--- /dev/null
+Dear Friend,
+
+ May I congratulate you on your recent election to the House of
+Commons; and commiserate with you that your first session will take
+place upon t he benches of the Opposition. I hope that you will
+quickly find your feet and come to a good working relationship with
+both the other Opposition members and those of the Government.
+
+ Looking forward I fear that there is going to be a lot of rightous
+business for you as a member of the Opposition. Many of these issues
+are things that I have observed you campaigning about in the run-up to
+the election and hence I expect you need no further encouragment in
+those areas. There are however two matters of Conservative policy
+that I would like to encourage you to support, and in which as a
+former IT professional you may find yourself one of the more informed
+members of the opposition.
+
+
+ Firstly there is the matter of the Communications Data Bill,
+popularly known as the "Snooper's Charter". No sooner had the
+Conservatives been shown to have got a definite majority than Theresa
+May was informing the BBC that she intended to pursude this bill in
+the coming session. This bill is purported to restore to the
+intelligence services capabilities that have been eroded by the
+emergence of the internet as a common communications mechanism. This
+bill will permit the Government to require any organisation that
+interacts with users and produces or transmits electronic
+communications to collect and retain information about the
+communication and usage patterns of all their users; and to divulge
+this information upon request.
+
+ There are a number of problems here:
+
+1. This involves general surveillance of the population, in the hands
+ of the private sector.
+
+2. Much of this data is not currently captured and many of the
+ companies involved have no experience in controlling and safeguarding
+ sensitive data of this nature; many of these companies will likely be
+ the targets of opportunistic and targetted hacking attacks. This will
+ significantly increase the risks to the public at the hands of the
+ criminals involved; both as a result of being able to pinpoint their
+ locations and movement patterns, and also because the data involved
+ will be used to facilitate identity theft.
+
+3. The interception power involved here is significantly stronger than
+ traditional Police/Security powers to access, for instance, phone
+ records. he data generated through our use of services like
+ Facebook, Google and Twitter tells people far more about us, it
+ reveals our our tastes, preferences and social connections.
+
+4. In theory the bill does not cover the content of communications;
+ however it is not in practice easy to seperate content and
+ "envelope". For instance if I were to visit
+ https://naked-redheads.xxx/ or https://www.support-fox-hunting.org.uk/
+ then it would be fairly clear what the content I was accessing was.
+ For that matter the leftmost part of a URL, after a ?, is sometimes
+ used as part of the "envelope" and sometimes conveys content data
+ (e.g. if I search for "who is daniel zeichner" then my computer will
+ make a request for https://www.google.co.uk/?q=who+is+daniel+zeichner .
+
+5. The procedures for accessing the data as outlined in the bill are
+ very open; basically leaving it to the recognisance of the requester
+ that the data is required and appropriate. There have been many
+ cases in the past of both individuals and organisations misusing such
+ powers; whether for individual or organisational advantage. And this
+ is not just limited to the Police or Security Services; consider how
+ local councils have misused RIPA; for example in Liverpool it was
+ used to investigate benefit fraud, fly-tipping, and a claim for
+ damages -- none of which things were within the original intent of
+ the framers.
+
+6. No evidence has been provided to show that these powers are in fact
+ necessary. Indeed it seems to be the case that the Police and
+ Security Services are not able to handle the quantity of data that
+ they already have - we're frequently being told that the criminals
+ and so-called "terrorists" have been under investigation before an
+ event, but that resources weren't available to piece together the
+ evidence in order to prevent the event -- for example the murder of
+ Fusilier Lee Rigby, and the Charlie Hebdo murders.
+
+7. In the case where suspects have already been identified existing
+ powers already permit this data to be collected upon obtaining an
+ appropriate warrant.
+
+8. The last time this bill was presented it was asserted that it would
+ cost approximately £1.8 billion; however this figure has not been
+ substantiated and no information has been presented on the ongoing
+ costs of maintaining and operating the surveilance. A YouGov survey
+ taken at that time found that about half of those polled thought this
+ would be bad value for money, and only 12% thought it would be good
+ value. In the light of point 6 above one has to wonder if a £1.8
+ billion investment might be better spent in personel for the Police
+ and Security Services.
+
+9. This approach won't work at all where so-called "darknets" like
+ the Tor network are used and it can be bypassed by the use of
+ encrypted internet tunnels where the other endpoint is in a regime
+ that does not cooperate with our information requests.
+
+
+ Secondly we have the worrying policy proposed by David Cameron in
+January; following the Charle Hebdo murders he asked "In our country,
+do we want to allow a means of communication between people which we
+cannot read?" and proposed that it should become illegal to use
+encryption that the Security Services can't break. It seems to me
+that there are two major objections to this policy:
+
+1. There's no such thing as a cryptographic backdoor that only one
+ person knows. There are billions of pounds spent yearly trying to
+ find holes and insecurities in cryptographic systems and when such a
+ thing is found it is rarely made publically known, but instead
+ exploited by the actor who found it. In addition if it is plausibly
+ expected that a system does have a backdoor then traditional criminal
+ or espionage mechanisms can be used to reveal it; such as blackmail
+ or bribary.
+
+2. David Cameron does not appear to have appreciated the quanity of
+ pervasive strong encryption in use by ordinary Britons daily. This
+ morning so far I have used strong encryption in the course of:
+
+ * Updating myself with my twitter feed
+ * Connecting to Google and Microsoft's email servers to download
+ my email
+ * Making a VPN connection to my office so I can work remotely
+ * Authenticating myself to remote computers without using a password
+ (in a mechanism similar to that employed by online banking
+ security tokens)
+ * Buying a pair of slippers from an online store
+ * Making web searches
+ * Viewing the Conservative Party website to check their manifesto!
+ * Sending you this message
+ * Connecting to linux servers in the course of my job
+
+ I'm sure there are other things I've used it for, and there will be
+ many more during the course of a week.
+
+ Strong encryption is a cornerstone of our digital economy -- online
+ shops use it to protect credit card details, businesses use it to
+ protect their corporate secrets from their competitors and criminals,
+ banks use it to secure online banking, and social media sites use it
+ to protect the privacy of their customers.
+
+
+ I hope that all of the above is clear; if you need any clarifications
+or further information then please do contact me. Alternatively the
+Open Rights Group have a lot of relevant information on their website
+<https://www.openrightsgroup.org/>.
+
+ Yours in truth,
+
+ Jonathan Amery
~nmamery / letters-to-mps / blobdiff