From: Jonathan Amery Date: Mon, 11 May 2015 12:25:37 +0000 (+0100) Subject: First Up. X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~nmamery/git?p=letters-to-mps;a=commitdiff_plain;h=e897fe0f23c48a930e04b28866ac1bdfcca7a923;ds=sidebyside First Up. Letter to DZ about Snooper's Charter and Encryption. --- diff --git a/daniel-zeichner-20150511.txt b/daniel-zeichner-20150511.txt new file mode 100644 index 0000000..44108fc --- /dev/null +++ b/daniel-zeichner-20150511.txt 
@@ -0,0 +1,152 @@ +Dear Friend, + + May I congratulate you on your recent election to the House of +Commons; and commiserate with you that your first session will take +place upon t he benches of the Opposition. I hope that you will +quickly find your feet and come to a good working relationship with +both the other Opposition members and those of the Government. + + Looking forward I fear that there is going to be a lot of rightous +business for you as a member of the Opposition. Many of these issues +are things that I have observed you campaigning about in the run-up to +the election and hence I expect you need no further encouragment in +those areas. There are however two matters of Conservative policy +that I would like to encourage you to support, and in which as a +former IT professional you may find yourself one of the more informed +members of the opposition. + + + Firstly there is the matter of the Communications Data Bill, +popularly known as the "Snooper's Charter". No sooner had the +Conservatives been shown to have got a definite majority than Theresa +May was informing the BBC that she intended to pursude this bill in +the coming session. This bill is purported to restore to the +intelligence services capabilities that have been eroded by the +emergence of the internet as a common communications mechanism. This +bill will permit the Government to require any organisation that +interacts with users and produces or transmits electronic +communications to collect and retain information about the +communication and usage patterns of all their users; and to divulge +this information upon request. + + There are a number of problems here: + +1. This involves general surveillance of the population, in the hands + of the private sector. + +2. 
Much of this data is not currently captured and many of the + companies involved have no experience in controlling and safeguarding + sensitive data of this nature; many of these companies will likely be + the targets of opportunistic and targetted hacking attacks. This will + significantly increase the risks to the public at the hands of the + criminals involved; both as a result of being able to pinpoint their + locations and movement patterns, and also because the data involved + will be used to facilitate identity theft. + +3. The interception power involved here is significantly stronger than + traditional Police/Security powers to access, for instance, phone + records. he data generated through our use of services like + Facebook, Google and Twitter tells people far more about us, it + reveals our our tastes, preferences and social connections. + +4. In theory the bill does not cover the content of communications; + however it is not in practice easy to seperate content and + "envelope". For instance if I were to visit + https://naked-redheads.xxx/ or https://www.support-fox-hunting.org.uk/ + then it would be fairly clear what the content I was accessing was. + For that matter the leftmost part of a URL, after a ?, is sometimes + used as part of the "envelope" and sometimes conveys content data + (e.g. if I search for "who is daniel zeichner" then my computer will + make a request for https://www.google.co.uk/?q=who+is+daniel+zeichner . + +5. The procedures for accessing the data as outlined in the bill are + very open; basically leaving it to the recognisance of the requester + that the data is required and appropriate. There have been many + cases in the past of both individuals and organisations misusing such + powers; whether for individual or organisational advantage. 
And this + is not just limited to the Police or Security Services; consider how + local councils have misused RIPA; for example in Liverpool it was + used to investigate benefit fraud, fly-tipping, and a claim for + damages -- none of which things were within the original intent of + the framers. + +6. No evidence has been provided to show that these powers are in fact + necessary. Indeed it seems to be the case that the Police and + Security Services are not able to handle the quantity of data that + they already have - we're frequently being told that the criminals + and so-called "terrorists" have been under investigation before an + event, but that resources weren't available to piece together the + evidence in order to prevent the event -- for example the murder of + Fusilier Lee Rigby, and the Charlie Hebdo murders. + +7. In the case where suspects have already been identified existing + powers already permit this data to be collected upon obtaining an + appropriate warrant. + +8. The last time this bill was presented it was asserted that it would + cost approximately £1.8 billion; however this figure has not been + substantiated and no information has been presented on the ongoing + costs of maintaining and operating the surveilance. A YouGov survey + taken at that time found that about half of those polled thought this + would be bad value for money, and only 12% thought it would be good + value. In the light of point 6 above one has to wonder if a £1.8 + billion investment might be better spent in personel for the Police + and Security Services. + +9. This approach won't work at all where so-called "darknets" like + the Tor network are used and it can be bypassed by the use of + encrypted internet tunnels where the other endpoint is in a regime + that does not cooperate with our information requests. 
+ + + Secondly we have the worrying policy proposed by David Cameron in +January; following the Charle Hebdo murders he asked "In our country, +do we want to allow a means of communication between people which we +cannot read?" and proposed that it should become illegal to use +encryption that the Security Services can't break. It seems to me +that there are two major objections to this policy: + +1. There's no such thing as a cryptographic backdoor that only one + person knows. There are billions of pounds spent yearly trying to + find holes and insecurities in cryptographic systems and when such a + thing is found it is rarely made publically known, but instead + exploited by the actor who found it. In addition if it is plausibly + expected that a system does have a backdoor then traditional criminal + or espionage mechanisms can be used to reveal it; such as blackmail + or bribary. + +2. David Cameron does not appear to have appreciated the quanity of + pervasive strong encryption in use by ordinary Britons daily. This + morning so far I have used strong encryption in the course of: + + * Updating myself with my twitter feed + * Connecting to Google and Microsoft's email servers to download + my email + * Making a VPN connection to my office so I can work remotely + * Authenticating myself to remote computers without using a password + (in a mechanism similar to that employed by online banking + security tokens) + * Buying a pair of slippers from an online store + * Making web searches + * Viewing the Conservative Party website to check their manifesto! + * Sending you this message + * Connecting to linux servers in the course of my job + + I'm sure there are other things I've used it for, and there will be + many more during the course of a week. 
+ + Strong encryption is a cornerstone of our digital economy -- online + shops use it to protect credit card details, businesses use it to + protect their corporate secrets from their competitors and criminals, + banks use it to secure online banking, and social media sites use it + to protect the privacy of their customers. + + + I hope that all of the above is clear; if you need any clarifications +or further information then please do contact me. Alternatively the +Open Rights Group have a lot of relevant information on their website +. + + Yours in truth, + + Jonathan Amery
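Review bot: point 4 of the letter has the URL anatomy backwards: the query string after "?" is the rightmost part of a URL, not "the leftmost part of a URL, after a ?", and the example sentence "(e.g. if I search for "who is daniel zeichner" then my computer will make a request for https://www.google.co.uk/?q=who+is+daniel+zeichner ." never closes its parenthesis; suggest rewording to "the rightmost part of a URL, after a ?" and adding the closing ")". The closing paragraph also ends with "information on their website" followed by a line containing only ".", which reads as if the Open Rights Group URL was dropped before commit; either add the link or join the full stop to the previous line. Finally, a spell-check pass before sending would catch "t he benches", "rightous", "encouragment", "pursude", "targetted", "he data", "our our", "seperate", "surveilance", "personel", "bribary", "quanity" and "Charle Hebdo".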