Living with the UK’s Investigatory Powers Act

This week, the most invasive and repressive surveillance measures of any nation passed into UK law, in the form of the Investigatory Powers Act 2016 (IPA). Although there has been a lot of discussion about its probable implications for those using the internet from the UK, advice about how to live with it is scant, and often ill-informed.

Furthermore, now that one formerly democratic and quite liberal legislature has implemented these draconian measures, other governments may well follow suit. If you think that none of this applies to you yet, be grateful, but don’t be complacent: it might be your turn next year.

The new law

You can read the full text of the IPA at its official site. Broadly speaking, it provides for four main types of surveillance measures:

  • Internet connection records to be kept by Internet Service Providers (ISPs),
  • Bulk data collection on large groups of individuals,
  • Specific interception of individuals being investigated,
  • General technical capability measures which can alter your assumed privacy.

It is important that you recognise that these apply to all internet (and certain other) communications made in the UK. It does not matter whether you are a US or any other citizen: as long as you are in the UK, you will be subject to this law. Equally, it means that UK citizens who are living or visiting outside the UK should not be subject to its surveillance there (although there are provisions for this, and for co-operation with foreign surveillance procedures).

It’s also essential to know that the IPA doesn’t only apply to firms operating from the UK: even service providers which are wholly based overseas come within its scope, although it remains to be seen how effectively it can be enforced on those overseas companies.

So in practice, your ISP will – once they are capable of doing so – be recording all your internet connections, but not the content of data which is transferred. You may come within a mass surveillance programme, although you will not know whether or when you do. You may also be the subject of a specific (targeted) interception programme, but again will not know if you are. If this reminds you of the notorious Stasi in the old East Germany, you’re correct: it is the same thing, only over the internet.

The implications of the fourth type of surveillance have also not been properly explored by many. Essentially, it allows the UK Home Secretary to require service providers of all types, including those offering VPN services, end-to-end encrypted communications, and anything else, to provide backdoors to facilitate UK surveillance operations. These should result from authorised attempts to intercept communications of specific individuals, but could readily be used to gain more general access.

The major problem with these technical capability measures, like everything else conducted under the IPA, is that this is all done in complete secrecy. Let’s say that in a specific anti-terrorist investigation, the Home Secretary is convinced that getting Apple to build a backdoor into iMessage communications would be very helpful to that investigation. They can then, with only limited (and completely secret) checks, make a demand on Apple to change iMessage/Messages to comply. Although Apple could claim that it was not feasible or extremely costly to do so, all this is supposed to take place in absolute secrecy.

So the upshot of the technical measures is that we will never know whether any particular service has been opened up to allow backdoors of this kind, unless it is provided as open source. No VPN service provider can ever have your complete confidence again. The IPA breeds the same generalised distrust that resulted from the activities of the Stasi in East Germany.

This brings us to three potential strategies:

  • Use maximum privacy measures such as Tor, VPN, and communications encrypted using offshore services as much as possible;
  • Carry on as normal, knowing that you are doing nothing illegal;
  • Keep your head down and avoid doing anything which might attract attention.

Reality

We do not know how the IPA will work in practice. Whilst you’re in the UK, it is going to be almost impossible to avoid having all your internet connections logged by your ISP. Sooner or later, there will be a data breach in which lots of connection records will be stolen. There is nothing that you can do to prevent that, although certain ISPs already have poor track records of data protection, and could be worth avoiding. It is likely that the systems to accomplish that data collection will be fairly standardised (we are going to be paying for them, too), and the risks should therefore be largely evened out.

I also think that the value of connection records is being overplayed. Any substantial theft will involve so much data and so much meaningless noise that it would take some quite purposeful mining to make much use of it. It should not (must not) contain immediately marketable personal information such as credit card and banking information, although it may still prove valuable to overseas governments such as the Russians, who might be better equipped to make good use of the data. It would be deeply ironic if the IPA were to be exploited to the advantage of a foreign power.

Assuming that you are not a criminal and do not conduct any kind of illegal business over the internet, in theory you should have no concerns over surveillance. After all, you have nothing to hide. But reality is different: already, before the IPA, errors have been made, for instance when associating IP addresses with individuals, and some completely innocent people have been subjected to unacceptable treatment, even arrest, as a result. Existing powers have also been abused to investigate and prosecute quite inappropriate and minor misdemeanours, sometimes perhaps maliciously.

For most of us, this means avoiding being picked up in a mass surveillance campaign and then becoming the subject of more specific investigation. As anyone who lived in the former East Germany, or similar regimes, will tell you, the best way to do this is to be a Grey Person, dull and of no interest to surveillance.

Protecting your privacy could compromise it

If you routinely use VPN and access sites through Tor to protect your anonymity and privacy, even your ISP’s basic connection records will make that abundantly clear. There are two traits in connection records which can draw attention to an individual: connecting to sites on a watchlist, including known terrorist, criminal, and related services and information, and connecting to addresses which are intended to obfuscate such connections.

So trying to protect your privacy by using VPN and Tor might actually bring you to the attention of anyone conducting mass surveillance, and put your privacy at risk. VPN is still essential when using public, or eavesdroppable, WiFi services, but that is quite a different need, and unlikely to alter your risk under the IPA.

What if you need to access sites which might be on a watchlist? That is far more difficult, and the simple answer might be to do this as sparingly as possible using obfuscation techniques such as VPN or Tor. But if you’re researching ISIS, say, you would be better getting specific advice from someone who is already addressing this problem.

If you inadvertently access a site which is likely to be on a watchlist, get off it as quickly as possible. Don’t stay gawking, as every connection you make to that site and its relatives will increase the risk of your being identified as acting suspiciously. Remember that a lot of people have tried using such stories (including research) when trying to defend themselves against charges of possessing paedophile pornography, and very few prove successful. Clearing your browser history won’t undo your connection record, although it might help prevent you from returning to those pages.

No one outside GCHQ knows how thorough or effective mass surveillance techniques will be. We must all hope that, with the IPA in effect, the data will be overwhelming, and very occasional access to sites on a watchlist will be lost in the general noise and bulk collected.

You must also bear in mind that, as time goes on, some of the tools which we might trust to maintain our privacy today become vulnerable as a result of technical capability measures implemented in secrecy. Tor itself has suffered from vulnerabilities which could have compromised some of its users, and will continue to be the target of hacks and attacks by security (and other) agencies from many different governments. Little is now safe, and international co-operation, such as that between the US and UK, poses its own threats to users in both countries.

So long as surveillance is carried out primarily on basic connection records, and not on the content of data transferred, you should be able to send sensitive information by conventional encryption, for example as an encrypted email message or an attachment. As surveillance becomes deeper, and starts looking at the data being exchanged, encrypted content will stand out, and could destroy your Grey Person image.

Techniques to hide encrypted data and make it look innocent are not particularly well-developed yet, although they do exist. This is likely to become a growth area, and methods such as steganography could become more popular. If you do need to transfer information which must be kept private, keep an eye on these, as they may prove useful.

Isn’t this just alarmist nonsense?

Maybe the IPA will not do the things of which it is capable. All recent evidence is that, far from under-using such powers, most agencies push them to their limits, and occasionally exceed them.

If you are one of the many who have been fooled by the claim that the IPA is all about terrorists and serious crime, browse the list of organisations which are now able to obtain access to your private data thanks to the IPA, detailed here. Among the organisations which are not themselves responsible for primary investigation of terrorism or serious crime are:

  • Immigration inspectors concerned with immigration and border security
  • Department for Work and Pensions officers in fraud and errors services, and child maintenance
  • Ambulance controllers
  • Trading standards
  • Fire and rescue services watch controllers
  • Food Standards Agency officers
  • Gambling Commission
  • Gangmasters and Labour Abuse Authority
  • Health and Safety Executive
  • Information Commissioners
  • Office of Communications
  • Local authorities throughout the UK.

So do you really still believe the lies which the government told you? The IPA is a major step in equipping the state with the powers of the Stasi. No less.