This month, the UK Government produced it’s latest piece of legislation designed to provide intelligence agencies with unfettered access to all our data and communications. The Investigatory Powers Bill (IPB), affectionately known as the Snoopers Charter by privacy advocates, is the latest play in the long running debate about whether governments, should not only be legally empowered to bulk collect and surveil our data, but actually force companies to weaken the encryption they use to protect their user’s data, thereby enabling the Government to read it.
While privacy advocates will attack the legislation and rather predictably the government will defend it, the strange thing about the IPB legislation in general is that it will not and cannot deliver the government’s primary objective, which is in the words of the Home Secretary Theresa May, to ensure that “…intelligence agencies have the powers they need to keep us safe in the face of an evolving threat”.
Mass surveillance doesn’t work
There is absolutely no evidence that supports the argument that the mass surveilling of data stops attacks, or catches terrorists and there is plenty of evidence to the contrary. For example, despite the individuals involved in the terrible attacks in Paris being known to security services, and the fact that France has already implemented their own mass surveillance legislation, the atrocities still took place. Similarly, those that took part in the Charlie Hebdo attack, and the men responsible for the shocking murder of Fusilier Lee Rigby in Woolwich, were all known to security services.
If we can’t monitor those flagged up to be potential terrorists, how do we expect to effectively monitor the many millions of regular Internet users?
Drinking from a fire hose
The reason that mass surveillance doesn’t work is that it is not the correct tool to prevent terrorism, and in fact, some experts believe it takes valuable time and resources away from more effective tactics. Well respected cryptographer Bruce Schneier suggests that data mining (sifting through large amounts of data looking for patterns) is effective when seeking well defined behaviour that occurs reasonably regularly, such as credit card fraud. However, they are less effective with very rare behaviour as the mining algorithms are either tuned to provide so much data that they overwhelm the system (some have likened this to drinking from a fire hose), or are tuned to produce less data and miss an actual attack.
Bruce Schneier illustrates this point in his book, Data and Goliath:
“Think about the full-body scanners at airports. Those alert all the time when scanning people. But a TSA officer can easily check for a false alarm with a simple pat-down. This doesn’t work for a more general data-based terrorism-detection system. Each alert requires a lengthy investigation to determine whether it’s real or not. That takes time and money, and prevents intelligence officers from doing other productive work. Or, more pithily, when you’re watching everything, you’re not seeing anything.”
Safer by removing protections?
Delving into the IPB more closely, specifically section 189 entitled “Maintenance of technical capability”, would enable the secretary of state to issue orders to companies “relating to the removal of electronic protection applied … to any communications or data”. Basically, the Government could demand end-to-end encryption be disabled, or replaced with a weaker form of encryption by the provider, enabling user data to be read.
End-to-end encryption enables both the sender and receiver to encrypt and decrypt messages without the message content being available to an untrusted third party, such as the Internet Service Provider, or application provider. When we consider that one of the UK’s largest ISPs, Talk Talk, was just hacked, we can start to appreciate just how nonsensical this proposed solution is as end-to-end encryption would have ensured that none of the stolen information was readable. Should this law come into force, the law abiding citizens and companies of the UK would adhere to the IPB, becoming less secure in the process, while the terrorists and criminals illegally enjoy all the protections that well implemented encryption technology offers.
This doesn’t sound like legislation that will “…keep us safe in the face of an evolving threat”. In fact, with the removal of end-to-end encryption, the government is prioritising their ability to read our information over the security of our data, which in itself is curious, for as we know, mass surveillance doesn’t make us safer either.
Connect the dots…
So, if the answer to making us safer isn’t weakening encryption and hyper surveillance, what is it?
Simply, a return to traditional investigative work, using the tried and tested connect the dots approach suggested by experts. Specifically, following up reports of suspicious activity and plots, using sources and investigating other seemingly unrelated crimes, mixed with targeted surveillance. Many of the privacy advocates that have spoken out about this bill have not expressed a demand for privacy above all else. Rather, if we are going to use practices that clearly undermine our human rights there should be a clear benefit for doing so. As it stands, the proposed legislation and solution is not a sufficiently good reason.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net