
Internet monitoring and civil liberties

The government has laid out plans to monitor internet usage in the UK, namely to tackle “serious” crime and make it easier to track criminals, through monitoring of webmail, social networking sites, internet phone calls and online gaming.

The first reaction of any serious criminal will be to go underground, that’s if they’re not there already.  It is trivial to implement peer to peer encryption and conceal one’s activities.  Take solutions such as http://www.openvpn.net, which punches a private tunnel through your ISP to out-of-jurisdiction proxy servers.  Or for the more paranoid, there’s the Tor project – https://www.torproject.org/.  For the even more paranoid, open source software can set up a darknet.  A darknet is your own private network of Internet based PCs, where you control the encryption keys and who has access.  After all, Cloud based solutions like OpenVPN and Tor are open to being cracked open by law enforcement agencies, or their owners forced to reveal encryption keys and install monitoring software under the US Patriot Act or RIPA.

Why all the fuss?

So why all the fuss by the UK government and why has the private ISP industry had to spend £2bn to implement solutions that record each and every internet conversation and store it for a year?  Apparently, this is so law enforcement agencies can track down perpetrators of “serious” crime, but with serious criminals being forced underground, or forced to Google for a readily available privacy solution, it is doubtful that “serious” criminals would ever let unencrypted data leave their computers and enter the ISP in the first place.  The target for law enforcement agencies is low hanging fruit, and the intellectually challenged/opportunists/script kiddies who fail to understand that if unencrypted data leaves their PCs, then the likes of GCHQ and law enforcement agencies will be able to see it.

They are not going to be able to use internet monitoring to track serious crime.  Terrorists, paedophiles, fraudsters and enemy states are already underground, and only traditional investigation methods, such as physical surveillance and extraordinary rendition are going to work in reducing serious crime.  Internet monitoring is no magic shortcut to catch serious criminals and may well make law enforcement agencies somewhat complacent and reluctant to leave their desks and do proper investigative work.  The plan will be good for catching cyber bullies, Sony’s public enemy number 1 (music pirates), tax evaders, people that use Twitter to plan riots, opportunists that import cheap goods from China and avoid import duty, software pirates and that’s probably about it. This is a message from the government saying “step out of line, we’ll prosecute you, we know what you’re doing”, as opposed to “serious criminals, take note, we’re going to get you”.

Inevitably, when one deals with Big Brother legislation such as this, the innocent will get caught up in it.  Maybe their PC gets used by somebody else, maybe on a botnet, maybe there’s remote control malware.  Or technology gets it wrong and identifies the wrong person, law enforcement provide the wrong IP address on their records and who knows what else.  Given the huge £2bn investment and the number of law enforcement officers that would need to be trained up to use internet monitoring technology (or do they outsource it, like computer forensics?), this is not going to be a squeaky clean process.  Mistakes will be made, but rest assured, the judicial system will prosecute and fine as much low hanging fruit as possible.

Is this a bill to make money, or make the UK a safer place to live?

The Home Office has already hinted that the bill will generate UK plc £5-6bn over the next 10 years from seizing of criminal assets and catching out tax offenders.  It will cost ISPs and law enforcement agencies in excess of this to use the bill in a proportionate and measured way.  Given track records of the RIPA being used by councils to snoop on potential council tax evaders and being completely disproportionate, it will be interesting to see how law enforcement agencies play their carte blanche.  Completely unmonitored, unrecorded, ad-hoc access to our internet behaviours.

The bill moves focus away from serious crime, and targets minor offenders.  The music industry has been lobbying extra hard to get this legislation put through, as they come out as the only body that could really financially benefit from such legislation.  Given recent account/password hacks via LinkedIn, last.fm and eHarmony, password reuse “attacks” are going to draw the innocent to be investigated even further, as law enforcement will not be able to readily tell whether a social media account is actually being used by the individual in question.

Intrusive internet monitoring is wrong, it will harm the innocent and lawmakers have taken things too far this time.  This isn’t China.  It’s a democracy governed by human rights legislation and a right to privacy, which of course fly squarely into the path of the bill.