One problem with this “30 posts in 30 days” format is that it doesn’t lend itself to deep discussion about current events. Trying to react to a piece of news with a well-reasoned, detailed view in real time is hard and I don’t feel I’m doing the topics justice.
I’m still not sure if I can give a fully fledged view on the matter, but I’d like to revisit the Snooper’s Charter.
About a week ago the news broke that the UK government has passed a law (subject to “Royal Assent”) that will increase their ability to access your personal data, namely your browsing history, by legally requiring ISPs to store it.
I hinted at my disbelief and disagreement with this news, but I want to elaborate a bit, as well as revisit the angle of what we can do about it.
Is it so bad?
Philosophers and security experts have no doubt thoroughly chewed over this topic in the past, but let’s briefly examine some arguments on both sides, pro- or anti-surveillance.
Pro-surveillance: Terrorists Shouldn’t Have Privacy
I guess one way to maximise your chances of identifying illegal activity is by just monitoring everyone’s activity by default. You’ll get tons of false positives, but no one will fall through the net. This obviously requires an extraordinary apparatus, and we’ll get back to that.
It is therefore possible to argue that we should have the ability to listen in on people, because we cannot afford to miss an instance of wrongdoing.
Anti-surveillance: Listening to Innocent People
The counter-argument suggests itself: that means we have to monitor innocent people. What happened to “innocent until proven guilty”? While it is true that intruding on people’s privacy without valid cause sounds like overkill, how would you know who is innocent and who isn’t without monitoring them in the first place? The answer to this of course could be that you only start monitoring people who you otherwise have reason to believe are suspicious, i.e. are already suspects in some way. This is what’s being argued from the side of the people passing this law – in theory only a court order will allow the government access to anyone’s data.
And anyway, there’s always the following trope that can be wheeled out.
Pro-surveillance: “You Shouldn’t Be Worried If You Have Nothing To Hide”
This argument makes its appearance every time the privacy debate comes up.
There are a few simple answers to this. First of all, yes, as a citizen of the 21st century you have to accept that your data will be captured, stored and used by third parties, be that your supermarket, bank or digital advertising companies.
I don’t mind my shopping habits being used by my supermarket to give me a more tailored and relevant online shopping experience.
What I do mind is the idea that this might get in the hands of “bad actors”.
Today I heard a quote apparently attributed to Cardinal Richelieu, which I thought was apt:
If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him.
Your otherwise innocuous data can easily be used against you, either by a future government with malicious intent, or a hacker that gains access to the data and uses it for social engineering.
Anti-surveillance: Right to Privacy
Ultimately the argument against this sort of law is that privacy is a fundamental right. It’s in the American Constitution (sort of), it’s in the Human Rights Act. What you do behind closed doors is your own business, and no one else’s.
What about the IP Bill specifically?
After that bit of philosophical ping-pong, let’s consider this specific bill. What are the real points of contention?
I alluded to returning to this earlier. The bill requires ISPs to store a year’s worth of browsing history for each of their users. Even if it’s just metadata, that’s a lot of data to store, and to store in real time. The storage and latency issues associated with this will pose a huge challenge to ISPs who may or may not be equipped to cope with it.
On top of that, there are huge security concerns. Companies like TalkTalk and Three have already had large-scale data breaches in the last year. ISPs will be much more of a target now that hackers will know the kind of data they could have access to. Now all of a sudden we’re not even talking about malicious governments accessing your data, but concerns about simple security.
Questions about Access
I stumbled upon an article on the subject, and I’d just like to quote from it.
A list of who will have the power to access your internet connection records is set out in Schedule 4 of the Act. It’s longer than you might imagine:
- Metropolitan police force
- City of London police force
- Police forces maintained under section 2 of the Police Act 1996
- Police Service of Scotland
- Police Service of Northern Ireland
- British Transport Police
- Ministry of Defence Police
- Royal Navy Police
- Royal Military Police
- Royal Air Force Police
- Security Service
- Secret Intelligence Service
- Ministry of Defence
- Department of Health
- Home Office
- Ministry of Justice
- National Crime Agency
- HM Revenue & Customs
- Department for Transport
- Department for Work and Pensions
- NHS trusts and foundation trusts in England that provide ambulance services
- Common Services Agency for the Scottish Health Service
- Competition and Markets Authority
- Criminal Cases Review Commission
- Department for Communities in Northern Ireland
- Department for the Economy in Northern Ireland
- Department of Justice in Northern Ireland
- Financial Conduct Authority
- Fire and rescue authorities under the Fire and Rescue Services Act 2004
- Food Standards Agency
- Food Standards Scotland
- Gambling Commission
- Gangmasters and Labour Abuse Authority
- Health and Safety Executive
- Independent Police Complaints Commissioner
- Information Commissioner
- NHS Business Services Authority
- Northern Ireland Ambulance Service Health and Social Care Trust
- Northern Ireland Fire and Rescue Service Board
- Northern Ireland Health and Social Care Regional Business Services Organisation
- Office of Communications
- Office of the Police Ombudsman for Northern Ireland
- Police Investigations and Review Commissioner
- Scottish Ambulance Service Board
- Scottish Criminal Cases Review Commission
- Serious Fraud Office
- Welsh Ambulance Services National Health Service Trust
That list is bonkers. Why would the Welsh Ambulance Services NHS Trust need my browsing history? Or Food Standards Scotland?
I do not support this bill.
The reason isn’t even to do with the general privacy debate.
Even if, for whatever reason, you agree with governments being able to access this data in extreme cases (suspected terrorism, whatever) and even if we put aside concerns about governments misusing this power, this bill also relies on ISPs keeping data safe. That is a huge risk in itself.
Based on the number of data breaches we’ve seen over the months and years, I simply do not trust that my data will be kept safe.
I’d argue that you should be concerned about this bill in its current form regardless of how you feel about the politics of the bigger issue of privacy.
Although I am also quite concerned about how long that list of departments that can access my data is.
What can we do?
I touched on this previously. VPNs are not covered by the law, so they’re a good solution. Bear in mind that it matters where your VPN provider’s servers are, and what they do with your data.
You could start here.
Sign a Petition
There is also a petition you can sign. It’s already past the point where the government must respond to it. It is, at the time of writing, 68% of the way to being considered for debate in Parliament.
Write to your MP
Some have also suggested writing to your local MP. I checked and it turns out my local MP has one of the lowest response rates out of all of them, but I might try anyway.
You can find out who your local MP is (and how they vote on all issues!) here: They Work For You.
Read About It
If you want some more detailed discussion on the topic, you could start with this Hacker News thread.
Footnote: This is the 25th entry in my 30 day blog challenge.