How To React to Excessive Eavesdropping…

So, a couple of hours after I publish the post on Friday, the Guardian reveal that GCHQ are essentially downloading the internet. All of it. Daily. “Mastering the Internet” they modestly call it. I suspect the Internet might have a view on that.

How to Respond When they Want Access to Everything

Simple: Time for some good old-fashioned British Bloody Mindedness.

There’s only one sane and reasonable response to a government taking laws essentially designed for voice calls and wiretapping (RIPA (2000)), then using them to hoover up 600m “telephone events” and 39 Terabytes of internet data (email, entries on Facebook, use of websites etc) a day. That’s for as many people as possible globally to start using encryption as often as possible. ESPECIALLY if your email and internet use consists of nothing but pizza orders and harmless trivia.

Why’s This Important?

Actual actual reality: No one cares about his secrets. (Also, I would be hard-pressed to find that wrench for $5.)

If everyone is using encryption, with suitably strong keys, we can return monitoring and snooping back to where it should be – only those who, for whatever reason, have come under suspicion. Hopefully that will require a warrant.

If everyone is using strong encryption properly then all the computing power in the universe will not help, so they’ll have to ask for your encryption keys – again, that’s going to require you be suspected of a crime and questioned or possibly arrested first.

Now, it’s entirely possible the law makers in some repressive regime would solve this by making it an imprisonable offence to not reveal one’s encryption keys. Say for five years because terrorism, or two years otherwise. If police think a file is encrypted when it isn’t, will you also go to jail for not providing the decryption key when it’s impossible? How do you prove it isn’t? If we include steganography almost any file is a potential container of encrypted data.

nb: The repressive regime in question is the UK, and this is current law: RIPA (2000) again.

This puts the UK in the almost unique, and entirely unenviable, position of requiring disclosure of encryption keys without either a warrant or court order. Nonetheless you at least have to raise profile enough that government or police actually ask you for the key, at which point they can go ferreting in your data. That’s precious little protection then.

Putting the Genie back in the Bottle

If the NSA or GCHQ can break some of the best respected encryption algorithms (very unlikely, but let’s run with that), it’s not credible they can do so without significant computing power. If everyone encrypts then it’s no longer feasible to simply monitor everything, so they’ll have to target those who have raised suspicion, and we’ll be back to innocent until proven guilty. Which is, after all, how it’s supposed to be in a “free” country.

Alternatively we’re back to the scenario I talked of last week where they can look into your “history of everything” for the last ten years or more, so they can victimise or smear you to their heart’s content. This is not security, for anyone.

Encryption Free or Clearly Terrorist

Why’s it always framed as a bloody binary choice anyway? It’s not terrorism or security, encryption or freedom. The answer to terrorism was also to carry on, knowing the real chance of being a victim was vanishingly small, as changing our society as a result meant they had “won”.

The current fashion is that the merest hint of something that can even be framed as terrorism results in a knee-jerk piece of restrictive or invasive legislation. This shows no signs of abating until we’re all bagged, tagged and barcoded at birth.

We’re informed the NSA, and presumably GCHQ also, feel that using encryption makes your data of more interest. (Presumably under the tortuous logic that encrypting means, in and of itself, you have done something nefarious); well, because Al Qaeda – the modern trump-everything card. So encryption places you under suspicion, but it does not follow that someone using encryption has anything to hide from a National Security perspective.

It could be something as harmless (to the nation) and simple as a health issue, seeking another job and not wishing others to know, an affair, a business startup idea discussed with a colleague, financial information, and any of dozens of other sensitive topics that are utterly irrelevant from a National Security perspective. I’m pretty sure in light of the recent revelations that many American businesses will be uncomfortable to learn some of their emails and activity have been shared with the British, and vice versa.

It’s entirely impossible that an NSA employee could have a relative running a business with overseas competitors. It’s entirely impossible that there would ever be a temptation to utilise some of that data for other than national security purposes. Ever. All 850,000 people who are allegedly authorised to view this are entirely trustworthy, never have affairs, or have anything resembling the range of emotions or personality disorders common in all the rest of humanity.

They’d never go too far, or harass someone for reasons other than the utmost noble interests of the nation. Similarly they’d never smear anyone who’s innocent of a crime. Likewise MPs would never fiddle their expenses; they are, of course, entirely trustworthy, so we can relax that the powers, and those employed by them are all essentially perfect. The killers of Lee Rigby were known to security services, yet he was still murdered in the street. How, therefore, does all this surveillance help anyone?

A “Free” Country?

Perhaps in 1945. I find it deeply ironic that at the end of the Second World War the government abolished non-computerised, cardboard identity cards on the grounds they’d be an infringement of civil liberties. It would be very interesting to learn what that generation of politicians would make of today’s society. I doubt they’d be very impressed.

People search the internet for many sensitive topics, communicate via email and phone and presume, like a letter, their communications are private, acting accordingly. That they’re not, and the extent to which they’re not, is in no way justified by the extent of the “threat” we’re being protected from. (Four times more likely to be struck by lightning, remember!)

If we all start using encryption of email, Tor for browsing, and TextSecure and Redphone for SMS and mobile calls, the spooks can no longer conclude that use of encryption, in and of itself, is suspicious. Which is as it should be, because clearly there are many reasonable uses for encryption and privacy that aren’t nefarious. Hopefully we can then start rowing back to the position of someone being suspected of a crime before they are tracked, monitored and their communications snooped.

If you’re in the “if you’ve nothing to hide, you’ve nothing to fear” camp, what if you wanted to search for treatment options for your son on, say, a mental health issue, or a drug problem? What if you wanted to keep your homosexuality private from certain family members? You’d still be fine with this being a matter of record, visible to some 850,000 cleared people on both sides of the Atlantic? Would the people you communicated with? Is nothing personal any more?

According to the Guardian, even MI5 feared GCHQ went too far over phone and internet monitoring. From a civil liberties perspective.

But We’re Under Attack

Supposedly. It’s ironic that much of the protection the Americans have codified in the Fourth and Fifth Amendments stems from principles of English common law and Magna Carta; protections that have been significantly weakened in the UK; because… terrorism. So it seems we’re under attack by the government.

At this point it would be useful to be reminded of this quote (from Wikiquote) from Hermann Göring, one time Hitler’s deputy, founder of the Gestapo, and head of the Luftwaffe:
(Wikiquote’s emphasis)

Göring: Why, of course, the people don’t want war. Why would some poor slob on a farm want to risk his life in a war when the best that he can get out of it is to come back to his farm in one piece? Naturally, the common people don’t want war; neither in Russia nor in England nor in America, nor for that matter in Germany. That is understood. But, after all, it is the leaders of the country who determine the policy and it is always a simple matter to drag the people along, whether it is a democracy or a fascist dictatorship or a Parliament or a Communist dictatorship.
Gilbert: There is one difference. In a democracy, the people have some say in the matter through their elected representatives, and in the United States only Congress can declare wars.
Göring: Oh, that is all well and good, but, voice or no voice, the people can always be brought to the bidding of the leaders. That is easy. All you have to do is tell them they are being attacked and denounce the pacifists for lack of patriotism and exposing the country to danger. It works the same way in any country.

Does that sound familiar?

Sadly it should, and it’s a poor indictment of our “free” society that we’ve reached here without a peep of complaint.

What Now?

Oh yes, I was suggesting being bloody minded, wasn’t I?

Internet Browsing: Tor Browser

SMS Text Messages: TextSecure for Android and in progress for iPhone

Mobile Calls: Redphone for Android.

Email: Enigmail + PGP. You’ll need to reclaim your email from a service such as GMail however.

Connections between business sites and internal comms: use a VPN.

Should give their computers a little to think over, no?

And last, but not least, don’t forget this “mastering the internet” malarky uses a get-out clause in RIPA that applies only to data going overseas – which much of it now does when you use, for example, Facebook.

You might wish to check where your online backup, email and social network are based, and how they store and route the data, if you have sensitive business or personal data that you’d prefer was kept private, as you always believed it was.

Bletchley Park Bombe photo by Andy Armstrong.
National Registration Poster photo by Dominic Alves.