Investigatory Powers Bill

Written evidence submitted by Christopher Lloyd (IPB 35)

Summary

Internet Connection Records should be removed from the Bill in their entirety. They are costly, a massive breach of privacy, damaging to citizens and business alike, and easily defeated. There is no justification for their continued inclusion in the Bill.

Introduction

Internet Connection Records (ICRs) are the brainchild of someone with no understanding of the Internet. They will be an extremely costly waste that does not make us safer in the slightest, they can be evaded by people with almost no technical knowledge, they are a gross breach of privacy that will endanger innocent people when the information is inevitably hacked, and will do nothing to stop any criminal or terrorist that is even the slightest bit competent.

These may seem like bold statements, but regrettably this is the reality of the situation. We know they will not work, and many other experts have told the Joint Committee this before the bill was introduced to the House of Commons. The Home Secretary has completely ignored this in a desperate attempt to enact the bill as fast as possible, and has shown a shameful disregard for the facts.

Imagine airport security if we subjected passengers to even more invasive measures than we do today. Let us say we interrogated everyone about their life history and subjected them to strip searches. Let us say we spend hundreds of millions of pounds installing new security equipment and training staff to achieve this.

Now imagine all a terrorist had to do in order to get a bomb on a plane was to go through another door, bypassing all these measures entirely. No one sane would call this invasion of privacy justified, effective, and claim that it provided good value for the taxpayer. It would be a thing of mockery.

Despite how ridiculous it may seem, Internet Connection Records are the equivalent of the fictitious airport security measures described above. Analogies can only be taken so far, of course, and the situation is actually even worse with regards to the Internet: in a real-life airport you can at least secure all the entrances. On the Internet, the "other door" is impossible to secure, because of the very workings of the Internet and the technology itself.

I do not fear my own activities being logged in an ICR, because I can completely control what is logged. I can use tools like a Virtual Private Network (VPN) and send my Internet traffic via an overseas server, outside of UK jurisdiction. Anyone can avoid their true activities being logged. A layperson could do this in less than a minute by reading some simple instructions that are easily found via a quick Google search.

So why is the Home Secretary so desperate to implement them, despite being told repeatedly they will not work?

Internet Connection Records – An Overview

The government states [1] that Internet Connection Records are supposed to achieve the following goals by allowing actions on the Internet to be attributed to a person:

1) To identify the sender of a communication.

2) To identify the communications services a person is using.

3) To determine whether a person has been accessing or making available illegal material online.

ICRs fail at every single one of these goals, since an Internet user can easily:

· Hide the fact that they sent or received a particular message (Goal #1).

· Hide what services they have accessed (Goal #2).

· Hide the contents of their message, such that it is impossible to determine if illegal activity has taken place (Goal #3).

Additionally, it is stated that:

"[Internet Connection Records] could never contain a full web address as under the law these would be defined as content."

ICRs can indeed fall afoul of this under the terms defined in clause 193. For example, if I access bbc.co.uk/news, then the BBC website is considered the service. What I am looking at is not logged, as this is content. However, there are alternative addresses for BBC News: news.bbc.co.uk and bbcnews.com. If I use one of those, an ICR would log the host name and so reveal what I am looking at on the service, disclosing the "content" of my communication in violation of a law which states that this information cannot be logged.

Programming a computer to filter out any "content" gathered in this way is essentially impossible, because a computer does not understand meaning. "Content" and "communications data" are legal distinctions, not technical ones, and computers do not operate in those terms. A computer is simply opening, sustaining, and terminating an IP connection to a server. It has no concept of what the Bill considers to be content, or of the overall purpose of the communication.

Further, even the domain of a website accessed as described in subsection 6b can indeed provide the "meaning" of the communication. Imagine the following websites are accessed:

breastcancertreatments.org.uk

divorcesolicitors.co.uk

financialadvice.com

suicidehelpline.com

abortioninformation.org.uk

dealingwithaddiction.com

These are very revealing about the user in a way that accessing google.co.uk, wikipedia.org, or bbc.co.uk is not, and this is one reason why ICRs are so devastating to privacy.

The intent of the law appears to be that "content" is information that reveals private matters, while "communications data" is low-level information that does not particularly impose upon privacy. However, as this distinction has no technological basis, there is no practical way of separating out and removing the former.

It is also very difficult to determine which specific device is communicating. Most Internet Service Providers give their customer a single public IP address, which the home router shares among every device in the house through network address translation. For a typical home network with several laptops, a smart TV, and several smartphones, all of these devices appear to the ISP, and to the Internet as a whole, to be the same device. Facebook knows who you are and that you have accessed it via your phone. Your ISP has no idea who in the house has accessed Facebook, because the information Facebook sends is encrypted. And if measures to hide the traffic are used, your ISP does not even know that you are really accessing Facebook.

Evasion Methods

Preventing any meaningful information from being logged in an Internet Connection Record is trivial. There are multiple techniques one can use, some of which require no real technical skill whatsoever. These include:

· Using a Virtual Private Network (VPN) to encrypt and tunnel traffic via a relay. The ISP can only see that traffic is being sent to the VPN provider, with no clue as to the real destination or the contents. When using an overseas server outside of UK jurisdiction, there is no means of compelling this data to be provided.

· Using the Tor Browser, which is based on the popular Firefox browser. This routes the traffic through several relays in layers of encryption (hence the name "The Onion Router"), so that no single relay knows both the true source and the true destination of the traffic. All an ISP will see is the user connecting to a Tor node.

· Web proxies download pages on behalf of a user. Thus an ICR would show webproxy.com when the user has in fact used this to access bbc.co.uk/sport. Web sites that take a snapshot archive of a page can also achieve the same effect.

· Public Wi-Fi networks can be used. A criminal could also break into an unsecured or badly secured wireless network and use that instead.

· Custom DNS settings can be used to make it harder for the ISP to determine what web site address was accessed, since the ISP's own resolvers no longer see the lookups. Web sites can also share IP addresses, in a similar way to how your phone and your laptop share a public IP address, and this is increasingly common as Content Delivery Networks (CDNs) are used to deliver content at scale. This would not be a serious means of evasion on its own, but it makes casual inspection and resolution of the web site from its IP address much harder.

· Legitimate sites can be used to communicate, and communication via subtle methods is easily possible. Encrypted files can be uploaded to legitimate sites like Google Drive; all that an ICR would log is that a user accessed Google; useless since millions do this every day.

· Messages can be embedded in content like images via steganography. Thus terrorists could secretly communicate using a legitimate site (see above), while it appears simply as someone viewing an image in a web browser.

· ICRs as a whole can be jeopardised by deliberately introducing false positives and other noise or misleading information. Images and other content can be embedded in a page or message, causing a user to connect to a web site without intending to. For example, I could send an email that embeds an image hosted on a terrorist web site. If images are displayed automatically, this will result in the recipient's ICR showing a connection to a terrorist web site with no intent whatsoever on their part.
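The steganography point above is easy to underestimate, so here is a worked illustration. This is example code written for this edit, not part of the original submission and not anyone's production tool. It hides a message in the least-significant bit of each colour sample of an image, then recovers it; the cover image is constructed pseudo-random noise rather than a real photograph, and the functions operate on a raw RGB sample buffer (the decoded pixels of a PNG, say). Every name in it is an assumption of the example.

```python
"""Least-significant-bit (LSB) image steganography, as an added example.

A 4-byte big-endian length header is followed by the message bytes; each
bit of the payload replaces the low bit of one colour sample. The carrier
changes by at most one unit per sample, which is invisible to a viewer and
to any connection-level logger, which only sees an image being fetched.
Note: this only survives lossless formats (PNG, BMP); JPEG recompression
destroys the low bits.
"""
import random
import struct

HEADER_LEN = 4  # bytes of length prefix


def capacity(pixels: bytes) -> int:
    """Maximum message length (bytes) the carrier can hold after the header."""
    return len(pixels) // 8 - HEADER_LEN


def embed(pixels: bytes, message: bytes) -> bytes:
    """Return a copy of `pixels` with `message` hidden in the low bits."""
    if len(message) > capacity(pixels):
        raise ValueError("message too large for this carrier")
    payload = struct.pack(">I", len(message)) + message
    out = bytearray(pixels)
    for i, byte in enumerate(payload):
        for bit in range(8):  # most-significant bit first
            b = (byte >> (7 - bit)) & 1
            idx = i * 8 + bit
            out[idx] = (out[idx] & 0xFE) | b
    return bytes(out)


def _read_bytes(pixels: bytes, start: int, n: int) -> bytes:
    """Reassemble n bytes from the low bits of samples starting at `start`."""
    result = bytearray()
    for i in range(n):
        byte = 0
        for bit in range(8):
            byte = (byte << 1) | (pixels[start + i * 8 + bit] & 1)
        result.append(byte)
    return bytes(result)


def extract(pixels: bytes) -> bytes:
    """Recover a message hidden by embed(); raise if the header is implausible."""
    (length,) = struct.unpack(">I", _read_bytes(pixels, 0, HEADER_LEN))
    if HEADER_LEN * 8 + length * 8 > len(pixels):
        raise ValueError("no valid message header found in carrier")
    return _read_bytes(pixels, HEADER_LEN * 8, length)


def max_sample_delta(a: bytes, b: bytes) -> int:
    """Largest per-sample change between two equally sized carriers."""
    return max(abs(x - y) for x, y in zip(a, b))


def make_cover(width: int = 64, height: int = 64, seed: int = 1234) -> bytes:
    """Constructed cover image: width*height RGB samples of seeded noise."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(width * height * 3))


def write_ppm(path: str, pixels: bytes, width: int = 64, height: int = 64) -> None:
    """Write the RGB buffer as a binary PPM so it can be opened in a viewer."""
    with open(path, "wb") as fh:
        fh.write(b"P6 %d %d 255\n" % (width, height))
        fh.write(pixels)


if __name__ == "__main__":
    cover = make_cover()
    secret = b"constructed secret message"
    stego = embed(cover, secret)
    print("carrier size unchanged:", len(stego) == len(cover))
    print("max change per sample:", max_sample_delta(cover, stego))
    print("recovered:", extract(stego))
    write_ppm("stego.ppm", stego)
```

The carrier image that results is byte-for-byte the same size as the original and no sample differs by more than one, so whatever logs the fetch records only that an image was viewed on some legitimate site. Encrypting the message before calling embed() would additionally hide the fact that the low bits carry structured data at all.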

VPNs in particular are one of the most powerful means of evasion. They allow businesses to securely connect between branch offices over the Internet. Technologically savvy users may even use them to connect to their home PC from work or while on holiday. Our security, infrastructure, and economy depend on this vital piece of technology.

Conclusions

ICRs will pose an enormous target to hackers and will inevitably be leaked at some stage, since a breach of a data store this large and this valuable can never be ruled out entirely. This would compromise the privacy of millions of people due to the very sensitive data contained within them, putting people at risk of blackmail, identity theft, fraud, and other criminal activity. Hackers would know which banks you use, what times your house is unoccupied, where to target your children, aspects of your private life, and some of your innermost thoughts. It would be enormously damaging. Meanwhile criminals and terrorists would easily evade it, so that the records hold no compromising information about them at all.

Millions of pounds will be wasted at a time when Britain is looking to reduce the deficit. The UK security industry will come to be seen as untrustworthy, and companies will likely have to migrate parts of their business elsewhere, resulting in the loss of British jobs. The measures will pose a barrier to entry into the ISP market, reducing competition, which will have a negative impact on consumers. Unless the taxpayer picks up the full cost, the expense will need to be passed on to customers, resulting in higher prices.

Internet Connection Records should immediately be removed from the bill. They are a complete failure at a technical, financial, and moral level. There is a reason why other nations do not log this information; it invades privacy and it does not work.

We do need to look at how we protect our safety in an ever changing modern world. However we need intelligent, competently developed schemes, instead of poorly thought out mass surveillance dreamt up by those with no understanding of the topics at hand.

March 2016


[1] https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/473745/Factsheet-Internet_Connection_Records.pdf


Prepared 24th March 2016