Last Thursday(17th Nov 2016), The UK Parliament approved a bill called Investigatory Powers Act that legalise a plethora of digital spying activities by government agencies. This bill is also known as “The Snoopers Charter” and grants following powers:
Equipment interference by government agencies becomes legal
Upon obtaining a warrant, government agencies may hack into computers, networks, mobile devices, servers or any other connected or offline device. This would allow government agencies to do things like:
- download data from a mobile phone at that is stolen on left unattended
- install intrusive software that track every key pressed on a laptop.
While this is nothing new, it is the first time the practice has been made legal in a western democracy. Given that a warrant is required before any attacks, most people would be fine with this law. But…
Bulk hacking and collecting bulk data sets also becomes legal
This is where things start to get too intrusive. “Bulk hacking” grants government agencies to perform proximity attacks on networks and devices in bulk, and almost indiscriminately. For example, it would become legal for government agents to hack your company’s network if they think one of your colleagues is emailing ISIS. Not only that, it’s also legal for them to keep whatever data they might find about YOU even though you had nothing to do with it.
IP Bill and web logs
Internet service providers are now obliged to store internet history data for all their customers for a minimum of 12 months. Internet history data logs will be made up of websites that you may have visited and devices that you have connected with. Government agencies are to be given full access to all of this data without any need for a warrant.
OK so what? What’s wrong with all this?
Let’s not worry about equipment interference since this is quite similar to other breaking and entering laws that many think is fair. However, very few would find indiscriminate attacks on private data to be fair.
But I’m not fussed about the fairness of this bill, actually. What I’m concerned about is how ineffective are these policies at doing what the government claim they do: counter-terrorism and provide security. Before going further, let me introduce some security engineering jargon:
- Policy (or the objective goal)
- Mechanism (ciphers, access controls, hardware tamper-resistance and other machinery that you assemble in order to implement the policy)
- Assurance (the amount of reliance you can place on each particular mechanism)
- Incentive (the motive for people to either guard or try and defeat the policy)
Snoopers Charter is a collection of ineffective policies backed by weak mechanisms brought forward to give the illusion of assurance.
These policies are ineffective mainly due to weak mechanisms. IP bill can be defeated quite easily by proxying through a VPN. Someone who has a vested interest in maintaining anonymity and communicating secretly can still do that quite easily. You don’t need to be a genius to learn how to use Tor browser or PGP encryption.
So what’s actually happening is that criminals and terrorists can go about their business without having to change anything. ISPs will have to spend millions of pounds to collect and store weblogs. Surely, this is a cost they will just pass on to their customers. Digital intrusion is a paid service, you see.
But what is dangerous about this is that there will no doubt be a demand in the digital blackmarket for all this web-log data. Yahoo were the most recent company to come out clean about how successful they were at securing their customer data. When it comes to privacy, it’s very difficult to put the genie back in the bottle. So the fewer the data that is stored about you, the better your privacy.
Since the 9/11 attacks the Transport Security Administration in USA has spent $14.7 billion on aggressive passenger screening, which is fairly ineffective since well below half of the weapons taken through screening (accidentally or for testing purposes) were picked up, while $100m spent on reinforcing cockpit doors would remove most of the risk.