Investigatory Powers Bill; build a haystack and the needles will come.

The draft Investigatory Powers Bill unveiled by the UK government earlier this month is, in the words of the UN, “worse than scary”.

Investigatory Powers Bill; build a haystack and the needles will come.

The draft Investigatory Powers Bill unveiled by the UK government earlier this month is, in the words of the UN, “worse than scary”.

We have already covered in a previous blog post how the government deny that they are trying to ban encryption whilst in actual fact doing exactly that with the current wording of the draft bill which necessitates the weakening, if not complete decryption, of currently highly secure communication systems such as Apple’s iMessage service or the WhatsApp messaging service.

In this blog post we want to look at one of the other, perhaps even scarier, and more invasive parts of the bill; the requirement to log every website and service which every person in the UK connects to. This is done not in response to a warrant, but rather proactively to every connection of every citizen and that data retained for a full 12 months.

The “Plan”

The government have decided that if they were to log every single connection that a user makes to any service on the internet, then this could be used to catch terrorists, criminals, sex offenders, council tax evaders, and various other ne’er-do-wells.

The bill proposes that service providers, i.e. ISPs, will log each and every connection that a user of their internet service makes. So when your web browser connects to google.com it will be logged, when you then click to a result your connection to that website will be logged. Likewise when your phone connects to Snapchat via an app, that will be logged. Every connection that is made will be logged, and that data will be retained for 12 months.

The government are extremely quick to point out that the bill does not log the content of the connections, so if you browse to specific pages this will not be logged, only the fact you connected to a website or online service in general.

What this means is that the government will know when you browse to the Alcoholics Anonymous website, or a website about sexual health or abortion, but not what specific pages you view on these websites.

Building haystacks to find needles.

At the moment British security services and police are intelligence led. The information that they are seeking to proactively log (and more) is already available to them when they are granted the appropriate warrant for surveillance to be carried out on that individual, to get this warrant however they must be able to demonstrate that their is sufficient cause for them to surveil that person. This is similar to the stop and search powers available to the police; they must have reasonable suspicion that the person is carrying something they should not be. They cannot currently simply surveil anyone they please just in case they might be doing something illegal, likewise the police cannot simply raid a house just to have a look and see if there is anything illegal inside; they must have sufficient evidence to obtain a warrant to raid a property and search it.

If we take the analogy of finding needles in haystacks where terrorists are needles. At the moment law enforcement when looking for a needle use other intelligence sources to figure out where the needle most likely is, and then obtain a warrant to search that particular part of the haystack. The draft Investigatory Powers Bill proposes to build a haystack so big, that by laws of probability there simply must be a few needles in it somewhere.

Giant haystacks are expensive to build.

The infrastructure required to log every single connection that every internet user in the UK makes and then store that data for 12 months is substantial to say the least, which inherently means that an astronomical amount of money will be required in order to implement the mass logging proposed in the draft bill. Several terabits of data flow across the UK internet every second, so leaving aside the technical challenge of how to accurately capture this connection data in the first place without compromising network performance and availability, the sheer volume of disk space required to store the logs will be enormous and thus extremely expensive.

Luckily for the service providers, they likely won’t have to foot the bill for all of this. The draft bill says that the government will reimburse service providers for the costs associated with implementing the logging requirements of the Investigatory Powers Bill should they be subject to a retention order, however in its current form it does not state that they will be reimbursed in full. The home office has indicated that this is their intention, however it is not explicitly written into the bill and so this is one of many things which service providers are seeking clarification on.

But if the government is reimbursing service providers for the cost of implementing the infrastructure required to comply with a retention order under the bill, then this ultimately means that British tax payers are paying the bill, and we already know that it won’t be a small one - it will likely run into hundreds of millions of pounds! For the government to say that the costs will be met by the government and so won’t result in increased broadband prices is disingenuous, because whilst there it won’t cost internet subscribers more on their monthly bill, it will cost them in tax instead. It will either require higher taxes, or savings must be made elsewhere in government (perhaps with benefit and tax credit cuts) to fund this new Investigatory Powers Bill.

Some needles don’t want to be caught.

At risk of taking the analogy too far, some needles don’t want to be found. Some needles hide in the haystack undetectable, perhaps bone needles.

It is trivial to hide the details of your internet connections from your ISP using a Virtual Private Network (VPN) connection and thus avoid being logged. School children across the country do it to bypass their schools blocks on games every day, house wives do it to watch Friends on US Netflix, and terrorists can do it to avoid their every connection being logged. Using a VPN all the government would know is that a connection had been made to a VPN service (most likely located outside of the UK and so not subject to the Investigatory Powers Bill), and nothing else after that.

Innocent people have nothing to hide.

The old adage of innocent people having nothing to hide makes perfect sense here, after all the average Joe is not Googling how to make bombs, or sharing selfies with ISIS, so logging their every connection shouldn’t bother them, especially if it means that the guilty do get caught.

This is where the problem lies; the guilty are clever enough (and it really doesn’t require you to be particularly clever) to avoid being logged, so actually the innocent are the only people being logged and the guilty are getting away scott-free. Or rather, to be precise, the people the bill is trying to catch such as terrorists and organised crime are getting away and the only people who are likely to be caught are the low-level criminals.

Whilst we at Freethought certainly do not endorse any form of crime, even low-level crime, using sweeping mass surveillance legislation to spy on the internet connections of an entire nation in order to catch some petty criminals is rather over the top! Even criminals have basic human rights, and every citizen in the country is entitled to a private life free of invasive observation by the state. If law enforcement suspect that someone is a criminal, then they can already get a warrant and search them or surveil their communications.

If you look hard enough you will find crime.

It stands to reason that if you look hard enough then more crime will be found. Let’s assume a hypothetical scenario where the police decide to search every single home in an inner city housing estate looking for evidence of crime, if you search every house without warrant then you will obviously find more crime, probably lots of minor misuse of drugs offences. This is not to say that minor crimes shouldn’t be punished, but searching every single home without warrant to find a handful of low-level crimes that likely would otherwise have gone undetected is a gross violation of the large majority of innocent home owners human rights.

Under the draft Investigatory Powers Bill it will be possible for local police, councils and neighbourhood teams to access this data. What’s more, the bill describes in essence what is a search engine for the data being logged.

Hypothetically, if a police officer, or even a community support officer, has a quiet day, then they could just pop into the system and search for people nearby who’ve been visiting drug related websites or perhaps online stores selling legal highs. They can quickly find some people who may potentially be in possession of illegal drugs and go and search their homes.

Or maybe even more controversially, police in Northern Ireland could look for individuals obtaining information about abortion, which is still illegal in many cases in North Ireland. After all, the connections of a desperate young mother who is searching for information will be logged and that data will be available for all and sundry in government, local council, and police to see.

Of course, we understand that it is good to catch criminals, but is it a proportionate to violate so many peoples private lives to do so?

The draft bill doesn’t do what it says on the tin

Ultimately, the draft Investigatory Powers Bill in its current state represents a potential mass violation of the private lives of millions of people in the name of catching terrorists. But the bill simply will not catch any terrorists, it will however be great at letting police and councils find low-level criminals, perhaps catch some TV license fee avoiders, maybe even find some parents tricking the school catchment areas to get their child into a better school. It will not however catch terrorists, or organised crime, or sex offenders, or any of the other serious people which is purported to catch. And all whilst costing hundreds of millions of pounds of tax payer’s money.

Freethought believes in your right to privacy

We truly believe in your right to a private life exactly as the Human Rights Act describes, you should be able to go about your life safe in the knowledge that your daily comings and goings are not being logged for anyone with the right access (or even the wrong access if hackers manage to their hands on this extremely sensitive data!) to view as they please. The need to observe citizens should be proportionate to what that observation achieves, and in the case of the draft Investigatory Powers Bill, it does not in any way achieve what it set out to.
Freethought is working hard to bring this to the attention of others, we’re talking to MPs, expressing our concerns at industry events, and our industry as a whole is lobbying the government to rethink this legislation.

You can do your bit as well, we would urge you to write to your MP and tell them what you think about these proposals, you can find your MP and message them online at www.theyworkforyou.com