Who put the Rip-off into RIPA? Surveillance plans mired in hypocrisy, but so is the opposition

What is the difference between Google, Facebook  and Fixed and Mobile Operators monitoring traffic to “improve” their services to paying customers and government plans to pay operators to store communications data in case they might want it for intelligence or law enforcement?

The simplest answer is “Google, Facebook et al do it to make money for themselves. Government does it to make money for suppliers of storage technology.”  

If Government has £1.8 bn to help improve the ability of law enforcement to protect us against terrorists, pederasts, hactivists and on-line fraudsters, is the most efficient use of that money to pay UK communications operators to retain communications data for longer?

The inability of the police to handle the wealth of informationoffered to them by the mobile operators last summer has led to a crisis of public confidence that is helping deepen recession . Allders was not itself attacked but the subsequent collapse of trade ripped the heart out of South London’s oldest store chains and Croydon’s premier shopping mall.

Government may talk of the need to identify and monitorpotential terrorists but the public gives priority to preventinglooters and muggers taking over our streets and shopping malls. Short of an IRA style bombing campaign, the latter has more impact on the economy, including the Chancellor’s tax take.  The Court of Appeal has appreciated thisHas the Home Office? The sums allocatedto data retention for possible future use could transform the ability of law enforcement to analyse the operational intelligence feeds already on offer in time to take action on crimes (including cyber attacks on critical systems and physical assaults on high streets or shopping malls) while they are being organised or are under way.

Similarly, if Government were to be serious about protectingchildren for on-line predators, e.g. those hanging around on their social andgames media such as Facebook or Habbo , should it not give priority to better enabling law enforcement to use the services used by business to identify, track and trace those attacking them and their customers? My understanding is that many of the services now being used to identify those organising botnets, corporate or personal impersonation and on-line fraud could equally well be used against those seeking to corrupt and abuse the young.   

Here we approach some of the hypocrisiesat the heart of the current debate.

The services used by industry also have the potential to identify and perhaps even cripplethe cyberwarfare capabilities of nation states: “ours” as well as “theirs”. 

It is not just the libertarian supporters of Big Brother Watch whowant to preserve the anonymity that lies at the heart of the current Internet.  The current proposals are about preservinganonymity for the cyberwarriors of government while denying it to the rest ofus.

Who really wants to honestly debate the benefits, including reducedcosts and improved confidence, that could be derived from wholehearted co-operation between public and private sectors in removing predators while protecting the vulnerable?  

I first spoke over a decade ago at a Freedom Forum event , before the bulk of on-line transactions had migrated to the Internet, on the need to separate trusted (walled gardens) and untrusted (including anonymous and pseudonymous) traffic. With the transition to IPV6 the need to find ways of preserving genuine anonymity for those who want or need it has acquired a new urgency.

We need to think constructively about how to reconcile the means of protecting some of the most vulnerable in society (as well as those seeking regime change via peaceful means) with the need to update the interception and monitoring capabilities of law enforcement to better protect us against malpractice. That includes looking at the issues in the context of policy over electronic identities (where the UK appears to have given up and contracted debate to OIX)  We also need to look at the means of better organising (and funding) co-operation between Industry and GCHQ/MoD on “civil defence” as the Cold Cyberwar begins to burst into Flames

The good news, at least for me, is that I am now collecting retainers, albeit quite small, to help some of those who are serious about finding answers that will help make the UK “the most trusted place in the world to do on-line business”. I have also agreed to help an exercise on the meaning of “Trust” in the on-line world. I will blog again when we have worked out how to structure the exercise and who to involve.

Join the conversation

1 comment

Send me notifications when other members comment.

Please create a username to comment.

There is also the matter that the current requirements appear to be mired in technical unworkability - at least, without a radical restructuring of how the Internet works, and I can't see that happening. When examined from a technical viewpoint, some of the requirements even appear self-contradictory.

While the US Government has the luxury of having most of the large poducers of the equipment which holds together the Internet and the international telecoms systems headquartered in the US, such that it's possible for them to impose interception requirements such as CALEA, we Brits don't have such luxury. Even so, CALEA's technical requirements haven't kept pace with the increase in use of strong cryptography and endpoint obfuscation by use of proxies (dynamically-nested, or simply located outside relevant jurisdiction), and can't really address it. I can only speculate how the likes of the FBI get on, but determining whether parties A and B are communicating by trying to match "piece of statistical whitenoise intercepted near A" with "piece of statistical whitenoise intercepted near B" can't be much fun.

Also, the idea of going to "the bodies which govern the Internet" has its own problems; the IETF produces standards but can't enforce compliance, US law enforcement is already concerned about IANA's changing role in an IPv6 world - and in practice, there are so many different parts of the Internet with different sets of legislation covering them, that the whole is ungoverned. While the "Wild West" metaphor is rather over-used, paraphrasing Kissinger is also close to the truth: "If I want to talk to the Internet, who do I call?"

Your mention of "Trust" reminds me of Trusted Computing - something which I still think has a fundamental part to play in helping address some of the issues you raise, as well as others, and provided it doesn't get subverted for anti-competitive ends. Every layer of computing abstraction introduces new opportunities for security to be compromised, and Trusted Computing (in combination with some other things) looks like the best shot at having things operate as they should. Some people who have shown from previous ventures that they really know what they are doing, are now saying "don't buy another server without a TPM in it".

One things for sure, it'll be an interesting exercise...