8

It's just been reported that the BBC plan to deploy wi-fi detection vans to identify users who are streaming content from their internet service (BBC iPlayer) without a TV license. For example, see The Telegraph.

How might they achieve this? What signatures could possibly be detected if the wi-fi is encrypted?

Rodrigo de Azevedo
  • 242
  • 2
  • 13
lemon
  • 183
  • 4
  • 3
    Can't believe some idiot thought this was a better idea than to simply make iPlayer ask for authentication and give out the credentials to those who pay the license. – André Borie Aug 06 '16 at 14:29
  • @AndréBorie then nothing stops me sharing my details with my friends. Also the family rules (who it applies to and when) are a little complex. – Tim Aug 10 '16 at 04:08
  • @Tim make the credentials expire every month or so, and prevent simultaneous streams to thwart using multiple devices. Spotify and Netflix manage to do it just fine, there's no reason for the BBC not to be able to. – André Borie Aug 10 '16 at 13:48

5 Answers5

7

There's a number of possible aspects at play here. First up as @gegenbeispiel says it could just be a bluff, however lets consider the possibilities if it's not.

  • Unencrypted wireless. Obvioulsy if people have unenecrypted wireless it would be technically possible to sniff traffic going over the network and determine whether iPlayer URLs were accessed and then correlate that with the License fee database. You still have the problem of narrowing down the signal to a specific property (which could be quite difficult in things like flats, but it's technically possible)

  • Encrypted wireless. Here you can't get any details on the content being transmitted but in theory you could get some details about the volume of traffic being sent/received. Now in a lab style setup where there were no other wireless signals, if someone was watching a live broadcast, you might be able to say "that wireless network transmitted roughly the same amount of data as that stream is sending" and indeed that seems to be what they're describing. Where you own the server end of a connection you could modify the volume of data sent in a pattern that might be observable in a controlled environment.

  • Wired network. Outside a property there's basically no chance of detection using vans or the like.

So technically there are some possiblities with the wireless scenarios. So what are the problems here?

  • Legal. This is generalized traffic sniffing and would inevitably (in the unencrypted scenario) gather data not related to iPlayer. This leads to potential privacy/legal issues as faced by Google with their street view data gathering.

  • Technical. The number of unencrypted wireless networks is much much lower than it was in the earlier days of home broadband. All the major ISPs that ship Wireless routers make used of WPA2 encrpytion by default, so in most cases you're looking at the encrypted wireless scenario.
    The problem with what they're describing in the article is that to me it seems likely that even if it works in a lab environment, in a real-world scenario with the huge mess of connecting devices, connections from each device and the vagaries of Internet traffic, isolating the patterns being sent in a reliable way that would stand up in court seems unlikely.

Overall it seems most likely that this is a bluff (or someone has managed to sell some snake oil inside the BBC and is going to make some good cash desiging the solution), however we'll only really know if more details emerge, most likely when someone refuses to pay the BBC after being told they're infringing and taking the matter to court.

Rory McCune
  • 60,923
  • 14
  • 136
  • 217
5

I think this tweet from BBC settles the question:

statement

and I quote: "While we don't discuss the details of how detection works for obvious reasons, it is wrong to suggest that our technology involves capturing data from private wi-fi networks."

Via: http://www.ispreview.co.uk/index.php/2016/08/no-bbc-probably-can-not-snoop-wifi-via-tv-detector-vans.html

billc.cn
  • 3,852
  • 1
  • 16
  • 24
3

It's a bluff, like so much of BBC/Capita licencing stuff.

  1. Easily defeated by using RJ45 and either turning WiFi off or putting the router into a metal Faraday cage. Aluminium foil would suffice.

  2. It would be very difficult to provide criminal-conviction-standard proof with data like this.

  3. Unless BBC puts iplayer behind a paywall, any prosecution is going to be vulnerable to the "adverse possession" defence, i.e. the BBC did not make a reasonable, obvious effort to prevent contravention.

  4. It would be much easier, and much more reliable legally for Capita/BBC to require ISPs to supply traffic data for suspect addresses under RIPA2000.

Gegenbeispiel
  • 31
  • 2
2

How this could work: BBC iPlayer is obviously under control of the BBC. When it streams video, it can freely determine the packet sizes used, and create a pattern in those packet sizes. Even if you use VPN, the VPN server would encrypt the packets, and the packet sizes would be a bit bigger, but still in a recognisable pattern. So it may be possible to look at the encrypted packages that the VPN server sends to your home, and be very sure that this is a specific iPlayer program.

gnasher729
  • 1,823
  • 10
  • 14
0

The license fee in U.K. is paid per household. The BBC iPlayer does not require login from within the U.K.

BBC has detailed information about each streaming endpoint, but the challenge for them is to match the streaming destination (maybe obscured by a carrier grade NAT) with a physical street address (and thus verify the license).

In the simplest case they can deploy the vans and sniff the encrypted WiFi traffic in the proximity of a household that does not hold a valid television license. Then they can match the on/off usage pattern of a certain endpoint with the observed WiFi traffic pattern.

In a more advanced case they can try to introduce deliberate alterations (breaks that would not get notice because of cache, changing the packet size) for a certain endpoint.

Having the information about each single receiver, I don't see a need to deploy any more advanced analysis techniques.

techraf
  • 9,141
  • 11
  • 44
  • 62
  • But per the Google Streetview case, captchering of wifi data is illegal let alone actively tempering it. Traffic pattern is a very inaccurate side-channel as well and would not stand to any kind of challenge, so they still have no ground to take further legal action which makes this "detection" a bit pointless. – billc.cn Aug 08 '16 at 17:29
  • 1
    @billc.cn I don't know what you mean by "illegal", but the article OP referenced clearly states "*The corporation has been given legal dispensation to use the new technology**. It is the Parliament of the United Kingdom who decides what is legal in UK and what is not. – techraf Aug 08 '16 at 22:25
  • @billc.cn And if you ask exactly, it is the [Regulation of Investigatory Powers Act](https://en.wikipedia.org/wiki/Regulation_of_Investigatory_Powers_Act_2000) that the article refers to ("allows certain public bodies to monitor people's Internet activities"). Namely it suggests that BBC (which is a public broadcaster in UK, unlike Google, which is a US company) would be included on the list of entities along with such as Charity Commission, Postal Services Commission, or Ofcom. – techraf Aug 08 '16 at 22:40
  • @billc.cn And if you ever had chance to live in a country where public television license fee is collected by individual inspectors (like Japan), you'd know that they don't need to challenge anything, but use pure psychological pressure. It was not the question though. – techraf Aug 08 '16 at 22:51
  • The current RIPA only allows collecting meta-data by ISPs. The "certain public bodies" that can also monitor is a limited list, which does not include the BBC (nor do the NAO where this mis-information originates). If there are new provisions in law, please provide a reference to that legislation. – billc.cn Aug 09 '16 at 12:50
  • This is not legal forum. Neither the question nor my answer do mention any law. You brought the subject out of the blue in the comments. – techraf Aug 09 '16 at 12:56