On Twitter: @JamesFirth and @s_r_o_c (post feed)

Got a tip? tip@sroc.eu

Monday, 2 April 2012

Do not allow the government to back-door our entire communications infrastructure

Communications Capabilities Development: Mass Internet Interception and Surveillance Programme

My earlier description of CCDP explains how the government proposes to introduce warrantless mass surveillance by downgrading much of our internet activity from content to traffic data.

Despite what many readers may instinctively think, my objections to this internet monitoring plan aren't primarily rooted in generalised notions of civil liberties such as privacy.

Costly unsustainable capability-based policing must not come at the expense of consensual community-based online policing.

I think the proposal is disproportionate with questionable benefit. Serious criminals, terrorists and state actors will up their game, rendering much of this surveillance useless. Telephone and mail interception didn't stop the terrorists of the 70's, 80's and 90's.

MPs may feel compelled to act, for if they don't and something bad happens, questions will inevitably be asked why this type of surveillance wasn't installed.

And herein lies a problem as no-one will know if mass surveillance would have stopped it.

But we already have a good idea of the price of surveillance.  Greg Callus wrote an excellent piece in light of the Leveson inquiry, detailing how we're struggling even today to stop enterprising criminals selling access to our private communications.

I have three further worries. There will be a costly arms-race, I have no doubt of that.  Only the manufacturers of surveillance equipment can possibly benefit.

Plus, back-dooring our entire communications infrastructure creates a cyber security risk.  Yes, that's right, a risk.  The claim that such monitoring will help the good guys is based on a premise that only the good guys will have access to it.  (If you haven't already, do go and read Greg's piece.)

Anyone who claims a system is 100% secure is either deluded or lying.  And the more people involved, the more private companies involved - surveillance equipment manufacturers and private ISPs - the greater the chance that the system will leak or be cracked.

I firmly believe that privacy is actually an enabler for cyber security. It encourages us all to act responsibly and autonomously, reduces the amount of exploitable sensitive data on the network and and minimises what system designers call "common-mode weaknesses" in the network.

And I'm worried that the focus on capabilities-based 'behind the scenes' intrusive policing will come at the expense of developing a far more effective and sustainable consensual-based policing approach for online spaces.

Surveillance and monitoring encourages cops to dig around in the bowels of the internet to find the crooks, rather than developing cyber-detective skills which in reality are nothing more than traditional detective skills transposed into the digital space.

Delving around behind the curtains is not sustainable because crooks quickly learn not to leave evidence there.

Every police force needs a substantial new division of cyber detectives, people tasked to understand not just the technology but motive, culture, who's who in online communities, what are the current tools of the criminal trade.

People on the internet are just people.  They slip up, they make mistakes. Anonymous are not anonymous but pseudonymous, and this is important.

Yes, a large proportion of anons are not criminal. But the few that are rely on pseudonyms in order to build a reputation. A reputation which acts as a currency for acceptance with other criminals.

But loose collectives of cyber criminals rely on open spaces to congregate and find each other. Their pseudonyms are both necessary and a weakness. Pseudonyms allow good cyber detectives to build a profile without resorting to intrusive mass surveillance.

The online space is just a community of people like any other

Any good neighbourhood cop, such as Surrey's top neighbourhood cop Chief Superintendent Gavin Stephens will tell you that policing a community is a delicate balance. An absence of authority can in some cases make people feel more secure, and in other cases less.  A police presence can reassure or unnerve, and police forces have learned over centuries to strike the right balance.

The internet is just a community space and people on the internet are just people.

Yes I expect police and government to have access to powerful tools as and when needed.  But we have learned from real-world policing that guns - things in the UK the average guy on the street doesn't have access to - aren't for the most part required for maintaining general order.

Having a largely unarmed police force prevents an arms race with criminals. Having an approachable neighbourhood police presence helps the police harness community good-will.

We the online community might be happy to help police the online space if we could trust that the authorities were acting in our best interests, not falling over themselves to censor, contain and control the online space.

Achive: more from me on communities, policing, security and open versus closed.


1 comment:

  1. It's always worth remembering that the security risk caused by "lawful intercept" interfaces (which the CCDP will effectively demand) is not just theoretical - it has been used.

    See http://spectrum.ieee.org//telecom/security/the-athens-affair


Comments will be accepted so long as they're on-topic, do not include gratuitous language and do not include personal attacks or libellous assertions.

Comments are the views of the commentator and not necessarily the view of the blog owner.

Comments on newer posts are not normally pre-moderated and the blog owner cannot be held responsible for comments made by 3rd parties.

Requests for comment removal will be considered via the Contact section (above) or email to editorial@slightlyrightofcentre.com.