The #IPBill aka #Snooperscharter second letter

26 November 2015

Here is my second letter to My MP. This is the important one as they rarely see your first letter.

Dear Alok Sharma,

I thank you for your reply to my letter (ref: CRM12097), while your response tries to clarify some aspects of this bill you fail to address any of this issues that I raised.

I would like to explain just a few of the issues I, an others in the Cyber Security community, have with the Investigatory Powers Bill. Firstly the bulk collection of data.

Bulk collection of data records “meta data” is not equivalent to a phone bill. This implies that it only relates to a small part of a citizens life and interactions. In the case of the Internet we are living our lives where all our actions and thoughts travel on the Internet in some form. And this is rapidly expanding, from smart phones reporting location, activity, and biomedical information to our homes becoming automated and reporting machines that we live in. The “meta-data” of these interactions is vast and detailed view of our lives.

If you want a simple parallel it is equivalent to the information collected by the East German Stasi, collected and stored, and could be searched and analysed.

It is amoral in a free society to collect and store this level of information on citizens, whatever the justification.

Secondly the the storage and analysis of this data does not help the police, or GCHQ in performing their roles. If this is to protect us against terrorism it will not work. All of the recent terrorist attacks have been performed by persons known to the police. No cases of terrorism have been identified from bulk analysis of data. If this data truly was able to do this then we should demand extraordinary proof that this is the case, and subject this to public scrutiny. Where the NSA has been challenged to do this they have failed to provide a single case where access to bulk data was instrumental.

The simple argument here is that if the terrorists of all previous actions were known to the police but they were unable to spot this from the data they have, how does adding more data to the pile help.

This collection will be expensive and hamper the development of businesses in the UK. The Snowden revaluations mainly reflected on the operation of the NSA, and those revelations had, and are having a major impact on US businesses that sell technology solutions, especially internationally. This bill will have an even worse impact on UK businesses than the current revelations have already had.

The collection of useful data is easily bypassed by citizens. The entertainment industry has been trying to detect and prosecute people for copyright infringing activities for 10 years. This has taught much of the population how to use technologies like VPNs, and TOR. When these are used data collected under these Bulk collection schemes is useless.

The collection of this data is probably illegal under the European Convention on Human Rights. The recent ruling on the data retention directive, should alert you the the fact that the basic human rights are being infringed by the current collection schemes, and so this will probably be illegal under a similar challenge when it eventually comes. It would certainly not be legal under the American constitution.

Next I would like to discuss encryption. In your letter you say that you do not want to break encryption, The point in my letter was specifically about end-to-end encryption. This is where the service provider is unable to decrypt messages. The Bill states that service provider must comply with a warrant, and provide decrypted information. So what does this mean for services where the service provider is unable to do this? This implies that you will ban such services. If you think that this will help catch criminals, and not seriously harm UK businesses you don’t understand the issues.

End-to-end encryption uses the same technologies that secure connections to services providers. These are widely available technologies in open source products. These will be used whatever the law states.

I hope that this will help you understand how deeply flawed this bill is and and convince you not to support this. I have only covered a couple of issues with this bill, there are many more that I have not covered here.

Yours sincerely,

Stuart Ward

Advertisements

Investigatory Powers Bill

21 November 2015

One of the problems in our political system is that most of the members of parliament, and their advisor’s, pundits, and the politically active population have little knowledge or understanding of the technical infrastructure that runs our world. A combination of the lack of interest in politics by technical people, and the lack of education in scientific disciplines of our politicians.

We on the technical side, dare I call us geeks, now need to get involved in the political discussion. The second round of the crypto wars s upon us with the combination of people saying they don’t care about interception, and the week voice of those of us who do understand and care in speaking up, if we don’t speak up we will loose.

Can I urge all of you out there to write to your MP! It is not hard, but if we all do it, we can start to reclaim the internet for the good of the future.

Here is what I have sent, awaiting a reply.

Re: Investigatory Powers Bill
Dear Alock Sharma

I am very concerned about this new bill and the massive encroachment into the public right to privacy it enshrines. This has rightly earned the nickname “The Snoopers Charter”

If you want access to my data Get A Warrant!

The bill seems to retrospectively enshrine into law the massive, and probably illegal, interception of the internet by GCHQ. Prevent any disclosure of the extent of that interception and prevent anyone leaking information about that from using a public interest defence.

The only reason we know anything about these activities is because of whistle-blowers, who have endured political witch-hunts as a result of revealing these illegal activities.

The “Going Dark” argument, that the Police are unable to investigate crimes because of the improvements in security of the internet is a very spurious one. It implies that there has been total surveillance of the population in the past (and present) and this needs to continue.

If the police need access to end-to-end encrypted communication that can get a warrant and cease the device, view the decrypted messages.

The idea that a law can ban end-to-end encryption is as ridiculous as the claim from David Cameron to ban encryption, or mandate back-doors in all systems. The security profession has told you many times that inserting back doors safely into encryption software is imposable. (see Keys under dormats)

If you want access to my data Get A Warrant!

Banning end-to-end encryption will not stop the bad guys using it. How to do this, and the programs to do it are all publicly available and open source. All you will do is hamper UK law abiding citizens in using these, and kill the security software industry in this country.

There are also the sections allowing the Police, and GCHQ to break the Computer Misuse act, by hacking into any computer or device they wish. There is no justification for allowing this extreme power. The government should be working to improve our security not undermining it.

What we want from an investigatory powers bill is something like:

1. Full disclosure of all interception programs, and the number of cases involved
2. Disclosure after a reasonable amount of time that my data has been intercepted.
3. Independent oversight of All cases by someone like the RIPA Interception Commissioner
4. All cases to be authorised by an individual warrant authorised by a judicial person.

What we want is the law as it applies to everything else, should apply to the internet. Searching my data should be the same as searching my house, or searching my person. It is the same amount of intrusion, it should have the same controls.

I trust that you will NOT vote for this bill and will argue against it in the House.

Yours Sincerely

Stuart Ward


More evidence that bulk snooping dosent work

27 April 2015

http://www.nytimes.com/2015/04/25/us/politics/value-of-nsa-warrantless-spying-is-doubted-in-declassified-reports.html

But little came of the Stellarwind tips. In 2004, the F.B.I. looked at a sampling of all the tips to see how many had made a ‚Äúsignificant contribution‚ÄĚ to identifying a terrorist, deporting a terrorism suspect, or developing a confidential informant about terrorists.

Just 1.2 percent of the tips from 2001 to 2004 had made such a contribution. Two years later, the F.B.I. reviewed all the leads from the warrantless wiretapping part of Stellarwind between August 2004 and January 2006. None had proved useful.


Article on IMSI Catchers and Stingrays

24 April 2015

I have been helping a proper journalist, Brady Dale, write a article on the use and abuse of Stingrays and other IMSI catchers. It turned out quite well. It is up on Motherboard.


DRIP letter part 2

27 February 2015
I got a reply to my previous email to my MP Alok Sharma, with a note from James Brokenshaw, basically reiterating the the well publicised position of the government on the DRIP act. I wont type all of this in here, but here is my response to this.

Dear Alok Sharma

Thanks for the response to my letter from James Brokenshire of the home office. This appears to be a form letter reiterating the government position, rather that a response to any of my issues. It was also good to chat briefly to you when you called at my house a couple of weeks ago.

I get the impression you don’t fully grasp the importance of this. The internet at the moment is the preferred tool of communication for many in some circumstances, but it is rapidly becoming the only way of communication for many things. For the UK to prosper it is essential that individuals and businesses can operate here in a secure manner.

I noted that your response was a physical letter, and so not subject to electronic surveillance, or retention. Why should there be such a vast difference in the government and police powers depending on the medium of communication?

I and most people would agree that the Police need to have access to electronic data and the RIPA should be the basis of that access. That a warrant is required, and it has to be specific, relevant, and proportionate.

What we object to is the “Collect it all” attitude of turning the internet into the total surveillance tool. Firstly because it is amoral and repugnant in a free society, and secondly because it does not work in catching criminals.

The DRIP act extends the current powers in crucial areas, for the government to assert otherwise is misinforming the public. (see https://www.openrightsgroup.org/blog/2014/the-drip-myth-list )

What should we do about this? The best laws are those based on clear principals, not on specific technologies. Like the Human Rights act. So when a court such as the CJEU rules that a domestic law breaches human rights the government should take note and adjust the domestic laws. Not just pass another “emergency” law to reinstate the powers that the court have ruled on.

I hope that you will consider this carefully when the DRIP act comes up for renewal, and pledge in your election manifesto not to support this law.

Kind Regards

Stuart Ward

Letter to my MP on the DRIP act

20 January 2015

Here is a copy of the letter I have sent to my MP asking him not to renew the DRIP act.

Dear Alok Sharma,

Please reject the DRIP act renewal.

The DRIP Act was passed as an emergency legislation but it seems that this was primarily to avoid any discussion of the issues rather than any real emergency.

The problem is that extraordinary level of surveillance that we are subject to by Police, GCHQ, and external organisations such as the NSA, is not subject to any reasonable levels of oversight.

RIPA which seems on the face to control the interception with procedures to raise a specific warrant, subject to oversight by the Interception Commissioner, and general rules on the scope and breadth of the request that it is proportionate to the investigation. Mostly that it is an investigation not a fishing exercise.

I would however welcome a change as stated by David Cameron that the Home Secretary would personally sign all interception warrens rather than it being delegated down to Police Sergeants.

However, the Interception Commissioner only ever sees a faction of the intercepts that actually happen. If any part of the communication travels outside of the UK, it can be intercepted without a warrant.

Terrorism and child molesters are always trotted out as the justification for giving up our rights in order to protect us. But then these powers are used to detain the partner of a journalist, to intimidate them against embarrassing revelations.

Having lived through the Irish troubles we know that all these methods of preventing terrorism do not work. Internment did not work, restrictions on broadcasting did not work. What does work is treating these acts as simple crimes and allowing the court process to move forward in a fair and transparent manner. And political negotiation between countries and organisations with grievances that fuel acts of terrorism.

The UK and US governments are doing much to promote terrorism where they are killing people with drone strikes without any due process of the law. How would we feel if other countries were sending drones in to kill people here based on political orders of a foreign government?

We will win only if we show that everyone has the same human rights and our democratic governments respect these.

David Cameron recently stated that he wanted to be able to intercept every communication in the UK. This is an extraordinary stupid pronouncement. Firstly that the just because a conversation is mediated by an electronic network mean that it is right that interception should be possible. And that it shows a total lack of understanding of the good that encryption technologies play in keeping us safe. To ban encryption, which is the logical extension of his claim, would be to put the UK back into the stone age, and would not offer any protection in return.

The gunmen in Paris that this is predicated on were known to the authorities, and had been under surveillance. It was not a case that existing levels of interception were insufficient to know what these men were planning. The wife of one of the gunmen was not aware of what he was planning, to know this in advance the police would have had to know this man even more intimately than she did.

Irrespective of the fact that the levels of surveillance that the government is proposing will not make us safer. I do not want to live in a Panopticon society. Privacy is a basic human right and must be respected.

Yours sincerely,

Stuart Ward