Enforcing the minimum information requirements, (including to ensure that those claiming to be based in Europe really are, e.g. the reform of .uk), will do more to enhance consumer confidence in the on-line world and business confidence in Europe as a location of choice for e-commerce operations, than any of the Data Protection, Identity or other directives and Regulations currently under discussion.
In parallel we also need GCHQ to be more public about its govenance processes, particularly those that protect against political interference. These mark it out from similar operations in other nations (including the USA). Until that happens, GCHQ (and the rest of UK surveillance activities in support of law enforcement), are unfairly tarred by a series of brushes, from the dodgy dossier at the top, through to local authority staff using data access to help police family honour or school admissions policies.
I had hoped to lose the debate at the Real Time Club last night but I won, (23 to 14 with 17 abstentions) after putting the symbiotic relationship between surveillance and ICT into perspective and kicking as many cyber-myths as practical, given my ten minutes and some very perceptive and well-informed questioning and probing as the evening wore on. The meeting was under the Club's variation of the Chatham House Rule so I will not repeat any of what was said during the discussion but I will refine the comments I blogged when I rehearsed the arguments I was planning to make in order to open that discussion ...
My core "truth" was that the symbiotic relationship between surveillance and information and communications technologies goes back hundreds of years before a telephone exchange was turned into a computer to help decrypt intercepted traffic at the Bletchley Park harem: 8,000 women and 2,000 men, more than half of the latter being guards to protect the women, particularly from the US Army and Air force. The US Navy had 200 men on the inside.
The UK Government policy of routing our communications through channels they can readily monitor goes back to 1680, when James Duke of York suppressed the original penny post, because it bypassed the General Post Office. The reasons given included its use to facilitate adulterous affairs at Court, as well as sedition and treason. The Hornblower and Jack Aubrey stories both feature man-in-the-middle attacks on French semaphore traffic. These are based on a real raid, in 1808 when Lord Cochrane captured and ran an isolated signal station on the chain between Marseille and Toulon.
The Internet is the current state of the world largest machine, the global telecommunications network. Its electronic lineage goes back to the need to send signals between railway stations to arrive before the train to which they referred. The first large scale commercial customer was the East India Company, who also saw the need for encryption, although General Napier's telegram after the capture of Sind was not "Peccavi". That was a school girl joke reproduced in Punch and serves to remind us that the involvement of women at the heart of cryptography also goes back a hundred years before they helped win the war at Bletchley.
By 1856, in time for the Indian Mutiny, the East India Company had over 4,000 miles of telegraph wires across India. American Civil War saw the first cyber-battles, with each side not just cutting down poles and attempting to decode each other's telegrams but organising telegraphic deception. The slaughter at Gettysburg would not have been fought had the Unionists secure telegraph system not failed in the middle of the battle of Chancellorsville, turning victory into defeat.
We hear a lot of rubbish on the need for government programmes and legislation to promote electronic signatures. Their use goes back over 150 years. The first test case on whether a cable authentication is a signature went to the Supreme Court of New Hampshire back in 1869.
Last week at the UK Internet Governance Forum it was said to be disgusting that we and the Americans were tapping international submarine cables. We have done so for over a century. The Royal Navy's first action, in 1914, before escorting any troops to France, was to cut the cables out of Germany to force traffic between Germany and the United to transit the UK.
The special relationship between GCHQ and the NSA with regard to spying on the rest of the world goes back over 70 years, to the dark days of 1941, before America entered the war, when we gave the secrets of Bletchley to the US Navy - because we could not even hope to build all the Bombes we needed to decrypt the traffic being intercepted. The UK end of the agreements may still be secret but little that Snowden has told us could not be deduced from what was released by the American in the 1990s, during the euphoria of glasnost.
Whatever we do on-line is recorded (to enable the packet-switched, store-and-forward, Internet to work at all), stored (often well beyond the time needed for resilience), analysed (not just to improve performance) and the results made available (legitimately or otherwise), to a growing variety of "researchers", lawyers, spooks and organised crime groups.
"They" not only know you are a dog, but which breed and what trees you pee against. And everyone is recording what you do on line:
• to help telcos and mobile operators deliver their services and charge for them
• to help advertisers target those they wish to sell to
• to help lawyers trace who is downloading their clients' films or music
• to help those running transaction services distinguish between customers and impersonators.
• to help predators, from organised crime downwards, select suitable victims
• to meets the demands of market and consumer protection regulators, in case they might need it
All Edward Snowden has told us is that national security services also use subsets of the same technologies to try to identify the current and potential enemies of their Governments. The reactions to that "revelation", like the similar reactions to attempts to protect children from on-line bullying and abuse, tell us that those running the Internet do not want us to know the truth: the moment you switch on your PC or browser a myriad of unknown players are watching everything you do.
Big Data is another manifestation of the symbiotic relationship between computing and surveillance. The tools were developed to digest signals intelligence from the enormous volumes of data passing over the cables serving the main Internet peering points. Post Snowden, the Russians, Chinese and every other state security service want similar access and the members of the Global Government Surveillance Reform group (from Google to Yahoo) want us to trust them while they use similar tools to target advertising against us and help anyone with the right US Court order to hound our children for downloading that over which their clients claim copyright.
We have a multi-billion pound Data Protection industry, supposedly enforcing principles drafted for the age of mainframes, while our personal data (including our on-line habits) is routinely collated, stored and analysed by those outside their reach. Meanwhile those who want to better serve and protect us are stuck with trying to make sense of a jungle of semi-incompatible demands to destroy or retain data according to how many angels there are on the head of a regulatory pin.
Next comes the obsession of Cabinet Office and Commission with Digital Identities and Trust Services. Those running banking and payment services cannot afford the risk that third party certificate providers (e.g. Diginotar) have been compromised (not just by the NSA). They use real time transaction profiling (alias surveillance) to back up their in-house routines. They also join "intelligence led security" partnerships to identify those attacking them and to help them mount "asset recovery" exercises to get redress and cause their attackers to target some-one else next time.
Meanwhile our children's phones are packed with apps monitoring their location and behaviour, with only domestic law enforcement unable to have access in order to protect them and ISPs refuse to support and mandate age verification, supposedly because of cost and complexity, but really because it gets in the way of the drive-by, click per view, advertising revenues on which they have come to depend.
In short: almost everyone is running surveillance operations, to identify terrorists, victims or potential customers or those in need of health and welfare services or to attack, exploit, serve or protect current customers and their families.
The on-line world is now ubiquitous as well as mobile. The first fridge has been caught taking part in a bot attack. To quote the Choco Leibnitz adverts before "Person of Interest" - Who is watching yours?
- The food police to report you for breaking the latest NHS obesity "guidelines"?
- Google or Amazon to target advertising to encourage you to break the guidelines?
- Organised crime looking to frame and blackmail you for doing so?
And no-one is telling us the truth. The only way to protect your privacy is to switch off your phone, PC and TV when they are not in use and put a booster bag, alias Faraday cage, over them.
Last night I stopped on that note - which was, of course, a very partial truth. There are many less drastic tools available that can help, but first we have to think about why we want to protect our privacy and from whom. Then we have to work together, including politically, to gain the power to exercise the informed choices that the members of the Global Government Surveillance Reform Group, and their peers, have denied to us: including by failing to help police the requirements of the e-Commerce Directive and the 2003 regulation for "minimum information" before allowing their paying customers, and a myriad of others, to put surveillance software on our systems. But that is only an EU requirement and does not count, compared to the priorities of Californian lawyers, New York investors and Washington lobbyists.
Perhaps our most valuable ally is, however, market forces. The "pay-per-click" advertising bubble looks set to burst under the weight of fraud and we know that consumers who actively exercise choice proceed to spend a lot more.