Bricking up windows on privacy

Anyone with an interest in old buildings in the UK will have noticed how many of them have windows which have been filled in. In a nation in which, for half the year at least, daylight is at a premium this seems odd behaviour.

It results of course from the Window Tax, which for over 150 years from 1696 imposed a tax on property according to the number of windows that it had. It was not the first time that legislation changed people’s behaviour in order to mitigate its effects on them, nor will it be the last.

Despite this almost literal writing on the wall, legislators still fail to consider how people will respond to their legislation. Of course some laws cover matters which are more immutable: if you have six children and a government ends child benefits, you can’t give those children away.

When it comes to behaviours and tools which are in a constant state of flux, like those of the Internet and modern electronic communications, then trying to accommodate those changes in legislation might be harder than trying to nail jelly to a wall. Thus the UK’s draft Investigatory Powers Bill, published just a day before the 410th anniversary of Guy Fawkes’ arrest for high treason, for trying to blow up the House of Lords, looks already to be a lost cause.

As I wrote in my initial analysis, the draft Bill aims to codify and legitimise three main types of surveillance: mass surveillance, the collection of ‘Internet Connection Records’ by ISPs, and targeted electronic wiretapping.

The extensive documentation provided to try to justify what others have called this ‘breathtaking loss of privacy’ labours under a sustained misapprehension: that the people of the UK, whether criminals or terrorists as targeted by the draft Bill, or ordinary, honest law-abiding folk, will not change their behaviour.

Oddly this danger was pointed out to the Prime Minister in the Independent Reviewer of Terrorist Legislation’s Report of the Investigatory Powers Review back in June.

Put in a nutshell, there are already technical measures which are being used by organised criminals, terrorists, and the other ‘bad guys’, which nullify attempts at their mass surveillance, render ISP data gathering useless, and make even targeted electronic wiretapping extremely difficult (when still possible).

These measures include the use of VPN, with or without proxy servers, Tor and similar anonymisation, and secure messaging, as I have recently reviewed. As each has legitimate and sometimes mandatory uses, and none could be banned, you would have thought that they would merit consideration in the draft Bill’s supporting information. Yet there is no mention of VPN, which is already extensively used in business, for instance.

Ironically, the Home Office’s own CyberStreetWise website, which provides advice to individuals and businesses to improve their Internet security, recommends measures detailed by the Get Safe Online website, which include the use of encrypted VPN connections.

The draft Bill appears to expect anyone involved in telecommunications services – not just the ISPs – within its jurisdiction to possess the ability to decrypt encrypted material. As the Report of the Investigatory Powers Review noted:
“The experts to whom we spoke told us that if one government can gain access through a door, so can other governments and private actors. Sooner or later the existence and knowledge of how to exploit such flaws will be discovered via research, serendipity, bribery or coercion.”

Furthermore, the evidence in that report is that the horse has already bolted: increasing numbers of targets of the law enforcement agencies “are employing techniques such as Tor, PGP and VPN to ensure their anonymity”. It is “becoming more difficult to attribute a device to a person, to discover the true user of an identifier, to identify the location of a device at the time of use or when trying to locate a victim, to identify which service has recorded some of the data, to separate CD [communications data] and intercept material and to analyse without bulk machine-based techniques.”

Quoting a senior counter-terrorism officer, “We have had 15 years of digital coverage being the main thing – a golden period. But the way people run their lives is not so accessible to us now.” Most telling is the report’s summary that law enforcement “has access to a decreasing proportion of an increasing quantity of digital information.”

So even before the legislation proposed to impose a tax on windows has been published, windows are fast disappearing. Will there be any left by the time that the draft Bill might become law, as the IPA?

A year (or more) is a very long time in terms of the Internet. It is ample to allow offshore operators to set up low-cost services with better-encrypted VPN to access faster proxies. It is ample for the spread of end-to-end encrypted messaging services operated from jurisdictions with a very different approach to privacy than that being assumed in the UK.

By the time of the Investigatory Powers Act 2016, chances are that much of the information which it seeks to acquire will be inaccessible. As the goal of the supporting documentation is to express its value, as a benefit, against the cost, in terms of loss of privacy, that cost-benefit analysis is clearly misleading (as well as being emotively unrepresentative).

Which begs the question as to why UK politicians – both in the government and its opposition – are showing support for the draft Bill. Should they not be challenging its assumptions and brazen assault on privacy and freedom? Or are they too busy bricking up their own windows in preparation?