Investigatory Powers Bill

Written Evidence submitted by James Le Cuirot
Software Engineer, Yakara Ltd (IPB 18)

1. I write this as a software engineer, who is familiar with the technological issues involved, but also as the father of a 5-year-old, who realises that living in a major city could make us the victims of a terrorist attack. Statistically though, we are very much more likely to die in a car accident and I believe we should treat these dangers with the appropriate level of caution. I say this even in spite of the awful attacks in Brussels today.

2. I confess to not having read the bill itself as I am a busy man who does not speak legalese but I do not feel this precludes me from participating in the debate. I have been following its progress closely, largely thanks to Adrian Kennard, one of its foremost critics, who has also taken the time to write to you. A recent email to my own MP, Michelle Thomson, helped in her decision to vote against the bill's second reading. [1]

3. I take particular issue with the collection of so-called Internet Connection Records. Apart from being poorly defined, as if they were some recognised pre-existing technological concept, whatever they turn out to be in practice, they are of very little use to either the security services or the police.

4. An illustration given by the NCA of what an ICR might be tells of a missing schoolgirl called Amy who uses Twitter on her phone [2]. She goes missing and the police use data from her communications provider to determine who she had been communicating with lately. In reality, the presence of encryption means that all the communications provider will be able to say is that her phone accessed and regularly just as it had most likely done for weeks and months before. It would reveal practically nothing about whether she had been actively using these services as modern smartphones communicate with these services all the time, even when you're asleep if you leave data enabled. It would certainly not reveal who she had been speaking to or what was said. The only way to find out any useful information would be to approach Facebook or Twitter directly and having these ICRs does not help with that at all.

5. Unsatisfied by this conclusion, the government has been trying to convince us that they should have privileged access to encrypted communications via backdoors. There have been countless warnings from experts about how this would make the Internet unsafe, how British technology would no longer be deemed trustworthy, and how it would only put legitimate users at risk while those being pursued could continue unhindered.

6. Encryption is mathematics and mathematics does not care whether you're the good guys or not. The recent plethora of data breaches have shown that security is hard to get right and you want to weaken it further with backdoors? If you thought the TalkTalk breach was bad, imagine the impact on a bank. Then imagine the public backlash when they realise it was not the bank's fault but the government's for making them weaken their security.

7. This is assuming that installing and using such backdoors is even logistically possible. I had to create a new encryption key for our company's private email server today. This is something we do on a regular basis and many other tech companies do so too. Would this key need to somehow be lodged with a government entity? What if that key is handling traffic from another country? What if the server is in another country? Adrian Kennard gave this great example on his blog.

8. "If a British citizen with an iPhone purchased in France and roaming in Germany iMessages a Chinese citizen roaming in Sweden using an iPhone purchased in Denmark, which government's keys need to be inserted in the iMessage communications by an American company (Apple) legally based in Luxembourg using servers hosted in Eire?" [3]

9. Contrived, yes, but not beyond the realms of possibility and if a terrorist could achieve something only half as complicated, it would still present a major headache for the security services. Not that they would even need to go to such lengths to escape detection. At the end of the day, nothing can be done to prevent terrorists from easily conducting their own end-to-end encryption across the Internet. Tech companies like mine do it constantly. Just today, I must have started dozens of Secure Shell sessions using freely-available non-commercial open source software [4] to our remote servers across the country. You don't even need a computer. A pen and paper will suffice. The one-time pad [5], used during the Second World War, is still just as practically unbreakable as it ever was, even against a supercomputer.

10. With all that said, one has to wonder what value there is in collecting ICRs at all. Sure, not all traffic is encrypted, but there has been a huge push for more encryption lately and why would a terrorist communicate in the clear anyway? Collecting this data would just be invading the privacy of everyday law-abiding citizens who have repeatedly and rightfully called upon the government not to spy on them. Those citizens would be particularly unimpressed when they learn just how much it costs to collect all that data. I am not in a position to give figures but feedback from the ISPs has shown that the government grossly understated the costs. The public is already angry over budget cuts, now more than ever. This is not the time to be throwing away huge sums on such useless schemes.

11. There is an inevitable desire among politicians to be seen to be doing something in the wake of a terrorist attack. Take a step back and consider that these measures may do more harm than good. If you want to be seen to be doing something then tackle the root causes through positive action in the schools and the communities. This problem cannot be fixed overnight.






March 2016


Prepared 24th March 2016