Communications privacy in the spotlight again
Like a bad April Fools Joke, Home Secretary Theresa May used April 1st to announce that the government was resurrecting the controversial project to monitor email communications. Whilst this has provoked much debate about the privacy implications and whether or not it clashed with EU privacy laws, little has been said about the technology behind it.
Police forces have long used postal mail intercepts and phone taps as a way of gathering evidence. Phone records, knowing who phoned who and when, can give additional intelligence. It is not surprising, given the evolution of communications across the internet, that police and security services would like to know the same about who emails who. However, unlike phones where there are only a couple of well defined ways of communicating with someone, (voice or text message) and those records are essential to the billing system, the internet is diverse and has no need of such record keeping.
That is the heart of the matter. The proposed bill would make it mandatory for ISPs to maintain records of emails for a period of several years to allow access by police and the security services. In a Select Committee statement, May said it was needed "to maintain the capability for the security services to access certain data on terrorists, criminals and so on" although who the "so on" are wasn't questioned. Is that another way of saying "and everyone else"?
Is this bill intended to allow investigators to find out who mailed who, or to keep a record of the contents of everyone's email? And will it be a record which can only be accessed once a person is suspected of a crime, or will spooks use it on fishing trips to trawl for mentions of keywords like "bomb"? May said, rather ambiguously, that "It will not be looking into emails in real-time." Why qualify it with "real time". That implies they would have the capability to look into mail contents at some other time.
A question that affects us all is how they propose to collect this information? Will everyone who runs a mail server, whether it is a company like ourselves, SKILLZONE, or a company with an in-house Exchange server, be expected to preserve records, or will it only be ISPs? If it is done at ISP level, this suggests they will need to monitor all traffic going in and out of your premises and detect email traffic within it. Who will provide the software to do that? Or will everything have to go through a government-approved standard issue black box with unknown capabilities?
The question I find hardest to answer though is how it will detect mail which doesn't go through the email protocol? All of us are familiar with webmail such as Gmail and Hotmail. Will the black box also need to monitor that traffic? There is a pretty endless list of webmail services and you can even write your own, as well as other channels such as Facebook postings, Twitter, private forums and so on. Will all of these be logged, just in case? And even if they do, using encrypted communications over HTTPS to link to sites should make it impossible for any black box to know anything about who you are talking to on that web site. How could that problem be overcome, without making privacy illegal?
The security services of the USA are much more adept at playing the terrorist card to justify surveillance and its plans make the UK's proposals seem mild. At the small town of Bluedale, Utah the NSA is building a massive multi-billion dollar data centre in its quest for "total data awareness". It has 10,000 builders working on constructing four server halls, each 2,300 square metres. According to Wired Magazine, the centre will "intercept, decipher, analyse and store vast amounts of the world's communications from satellites and underground and undersea cables of international, foreign and domestic networks. Even the most apparently insignificant scraps of data will be captured and stored in case they later become important: private emails, mobile phone calls and Google searches, as well as personal data trails, travel itineraries, purchases and other digital pocket litter."
26th April 2012
This article comes from the SKILLZONE email newsletter, published monthly since January 2008, and covering topics related to technology and the internet. All articles and artwork in the SKILLZONE newsletter are orignal content.