Everyone is recording what we do over the Internet: why should the NSA and GCHQ be different?

On February 18th I am due to propose the motion “Nobody is telling the  truth about cyber security – not even when they think they know what the truth is” at a Real Time Club dinner debate.

I do not plan to accuse anyone of lying, merely of a mix of ignorance, myopia, tunnel vision and “economy with the truth”.  I expect to begin by describing the symbiotic relationship between communications surveillance and computing that the Bletchley Park trustees appear concerned to erase from their sanitised version of history. That relationship still lies at the heart of the modern on-line world, as with big data technologies and tools, whose roots lie with the need to digest sigint from the enormous volumes of data passing over the cables serving the main Internet peering points .

Just as “everyone” uses computers today, so “everyone” is recording what you do on line: including to help:
– telcos and mobile operators to charge for and fine tune their services,
– advertisers to better target those they wish to sell to
– lawyers to police their clients’ intellectual property
– market and consumer protection regulators, in case they they ever decide to do their jobs
– organised crime with victim selection
– transaction services to distinguish between known customers and impersonators.

All Edward Snowden has told us is that our national security services are also trying, under semi-democratic control, to use subsets of the same technologies to identify the current and potential enemies of our Governments.  

The over-reactions to that “revelation”, like the similar over-reactions to attempts to protect children from on-line bullying and abuse, tell us that the Internet has lost its innocence.

Whatever we do on-line is not only recorded (to enable the packet-switched, store-and-forward, Internet to work at all), but stored (often well beyond the time needed for resilience), analysed (not just to improve performance) and the results are made available (legitimately or otherwise), to a growing variety of “researchers”, lawyers, spooks and organised crime groups.

“They” not only know you are a dog, but which breed and what trees you pee against.

I plan to question the relevance of the EU obsession with Data Protection principles drafted for the age of mainframes, because today our most personal data (including our on-line habits) is being routinely collated, stored and analysed around the world by persons outside the reach of any UK or EU regulator.

I will question the relevance of the obsession of the Cabinet Office and European Commission with Digital Identities and Trust Services, because those running banking and payment services can no longer afford the risk that their certificate providers have been “quietly compromised” (and not just by the NSA). Instead they increasingly use real time transaction profiling to back up their in-house routines.

Meanwhile those who are serious about protecting their organisations and their customers are joining a variety of “intelligence led security” partnerships to not only identify those attacking them but support “asset recovery” exercises to get redress and deter future attacks.

In short: almost everyone is running surveillance operations, whether to identify terrorists, victims or potential customers or those in need of health and welfare services or to attack, exploit, serve or protect existing customers and their families.

But the on-line world has also gone both mobile and ubiquitous. The first fridge has been caught taking part in a botnet attack. To quote the Choco Leibnitz adverts before “Person of Interest” – Who is watching yours?

– The food police for breaching the latest NHS obesity “guidelines”?

– Google or Amazon looking to target advertising?

– Organised crime looking for an exploitable change in your life style?

I look forward to a debate as hard-hitting and informative as when the Real Time Club debated whether Google was a greater threat to personal freedom and civil liberties than GCHQ. That debate was introduced by a former Director of CESG and a senior Google executive.  I do not think that my opponent (one of his current roles is a reporter with the Register) and myself can match their expertise: but, between us, we have half a century of experience with throwing rocks into stinky pools.

P.S. You can book on-line via the Club’s website (the untruth in the booking form concerns my directorships, I have only two and neither affect my impartiality, i.e. ability to throw stones in any direction without breaking my own windows.

Those looking to actively help in clearing up the current mess of misinformation and apparently contradictory mindsets, objectives, values leading to schizophrenic public policy should also put the following in their diaries:

Internet Safety Day

the next meeting of the UK Internet Governance Forum

the Internet Engineering Task Force (IETF)  meeting on 2-7 March in London 


the ICANN meeting in London from 22 to 26 June .

ISOC England will be taking the opportunity to be involved in both the IETF and ICANN events including co-chairing the “ISOC in ICANN” meeting on the eve of the ICANN meeting and the Chair of ISOC England has just sent out an e-mail asking the three thousand or so individuals on their mailing list to get involved, including channelling inputs on the issues under discussion.

I was persuaded to join ISOC back in 1995, by the then head of IBM’s Internet Strategy. IBM was about to use the Internet Protocols to run the systems for the Atlanta Olympics. He told me that sooner or later the Internet Society would have to develop into the governance structure that would be needed as the Internet matured – because Governments could not trusted, even if they could agree.

I am still waiting – but the juxtaposition of meetings in London does give the opportunity to “make a difference”.

If you are serious about making the Internet a safer place, rather than run the risk that politicians will do it for you (or rather them), then you should join ISOC, Nominet and/or ICANN and make your voice heard in the inside.

Alternatively join the political party of your choice and get them to take action – as chairman of the Conservative Technology Forum I have already asked my opponent on the 18th February to lead a group looking at the issues. I also know that the Council of the Digital Policy Alliance is looking at an exercise in co-operation with the European Internet Foundation to help politicians make sense of the current rash of Internet governance initiatives (another one was launched at Davos).