3 May I congratulate you on your recent election to the House of
4 Commons; and express my regret that your first session will be in
5 opposition. I hope that you will quickly find your feet and come to a
6 good working relationship with both the other Opposition members and
7 those of the Government.
9 Looking forward I fear that you will be kept very busy holding the
10 Government to account. Many of the issues requiring attention
11 are things that I have observed you campaigning about in the run-up to
12 the election and hence I expect you need no further encouragement in
13 those areas. There are however two matters of Conservative policy
14 that I would like to encourage you to oppose, and in which as a
15 former IT professional you may find yourself one of the more informed
16 members of the opposition.
19 Firstly there is the matter of the Communications Data Bill,
20 popularly known as the "Snooper's Charter". No sooner had the
21 Conservatives been shown to have got a definite majority than Theresa
22 May was informing the BBC that she intended to pursue this bill in
23 the coming session. This bill is purported to restore to the
24 intelligence services capabilities that have been eroded by the
25 emergence of the internet as a common communications mechanism. This
26 bill will permit the Government to require any organisation that
27 interacts with users and produces or transmits electronic
28 communications to collect and retain information about the
29 communication and usage patterns of all their users; and to divulge
30 this information upon request.
32 There are a number of problems here:
34 1. This involves general surveillance of the population, in the hands
35 of the private sector.
37 2. Much of this data is not currently captured and many of the
38 companies involved have no experience in controlling and safeguarding
39 sensitive data of this nature; many of these companies will likely be
40 the targets of opportunistic and targeted hacking attacks. This will
41 significantly increase the risks to the public at the hands of the
42 criminals involved; both as a result of being able to pinpoint their
43 locations and movement patterns, and also because the data involved
44 will be used to facilitate identity theft.
46 3. The interception power involved here is significantly stronger than
47 traditional Police/Security powers to access, for instance, phone
48 records. The data generated through our use of services like
49 Facebook, Google and Twitter tells people far more about us, it
50 reveals our our tastes, preferences and social connections.
52 4. In theory the bill does not cover the content of communications;
53 however it is not in practice easy to separate content and
54 "envelope". For instance if I were to visit
55 https://naked-redheads.xxx/ or https://www.support-fox-hunting.org.uk/
56 then it would be fairly clear what the content I was accessing was.
57 For that matter the rightmost part of a URL, after a ?, is sometimes
58 used as part of the "envelope" and sometimes conveys content data.
59 (e.g. if I search for "who is Daniel Zeichner" then my computer will
60 make a request for https://www.google.co.uk/?q=who+is+daniel+zeichner )
62 5. The procedures for accessing the data as outlined in the bill are
63 very open; basically leaving it to the recognisance of the requester
64 that the data is required and appropriate. There have been many
65 cases in the past of both individuals and organisations misusing such
66 powers; whether for individual or organisational advantage. And this
67 is not just limited to the Police or Security Services; consider how
68 local councils have misused RIPA; for example in Liverpool it was
69 used to investigate benefit fraud, fly-tipping, and a claim for
70 damages -- none of which things were within the original intent of
73 6. No evidence has been provided to show that these powers are in fact
74 necessary. Indeed it seems to be the case that the Police and
75 Security Services are not able to handle the quantity of data that
76 they already have - we're frequently being told that the criminals
77 and so-called "terrorists" have been under investigation before an
78 event, but that resources weren't available to piece together the
79 evidence in order to prevent the event -- for example the murder of
80 Fusilier Lee Rigby, and the Charlie Hebdo murders.
82 7. In the case where suspects have already been identified existing
83 powers already permit this data to be collected upon obtaining an
86 8. The last time this bill was presented it was asserted that it would
87 cost approximately £1.8 billion; however this figure has not been
88 substantiated and no information has been presented on the ongoing
89 costs of maintaining and operating the surveilance. A YouGov survey
90 taken at that time found that about half of those polled thought this
91 would be bad value for money, and only 12% thought it would be good
92 value. In the light of point 6 above one has to wonder if a £1.8
93 billion investment might be better spent in personnel for the Police
94 and Security Services.
96 9. This approach won't work at all where so-called "darknets" like
97 the Tor network are used and it can be bypassed by the use of
98 encrypted internet tunnels where the other endpoint is in a regime
99 that does not cooperate with our information requests.
102 Secondly we have the worrying policy proposed by David Cameron in
103 January; following the Charlie Hebdo murders he asked "In our country,
104 do we want to allow a means of communication between people which we
105 cannot read?" and proposed that it should become illegal to use
106 encryption that the Security Services can't break. It seems to me
107 that there are two major objections to this policy:
109 1. There's no such thing as a cryptographic backdoor that only one
110 person knows. There are hundreds of millions of pounds spent yearly
111 trying to find holes and insecurities in cryptographic systems and
112 when such a thing is found it is rarely made publicly known, but instead
113 exploited by the actor who found it. In addition if it is plausibly
114 expected that a system does have a backdoor then traditional criminal
115 or espionage mechanisms can be used to reveal it; such as blackmail
118 2. David Cameron does not appear to have appreciated the quantity of
119 pervasive strong encryption in use by ordinary Britons daily. This
120 morning so far I have used strong encryption in the course of:
122 * Updating myself with my twitter feed
123 * Connecting to Google and Microsoft's email servers to download
125 * Making a VPN connection to my office so I can work remotely
126 * Authenticating myself to remote computers without using a password
127 (in a mechanism similar to that employed by online banking
129 * Buying a pair of slippers from an online store
130 * Making web searches
131 * Viewing the Conservative Party website to check their manifesto!
132 * Sending you this message
133 * Connecting to linux servers in the course of my job
135 I'm sure there are other things I've used it for, and there will be
136 many more during the course of a week.
138 Strong encryption is a cornerstone of our digital economy -- online
139 shops use it to protect credit card details, businesses use it to
140 protect their corporate secrets from their competitors and criminals,
141 banks use it to secure online banking, and social media sites use it
142 to protect the privacy of their customers.
145 I hope that all of the above is clear; if you need any clarifications
146 or further information then please do contact me. Alternatively the
147 Open Rights Group have a lot of relevant information on their website
148 <https://www.openrightsgroup.org/>.