The Draft Investigatory Powers Bill has been published, setting out a new framework within which your Internet use can be monitored in various ways. These powers raise significant questions as to their effectiveness. Sebastien Lahtinen, co-founder of thinkbroadband.com, sets out some of the difficulties with the proposed Bill.
Trust & changes in behaviour
The Snowden revelations have made us all more aware of the interception activities of the intelligence services, and as a result we have seen Internet companies starting to employ strong encryption to protect their customers' data and, in turn, their own reputations. For example, Apple have told a court that it is 'impossible' for it to unlock iPhones running its latest iOS operating system. If companies are going to be required to compromise their products to enable monitoring of users, this will encourage users to implement their own encryption methods with software they trust (e.g. software which has been peer-reviewed, such as by the open source community) in a way which cannot be compromised as easily. Similarly, it is trivial to encapsulate any Internet traffic using one of a number of encrypted methods, such as Virtual Private Networks (VPNs) or other tunnelling techniques, to hide the true source/destination of communications and avoid the profiling this facilitates.
Whilst this type of security activity may currently be used only by a small number of privacy-conscious individuals for personal security, with most people using the default settings on the phones and applications they use, these tools are likely to become easier to use and will in due course become more prevalent; it would be a foolish criminal or terrorist who did not consider use of such systems and relied solely on systems provided by the major companies likely to be required to weaken their protections under this law.
Security of data — exposing UK companies and consumers to new risks
Whenever you collect data, there is a risk that this will one day be compromised. Technical systems are not foolproof, and the fact that Edward Snowden was able to expose some of the innermost secrets of the U.S. intelligence and diplomatic services is a case in point that not even the most secretive of agencies are able to keep their data safe. The Internet Service Providers are being asked to retain Internet Connection Records (ICRs) which will contain details of who is accessing which services or websites. Only recently one of the largest UK broadband providers, TalkTalk, was hacked and customer details stolen. If this can happen, what makes anyone think that ICRs would be absolutely safe from such an attack?
Imagine the scenario of the next cyber-attack, where a major UK broadband provider's database of websites you have visited is hacked and the data stolen by hackers based in a faraway country. You receive an e-mail which states that the hacking group have identified you from the ICRs and the fact you have visited a website which you might be embarrassed to admit publicly or would just prefer to keep private. This might be a website or group of websites that identifies some of your political views, religious beliefs, sexual orientation, or information about your health, and you may not even have actually visited those sites. Of course visiting such websites doesn't necessarily imply anything as it provides no context, but publication of this information may still cause you significant distress. The e-mail asks you to pay one bitcoin (a virtual currency which cannot be easily traced; currently around £315) to avoid this data being published.
Ashley Madison, a web site facilitating adulterous affairs, was hacked a few months ago, exposing the personal details of its members. This has reportedly resulted in suicides of some individuals whose names were associated with the website. This shows that the cost of illegal access to such data cannot be measured merely in financial terms, and no amount of compensation can undo the damage that collecting sensitive personal data can cause to victims.
Even anonymisation of the data is no guarantee that it could not be linked back to individuals. Last year, we saw how journey data from New York Taxis could be used to link individuals back to habits such as visiting gentlemen's clubs.
What constitutes an Internet Connection Record?
An Internet Connection Record is about identifying who is using what services or connecting to which websites (or IP addresses to be precise). You might feel safe now, thinking that you don't visit any websites which you would consider embarrassing, but if you understand how web pages work, you will soon realise how visiting an innocuous page might mean your web browser connects to a website which you may not actively wish to visit, yet an ICR would be created linking your device or identity to a website which might be embarrassing. Trying to prove a negative, that you didn't in fact visit the website, would be rather difficult.
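To make the point about how web pages work concrete, the following added example (not part of the original article) lists every host a browser would contact when loading a single page, which is what a connection-level record would see. The page content and all hostnames are constructed, and recording by hostname rather than IP address is an assumption made for readability; the article does not give the record format.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags (and the attribute holding the URL) that a browser fetches on page
# load without any action by the reader. <a href> is deliberately absent.
AUTO_FETCH = {"img": "src", "script": "src", "iframe": "src", "embed": "src",
              "video": "src", "audio": "src", "source": "src", "link": "href"}
FETCHED_LINK_RELS = {"stylesheet", "icon", "preload"}

# Constructed sample page; every hostname is made up (.example is reserved).
SAMPLE_PAGE = """
<html><head>
  <link rel="stylesheet" href="/site.css">
  <script src="//cdn.example/lib.js"></script>
</head><body>
  <p>Local news story.</p>
  <img src="https://tracker.example/pixel.gif" width="1" height="1">
  <iframe src="https://ads.sensitive-topic.example/banner"></iframe>
  <a href="https://never-clicked.example/">a link the reader never follows</a>
</body></html>
"""

class ResourceCollector(HTMLParser):
    """Collects the hosts of resources embedded in one HTML document."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.hosts = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        url = attrs.get(AUTO_FETCH.get(tag, ""))
        if not url:
            return
        rels = set((attrs.get("rel") or "").lower().split())
        if tag == "link" and not rels & FETCHED_LINK_RELS:
            return  # e.g. rel="canonical" is metadata, not a fetch
        # Resolve relative and protocol-relative URLs against the page URL.
        host = urlsplit(urljoin(self.page_url, url)).hostname
        if host and host not in self.hosts:
            self.hosts.append(host)

def connection_records(page_url, html):
    """Hosts contacted for one page view: the visited site, then the rest."""
    visited = urlsplit(page_url).hostname
    collector = ResourceCollector(page_url)
    collector.feed(html)
    return [visited] + [h for h in collector.hosts if h != visited]
```

Calling `connection_records("https://news.example/story", SAMPLE_PAGE)` returns four hosts for one deliberate visit, including the advertising host the reader never chose, while the unclicked link produces no record.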
There are provisions for the security services to undertake equipment interference (also known as hacking), which may give access to a system which would otherwise not be possible. Such an activity may well be for the benefit of society if it identifies a terrorist and prevents an attack, and few people would argue against that, but what if this interference results in a security weakness in a system which is then exploited by criminals for their own purposes? Who would be liable for the consequences? How would victims even know when this was as a result of an action authorised under this Bill?
There is no doubt that we need to modernise the laws to take into account the ever-evolving nature of the Internet, and targeted interception must be part of this. Tracking visitors to terrorist content or child abuse images may be necessary to prevent attacks against the country or vulnerable individuals; however, recording visits to every single website is bound to eventually lead to tragic consequences for law-abiding individuals and may result in a chilling effect on freedom of speech. Would you think twice about visiting the website of a controversial political party to find out their side to an issue and risk being labelled a racist? Many of these issues need to be worked through with a full analysis of the unintended consequences, before the impact of the proposed Bill will become clear.