Friday, 6 November 2015

It's the Little Things that Matter

The tone of the draft Investigatory Powers Bill debate was set for me when I spotted a story in the Telegraph ("Protecting children from paedophiles trumps your privacy", apparently) illustrated by a picture of a finger pressing a backspace key but captioned: "a person pressing the delete button on a laptop". I suspect this was a MacBook, which doesn't have separate keys, as favoured by the creative types who produce stock photos. My keyboard pedantry might appear excessive, but it highlights the casual imprecision about technology common among politicians and the media. While civil libertarians focus on the legal safeguards of the draft bill and obsess about the mechanics of judicial review (whenever you hear that phrase, just remember Lord Denning), there is a danger that its technical ambition will be under-estimated or misunderstood through plain old ignorance.

The BBC apparently used an image from the same stock photo-shoot in their coverage of the Home Secretary's announcement to the Commons, which reinforced the impression that we're witnessing a large-scale PR exercise that spans the political spectrum. I wouldn't go so far as to suggest that the suspension of UK flights to Sharm-el-Sheikh was a piece of opportunism in this regard, but the insistence by Philip Hammond that the UK government had intelligence not available to the Egyptian and Russian authorities was a clear nod to the utility of data interception and surveillance, not to mention a feather in the cap of the spooks. Of course, we'll never know whether this is just the inflation of boastful chatter by wannabes or something more serious, though we can be pretty sure that actual terrorists do not discuss their plans online even with the benefit of encryption and router masking.

Labour's Andy Burnham has come in for criticism for being so accommodating, welcoming the Home Secretary's proposal and dismissing the suggestion that it constitutes a "snooper's charter", though I think his lack of scepticism is more residual Blairism than evidence that Theresa May has compromising photos: "In a world where the threats we face internationally and domestically are growing, parliament cannot sit on its hands and leave blind spots where the authorities can't see". The notion of the "growing" threat, like "blind spots", is a classic securocrat trope, while the elevation of our concern to "the world" is totalising neoliberalism. The draft bill is not informed by any threat analysis that would justify this claim, or at least not one the government feels able to share even in redacted form. This is about maximising potential capability, not minimising anticipated risks.

In her speech, the Home Secretary insisted that law enforcement agencies' access to communications data would be tightly controlled. They "would only be able to make a request for the purpose of determining whether someone had for example accessed a communications website, an illegal website or to resolve an IP address." She did not explain how "illegal" websites would be defined, nor why you'd need to access Web logs to resolve an IP address (presumably she's never heard of WHOIS). What this means in practice is the ability to trawl bulk data by IP address, which in turn implies an obligation on the part of ISPs to provide address assignments by device and account. In other words, every end-point will be "on-grid". There will be no more blind-spots.

The draft bill's own blind-spots are much the same as those that were evident in the Anderson Review that reported on the UK's data investigatory powers earlier this year: little concern with the behaviour of business, in terms of its responsibilities to data-providers (i.e. we, the people); no interest in personal data as property or as having inherited human rights (EU privacy judgements are conspicuous by their absence); and an assumption that "additional protections" should be limited to institutional elites (MPs, journalists, lawyers etc). In other words, companies like TalkTalk can continue to have shockingly poor levels of data security, companies like Facebook can continue to expropriate user data in any way they wish, and your "right to privacy" means transparency to others.

As is now traditional, the government have made great play of the difference between "Internet Connection Records" and content, even wheeling out the "itemised phone bill" analogy one more time. The Guide to Powers and Safeguards issued with the draft bill defines them thus: "A kind of communications data, an ICR is a record of the internet services a specific device has connected to, such as a website or instant messaging application. It is captured by the company providing access to the internet. Where available, this data may be acquired from CSPs [communication service providers] by law enforcement and the security and intelligence agencies. An ICR is not a person’s full internet browsing history. It is a record of the services that they have connected to, which can provide vital investigative leads. It would not reveal every web page that they visit or anything that they do on that web page" (section 44-45).

This is disingenuous. The Internet is "stateless", which means that there isn't a persistent connection. Every individual request (i.e. what happens when you click a link or a button) is a separate connection, which means that accessing a single website may produce scores of separate records. In contrast, an analog telephone connection (which is what the deliberately misleading phone-bill metaphor conjures up) is "stateful" in that a fixed connection is maintained for the duration of the call (imagine a manual switchboard and an operator saying "I'll put you through"). The claim that ICRs will only record domain names rather than resources (i.e. specific pages or images to the right of the "/") is dubious, and that's without considering the complication of redirects and aliases. The C/ISP weblogs record the full URL. The idea that commercial operators would go to the trouble of truncating these before providing access to state agencies beggars belief.
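To make the difference between a request-level weblog and a domain-only record concrete, here is an added example (not part of the original post) over constructed log lines for a single page view. The three-field log layout, the `.example` hostnames and the function names are assumptions for illustration, not anything specified in the draft bill or used by a real provider.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample: one device loading one article page.
# Assumed layout (hypothetical): timestamp, device IP, full URL.
SAMPLE_LOG = """\
2015-11-06T09:00:01 10.0.0.7 http://news.example/politics/ip-bill.html
2015-11-06T09:00:01 10.0.0.7 http://news.example/css/site.css
2015-11-06T09:00:02 10.0.0.7 http://static.example/img/keyboard.jpg
2015-11-06T09:00:02 10.0.0.7 http://ads.example/track?campaign=42
2015-11-06T09:00:03 10.0.0.7 http://news.example/js/comments.js
"""


def parse(log):
    """Return a list of (timestamp, device, url), one per request line."""
    return [tuple(line.split(maxsplit=2)) for line in log.splitlines() if line.strip()]


def truncate_to_service(record):
    """Drop everything to the right of the "/": keep only the hostname."""
    ts, device, url = record
    return ts, device, urlsplit(url).hostname


def summarise(log):
    """Compare what the full weblog holds with what a host-only record holds."""
    full = parse(log)
    truncated = [truncate_to_service(r) for r in full]
    return {
        "records_for_one_page_view": len(full),
        "resources_in_full_log": [urlsplit(u).path for _, _, u in full],
        "hosts_after_truncation": Counter(h for _, _, h in truncated),
        "truncated_records": truncated,
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_LOG).items():
        print(key, "=", value)
```

The truncation is a separate processing step applied to data that already contains the full URL, which is the point the paragraph above turns on.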

The issue of content, like encryption, is a red herring. The security services are interested in network analysis, not reading your emails. Content is overwhelmingly noise and there is simply too much of it. This is why the government can claim there is no "mass surveillance", meaning individual surveillance extended to most people. When they do wish to eavesdrop, which will be on a tiny percentage of the population, full content can be secured through "equipment interference" while encryption can be circumvented by infecting target devices with keyloggers and screen-grabbers (which incidentally means the state has an interest in keeping devices vulnerable to malware). The state has always gathered data in bulk. Without Snowden and the Tempora revelations, the only reason for a bill to regularise this would be to compel business cooperation. As we now know, business is happy to cooperate and willing to support opaque language that keeps the arrangements secret (as was the case with the 1984 Telecommunications Act).

Ostensibly, the draft bill is not about giving the security services more powers, but about providing legal cover for established practice, both to absolve business of responsibility and to protect the state from legal challenge. Where it does seek to extend powers is by future-proofing the security services' surveillance capabilities in respect of the Internet of Things (IoT). Its definition of communication data includes "signals serving either for the impartation of anything between persons, between a person and a thing or between things or for the actuation or control of any apparatus" (section 193.2.b). In other words, if you use a smartphone app to remotely control your central heating, that will count as communications data, and so too will a thermostat automatically turning on a boiler. Within your home, a LAN or Wi-Fi constitutes a "private telecommunications system" that would come within the bill's scope (193.14). If it hadn't already been taken by a mobile phone operator, the strapline for this bill could be "Everything, Everywhere".

As more and more of our lives are mediated by networked devices, so more and more of our activities and associations come within the view of both businesses and intelligence agencies. It is this pattern of "entities" and "events", in the language of the draft bill, that constitutes value for both parties in the surveillance economy, not the specifics of our communications. When we talk or write, we are presenting a persona rather than our "true" selves. But what we do, and who we associate with, does not so easily dissemble. The "party animal" who tweets about a mental night out while streaming Netflix to her TV and having ordered a pizza online may be misleading her friends, but she's not misleading the harvesters of bulk data. Perhaps the most significant aspect of the public reaction to the draft bill is the failure to appreciate this imperial ambition: a form of biopolitics that makes George Orwell's 1984 look unimaginative.

1 comment:

  1. Herbie Kills Children, 10 November 2015 at 15:45

    Disagree with the tone of this article, you are too understated.

    This is not just about establishing legal cover for current practices but is about setting us on the path to totalitarianism, which is now inevitable. It really cannot be stopped.

    You know they know they are up to no good when they have to sell this using the image of child abusers and terrorists (that great double act for wannabe authoritarians everywhere).

    They wouldn't go to all that trouble if stopping pedophiles was their agenda. They don't give a shit that you now have to negotiate to get an ambulance to come out (I have first hand experience of this). They are pretending they give a shit when they really don't, that sets alarm bells ringing with me. And those bells could not be any louder.

    But it should be noted that people have taken this path quite willingly.

    I just hope they will all shut the fuck up about evil dictators and what a free country we are. Actually I have not heard anyone say this is a free country in a long time, you couldn't get through the day without someone dropping that into casual conversation in the 1980's!