Your shout! E-snooping won't stop criminals

Among the subjects on readers' minds recently were government attempts to increase Internet and e-mail snooping, the...

Among the subjects on readers' minds recently were government attempts to increase Internet and e-mail snooping, the disruptive (or otherwise) effect of annual holidays, and what makes a digital neurotic.

Here are some of the e-mails we received following Peet Morris's Thought for the Day in defence of government monitoring of e-mails and Net use.

I fail to see how monitoring those of us who don't take steps to protect their privacy would help catch any of the four horsemen of the Internet.

As Peet Morris pointed out, anonymisers and open relays already exist. A good example would be the site that was around a year or so ago, and had HTTPS access for its users - a level of encryption that no passive monitoring (and only very dubious active interception) could breach.

To set up encrypted access to external Unix servers, to relay on to anything (Web, chat or e-mail - whatever) is similarly easy, and the required software can run happily directly from a floppy with no install or record on the user's computer. In fact, the required software can run happily from a bootable DOS floppy, rendering all but hardware keyboard loggers useless.

Monitoring is an "easy fix". It will catch the stupider offenders, giving a short term hike in the results ledger, but after a matter of months, the only established "bad guys" to be apprehended will be caught by the current methods - infiltration, acceptance then betrayal.

It has already been established that, even if encryption were forever banned and full analysis of every message sent by anyone to anyone had taken place, the September 11 attack would still have been a surprise. The attackers openly used Web mail accounts in cybercafes, and spoke only of "meeting up" at the World Trade Center.

When the local trading standards officer is listening in on your every phone call and reading your every mail (as the Government believes he should be able to do) how secure will you feel?

David Howe

Yes, paedophilia is bad but the proposed extensions of the Regulation of Investigatory Powers Act (RIP) were not limited to this. Terrorism is bad, but RIP was not limited to this either.

The fundamental concept, that any random individual should be able to watch what you do, read, browse and pass judgment, is a major concern in any political system.

Governments are composed of people, not all of whom are pure and beyond reproach. Handing this kind of power over invites its abuse for commercial, personal and political gain. And, it seems that there was insufficient control in place to prevent its abuse in this way, or to prevent RIP being invoked on speculative grounds - the Internet equivalent of random searches.

It should be made more difficult for this kind of infringement of one's privacy to occur, not less.

What's more, the knowledge that this kind of supervision might occur will encourage those with something to hide to take more extreme measures to protect themselves from detection.

We could expect an increase in the uptake and strength of encrypted communications and the use of steganography (hiding information) as a consequence. Consequently, we would need more laws to limit the strength of such techniques, or even to make their use illegal.

These moves would obviously be rigorously opposed by the e-commerce sectors. And, in any case, they would probably be as effective as the current gun laws - ie, the law-abiding citizens comply and those with more nefarious objectives circumvent.

Because the Internet is a global means of communication, unless such measures are adopted universally, or we decide to adopt a Fortress Britain approach, there will always be methods by which local controls can be bypassed by those that see the need.

Finally, on the point that we should/should not be able to see what the Government holds on us and how data viewing should be a two-way process - no, I don't see this as a valid argument either.

You should be able to view any personal information held about you, especially by corporate or government bodies. This information can be used to make decisions about what you can or cannot do, what privileges you have, and can have a direct impact on your quality of life.

If this information is incorrect in some way, how are you going to be able correct it if you can't see it, if you don't even know it is being held? The Data Protection Act, feeble though it may be, is at least a step in the right direction - redressing the balance where information about you, which may have been culled from a variety of sources (some of dubious integrity), is used to make decisions about you.

RIP RIP, good riddance to bad legislation.

Jim Madar

I think it is incredibly naive to think of government as a passive force for good.

Didn't MI5 have files on most of the left-wingers in Parliament 20 years ago? Why wouldn't this happen again?

Add to that the power that corporations have over government, and you can see that these investigative powers are open to abuse from several angles.

Fraser Boswell

Let's not spend a large sum of money on something that gives the illusion of working, otherwise the money won't be there to spend when something that meets the task is available.

First, having more information does not necessarily make it easier to catch the criminal, and it can mean there is more for the criminal to hide behind (this was noted in the September 11 investigation).

There's also the issue of interpreting the information gained from ISPs. The quantity of information traversing an ISP network means this is not a simple task. The proposed changes to RIPA would have made more sense if access were limited to specific security related departments and forces such as the police and military.

Second, there are conflicting laws governing the collection and storage of data. RIPA would require the ISP to collect and hold the data, while other laws limit what the ISP can collect and hold, and how long they may hold it for. If this issue is not resolved, a potential prosecution may be thwarted by evidence being collected "illegally". Which law would take precedence?

Third, the data collected would be in the form of proxy, web and mail server logs. Although most ISP proxies are generally transparent, you can bypass mail servers by using your own local SMTP server (available on most operating systems), so that your activity is not logged. If the suspect has set up a serious organisation, they are likely to have included stealth methods such as encryption of e-mail or coded messages.

Fourth, it assumes that the ISP can associate the source of the request to a user. With so many corporate bodies not securing access to their networks, and this availability being made public through warchalking and publication on Web sites, it would be easy for an offender to use a corporate gateway to access the Internet, and although the activity may be captured, the source of the data is unlikely to be identified.

Fifth, the storage systems required for such an activity would be enormous and very expensive. This would be a significant constraint to competition and the take-up of broadband technologies, which is another key government target (and consequently another conflict of interest). Although commercial issues are not a justification for limiting investigatory powers, the activities should not commercially cripple companies.

The Government has made many proposals recently which suggest they are "thinking out loud" before actually making sure they make sense. If they continue to do this they will jeopardise any hope of being able to present sensible policies in the future.

Mark Hogan

Summer is a time to get away from it all, but is your absence merely piling up problems at work? asked Colin Beveridge in a recent Thought for the Day. Indispensability is what you make of it, reckoned readers.

Given the current climate in IT, it is safer to have something go wrong while you're away to demonstrate just how needed you are.

The international company I work with has just brought in or, should I say, sprung on us, a policy that has this intention of training colleagues to do your job... for the sake of cover.

It has left many feeling wary as to whether the need of their presence is now being measured. There now exists a cold air of communication when talking to others about not only what we are doing, but how we are doing it.

Paul Phillips

Colin Beveridge recommends that everyone makes sure that all their tasks are covered so that "you can then fly off to the flesh-pots of Filey, or the back alleys of Bridlington with a clear conscience, secure in the knowledge that you are not indispensable".

Colin might be missing the point that the primary reason to hide information is to make yourself indispensable.

It's no use asking people politely to communicate information only they possess. If they believe that this knowledge is the only thing that stands between them and the sack, they will fight to the bitter end to retain exclusive ownership.

Celia Redmore

If the IT staff works as a real team and info is shared throughout the year, the hand-overs and delegation to others while individuals are on vacation are more likely to show clients and colleagues a seamless continuation of "business as usual".

Without that longstanding practice of good teamwork, the best efforts of those providing coverage may fall short of the unit's standard .

Catherine McLean

Simon Moores proposed that the Brits were digital neurotics compared to our continental cousins, but not everyone agreed.

How can anyone be so general about the Europeans? First, if I go to a city in Europe like Munich, Berlin, Paris or Oslo, I am sure they are just as busy and worried about their e-mails as "the overworked and stressed English tourists, separated from their in-boxes".

I have been in Southern France on holiday and the English tourists did not seem very stressed about their mailboxes. And if you go to the Scottish highlands (sorry, they are not English, but British) I doubt if you'll find they are mad with their e-mail boxes!

And the other point is where in the world has Simon Moores been? Where is it that you still can take a two-hour lunch break? Definitely not in Germany and probably not in most Scandinavian countries. So is he taking a remote Spanish village to represent the whole of Europe?

I reckon he is from London and his own view is from a London-centric perspective. Yes, I agree that in London there are highly paid employees, who might worry on holiday without having their phone on or without connection to the Internet.

But London is not England, fortunately.

Yvonne Klein

I am a Yankee and have lived in England. My take is that we are all neurotic in one way or another, and that the British (and US) need for everything fast and instantaneous is just one manifestation. To each his own style of neurosis.

Catherine McLean

Read more on IT for government and public sector