The draft Investigatory Powers Bill has a zero-day vulnerability

Good law sticks and can be enforced effectively; bad law stinks and is worked around, rendering it ineffective.

With the prospect of the extensive surveillance and invasion of privacy in the UK, should the draft Investigatory Powers Bill become law, it is worth thinking for a moment how effective its measures might be.

Let us suppose, for a moment, that organisations – including corporations – outside the UK were to set up servers beyond UK shores to which UK Internet users could connect using secure encryption. These servers would then act as proxies for access to all other Internet services.

This would be a little like a simplified version of Tor: the only data recorded by UK ISPs would be repeated connections to the remote IP address using a given protocol and port. Because the traffic is securely encrypted, even ‘targeted equipment interference’ under the draft Bill would struggle to yield anything useful to those trying to obtain details or content.

Because such a service would be operated entirely outside the jurisdiction of UK law – and the loathsome IPA – and presumably in a jurisdiction which ensured full protection of privacy, UK law enforcement agencies would not have access to those overseas systems.

I am sure that there will be several similar services available by the time that any draft Bill becomes law. Although the likes of you and me might not see the need to spend a few quid a month on them, you can bet that anyone who is up to no good will do so. Given that many of those the draft Bill claims to target – organised crime including drugs, terrorists, paedophiles – already operate on an international scale, it should be pretty easy for them to utilise.

Without strong international support, it looks like the draft Bill is already ineffective.