Opinion: The Draft Investigatory Powers Bill
Thursday 05 November 2015 00:00:27 by Sebastien Lahtinen

The Draft Investigatory Powers Bill has been published, setting out a new framework within which your Internet use can be monitored in various ways. These powers raise significant questions as to their effectiveness. Sebastien Lahtinen, co-founder of thinkbroadband.com, sets out some of the difficulties with the proposed Bill.

Trust & changes in behaviour

The Snowden revelations have made us all more aware of the interception activities of the intelligence services, and as a result we have seen Internet companies starting to employ strong encryption to protect their customers' data and their own reputations. For example, Apple have told a court that it is 'impossible' for it to unlock iPhones running its latest iOS operating system. If companies are going to be required to compromise their products to enable monitoring of users, this will encourage users to implement their own encryption methods with software they trust (e.g. software which has been peer-reviewed, such as by the open source community) in a way which cannot be compromised as easily. Similarly, it is trivial to encapsulate any Internet traffic using one of a number of encrypted methods, such as Virtual Private Networks (VPNs) or other tunnelling techniques, to hide the true source/destination of communications and prevent the profiling this facilitates.

Whilst this type of security activity may currently be used only by a small number of privacy-conscious individuals for personal security, with most people using the default settings on the phones and applications they use, these tools are likely to become easier to use and will in due course become more prevalent. It would be a foolish criminal or terrorist who did not consider using such systems and instead relied solely on systems provided by the major companies likely to be required to weaken their protections under this law.

Security of data — exposing UK companies and consumers to new risks

Whenever you collect data, there is a risk that it will one day be compromised. Technical systems are not foolproof, and the fact that Edward Snowden was able to expose some of the innermost secrets of the U.S. intelligence and diplomatic services is a case in point that not even the most secretive of agencies are able to keep their data safe. The Internet Service Providers are being asked to retain Internet Connection Records (ICRs) which will contain details of who is accessing which services or websites. Only recently one of the largest UK broadband providers, TalkTalk, has been hacked and customer details stolen. If this can happen, what makes anyone think that ICRs would be absolutely safe from such an attack?

Imagine the scenario of the next cyber-attack, where a major UK broadband provider's database of websites you have visited is hacked and the data stolen by hackers based in a far away country. You receive an e-mail which states that the hacking group have identified you from the ICRs and the fact you have visited a website which you might be embarrassed to admit publicly or would just prefer to keep private. This might be a website or group of websites that identifies some of your political views, religious beliefs, sexual orientation, or information about your health, and you may not even have actually visited those sites. Of course visiting such websites doesn't necessarily imply anything as it provides no context, but publication of this information may still cause you significant distress. The e-mail asks you to pay one bitcoin (a virtual currency which cannot be easily traced; currently around £315) to avoid this data being published.

Ashley Madison, a web site facilitating adulterous affairs, was hacked a few months ago, exposing the personal details of its members. This has reportedly resulted in suicides of some individuals whose names were associated with the website. This shows that the cost of illegal access to such data cannot be measured merely in financial terms, and no amount of compensation can undo the damage that collecting sensitive personal data can cause to victims.

Even anonymisation of the data is no guarantee that it could not be linked back to individuals. Last year, we saw how journey data from New York taxis could be used to link individuals back to habits such as visiting gentlemen's clubs.

What constitutes an Internet Connection Record?

An Internet Connection Record is about identifying who is using what services or connecting to which websites (or IP addresses to be precise). You might feel safe now thinking that you don't visit any websites which you would consider embarrassing but if you understand how web pages work, you will soon realise how visiting an innocuous page might mean your web browser connects to a website which you may not actively wish to visit, yet an ICR would be created linking your device or identity to a website which might be embarrassing. Trying to prove a negative, that you didn't in fact visit the website, would be rather difficult.

Equipment interference

There are provisions for the security services to undertake equipment interference (also known as hacking), which may give access to a system where this would otherwise not be possible. Such an activity may well be for the benefit of society if it identifies a terrorist and prevents an attack, and few people would argue against that, but what if this interference results in a security weakness in a system which is then exploited by criminals for their own purposes? Who would be liable for the consequences? How would victims even know when this was the result of an action authorised under this Bill?

Conclusion

There is no doubt that we need to modernise the laws to take into account the ever evolving nature of the Internet, and targeted interception must be part of this. Tracking visitors to terrorist content or child abuse images may be necessary to prevent attacks against the country or vulnerable individuals; however, recording visits to every single website is bound to eventually lead to tragic consequences for law abiding individuals and may result in a chilling effect on freedom of speech. Would you think twice about visiting the website of a controversial political party to find out their side of an issue and risk being labelled a racist? Many of these issues need to be worked through with a full analysis of the unintended consequences before the impact of the proposed Bill will become clear.

Comments

Posted by mervl about 1 year ago
Fear is a more effective weapon than bombs or armies. The terrorists know that only too well.
Posted by AndrueC about 1 year ago
So do governments. And religions. It's a universal truism that anyone who wants to manipulate people knows.
Posted by davidinnotts about 1 year ago
Good article, Sebastien. But you don't cover one key point which the media seem keen to sideslip, too: it is of supreme indifference to security agencies whether their access to your data results in the possible attacks and scams you describe so well. As long as they have access for counter-terrorism, any criminal consequences are an issue for governments to deal with, not a reason for them to stop insisting on access to all personal data. The fact that only organized criminals, terrorist groups and other governments can protect themselves is not a reason to stop, either.
Posted by Skilty about 1 year ago
What I also find interesting is that "The Wilson Doctrine" will be enshrined in law. There was mention of journalists but interestingly (unless I missed it) no mention of communication between a solicitor and their client(s).

It seems that politicians have ensured they are exempt. David Chaytor, Jim Devine, Elliot Morley, Eric Illsley, Margaret Mora, Lord Taylor and many others have had suspended sentences or prison terms.
Posted by DrMikeHuntHurtz about 1 year ago
So the lesson from this... use a VPN.
Posted by djfunkdup about 1 year ago
Yes agreed Dr Mike .. VPN polished and ready to deploy ;-)
Posted by gerarda about 1 year ago
I think there is a superfluous r in the title
Posted by mdar5 about 1 year ago
If you lot on here think VPN providers do not keep records (despite what they might say) or that they will be only too eager to provide the info when the police call and 'suggest' that they might like to cooperate, then you are living in laa laa land.
Posted by Spud2003 about 1 year ago
Unless you can actually provide evidence that VPN providers who claim not to log do then all you have is an opinion. There are plenty of them claiming not to log and they'd be out of business if just a single disgruntled employee said otherwise -

https://torrentfreak.com/anonymous-vpn-service-provider-review-2015-150228/
Posted by GeeTee about 1 year ago
VPN is all well and good. Endpoint to endpoint encryption of messaging is all well and good. Those may get you out of the dragnet.

But consider https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/473740/Factsheet-Targeted_Equipment_Interference.pdf

^^ This is riding along with the proposed IPB... basically encrypt your comms, expect an endpoint exploit to capture content before encryption kicks in. Using a VPN or TOR just paints a target on your own back.

Insidious is an understatement.
Posted by GeeTee about 1 year ago
As could have been predicted from some distant orbit, that document harnesses the Islamist extremists, paedos, organised crime, terrorists, "cyber-attack" whatever that may be in order to get the message across.

Whatever you do... be very afraid.... or something, whatever just submit.

Write to your MP... kill this thing.
Posted by ValueforMoney about 1 year ago
I am not sure it will ever be possible to stop these folk collecting data.
The Legal use of any data should I think acknowledge that the data itself cannot be relied upon as evidence against a person, thus acknowledging that the naming and numbering for the internet is such a kludge. I do not own my phone number, or IP address; I do not control where these are registered or maintained. This must have a legal bearing on the status of any information stored against numbers loosely associated against me.
Posted by Blackmamba about 1 year ago
Hi Broadband Watchers.
Only a few years ago, before broadband, data collection was called SVI service interception; today it is called Hacking, which can be done by any person, so it is the responsibility of the individual not to be Hacked. When SVI was used it had to go via the courts to collect data for prosecution.
Posted by seb (staff member) about 1 year ago
ValueforMoney: You're absolutely right in the difficulties using the data for 'legal' purposes.. but the abuse is far more likely to be related to unlawful and illegal uses where burdens of proof don't exist.. rumours and conjecture will take over.
Posted by ValueforMoney about 1 year ago
@Andrew Perhaps, but one step at a time. The key in progressing the matter over time is establishing that the data cannot be trusted for legal purposes, and perhaps can be used to narrow an investigation to remove rumour and conjecture. You are looking in a haystack for a needle of unknown quality and dimension. You have to definitively assume innocence until other evidence emerges.
Posted by Teefenn1 about 1 year ago
You haven't mentioned the most dangerous and insidious aspect of this Bill, i.e. the secrecy. Any provider that has had a Communications Data Retention Notice served on them will be prevented by this law from ever disclosing this fact to their customers or anyone else. I know my ISP, AAISP, would never willingly cooperate and have no current systems to log web visits. However should they be served with a notice they will be barred from telling me so, on pain of being criminalised.