Brexit trade deal advises governments to use Netscape Communicator and SHA-1. Why? It's all in the DNA
A simple cut-and-paste text job from a 2008 EU treaty for genetic databases
People are pointing to the inclusion of Netscape Navigator and SHA-1 in the newly minted British Brexit trade deal – yet no one seems to have realised that the text in question is part of a treaty underpinning an EU-wide DNA database.
Buried in the 1,000+ pages of the UK-EU trade deal are references to the obsolete Netscape Navigator browser and even Netscape Communicator, which was declared end-of-life in 1997.
“s/MIME functionality is built into the vast majority of modern e-mail software packages including Outlook, Mozilla Mail as well as Netscape Communicator 4.x and inter-operates among all major e-mail software packages,” says page 921 of the deal, in a part named “ANNEX LAW-1: EXCHANGES OF DNA, FINGERPRINTS AND VEHICLE REGISTRATION DATA”.
Rather than being a throwback to the dusty days of dial-up internet and shouting at your mum for picking up the phone while you try to download cat GIFs, however, that annex contains the full and current text of the Prüm Convention – the treaty underpinning the European Union’s bloc-wide DNA database, to which the UK wants to keep access after departing the EU on Friday (1 January).
Unilaterally modifying a treaty with more than 20 international signatories could open a can of worms – so it’s no surprise that the whole thing has been included in the Brexit trade deal, AES-256, SHA-1 and all.
The obsolete programs and security standards laid down in the Brexit trade deal are mandated for use with the Prüm database, with criminal suspects’ fingerprints, DNA and car registration details being sent around the bloc’s various police forces by email as described in both the EU treaty and the Brexit trade deal annex.
With Britain leaving the EU’s political and legal control, a new legal basis had to be found to enable ongoing access to the DNA database. Putting it into the UK-EU trade deal appears to be the solution.
An EU thing that’s valued by UK.gov
Government minister James Brokenshire told Parliament in summer:
The Government has considered the impact of sharing suspects’ data as it concerns individual freedoms. However, I am reassured by protections applicable to England and Wales which carefully govern the retention of biometric data, and which confer protections to data from individuals who have not been convicted.
Brokenshire also confirmed that since the UK joined the scheme in July 2019, around 12,000 people’s fingerprints and DNA profiles had been sent to British police through the EU DNA database – and 41,000 Britons’ information had gone to EU countries in return.
It is not immediately obvious whether the EU’s systems for moving personal data around the internet have had security updates since 2008, though one would hope the bloc’s focus on data protection would have seen the infosec parts of the Prüm treaty being pragmatically set aside.
Nonetheless, the security standards mandated are dangerously out of date and no one serious would advocate using them today. For example, the SHA-1 hashing algorithm is no longer supported by Microsoft, and the 25-year-old hash function can now be cracked for less than $50,000.
Politico-legal analysis in 280 characters
When the “obsolete security” part of the deal began circulating on Twitter this week, people whose critical thinking skills begin and end with Ctrl-F inevitably began airing their political views about the inclusion of ancient tech in the trade agreement.
Yet simply copying and pasting snippets from the annex into popular search engines takes the curious reader to its original source: EU Council decree 2008/615/JHA, dated 23 June 2008. That document adopts the Prüm Convention that was signed in 2005 by a handful of European countries, making it part of EU law.
The EU’s own EUR-Lex website, a repository of EU law similar to legislation.gov.uk, appears to show that the 2008 EU treaty’s wording has never been updated. In June this year, however, the EU Council accepted that it “needs to ensure full alignment of the new Prüm Framework with the [EU Law Enforcement Directive], especially regarding the data protection safeguards.”
Somebody has finally noticed that the Prüm Convention’s recommendations are out of date, but updating it will not be a fast process.
Sadly the BBC, whose hacks were presumably enjoying an extended period of festive cheer, reported all this dull-but-important detail by churning throwaway speculation – and even managing to quote “experts” who were curiously incurious about where the original text came from, or why a 2020 trade deal would mandate early 2000s tech.
Sneering Britons were informed that it was probably down to some tired civil servant inappropriately using copy and paste from a “late 1990s security document”; an “explanation” that is simply untrue.
Sometimes the truth is both dull and not immediately obvious – two categories of information that El Reg, at least, still specialises in ferreting out. ®
Netscape is not the only example of elderly tech being used to define EU legal standards. The Register knows of at least one diagram in EU transport safety regulations that was created by hand using MS Paint.