Privacy and Security together…

I just spent a very interesting day at ‘Project Breach’ – an initiative of Norfolk and Suffolk police, trying to encourage businesses and others to understand and protect themselves from cybercrime. It was informative in many ways, and primarily (as far as I could tell) intended to be both a pragmatic workshop, giving real advice, and to ‘change the narrative’ over cybercrime. In both ways, I think it worked – the advice, in particular, seemed eminently sensible.

What was particularly interesting, however, was how that advice was in most ways in direct tension with the government’s approach to surveillance, as manifested most directly in the Investigatory Powers Act 2016 – often labelled the ‘Snooper’s Charter’.

The speaker – Paul Maskall – spent much of the first session outlining the risks associated with your ‘digital footprint’. How your search history could reveal things about you. How your ‘meta data’ could say more about you than the content of your postings. How your browsing history could put you at risk of all kinds of scams and so forth. And yet all of this is made more vulnerable by the Investigatory Powers Act. Search histories and metadata could be forced to be retained by service providers. ‘Internet Connection Records’ could be used to create a record of your browsing – and all of this could then be vulnerable to the many forms of hacking etc that Maskall then went on to detail. The Investigatory Powers Act makes you more vulnerable to scams and other crimes.

The keys to the next two sessions were how to protect yourself – and two central pillars were encryption and VPNs. Maskall emphasised again and again the importance of encryption – and yet this is what Amber Rudd railed against only a few weeks ago, trying to link it to the Westminster attack, though subsequent evidence proved yet again that this was a red herring at best. The Investigatory Powers Act adds to the old Regulation of Investigatory Powers Act (RIPA) in the way it could allow encryption to be undermined…. which again puts us all at risk. When I raised this issue, first on Twitter and then in the room, Maskall agreed with me – encryption is critical to all of us, and attempts to undermine it put us all at risk – but I was challenged, privately, by another delegate in the room, after the session was over. Amber Rudd, this delegate told me, wasn’t talking about undermining encryption for us, but only for ISIS and Al Qaeda. I was very wrong, he told me, to put the speaker on the spot about this subject. All that showed me was how sadly effective the narrative presented by Amber Rudd, and Theresa May before her, as well as others in what might loosely be called the ‘security lobby’ has been. You can’t undermine encryption for ISIS without undermining it for all of us. You can’t allow backdoors for the security services without providing backdoors for criminals, enemy states and terrorists.

VPNs were the other key tool mentioned by the speaker – and quite rightly. Though they have not been directly acted against by the Investigatory Powers Act, they do (or might) act against the main new concept introduced by the Act, the Internet Connection Record. Further, VPN operators might also be subjected to the attention of the authorities, and asked to provide browsing histories themselves – though the good ones don’t even retain those histories, which will cause a conflict in itself. Quite now the authorities will deal with the extensive use of VPNs has yet to be seen – but if they frustrate the intentions of the act, we can expect something to be done. The overall point, however, remains. For good security – and privacy – we need to go against the intentions of the act.

The other way to put that is that the act goes directly against good practice in security and privacy. It undermines, rather than supports security. This is something that many within the field understand – including, from his comments to me after the event, the speaker at Project Breach. It is sad that this should be the case. A robust, secure and privacy-friendly internet helps us all. Even though it might go against their instincts, governments really should recognise that.

The internet, privacy and terrorism…

As is sadly all too common after an act of terrorism, freedom on the internet is also under attack – and almost entirely for spurious reasons. This is not, of course anything new. As the late and much lamented Douglas Adams, who died back in 2001 put it:

“I don’t think anybody would argue now that the Internet isn’t becoming a major factor in our lives. However, it’s very new to us. Newsreaders still feel it is worth a special and rather worrying mention if, for instance, a crime was planned by people ‘over the Internet’.”

The headlines in the aftermath of the Westminster attack were therefore far from unpredictable – though a little more extreme than most. The Daily Mail had:

“Google, the terrorists’ friend”


…and the Times noted that:

“Police search secret texts of terrorist”


…while the Telegraph suggested that:

“Google threatened with web terror law”

Screen Shot 2017-03-25 at 20.34.14

The implications are direct: the net is a tool for terrorists, and we need to bring in tough laws to get it under control.

And yet this all misses the key point – the implication of Douglas Adams’ quote. Terrorists use the internet to communicate and to plan because we all use the internet to communicate and plan. Terrorists use the internet to access information because we all use the internet to access information. The internet is a communicative tool, so of course they’ll use it – and as it develops and becomes better at all these things, we’ll all be able to use it in this way. And this applies to all the tools on the net. Yes, terrorists will use Google. Yes, they’ll use Facebook too. And Twitter. And WhatsApp. Why? Because they’re useful tools, systems, platforms, whatever you want to call them – and because they’re what we all use. Just as we use hire cars and kitchen knives.

Useful tools…

That’s the real point. The internet is something we all use – and it’s immensely useful. Yes, Google is a really good way to find out information – that’s why we all use it. The Mail seems shocked by this – not that it’s particularly difficult to know how a car might be used to drive somewhere and to crash into people. It’s not specifically the ‘terrorists’ friend, but a useful tool for all of us.


The same is true about WhatsApp – and indeed other forms of communication. Yes, they can be used by ‘bad guys’, and in ways that are bad – but they are also excellent tools for the rest of us. If you do something to ban ‘secret texts’ (effectively by undermining encryption), then actually you’re banning private and confidential communications – both of which are crucial for pretty much all of us.

The same is true of privacy itself. We all need it. Undermining it – for example by building in backdoors to services like WhatsApp – undermines us all. Further, calls for mass surveillance damage us all – and attacks like that at Westminster absolutely do not help build the case for more of it. Precisely the opposite. To the surprise of no-one who works in privacy, it turns out that the attacker was already known to the authorities – so did not need to be found by mass surveillance. The same has been true of the perpetrators of all the major terrorist attacks in the West in recent years. The murderers of Lee Rigby. The Boston Bombers. The Charlie Hebdo shooters. The Sydney siege perpetrators. The Bataclan killers. None of these attacks needed identifying through mass surveillance. At a time when resources are short, to spend time, money, effort and expertise on mass surveillance rather than improving targeted intelligence, putting more human intelligence into place – more police, more investigators rather than more millions into the hands of IT contractors – is hard to defend.

More responsible journalism…

What is also hard to defend is the kind of journalism that produces headlines like that in the mail, or indeed in the Times. Journalists should know better. They should know all too well the importance of privacy and confidentiality – they know when they need to protect their own sources, and get rightfully up in arms when the police monitor their communications and endanger their sources. They should know that ‘blocking terror websites’ is a short step away from political censorship, and potentially highly damaging to freedom of expression – and freedom of the press in particular.

They should know that they’re scaremongering or distracting with their stories, their headlines and their ‘angles’. At a time when good, responsible journalism is needed more than ever – to counter the ‘fake news’ phenomenon amongst other things, and to keep people informed at a time of political turmoil all over the world – this kind of an approach is deeply disappointing.

Global letter on Encryption – why it matters.

I am one of the signatories on an open letter to the governments of the world that has been released today. The letter has been organised by Access Now and there are 195 signatories – companies, organisations and individuals from around the world.

The letter itself can be found here. The key demands are the following

Screen Shot 2016-01-11 at 06.10.45

It’s an important letter, and one that Should be shared as widely as possible. Encryption matters, and not just for technical reasons and not just for ‘technical’ people. Even more than that, the arguments over encryption are a manifestation of a bigger argument – and, I would argue, a massive misunderstanding that needs to be addressed: the idea that privacy and security are somehow ‘alternatives’ or at the very least that privacy is something that needs to be ‘sacrificed’ for security. The opposite is the case: privacy and security are not alternatives, they’re critical partners. Privacy needs security and security needs privacy.

The famous (and much misused) saying often attributed (probably erroneously) to Benjamin Franklin, “Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety” is not, in this context at least, strong enough. In relation to the internet, those who would give up essential privacy to purchase a little temporary security will get neither. It isn’t a question of what they ‘deserve’ – we all deserve both security and privacy – but that by weakening privacy on the internet we weaken security.

The conflict over encryption exemplifies this. Build in backdoors, weaken encryption, prevent or limit the ways in which people can use it, and you both reduce their privacy and their security. The backdoors, the weaknesses, the vulnerabilities that are provided for the ‘good guys’ can and will be used by the ‘bad guys’. Ordinary people will be more vulnerable to criminals and scammers, oppressive regimes will be able to use them against dissidents, overreaching authorities against whistleblowers, abusive spouses against their targets and so forth. People may think they have ‘nothing to hide’ from the police and intelligence agencies – but that is to fundamentally miss the point. Apart from everything else, it is never just the police and the intelligence agencies that our information needs protection from.

What is just as important is that there is no reason (nor evidence) to suggest that building backdoors or undermining encryption helps even in the terms suggested by those advocating it. None examples have been provided – and whenever they are suggested (as in the aftermath of the Paris terrorist attacks) they quickly dissolve when examined. From a practical perspective it makes sense. ‘Tech-savvy’ terrorists will find their own way around these approaches – DIY encryption, at their own ends, for example – while non-tech savvy terrorists (the Paris attackers seem to have used unencrypted SMSs) can be caught in different ways, if we use different ways and a more intelligent approach. Undermining or ‘back-dooring’ encryption puts us all at risk without even helping. The superficial attractiveness of the idea is just that: superficial.

The best protection for us all is a strong, secure, robust and ‘privacy-friendly’ infrastructure, and those who see the bigger picture understand this. This is why companies such as Apple, Google, Microsoft, Yahoo, Facebook and Twitter have all submitted evidence to the UK Parliament’s Committee investigating the draft Investigatory Powers Bill – which includes provisions concerning encryption that are ambiguous at best. It is not because they’re allies of terrorists or because they make money from paedophiles, nor because they’re putty in the hands of the ‘privacy lobby’. Very much the opposite. It is because they know how critical encryption is to the way that the internet works.

That matters to all of us. The internet is fundamental to the way that we live our lives these days. Almost every element of our lives has an online aspect. We need the internet for our work, for our finances, for our personal and social lives, for our dealings with governments, corporations and more. It isn’t a luxury any more – and neither is our privacy. Privacy isn’t an indulgence – and neither is security. Encryption supports both. We should support it, and tell our governments so.

Read the letter here – and please pass it on.