Privacy and Security together…

I just spent a very interesting day at ‘Project Breach’ – an initiative of Norfolk and Suffolk police, trying to encourage businesses and others to understand and protect themselves from cybercrime. It was informative in many ways, and primarily (as far as I could tell) intended to be both a pragmatic workshop, giving real advice, and to ‘change the narrative’ over cybercrime. In both ways, I think it worked – the advice, in particular, seemed eminently sensible.

What was particularly interesting, however, was how that advice was in most ways in direct tension with the government’s approach to surveillance, as manifested most directly in the Investigatory Powers Act 2016 – often labelled the ‘Snooper’s Charter’.

The speaker – Paul Maskall – spent much of the first session outlining the risks associated with your ‘digital footprint’. How your search history could reveal things about you. How your ‘meta data’ could say more about you than the content of your postings. How your browsing history could put you at risk of all kinds of scams and so forth. And yet all of this is made more vulnerable by the Investigatory Powers Act. Search histories and metadata could be forced to be retained by service providers. ‘Internet Connection Records’ could be used to create a record of your browsing – and all of this could then be vulnerable to the many forms of hacking etc that Maskall then went on to detail. The Investigatory Powers Act makes you more vulnerable to scams and other crimes.

The keys to the next two sessions were how to protect yourself – and two central pillars were encryption and VPNs. Maskall emphasised again and again the importance of encryption – and yet this is what Amber Rudd railed against only a few weeks ago, trying to link it to the Westminster attack, though subsequent evidence proved yet again that this was a red herring at best. The Investigatory Powers Act adds to the old Regulation of Investigatory Powers Act (RIPA) in the way it could allow encryption to be undermined…. which again puts us all at risk. When I raised this issue, first on Twitter and then in the room, Maskall agreed with me – encryption is critical to all of us, and attempts to undermine it put us all at risk – but I was challenged, privately, by another delegate in the room, after the session was over. Amber Rudd, this delegate told me, wasn’t talking about undermining encryption for us, but only for ISIS and Al Qaeda. I was very wrong, he told me, to put the speaker on the spot about this subject. All that showed me was how sadly effective the narrative presented by Amber Rudd, and Theresa May before her, as well as others in what might loosely be called the ‘security lobby’ has been. You can’t undermine encryption for ISIS without undermining it for all of us. You can’t allow backdoors for the security services without providing backdoors for criminals, enemy states and terrorists.

VPNs were the other key tool mentioned by the speaker – and quite rightly. Though they have not been directly acted against by the Investigatory Powers Act, they do (or might) act against the main new concept introduced by the Act, the Internet Connection Record. Further, VPN operators might also be subjected to the attention of the authorities, and asked to provide browsing histories themselves – though the good ones don’t even retain those histories, which will cause a conflict in itself. Quite how the authorities will deal with the extensive use of VPNs has yet to be seen – but if they frustrate the intentions of the act, we can expect something to be done. The overall point, however, remains. For good security – and privacy – we need to go against the intentions of the act.

The other way to put that is that the act goes directly against good practice in security and privacy. It undermines, rather than supports security. This is something that many within the field understand – including, from his comments to me after the event, the speaker at Project Breach. It is sad that this should be the case. A robust, secure and privacy-friendly internet helps us all. Even though it might go against their instincts, governments really should recognise that.

3 thoughts on “Privacy and Security together…”

  1. Thanks for highlighting this Paul.

    We have been house-hunting for the past few weeks and it came to my attention just how fraught with malicious software are these estate agents. Although I don’t consider myself a computer expert, I have had so much trouble in the past with such things that I decided to install a system that is as immune to attacks as is possible; I also have encryption, a non-tracking search and VPN installed. Logging into various estate agents I find what looks to me like they are all spying on each other and their customers.

    I find it disturbing to think that the powers that be, who tell us they are protecting us, may be able to take away my hard earned protection. That they will return me and others to the days of having to reinstall my operating system on a monthly basis – which is what used to happen. It’s not that I have anything to hide, the world and his wife must know what’s on my hard drive by now. You can probably buy copies from the “Microsoft” guy who phones us all from Mumbai.

    Double standards:
    The point of this is that I searched for people prosecuted for doing this very thing. Try it, you will be surprised how few are followed up, with prosecutions for a year that can be counted on one hand. If the law were to be enforced, all the estate agents would be in the clink.

    1. What’s interesting is that the police do really know this, and, as this event showed, in practice they encourage the use of encryption, VPNs and so forth. On the ground, the message is in favour of privacy and security. The double standards come from the leaders, from Amber Rudd and Theresa May, and sometimes from the tops of the Met and the security services. Hogan-Howe sent precisely the wrong messages on a regular basis: it will be interesting to see if Cressida Dick is any better in this area.

      1. I wrote on my website a year ago …”the security services don’t want us to secure our computers because it stops them spying on us. I doubt that many understand the paradox and what’s really going on”…
        Even after being told exactly what the state is doing and all the fake news propaganda there are people who don’t believe it.

        But it’s quite simple really: The politicians do their three year, or whatever stint and then another comes along with the same old policies re-wrapped in pretty paper. They are given orders by their establishment bosses (who never court publicity) or their political careers are ended because the press and the media are owned by the same cartel. This same story has been reported by numerous politicians and presidents for decades.
        See The Wizard of Oz Conspiracy
