Dear Friend,

May I congratulate you on your recent election to the House of Commons; and commiserate with you that your first session will take place upon the benches of the Opposition. I hope that you will quickly find your feet and come to a good working relationship with both the other Opposition members and those of the Government.

Looking forward, I fear that there is going to be a lot of righteous business for you as a member of the Opposition. Many of these issues are things that I have observed you campaigning about in the run-up to the election and hence I expect you need no further encouragement in those areas. There are however two matters of Conservative policy that I would like to encourage you to support, and in which as a former IT professional you may find yourself one of the more informed members of the Opposition.

Firstly there is the matter of the Communications Data Bill, popularly known as the "Snooper's Charter". No sooner had the Conservatives been shown to have got a definite majority than Theresa May was informing the BBC that she intended to pursue this bill in the coming session. This bill is purported to restore to the intelligence services capabilities that have been eroded by the emergence of the internet as a common communications mechanism. This bill will permit the Government to require any organisation that interacts with users and produces or transmits electronic communications to collect and retain information about the communication and usage patterns of all their users; and to divulge this information upon request.

There are a number of problems here:

1. This involves general surveillance of the population, in the hands of the private sector.

2. Much of this data is not currently captured and many of the companies involved have no experience in controlling and safeguarding sensitive data of this nature; many of these companies will likely be the targets of opportunistic and targeted hacking attacks.
This will significantly increase the risks to the public at the hands of the criminals involved; both as a result of being able to pinpoint their locations and movement patterns, and also because the data involved will be used to facilitate identity theft.

3. The interception power involved here is significantly stronger than traditional Police/Security powers to access, for instance, phone records. The data generated through our use of services like Facebook, Google and Twitter tells people far more about us; it reveals our tastes, preferences and social connections.

4. In theory the bill does not cover the content of communications; however it is not in practice easy to separate content and "envelope". For instance if I were to visit https://naked-redheads.xxx/ or https://www.support-fox-hunting.org.uk/ then it would be fairly clear what the content I was accessing was. For that matter the leftmost part of a URL, after a ?, is sometimes used as part of the "envelope" and sometimes conveys content data (e.g. if I search for "who is daniel zeichner" then my computer will make a request for https://www.google.co.uk/?q=who+is+daniel+zeichner ).

5. The procedures for accessing the data as outlined in the bill are very open; basically leaving it to the recognisance of the requester that the data is required and appropriate. There have been many cases in the past of both individuals and organisations misusing such powers; whether for individual or organisational advantage. And this is not just limited to the Police or Security Services; consider how local councils have misused RIPA; for example in Liverpool it was used to investigate benefit fraud, fly-tipping, and a claim for damages -- none of which things were within the original intent of the framers.

6. No evidence has been provided to show that these powers are in fact necessary.
Indeed it seems to be the case that the Police and Security Services are not able to handle the quantity of data that they already have - we're frequently being told that the criminals and so-called "terrorists" have been under investigation before an event, but that resources weren't available to piece together the evidence in order to prevent the event -- for example the murder of Fusilier Lee Rigby, and the Charlie Hebdo murders.

7. In the case where suspects have already been identified existing powers already permit this data to be collected upon obtaining an appropriate warrant.

8. The last time this bill was presented it was asserted that it would cost approximately £1.8 billion; however this figure has not been substantiated and no information has been presented on the ongoing costs of maintaining and operating the surveillance. A YouGov survey taken at that time found that about half of those polled thought this would be bad value for money, and only 12% thought it would be good value. In the light of point 6 above one has to wonder if a £1.8 billion investment might be better spent in personnel for the Police and Security Services.

9. This approach won't work at all where so-called "darknets" like the Tor network are used and it can be bypassed by the use of encrypted internet tunnels where the other endpoint is in a regime that does not cooperate with our information requests.

Secondly we have the worrying policy proposed by David Cameron in January; following the Charlie Hebdo murders he asked "In our country, do we want to allow a means of communication between people which we cannot read?" and proposed that it should become illegal to use encryption that the Security Services can't break.

It seems to me that there are two major objections to this policy:

1. There's no such thing as a cryptographic backdoor that only one person knows.
There are billions of pounds spent yearly trying to find holes and insecurities in cryptographic systems and when such a thing is found it is rarely made publicly known, but instead exploited by the actor who found it. In addition if it is plausibly expected that a system does have a backdoor then traditional criminal or espionage mechanisms can be used to reveal it; such as blackmail or bribery.

2. David Cameron does not appear to have appreciated the quantity of pervasive strong encryption in use by ordinary Britons daily. This morning so far I have used strong encryption in the course of:

* Updating myself with my Twitter feed
* Connecting to Google and Microsoft's email servers to download my email
* Making a VPN connection to my office so I can work remotely
* Authenticating myself to remote computers without using a password (in a mechanism similar to that employed by online banking security tokens)
* Buying a pair of slippers from an online store
* Making web searches
* Viewing the Conservative Party website to check their manifesto!
* Sending you this message
* Connecting to Linux servers in the course of my job

I'm sure there are other things I've used it for, and there will be many more during the course of a week. Strong encryption is a cornerstone of our digital economy -- online shops use it to protect credit card details, businesses use it to protect their corporate secrets from their competitors and criminals, banks use it to secure online banking, and social media sites use it to protect the privacy of their customers.

I hope that all of the above is clear; if you need any clarifications or further information then please do contact me. Alternatively the Open Rights Group have a lot of relevant information on their website.

Yours in truth,
Jonathan Amery