The web snooping plans: time to get campaigning

The Queen’s Speech will contain legislation on the interception of communications. Should Liberal Democrats (and indeed liberals) be alarmed?

I treat this question with some initial caution because in one respect many liberals have been – rightly – calling for more use of interception by the government for many years. That is in making intercept evidence admissible in court, so that more cases of alleged terrorism and the like can be brought to court, curbing the (claimed) need for legal powers to allow people to be restricted or restrained without a court case happening.

The other reason for treating the question with caution is that much of the media coverage has conflated two different issues: access to communications data and access to message content. Think of a letter that you post. Someone looking at the name and address you’ve written on the envelope and checking the date on the postmark is finding out something about you – who you communicate with and when. But that is of a different degree of intrusion from opening the envelope and looking at what you have actually written. Technically the two are also rather different – looking at an envelope rather than opening it.

Those differences explain why the existing rules for phone calls and the like distinguish between them. Access to content of phone calls, emails and so on (opening the envelope) currently can only be done when judged to be necessary to investigate or prevent serious crimes or in the interests of national security. Such access needs a warrant signed by the Home Secretary.

From what I understand of the government’s plans for the Queen’s Speech, this is not going to change. That is important, but not the whole story.

What is going to change is the access to communications data (looking at the envelope, not opening it). Again, the principle of communications data being available is not new, and it is currently controlled under the Regulation of Investigatory Powers Act 2000 (RIPA).

That was a pretty controversial Act with Liberal Democrats (and liberals), so the government’s plans to extend RIPA to cover a wider range of communications methods under the same regime need caution, at best.

What the government will be proposing is to extend the RIPA powers to cover newer forms of communications such as Facebook Chat or Instant Messaging.

RIPA allows communications data to be used by the police, security services and others where it is a necessary and proportionate part of their legal investigations. Superficially that might sound a decent safeguard, but the record of RIPA is not promising – think of the abuse of RIPA by local councils.

That is a serious problem with the government’s plans, even though they do not include (hooray) the Labour scheme of producing one central database of all this communications data. That would have opened up a whole new world of security risks and potentials for abuse.

Liberal Democrats in Whitehall I’ve spoken to are very keen to see the RIPA safeguards improved. So far some changes have been kicked off – such as to those rules that local councils abused. But more will be needed.

In addition, there are technical issues here. One, of major concern to internet service providers, is that whilst the communications data for phone calls and emails has traditionally been held and kept for limited periods of time for their own billing and technical needs, the same does not apply to some of the newer forms of communications.

Here the government’s plans are unclear, as the Gateshead conference motion said that we should be “ensuring that service providers are not mandated by law to collect third-party communications data for non-business purposes by any method”. Yet the government wants to change the law to provide access to such data and will be offering money to such firms to gather this sort of data. Quite how that can be squared with the conference motion wording is hard to see, unless this will be a voluntary snooping scheme, whose value would then be highly questionable. (There is also the issue of quite how much money would be involved. Estimates so far are that the costs will be large.)

Moreover, there are technical issues around the access. This is where some of the debates get very technical, but to give a rough analogy, many online communications are like a postcard. That is, if you are allowed to look at the postcard to see the name and address of the recipient, you can also thereby see the content by moving your eyes only fractionally to the left. In other words, access to the communications data opens up access to message content.

People such as Liberal Democrat MP Julian Huppert, and the party conference in Gateshead, have been very clear in their views that communications data should only be available if done in a way that does not make the message content available. Is that technically possible? Technical experts outside government say ‘no’, but the government seems to think it can be done. It is certainly true that GCHQ and the like have many advanced, expert techniques but it is hard to see at this point how this technical hurdle will be resolved, if indeed it can be.

In other words, on the likely most sensitive issue the details are shrouded in a fog of uncertainty. What is clear is that the details of what will be done are in some major respects a mix of uncertain and still up for debate.

However, what the Home Office proposes is not the same as what Parliament will legislate. No matter how flawed the initial proposals put to Parliament by Theresa May are, they put the RIPA rules on the table – giving the opportunity to get them changed to meet what a liberal approach should be – as little intrusion as possible, only for the most serious of offences and with rigorous, independently verified safeguards.

UPDATE: See also Why so many Liberal Democrats are angry.

3 responses to “The web snooping plans: time to get campaigning”

  1. "Think of a letter that you post. Someone looking at the name and address you’ve written on the envelope and checking the date on the postmark is finding out something about you – who you communicate with and when."

    No, a letter that I post does not have any indication on the outside that it has come from me, unless I choose to write a return address on (which I never do). The "when" I communicated it – at best the postmark could indicate roughly when it was sent, though it may have languished in a postbox over a weekend awaiting collection. And the likelihood of someone checking every item of mail I send is incredibly low – practically zero.

    This proposal is different, it will tie together sender and receiver of electronic communications with accurate sending date & time stamps. Say it's an e-mail and the sender has requested a read-receipt, it will be trivial to tie together the date/time of the read-receipt message with the sender's original message and link that in too. Even without read-receipts, if the sender replies, the reply carries in its header a unique number that allows the chain of messages in the conversation to be linked and ordered. Note this isn't the message itself – it's ancillary, header information about the message, and will be included in the data collected.

    And the postcard metaphor for examining the content of a message rather than limit yourself to just the source and destination details, is an oversimplification that doesn't work either. Returning to e-mail as an example, the header detail which includes sender, receiver, and a whole host of other interesting information about how the message has been handled, runs on into the message – they are mixed-up. You have to actively filter out the message content (which we're being told is not going to be stored) from the header information (which is what we're being told is going to be stored). That active filtering will be carried out by software, written by humans, that could have flaws in it. I really don't want to trust my ISP with this task.

    On the bright side, a proxy server account hosted either in Sweden or the USA should get around this for a few tens of dollars per year. Or I get a Tor network client running (which could be a free solution). Yes, I'd rather funnel money to a foreign company to get around this.

    *slow handclap*

    • Chris: Analogies are never perfect, but they can be very helpful – such as to start explaining an issue to someone not familiar with the details. Talking about "headers" to someone without a fair degree of technical knowledge risks losing them, and failing to win them over to understanding what the problem is.

    • Mark Pack: If you check RIPA definitions of communications data you will note (s.21(7)) that the *only* thing which limits communications data relating to postal items to material written on the outside of the envelope (rather than also including the sender's address conventionally written on the top right hand corner of the first sheet of the letter and the signature block) is that it's specifically excluded by the statute wording itself. Otherwise opening the envelope – provided it was only the communications portion of the letter that was read – would be perfectly legitimate and IS legitimate in respect of all non-postal communications caught by the act.
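
The first comment above makes two technical points about e-mail: a reply's header carries an identifier that lets a conversation be linked and ordered, and header and body sit in one stream that software has to separate. The following is an added example, not part of the post or of any comment, showing both on two constructed messages; the addresses, the `KEEP` allowlist and the function names are assumptions made for illustration.

```python
from email import message_from_string

# Constructed sample messages (not real traffic). The original uses bare LF
# line endings; the reply uses CRLF, as mail does on the wire.
ORIGINAL = (
    "From: alice@example.org\n"
    "To: bob@example.net\n"
    "Date: Mon, 07 May 2012 09:15:02 +0100\n"
    "Message-ID: <1001@example.org>\n"
    "Subject: Lunch\n"
    "\n"
    "Private text of the first message.\n"
)
REPLY = (
    "From: bob@example.net\r\n"
    "To: alice@example.org\r\n"
    "Date: Mon, 07 May 2012 09:42:40 +0100\r\n"
    "Message-ID: <2002@example.net>\r\n"
    "In-Reply-To: <1001@example.org>\r\n"
    "Subject: Re: Lunch\r\n"
    "\r\n"
    "Private text of the reply.\r\n"
)

# Hypothetical allowlist of fields treated as communications data. Subject is
# a header field too, but it is text written by the sender, so it is left out.
KEEP = ("From", "To", "Date", "Message-ID", "In-Reply-To")

def communications_data(raw):
    """Parse the message properly and return only the allowlisted headers."""
    msg = message_from_string(raw)
    return {name: msg[name] for name in KEEP if msg[name] is not None}

def naive_header_filter(raw):
    """Flawed filter: assumes the header block ends at the first LF LF pair."""
    return raw.split("\n\n", 1)[0]

def link_thread(records):
    """Return (parent Message-ID, reply Message-ID) pairs from headers alone."""
    ids = {r["Message-ID"] for r in records}
    return [(r["In-Reply-To"], r["Message-ID"])
            for r in records if r.get("In-Reply-To") in ids]
```

The naive filter works on the LF-only message but returns the whole CRLF message, body included, because `"\r\n\r\n"` never contains `"\n\n"`; the parser-based filter handles both.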
