, the HUBS exchange has published a help page to explain how to emergency retract a proxy vote.
“We hope other members will realise these changes should be done – if they are agreed to be done – only after they realise the harm that could be done to their businesses and customers by breaching security standards,” HUBS’ Waites explained.
Cybersecurity and internet expert Dr Richard Clayton of Cambridge University told The Reg that inserting “probes” into LINX would be both complex and costly.
“LINX is a widely distributed, resilient system, with very high speed data distribution taking place within different subnets in different locations,” he said. “To get to all of those would need multiple accesses and lots of processing equipment or very large connections to get the data out.
“Members would not notice taps on the links between the main routing devices,” he added, but “a great deal of LINX traffic goes over private fibres from member to member and intercepting those without anyone noticing would not be easy.”
Malcolm Hutty, head of public affairs for LINX, told The Reg: “We brought these proposals forward at the beginning of November. Our articles must be capable of governing the company in all situations. This is an attempt to provide flexible protection against extreme circumstances.”
The Home Office did not respond to a request for comment at the time of writing. ®