End User security surveillance & privacy

I break my silence on the Snooper’s Charter

my latest observations on the snooper’s charter

I have in the past been very vocal when it comes to the snooper’s charter. Especially when I was more active in the ISP industry. Having throttled back a bit I let others, the professionals, have their say and stuck to my own counsel.

Just received a summary of the comments from MPs in respect of the latest incarnation of the Bill from the ITSPA Secretariat. I’ve pasted it below with a few of my own observations.

Internet Connection Records

  • Burnham said that whilst the Government’s position in the draft code of practice makes it clear that URLs are not communications data and therefore, by definition, cannot be included in ICRs, it would be more useful to have a single, clear definition of ICRs in one place in the Bill.
  • Burnham stated that communications data should not be capable of being accessed to investigate any crime, regardless of how serious the offence is and the impact on victims.
  • Member of the Public Bill Committee, Gavin Newlands MP, said that the measures in the Bill are not limited to internet access, email or telephony and include, explicitly, communication without human intervention. He added that the industry has indicated a willingness to work with the Government to help implement ICRs, but the trouble is that the industry does not know what ICRs are, and it seems Government still do not know either. He said that these powers were intrusive and needed to be properly defined.
  • Member of three Committees which scrutinised the Bill, Matt Warman MP, said that people needed to be reminded that it was CSPs and not govt who would hold ICRs and govt would not be dipping into this information for any other purpose than to stop serious crime.
  • Alistair Carmichael MP said that it was unacceptable at this stage of proceedings that there is still no proper clear definition of ICRs.


Tref writes: Government has no idea what it is talking about in respect of ICRs and is probably keeping things deliberately vague so that they can apply the “definition” to anything that suits them.

Matt Warman is also missing the point. It doesn’t matter who keeps the data – it will be hacked into and leaked. Also we hear all sorts of stories about RIPA requests from councils wanting evidence on relatively trivial “crimes”. The concern is that once the data was available all sorts of people would come out of the woodwork wanting to look at it.


  • Member of the Public Bill and Joint Committee, Suella Fernandes MP, said that the UK wants world-class encryption and privacy, but also wants world-class security and citizens should trust the skill and restraint of the analysts, the cryptographers, the mathematicians and the codebreakers who safeguard security and have maintained confidence and discretion in relation to the secrets they have seen.
  • Stephen Hammond MP said that encryption was hugely important to the digital economy and said it should not be undermined, however, he said he had faith in the security services that they would use restraint.


Tref writes: they are totally missing the point here. If encryption methods are designed to be hackable by government codebreakers then criminals and hostile foreign powers can do the same. You can’t have “world-class” encryption if it can be hacked.

Cost Recovery

  • Newlands highlighted that owing to uncertainty about the extent and definition of ICRs and the extension of CSPs that will be affected by the proposed provision, the cost is difficult to estimate, but industry figures have said that they expect it to be anywhere between £1 billion and £3 billion. He said that it was not good enough that govt had not produced robust figures which could be examined whilst the Bill was being scrutinised.


Tref writes: they have no idea what the implementation of the Bill is likely to cost and are keeping quiet about it because the eventual figure is likely to be unpalatable.

End User surveillance & privacy

Like a bit of porn do you fnaa fnaa wink wink

What price privacy? Snooper’s charter 2015 – round “n”

The snooper’s charter debate shouldn’t be about what will be monitored by the government.  We should be discussing exactly what price we are prepared to pay for our security. Considering that any data stored under this edition of the “charter” will eventually be hacked and leak out are we ok with this?

The supplementary debate of how effective the monitoring will be in catching terrorists is a different matter.

Check out a ton of posts on the snooper’s charter.

Btw the featured image is simply a seasonal photo taken this morning in the car park of Yarborough Leisure Centre where I go swimming. Nothing to do with the snooper’s charter 2015 unless something is hiding under there…:)

surveillance & privacy

Off we go again – snoop snoop nnngggggg aaargh

Home Secretary Theresa May wants to look at your browsing history

Home Secretary Theresa May will announce plans to give Police the power to view the web browsing history of everyone in the country when she introduces the Government’s new surveillance bill in the House of Commons on Wednesday.

You are talking to confused of Lincoln here. On the one hand I want the government to catch spies, terrorists, child molesters, cyber criminals etc etc etc. On the other hand I don’t want a 15 year old kid being able to hack in to the database where all my personal online activity is stored and being able make use of what could be very interesting data to someone. If the database doesn’t exist then the kid/crook/etc won’t be able to hack it.

An offline existence seems to be quite an attractive proposition at the moment. One where I can make sure all my doors and windows are locked before I go out and the burglar alarm is set. A life where I don’t wake up in the night and pick up my phone to see what goes.

On the other hand I just bought a book – Venice by Jan Morris. I got it from Amazon, who store my credit card details and inside leg measurement. Had I used offline means to buy the book I would probably never have found it in the first place.

I wanted the book because Anne and I are off to that city in January courtesy of a flash online sale by BA. I found out about the sale via Slack, an IM platform that LONAP uses for intra team communication. BA too have my credit card data and know that I prefer an aisle seat (1C depending on the plane).

Before clicking “buy” I was able to check the reviews of the hotel in Venice. I didn’t go for the first hotel and also opted to upgrade to a room with a view of the Grand Canal, thanks to the reviews. I may use Uber to get me to the airport and quite possibly on another occasion AirBnB to find somewhere to stay.

So the 15 year old kid will be able to watch me take off and then go and burgle my house before heading off himself to a sunny spot (sunnier than Venice in January) paid for with my credit card.

A holiday at home is starting to sound good. I’d amble out and buy a paper every morning. Chillax in a cafe in Lincoln’s Bailgate with a pal, watch the people go by and then buy a few bits and a nice fresh crusty loaf before ambling home for lunch. In the afternoon I may attempt to catalogue my book collection whilst listening to some music on my record player (or possibly a CD if the vinyl is scratched).

Presumably I’d phone a friend to see if he (or she) fancied a coffee or it could be a long standing arrangement (if it’s Tuesday…). I wouldn’t use Facebook…

I’m just a crazy mixed up 53 year old. Is it a generational thing? The demographic 20 years older than me tends not to have an internet connection. They are the dwindling number of people in the UK without broadband. Am I part of a generation with one foot either side of the technological divide who can remember the days before the internet but has until now totally embraced it and who now grows dizzy in this data whirlwind of a world in which we exist.

HELP HELP I cry. I don’t know what to do. I’m just one entry in a database. And anyway I’m off away for the weekend – Durham and York. But then you knew that didn’t you…

End User internet security surveillance & privacy

Anderson Report on Terrorism Legislation

Anderson Report on Terrorism Legislation

The Independent Reviewer of Terrorism Legislation, David Anderson QC, yesterday published his report into investigatory powers. The Anderson report on terrorism legislation is almost 400 pages long and includes 124 recommendations so you need some stamina to plough through it.

Following the report’s publication Home Secretary, Theresa May MP, gave a statement (watch it here) to the House of Commons. She set out a timetable and provided some general comments:

A draft bill (Snooper’s Charter revisited) will be published in the Autumn and subject to pre-legislative scrutiny by a Joint Committee. A Bill will then be published early in the New Year with a view to passing a final act before the DRIPA sunset clause come into effects at the end of 2016.

While generally accepting Anderson’s recommendations, May seemed to question the viability of his proposals to require judicial authorisations for warrants, highlighting the need for balancing the responsibilities of the Judiciary and Executive.

In addition to the draft bill, Government will look at a reform of the mutual legal assistance framework (in response to the Sheinwald Report which has not yet been published).

The Anderson Report

Overall approach by David Anderson is as follows:
‘A clear, coherent and accessible scheme, adapted to the world of internet-based communications and encryption, in which:

a. public authorities have limited powers, but are not shut out from places where they need access to keep the public safe;

b. procedures are streamlined, notably in relation to warrants and the authorisation of local authority requests for communications data;

c. safeguards are enhanced, notably by:

i. the authorisation of warrants by senior judges;

ii. additional protections relating to the collection and use of communications by the security and intelligence agencies in bulk;

iii. greater supervision of the collection of communications data, including judicial authorisation where privileged and confidential material is in issue or novel and contentious requests are made;

iv. improved supervision of the use of communications data, including in conjunction with other datasets and open-source intelligence; and

v. a new, powerful, visible and accountable intelligence and surveillance auditor and regulator.’

This forthcoming bill is going to require very careful scrutiny and it will be interesting to see how many of Anderson’s recommendations are implemented. Governments have a habit of listening to these things only when it suits them. Theresa May is already suggesting that she wants the power herself that Anderson is saying should be given to Judges. It’s exactly this situation that we want to avoid.

In principle I don’t think any sane person can object to a government wanting to make it easier for themselves to catch more crooks. However we don’t necessarily need to give them authority to monitor every one of us. Why can’t they stick to just monitoring suspected criminals?

Thanks to the ITSPA secretariat for some of the inputs to this post.

Other Snooper’s Charter posts (lots of them) here.

Business security surveillance & privacy

Snooper’s Charter a honeypot for security breaches

Snooper’s Charter security breach – an “accident” waiting to happen.

The Snooper’s Charter, they aren’t going to get away from that name, is the proposed law where the Government seeks to legitimise spying on all our internet communications. They of course have very legitimate reasons for wanting to do this – national security, prevention of terrorism etc and promise not to look at the information of innocent persons.

I’m not going to go into the lengthy list of issues with this (list here). Except that is to say that one of my objections to the Snooper’s Charter is the fact that once the government has gathered all this communications data it will lose it. Once lost it will eventually it will find its way into the public domain.

“No no no don’t worry it will be very secure” says a government minister (I’m sure). “Oh no it won’t” says I, as sure as hard drives will fail or get left on a bus.

It isn’t just that the information will get left on a bus. Someone will hack into the vault where it is stored and steal it.

The latest news from the US is that some overseas government (allegedly) has hacked into the Office Of Personnel Management and pinched details of the entire staff of the US government.

Just imagine if this was the Snooper’s Charter database. UK government ministers would have details of their affairs made public, or at least placed in the hands of agencies that might make “good use” of the information.

Who will be the first to be blackmailed? When will the first really serious compromise of national security happen as a result?

This is just an example of a possible scenario. It could be information about you. No national security involved but quite possibly embarrassing. Maybe you don’t want the world to know that you buy women’s underwear for your own use, or that you are a trainspotter.

It will happen if we implement the Snooper’s Charter. It’s up to you to decide whether that is a good thing or not. I don’t think it is.

Snooper’s Charter security breach – an “accident” waiting to happen.

End User social networking surveillance & privacy webrtc

Real Time Campaigning: How will WebRTC and other tech impact elections in 10 years’ time?

What might a WebRTC enabled democracy & election process look like in 10 years’ time? (Or, technically, 12)

There’s a lot of pre-election stuff that’s the same every year. The campaigning, the squabbles, the gaffes and the villains: they’re all regular plot lines in Britain’s most depressing pantomime. As we go to the polling stations tomorrow, however, we can reflect on 2015 as the year that something did change – the first year that the parties appear keen, rather than reluctant, to embrace technology. We’re seeing as many memes and mashups as we are manifestos; not surprising really as this is, afterall, what many of the traditional media outlets have dubbed “the social media election”.

It’s true that there’s been far more activity on the social media battlefield than ever before (even if they’ve not quite got it right) and it seems that parties are even beginning to use big data – although they’ve a long way to go to replicate the success that Obama had with data in his 2012 campaign. But what role could or should technology play in the elections of the future? What might, say, the 2027 election look like? How might WebRTC play a part in that? Here’s what I imagine might happen…

Every campaign sits on a foundation of micro targeting

TargetIf there’s a question worth asking, in 2027 there’ll be some data that supports the answer. Parties will dedicate greater spend to using big data as the foundation of each campaign – whether that’s in the capture and curation of data relevant to them or analysing it.
This will allow focus of specific campaign messages on certain groups, or even at an individual level. They’ll focus on swing voters, and those within swing constituencies, targeting them with whichever marketing method suits that opportunity, at that time. Meaningful, one-to-one engagement with individual voters will be commonplace, made easier with social media. In addition, these engagements will be more memorable because they’ll use video and other real time comms via WebRTC.
Shaping campaigns in this way has obvious benefits for the parties, but could this type of targeting backfire? Will voters get creeped out and perceive the relevant party in a negative way? Will the long heralded privacy backlash make it too difficult to capture the right data in the first place? Do we rely too much on the integrity of the people to whom we give our data?

Predicting outcomes and campaign agility

With so much data available, much of it collected from social media engagements, will it be easier to predict results?

In the 2012 election in the US, analyst Nate Silver created a model that accurately predicted the winner in every state. Was his success simply due to the fact that Nate was ahead of the curve with the system he was using, and no one had time to react? In 2027, prediction models will have become even more sophisticated and we will see a greater emphasis on doing this in real time. That will then have an effect on parties’ activities and focus throughout the campaign. Each party will need to be agile and have the means to react quickly to changing predictions. Technology like WebRTC could provide another way to communicate with party members, on the ground campaigners or even swing voters in a really quick and effective way.

Real democracy in real time

Electronic systems could allow the public to vote on issues before or as decisions are taken in Parliament. The government paid lip service to using technology to help represent the public’ views with e-petitions, but will they ever be brave enough to open up decision making to registered voters on a regular, or even real time basis? Technology like WebRTC, with its low barrier to delivering enriched comms universally, could potentially be used to allow voters to watch a live debate and then vote at the end. This vote could then shape Members’ opinions or, even, make the decision outright. Would Parliament ever be that bold, and would MP’s accept their role being changed from being a voting representative of a constituency to its steward?

Some governments have already trialled this kind of approach, albeit to shape decision making in advance of its debate. DemocracyOS is an example of this: an open source solution that seeks to provide voters with the means to inform, debate and vote on bills before they are passed. According to them, it’s already been used by the Government of Mexico, the Congress of Buenos Aires, and by some congressmen in the US amongst others. Adopting this kind of approach would be an interesting way to reduce the effectiveness of large companies’ lobbying, and ensuring that airtime in front of MPs isn’t just a question of money and power.

I easily can imagine that forward-thinking councils in the UK, or even individual MPs could use this kind of democratic technology to debate local issues, gaining traction by social media sharing. It would be a welcome alternative to local, “public” consultations that are conducted so discreetly that the public are not properly represented.

Even if government, councils and elected representatives don’t themselves adopt that approach, there are other organisations that seek to make government more democratic from the outside. US startup Placeavote has an interesting model, where site members vote on bills on any range of topics and Placeavote’s candidates will represent the majority of voters. It has failed to gain much traction so far but could prove disruptive given the chance, and I imagine that by 2027 we could have seen someone try a similar approach in the UK.

Reducing expenses, humanising politics and customer service 101

keevio webrtc interfaceIn 2027, MPs will find it much easier to balance their Parliamentary duties with those in their constituency. Technology like WebRTC will mean there’s little excuse to not participate in a debate or vote because they will be able to do so remotely, and there would no longer be the possibility for bills to be passed due to poor scheduling and low turnour. Furthermore, MPs won’t need a second home in London and can spend more time in their constituency.
Internet connectivity will be ubiquitous, as will devices to access it. This means that they can use tech like WebRTC to engage with their constituents in a different way with memorable, multimedia enriched conversations with the same universal reach of the phone systems of the past. For example, elected MPs and their representatives could use this to make their “MP surgeries” more accessible for their constituents by negating the need to travel. They could even adopt a real time “ask me anything” approach during pre-election campaigns.
By 2027, local MPs will have learned lessons from the way that businesses use technology to improve their customer service. Communicating with your MP will be more efficient and timely and, as a result, people will engage with them more than ever before.

The voting process itself

DecisionAn obvious area where technology could improve elections is in the voting process itself. For example, how backwards and archaic is it that we should turn up to a physical location with just a polling card and no verification of identity, yet we already need an online government gateway ID to get a passport? And how secure is it really to leave counts of paper ballots to volunteers? Technology like WebRTC could reduce the technical barrier of providing biomechanical verification in the process.

In addition, increasing the number of people who are registered to vote, and those who actually do place a vote is an ongoing challenge. Technology could make the process of registering and voting more convenient in the hope of increasing participation. To this end, the Political and Constitutional Reform Committee has already proposed that all electors should have the choice to vote online in the UK by 2020. Electronic voting has already been trialled in some countries and so some level of e-voting in the UK by 2027 is not unimaginable – although the experience in Estonia hasn’t actually increased turnout in itself so its effect on this could be in question. Furthermore, whilst paper counting by humans may have its drawbacks, it is very open, auditable and therefore resilient against high level, systematic abuse. Will we ever have the same level of assurance with an electronic vote?

Whatever happens, it’s pretty safe to say that the stage has been set for much wider use of technology during the election process. The challenges will be cultural and institutional – and we’ll be interested to see which parties will be first to adopt real time technologies to make a real difference to the voting public.

Previous posts from the ipcortex WebRTC week:

Hacking together a WebRTC Pi in the sky – keevio eye

Wormholes, WebRTC and the implications of algorithmical analysis Defragmenting today’s communications

WebRTC – where are the real world applications?

Welcome to ipcortex WebRTC week on

Check out all our WebRTC posts here

Engineer surveillance & privacy video webrtc

Wormholes, WebRTC and the implications of algorithmical analysis

James Batchelor is Founder and Chief Executive at Alertacall, an organisation which uses neat technology to deliver services which increase human contact with people at risk and are used to improve the lives of many thousands of vulnerable people. Prior to that he was involved in the creation several ventures in the internet service provision, internet retail, telecoms, recruitment and telecare sectors. James has been an ipcortex customer since some of our earliest days and is one of those people who, every time I have the pleasure of chatting to him, I always walk away with a valuable bundle of unique insight. I posed the question to James about the technology impact of WebRTC, and this is what he came back with…

WebRTC meets wormholes

On a long-haul flight in 2001, with the occasionally pungent aroma of reconditioned air in my nostrils and the drone of Rolls Royce engines through my headphones I was transported for a few hours not only to USA – but in to an alternative future. I had the immense pleasure of having time and little else to do but read a novel and a science fiction one too.

The story I read, “The Light of Other Days”, is centred on the discovery of wormhole technology which can be used to pass information instantaneously between points in the space-time continuum. The technology is commercialised by a global media company and used to create the “wormcam” which allows for anything anywhere to be viewed with profound implications for privacy.

As I ponder the applications and implications of WebRTC, and explore its own wormhole like qualities, I wonder whether there are similar impacts for humanity and how the absolute digitisation of our communications streams – coupled with the massive computing power now at our fingertips – could impact upon our own privacy in novel and unexpected ways.

My own company Alertacall is particularly interested in understanding how patterns in the way people communicate with us can indicate a change in their “need”. This is with the positive goal of helping our older customers get the help they need before a situation escalates and becomes materially more difficult to manage. And, as our future products and services start to use WebRTC and other similar communications technologies I wonder what additional data we’ll have at our disposal.

Real-time analysis

I’ve long hypothesised that computers should be able to detect from cameras and other input devices subtle things about human physiology that the human eye cannot, but only had clear evidence of it after stumbling across the fascinating TED talk See invisible motion hear silent sounds.

This talk demonstrates the possibility of detecting heart rate with nothing more than video, by analysing the microscopic movements in our skin caused by pulsating arteries. I wonder how long it is before a methodology to determine skin temperature is devised, or what can be inferred by knowing how quickly someone breathes, blinks or swallows?

In 2012 the mathematician Mr Max Little announced that Parkinson’s symptoms can be detected by using algorithms that analyse voice data. There is also Voice Stress Analysis, which can indicate a range of emotional states including the detection of whether someone is potentially lying. What else could be inferred from a “call”?

But what specifically has this got to do with WebRTC and similar stacks? I suggest that the incredible proximity of these communications streams to silicon provides an unprecedented opportunity to develop applications that exploit all of these methods for causes good and bad. For example: imagine if calls to emergency services were prioritised using real-time analysis of video and voice, where the person most likely to be having a heart attack is answered first.

Also, imagine a world, in which the person or organisation you are in a call with has installed one of the dozens of analysis applications that are likely to emerge – and can infer huge amounts about your physiology. “Mum, I’m absolutely fine” the daughter says to her mother, but moments later the concerned mother’s machine tells her it’s simply not true with a simple Chrome plugin.

We’re tremendously excited about the applications we can build with WebRTC to connect with our customers and to connect our customers to each other – but live in constant wonder about what opportunities will emerge.


Previous posts from the ipcortex WebRTC week: Defragmenting today’s communications

WebRTC – where are the real world applications?

Welcome to ipcortex WebRTC week on

Check out all our WebRTC posts here

End User social networking spam surveillance & privacy

fling flung over twitter

Fling – adult social network – I’m not supplying a link

Somewhat surprised that Twitter let this ad through. I’ve been pushed a promoted tweet by “fling” three times in the last few days. There’s nothing in the ad to tell you what fling is. Just looks like an odd way to push photos.

It’s only when you click to go to their website and are faced with a wall of nude photos that you realise what it is – an adult social network. For adult read porn. I find this quite distasteful of Twitter. I also find myself in the unusual situation of saying “Facebook would not have allowed that ad” although this is not based on any knowledge of fact.

You can see from the featured image in this post that the ad says “Send your snaps to 50 people around the world at random”. This must surely be something that the Advertising Standards Agency would want to take a look at. It’s something that kids might inadvertently click on. After all it suggests something like Instagram.

Fling must have some money to spend if they’ve pushed the ad to me three times. Unless I’m considered to be of a “certain demographic” which could be a bit worrying. Makes you wonder what data mining is being done by Twitter.

An individual is pretty helpless in this situation. We need the social networks as they have become part and parcel of our everyday lives but seem to have little control over what those networks might do with our data1. It feels to me that governments should start taking a much tougher stance with these guys.

Lots of posts on the subject of surveillance and privacy elsewhere on this blog. Check them out in the surveillance and privacy category here.

1 eg class action against Facebook for privacy breach & Facebook admits to tracking non-users

End User surveillance & privacy

Privacy International

25th Anniversary Privacy International

Article 12 of The Universal Declaration of Human Rights says ‘No one shall be subjected to arbitrary interference with his privacy, family, home, or correspondence.’ This is the message driven home on the front page of human rights charity Privacy International who this year celebrate their 25th anniversary.

Gus HoseinExecutive Director Gus Hosein recently made an excellent contribution to our week of advice to the next government regarding internet related legislation. I thought because it’s their 25th birthday I’d tell you a bit more about them. In particular we have to remember that they are a charity and need everyone’s help in continuing their good work.

I first came across Gus and PI in the rush to defend against the Snoopers Charter. I spoke at an event he helped organise at The London School of Economics called called “The Race for Safety”. I was on a panel with Shami Chrakrabarti of Liberty and David Davis MP. Both seriously knowledgeable people.

Their achievements are best noted in the following bullet points:

  • they are working on state surveillance; privacy in developing, emerging and weak democracies; and on data exploitation by companies and governments
  • fought against RIPA, against the UK ID Card and helped set up NO2ID, against communications data retention in Europe, travel and financial surveillance by the Bush Administration, biometric passports
  • are now exposing the trade in surveillance technologies to undemocratic regimes, creating a global movement of advocates including in weak and emerging democracies, and applying the rule of law to intelligence agencies’ practices

The PI organisational statement is:

“Privacy International is committed to fighting for the right to privacy across the world.

We investigate the secret world of government surveillance and expose the companies enabling it. We litigate to ensure that surveillance is consistent with the rule of law. We advocate for strong national, regional, and international laws that protect privacy. We conduct research to catalyse policy change. We raise awareness about technologies and laws that place privacy at risk, to ensure that the public is informed and engaged.

To ensure that this right is universally respected, we strengthen the capacity of our partners in developing countries and work with international organisations to protect the most vulnerable.

Privacy International envisions a world in which the right to privacy is protected, respected, and fulfilled. Privacy is essential to the protection of autonomy and human dignity, serving as the foundation upon which other human rights are built. In order for individuals to fully participate in the modern world, developments in law and technologies must strengthen and not undermine the ability to freely enjoy this right.

Privacy International, a registered UK charity (No. 1147471), was founded in 1990 and was the first organisation to campaign at an international level on privacy issues.”

Please help Privacy International by donating what you can. Their fundraising page is here.

PS It will be interesting to see if any of the subjects raised in the political week on this blog get covered in the election campaigns of any party.

End User internet online safety Regs security surveillance & privacy

Julian Huppert MP proposes that the next government implements an online rights framework of principles

Online rights framework will help safeguard privacy

The internet is increasingly key to our daily lives and a crucial part of public policy making with ramifications across all areas. However, too often what we get from politicians is poorly thought through kneejerkery. I’ve seen this myself, on far too many occasions.

Just to pick up a few examples, when we were re-writing the Defamation Bill, there was a proposal being pushed that ISPs should be required to filter out any defamatory content on their network – quite a tall order.

David Cameron has been particularly bad – you may remember his suggestion at the time of the riots that he should be able to turn off social media to avoid panic. It took a lot of work to stop that and make it something that was ‘not even considered’. More recently, he’s been insisting that we should ban any messaging system that cannot be decrypted by GCHQ, completely failing to understand the essential link between encryption and cyber-security.

But this problem strikes the opposition too. There have been some really alarming comments about filtering out legal material online that completely miss the point of what is technically possible or desirable. And of course there are people in each party who do actually get it, although not all of us get to have the necessary influence over our front benches to achieve sensible outcomes.

My party has taken these issues seriously, and there are several things we hope to achieve in this area. One of these is stable sensible regulation – something that almost shouldn’t need to be said. Brilliant new ideas can easily be killed off if regulation is tweaked unexpectedly and long term investment will drop off if there is a risk of irrational rule changes. We as politicians should set a framework of principles, which should then be relatively stable. We should call on technical experts for help and have  discussions with the community and businesses. We can then setting the detailed online rights rules in a rational way. That has to be the best way forward.

I’ve been particularly working to develop a Digital Bill of Rights, setting a basic framework for what people should expect online when it comes to issues like privacy, net neutrality and more. This has become especially important since the Snowden revelations. All of us want security, and all of us want privacy.  How do we try to achieve both of those goals? When should the police or security services be allowed to collect information on us, and for what purposes?

Typically, these issues have been dealt with largely secretively and reluctantly, and with a focus on specific data types. For example, strong controls were introduced on DNA data in the Protection of Freedoms Act, but the Police just sidestepped them when storing biometric information, without even attempting to learn the principles from DNA data.

So those are my two key points – stable and sensible regulation, and a clear principle framework for our online rights. If I’m re-elected I’ll fight for those but it would be great to have more colleagues to help with that.

If you want to help me achieve this vision, please consider helping me out – has the details.

Julian Huppert is Liberal Democrat MP for Cambridge. He has a scientific background and is one of a very small minority of our MPs who can grasp issues relating to internet technology.

Although one or two more might creep in that pretty much concludes the week’s posts on advice to the next government. Other political week posts on are linked to below:

James Firth on why government should stop looking to big corporates for tech innovation
Gus Hosein on Data Protection Reform and Surveillance
The Julian Huppert crowd funding campaign here
Paul Bernal suggests government should hire advisers who know what they are doing
Domhnall Dods on Electronic Communications Code reform
James Blessing Says “No matter who you vote for…
Peter Farmer on Ofcom really isn’t an all powerful deity
Dr Monica Horten on Why the Magna Carta applies to technology policy

See all our regulatory posts here.

End User Legal Regs surveillance & privacy

Why Magna Carta matters to technology policy – listen up Dave

Monica Horten

Dr Monica Horten continues the internet privacy rights debate

This year is the 800th anniversary of Magna Carta, the Great Charter that established the right to a fair trial and  put an end to arbitrary justice in private hands. What, you may ask, does this have to do with technology policy for the 21st century? It’s a strange twist of fate that this year, in Britain, we face calls for private companies to take on the role of  (secret) police-man, judge and censor all wrapped up in one.

Post-election, the government of whatever colour – blue, red, yellow, purple or green – will have to face up to policy issues concerning the technology that runs our lives and the companies that control the underlying infrastructure. Broadly, the issues fall into two categories:

Control of content on networks (BT, Virgin, TalkTalk, Vodafone etc) and platforms (Google, Twitter, Facebook, Instagram, etc)

Surveillance using the underlying data created by transmissions using  these networks and platforms

In both cases, the issue is whether technology companies can be asked to take action in respect of individuals and their private communications  at the demand or insistence of third parties. Those third parties might be governments but might also be other private or public interest groups with a range of  aims relating to, for example,   terrorism,   children,   defamation or copyright.   The kind of action they might be asked to take is to  block or filter content; or collect, store and supply data.

The suggestion by intelligence chief Robert Hannigan, in his Financial Times article, for a public debate is absolutely welcome, and it will be down to the next government to show the strength of character  to facilitate such a discussion.

My plea to politicians and government officials  is that they should not simply accept these kinds of demands at face-value. They should try to understand the importance of the balancing act that they are obligated to carry out when addressing individual communications. These obligations fall under the human rights framework and they  take us back to Magna Carta and the stand against arbitrary justice.  Whatever the policy aim, it is paramount that the government must balance such demands against rights to free speech and privacy, and  ensure that justice is conducted with due process.

There is scholarly and legal opinion that mass retention of communications data  puts privacy rights at risk. In particular, the risk concerns abuse of powers of access to the data. From local councils seeking to get at dog owners, as apparently happened a few years ago, right through to very nasty possibilities of  the misuse of data to spy on and pressure innocent individuals, such possibilities must be guarded against.

Similarly, it is widely recognised among experts that the blocking and filtering technology implemented by the broadband providers is capable of interfering with free speech rights,  and there is a growing body of case law to that effect. This is especially the case where the filtering is carried out with no legal basis, using secret black-lists created by third-parties, and outsourced to companies operating in other countries under foreign legal jurisdiction. Arguably, such filtering represents  an intolerable interference with a precious right to freedom of speech and uncensored publishing that we have enjoyed for over 300 years since the lapse of the Licencing Act in 1695.

In the country that gave birth to Magna Carta and to the most essential principles of democracy, it is incumbent on policy-makers to remember that any decision  regarding interference with personal communications and online content  must be necessary and proportionate, meet a legitimate policy aim and be provided for by law. Private corporations are the kings of today. Like King John, they should not be above the law. They should also not be asked to enforce the law.  Arbitrary demands that technology companies take action without the proper legal basis, arguably puts democratic speech on a slippery slope going backwards.

Dr Monica Horten is a Visiting Fellow, London School of Economics and Political Science. She is an independent expert on  the Council of Europe’s Committee of Experts on Cross-border Flow of Internet Traffic and Internet Freedom. She is the author of two books:  A Copyright Masquerade: how corporate lobbying threatens online freedoms and The Copyright Enforcement Enigma: Internet politics and the Telecoms Package and writes the Iptegrity blog   (Twitter: @Iptegrity). She has a new book on Internet policy forthcoming from Polity Press in early 2016.  She also has a forthcoming paper on free speech rights, private actors and the duties of the State.

First published on political week posts on

James Firth on why government should stop looking to big corporates for tech innovation
Gus Hosein on Data Protection Reform and Surveillance
The Julian Huppert crowd funding campaign here
Paul Bernal suggests government should hire advisers who know what they are doing
Domnhall Dods on Electronic Communications Code reform
James Blessing Says “No matter who you vote for…
Peter Farmer on Ofcom really isn’t an all powerful deity

See all our regulatory posts here.

Business End User Legal Regs surveillance & privacy

Reform or go quietly – data protection and government surveillance

Gus Hosein data protection reformData protection reform – Government should stop promoting industry and government interests at the expense of protecting citizens says Gus Hosein of Privacy International

You can tell it is almost election time. All the discussions with anyone in the policy sphere quickly moves on to the ‘next parliament’, and questions arise about who will be the next Minister, and probably more important, Committee Chair. And there is more talk of manifestos than positions on key pieces of legislation and policies that should be discussed today. Instead, everyone would rather wait for some indeterminate amount of time into the future where we know not when these issues will again find their day on the policy agenda.
In the meantime, the government departments and agencies continue their work to dismantle privacy.

It’s a sad state of affairs. After all, the coalition agreement of the current government declared, in heady and idealistic days of May 2010, very strong ambitions around privacy protections — deleting databases and discontinuing surveillance programmes, including communications data retention. Yet in the past five years we have seen repeated policy attempts and intense politics around expanded surveillance powers. And in the past five years, we’ve seen government resistance to stronger privacy protections in the form of data protection reform.

Despite all the news about lack of consumer confidence, data breaches, hacking, court decisions protecting privacy, and yes, over-reach by intelligence agencies, the UK Government can’t stop being the bad-boy of the western world on surveillance. And it continues to drag the rest of the world down, as it insists on expanding surveillance and retreating on privacy.

So what hope is there for the future? To be honest, despite past performances by all, I’m quite optimistic.

1. Data protection reform
At the moment, the Government is actively obstructing data protection reform. Neither the Ministry of Justice nor BIS want to see strong protections of privacy. The EU has spent the past five years trying to build a new legal regime to replace the outdated Data Protection Directive, and thereby the 1998 Data Protection Act here. But in recent years the UK Government has been active in promoting industry and government interests, at the expense of protecting consumers and citizens. This just can’t continue. Eventually the UK Government has to recognise that stronger data protection rules are essential to consumer confidence, civil liberties, and the marketplace. And if it doesn’t care about protecting UK consumers and citizens, then it would be best to get out of the way. And the emerging instruments will again set the example globally.

2. Reform surveillance law
It’s not just that the Regulation of Investigatory Powers Act 2000 was given royal assent nearly 15 years ago, before the spread of wifi, mobile internet, social networking. It’s not just that Parliament had to approve under duress, and under a Home Office manufactured ’emergency’, legislation that is due to sunset in 2016 requiring continued data retention despite a very clear European Court of Justice ruling declaring it unlawful. It’s not just that the Home Office is rushing through a consultation on when the Government should be able to hack computers. It’s not just that getting companies in other jurisdictions to cooperate with requests from UK law enforcement and intelligence agencies should require a higher standard of authorisation than just a ministerial warrant or a self-authorised request by police agencies. Rather, it is that the case for surveillance law reform has become so clear that we now have the opportunity to make UK law the standard for the rest of the world.

The UK can stop being the bad-boy of the western world. And it can be within the next Parliament.


Gus Hosein has worked in the field of technology and human rights for over fifteen years. He has advised international organisations and institutions including UNESCO, UNHCR, OSCE, and the UN Special Rapporteur on Terrorism and Human Rights. He has held fellowships at the London School of Economics and Political Science and the American Civil Liberties Union. As Privacy International’s Executive Director he coordinates work advancing the protection of privacy across the world, with a particular emphasis on developing countries.

This is a week of political posts on in which guests discuss technology regulatory issues that they feel should be addresses by the next government. Other posts this week include:

James Firth on why government should stop looking to big corporates for tech innovation

See all our regulatory posts here.

End User security surveillance & privacy

Pretty graphic reaction to ISP porn blocking

Thought I’d slip this one in – adult content filter eh 😉

adult content filter

I don’t know John Harvey but he seems a fairly forthright kind of guy. From Yorkshire maybe.

It’s not so much that you are telling your ISP anything when you opt out of the adult filter, or whatever it’s called. We doubt that any human intervention is involved in the process. It’s the likelihood that the information that you don’t wish adult sites to be blocked is leaked or hacked. That’s the issue.

If the information isn’t there is can’t be hacked. If this was an opt in that would sort it, aside from the fact that these filters aren’t renowned for their accuracy.

As an aside I assume that this site will henceforth be blocked by these filters. Probably already is. Parents don’t want their kids to know that they go to parties like trefbash or the pissup in a brewery. The blog was once blocked by the Timico firewall as “social media” sites were frowned upon by whoever set the policy in place (not me – I used to spend all my time on social media – I had a different set of permissions:).

The question is would Twitter be blocked. There’s a lot of graphic language on Twitter. I once unfollowed someone because of his non stop use of swear words. Not my kind of thing. Would be interesting to hear from anyone who has adult content filtering in place to see whether Twitter was visible or not.

Looking on the positive side, if you have opted out of the adult content filter, and are therefore “down on the list” you can always say it’s because you wanted to read posts on;)

Effin read it first on wtf!

Read this highly popular and relevant post on the consequences of allowing government to monitor our online habits here.

Bad Stuff Business ecommerce Engineer internet online safety Regs security surveillance & privacy

A quick guide to problems that will arise if we implement further internet surveillance measures

Snoopers Charter revisited

The aftermath of the Charlie Hebdo murders has lead to goverment and opposition calling for more internet surveillance. Here are a few points for your consideration.

  1. Storing this data will inevitably result in it being hacked, left on a train/taxi on a laptop/memory stick and details of a government minister affair with another MP being made public. Example here (29 Jan 2015)
  2. The overhead associated with having to gather and store the data in a secure way will be proportionally huge compared to the size of the business and to the number of customers for smaller ISPs. This will result in the government deciding not to force these businesses to store the information and settle just for the biggest 7 ISPs aka the Digital Economy Act. The consequence will be that potential terrorists will just use these smaller ISPs for their internet services leaving a big hole in the “surveillance net”
  3. The resources required to make this happen will be huge. The French government already knew about the Charlie Hebdo killers. They just lacked the feet on the street to keep tabs on them. Diverting staff to managing the data gathering project will mean even fewer feet on the street or divert cash from adding more feet.
  4. The technical challenges with managing sender and receiver data for email clients is not small due to the hundreds of different clients out there with non standard formats.
  5. Most email is in any case encrypted these days and is run on platforms that are not necessarily owned by UK businesses. The difficulties associated with extracting these data will not be small (if not impossible). Ditto social media platforms.
  6. Forcing these platforms to provide a back door into the encrypted data (assuming it will be doable) will erode trust in areas of the economy that also rely on such encryption such as banking and ecommerce.
  7. Businesses will move away from the UK. It will be the start of the rot and leave us with a reputation akin to China et all when it comes to “surveillance society”.
  8. Terrorists will move deeper into darknets and continue to kill innocent people.
  9. On balance I’d spend the money on more feet on the street.

The rush to call for the snooper’s charter to be implemented would result in a bad law that will not have had adequate scrutiny. My wife and one of the kids were in the audience during last night’s BBC Question Time filmed in Lincoln’s Drill Hall. I watched despite it being well after my bedtime.

None of the panellists or the audience really had a grasp on the issues which reflects its highly complex nature. It’s very easy for MPs to support this type of legislation. Most right minded people will agree that it’s a good thing to stop terrorism. It’s just that they don’t understand the implications.

Check out other snoopers charter type posts here.

Business security surveillance & privacy voip

Why are the Major Telcos Afraid of encrypted voip?

A significant disconnect exists between the reality of today’s IP communications and the security concerns and needs of the customer (read encrypted voip). welcomes VoIP Week guest contributor Peter Cox, UM Labs Ltd. Founder and CEO.

One of UM Labs’ long-standing customers is using our product to provide encrypted VoIP connections from remote users (mostly home workers) and to encrypt calls they make and receive on their SIP trunk. Their motivation is simple: They are in the USA and their business makes it necessary for them to work closely with federal government, a connection that subjects them to security and compliance requirements. This customer’s view is that applying encryption to all VoIP calls — including those made and received on their SIP trunk — is an essential step towards meeting these requirements. Even if some SIP trunk calls are then relayed in clear text, as is the case for PSTN calls, the encryption applied on the connection to their trunk provider protects their network and ensures the confidentiality of SIP trunk calls on the connection between the service provider and their office. This effort demonstrates that they are taking all reasonable steps to secure the network connections under their own control and is thus a significant step towards meeting the compliance requirements.

Recently, our customer’s existing service provider announced that they were considering discontinuing encrypted SIP trunk connections, and being unable to find an alternative they asked me for some alternative service provider recommendations. I posted the question to the SIP Trunking & Enterprise VoIP LinkedIn group and received a number of helpful replies. My question also sparked some interesting discussion. A number of the participants gave spurious reasons why encryption was too difficult or not needed on a SIP trunk. What surprised me most was that representatives of two very large and well known telcos weighed in against encryption. One claimed that providing an encrypted SIP trunk connection was incompatible with legal intercept requirements, while the other tried to claim that since enterprises trust their data on “private” networks shouldn’t they trust their voice as well?

Addressing the claim that SIP trunk connections are not compatible with legal intercept requirements, I submit that when properly implemented and with the appropriate systems encrypted VoIP does not prevent legal intercept or call recording for compliance purposes. What it does stop is unauthorised call monitoring. The risk of unauthorised call monitoring is not confined to VoIP, as there is a significant risk to calls on cellular networks (see my recent blog at Encryption also has a role to play in controlling other threats, including call fraud.

Regarding the comment about enterprises trusting their data on private network connections to service providers, this I found even more surprising. I have spent many years in network security and this is the first time I have heard a connection to a 3rd party service provider classified as sufficiently private to trust for data transmission without some form or additional security. While connection to service providers may be more controlled than the open Internet, they are not private. Most enterprises will naturally want to protect their data with a VPN, so it makes sense to do the same for voice.

Part of the problem is that part of the telecoms industry is stuck in the past, back in the days when the phone companies owned and operated the networks. Things have moved on, and a significant proportion of all communications now runs on IP networks, much of it on the Internet. The move to IP has spawned new applications such as presence and IM and is the driving force behind convergence. The use of IP networks, and specifically the Internet for voice and UC, is a big step forward, but we must recognise that a different set of security rules apply. We have the knowledge and technology to address the security issues. Rather than finding reasons to avoid implementing VoIP and UC security technologies, the industry needs to embrace them and promote their implementation.

I won’t name the two telcos, but if you are interested in seeing them incriminate themselves you can follow the full LinkedIn discussion at

This is a VoIP week post on Check out other VoIP themed posts this week:

Why are major telcos afraid of encrypted VoIP? by Peter Cox
Emergency calls and VoIP by Peter Farmer
VoIP, the Bible and own brand chips by Simon Woodhead
Why the desktop VoIP telephone isn’t going away by Jeff Rodman
Small business VoIP setup by Trefor Davies
VoIP fraud-technological-conventionality-achieved  by Colin Duffy

Regs surveillance & privacy

Privacy International versus GCHQ on PRISM

Since I last commented on the Edward Snowden affair, the inevitable has happened: the issues exposed have been raised in a judicial body in the United Kingdom.

Privacy International, a charity that campaigns to protect citizens’ privacy, has filed a case against the Foreign Secretary and GCHQ for the snooping alleged in the Snowden files (for those interested, the full case has been made public.

The Investigatory Powers Tribunal is the first and last judicial body in which such cases can be heard — there is no right of appeal to the Court of Appeal or the Supreme Court or any other such body, only to the European Court of Human Rights — which means we are in this one for the long haul as such cases are rarely expeditiously dealt with.

Prima facie, there’s nothing new in the case that we haven’t heard about from the Guardian newspaper or various media outlets, and therein lies the crux of the whole thing. Where’s the smoking gun? (An idiom invented by Sir Arthur Conan Doyle for the etymologists among you). The case appears to rely in great measure on revelations from Snowden in the press and doesn’t seem to provide, for example, a laptop with the alleged malware on it. The accusations are second hand — powerpoint presentations referring to capabilities, not a Flickr stream of unwitting selfies from usurped webcams. Essentially, in fact, the entire case is hearsay. In America, depending on the exact implementation in the specific State, it is generally inadmissible in its entirety, but following reforms of the UK judicial system in 2003 with regard to both civil and criminal cases, hearsay is admissible under certain criteria (which are not strenuous — the focus on what weight the court should give the evidence and not the admissibility). And, no doubt, that is a substantial factor as to why Privacy International chose to file a claim in the UK as opposed to the USofA.

Without writing an essay on the subject, and noting that I am not a lawyer but a regulation guru that spends a lot of time surrounded by them, it appears to me that the Edward Snowden revelations have a good chance of meeting the admissibility of hearsay criteria — good news for Privacy International, and bad news for GCHQ in terms of the first hurdle at least, with one notable exception. In order for it all to be admissible, the inability for the Defendants or the Claimant to call the Claimant’s key witness (Snowden) would have to meet certain thresholds.

Edward Snowden, to our knowledge, is not yet dead nor is he unfit to testify as a result of mental illness of physical disability. Whilst he is outside the UK, you can argue, it is not unreasonably practicable to secure his attendance because there is an extradition treaty with the Russian Federation where he is alleged to be currently residing (which takes care of the “cannot be found” argument too). Also, on the face of it, Snowden could be alleged to have been complicit or guilty of carrying out criminal acts under UK jurisdiction covered by the treaty. Thus, only “afraid to testify” remains, which is a valid concern, given how extradition might work with the USofA should Ed step foot on these shores to be cross examined or prosecuted.

I can’t help but wonder if this action by Privacy International is a double edged sword. Clearly it’s a strong attack on the UK government for their alleged involvement in Prism et al and it is good such actions and potential criminality is heard fairly in court, however its weight is somewhat compromised by the lack of a smoking gun and star witness. Regardless of your leanings on the subject, it is certainly something to watch.

Regs surveillance & privacy

European Court Rules European Data Retention Directive Unlawful


Judgment was handed down today in a long running campaign brought by Digital Rights Ireland against the European Data Retention Directive* (transposed into domestic law in The Data Retention (EC Directive) Regulations 2009). In short, the European Court of Justice has overturned the Directive, saying “[it] entails a wide-ranging and particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data“.

Broadly, the Directive required telcos to store certain data for a minimum of 6 months and a maximum of 24 months. The UK transposition mandated 12 months which is consistent with other legislation). The natural consequence of this is that our own transposition will need to be repealed, which has obvious consequences — directly, and indirectly as a result of the court’s decision — for law enforcement and the security services, as well as telcos (the Regulation of Investigatory Powers Act, or RIPA, predates this, as does the Data Protection Act).

Watch this space!

* Strictly known as Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC.


Related posts:

Business surveillance & privacy

Telegraph totty – politics and page impressions

Websites that carry adverts are typically paid based in terms of £/$/E1 per 1k page impressions. The more visitors the more page impressions and the longer you can keep them on site browsing through different articles the better. It’s all about dosh.

If you look at any particular post you see many inducements to stay in the site. “Related articles” or “More from the Telegraph”. You will see that recently we have started to add such links on and are in the process of getting to grips with whether this can be automated when the new site goes live.

It’s quite amusing therefore when reading a serious article on calls for DCMS Minster Maria Miller to resign to see that the Telegraph’s presumably automated system of determining which links to include come up with what appear to be “female” related posts. They don’t appear particularly relevant unless the Telegraph knows something we don’t2.

telegraph totty mariamiller_300















I make no comment here on whether Mrs Miller should be sacked or not.

Related posts:
Weekend gardening tips
Next time you eat a kebab
Tractors tractors tractors

1Pounds $hillings and pEnce
2The screenshots are from the mobile version of the site which seems to have different links to the desktop site but hey…

Business internet online safety piracy Regs surveillance & privacy

An evening with Julian Huppert MP – Internet Hero #fundraiser

julian_huppert_mpI’m not in the least bit political. If I get involved on the periphery of Parliamentary discussions and debate it is because I occasionally see MPs trying to implement legislation that doesn’t make sense in our modern internet based world. This is often because MPs have so much information thrown t them that they have to resort to keeping ideas simple so that they can get their brain around them.

Unfortunately when it comes to legislation that touches the internet, and by default touches those of us whose livelihood depends in one way or another (an increasingly large cohort of people) on the internet, the simplistic view often taken by MPs is often at odds with the practical workings of internet technologies.

We end up spending a lot of time and money fending off such legislation, more often than not pretty successfully but usually after great effort and pain. This is because it takes an age for people (MPs) who because of the practicalities of their job have to look at complex issues very simplistically.

I’m all for keeping things simple (stupid) but we also need people in our Parliament who can get their brain around the complexities associated with the internet. What to the layman is a simple network that “just works” is in reality a hugely complex ecosystem. In fact the complex issues faced by MPs often extend to non-technical considerations such as the privacy of the individual In reality it is difficult to separate the technical issues from the non technical as they feed off each other.

One of the few Members of Parliament who does understand these issues is Dr Julian Huppert, MP for Cambridge. His background is research science at Cambridge University. Julian has taken a very active participation in internet and technology related debates in the House of Commons and was one of the leading opponents of the Digital Economy Act that was (outrageously in many people’s view) rushed through in the dying days of the last Labour government.

Because of his work supporting the internet industry, last summer Julian was awarded the Internet Hero Award at the annual ISP Association Awards dinner. Since then he served on the Parliamentary Select Committee looking at the Draft Data Communications Bill (Snooper’s Charter) and was highly influential in the decision making that lead to the Bill being killed it off for this Parliament.

We need to keep MPs like Julian in the House of Commons. He is good for the internet. He understands the issues. MPs need to raise a lot of cash to pay for their election campaign. I assume the next election will be in 2015 but much will go on between now and then.

I have agreed to help Julian by organising a fundraising dinner on his behalf. He is a Liberal Democrat but this is not a party political issue. In fact this is a technology blog not a political blog.

Whatever your political beliefs, if you work in a business, or maybe it is your business, that makes its living from the internet it is in your interest to support Julian.

So this is an invitation to you to a Fundraising Dinner entitled “An  Evening with Julian Huppert – Internet Hero”. This dinner, on Tuesday 25th February,  is a sit down job at the National Liberal Club in Whitehall – a totally high class environment if you’ve never been.

At £300 a head this isn’t a cheap do but we have to remember that the idea is to help raise funds to get Julian re-elected. We won’t be stinting on the quality of the food and drink in any case.

You will be in the company of 49 other influential people from the internet industry so it will also be a great night for networking. We shouldn’t forget that it will also be an opportunity to share your thoughts with Julian.

Click here to find out more or drop me a line if you want to talk about it.

That’s all for now. Please help if you can.

Business Regs surveillance & privacy

Huppert hero but turkey stuffed


Last night at the annual ISPA Awards, Julian Huppert MP (with me in photo) was crowned Internet Hero. Julian has done a fantastic job putting across common sense arguments in debates that affect the internet industry. Notably he was a voice of reason in the noise surrounding the Draft Communications Data Bill (snooper’s charter) that was killed off by Deputy PM & Lib Dem leader Nick Clegg. Julian also spoke out against the Digital Economy Act that was outrageously introduced in the dying days of the last Labour government.

The internet villain award went to Turkish PM Recep Erdogan. He didn’t respond to an invitation to attend the awards but I guess he was probably busy on the night. RE is amongst other things a big fan of surveillance and internet filtering. The Turkish Embassy was unavailable for comment. We should pop round sometime and drop off the award which will look really good in their Embassy reception. I presume they have a glass case for these things.

End User Regs surveillance & privacy

PRISM and the currently shelved Draft Communications Data Bill

PortcullisThere’s been a lot of noise about the PRISM surveillance program (American spelling because it’s American). There’s a ton of stuff about it on Wikipedia.

A few people asked whether I was going to write a blog post about it. I wasn’t. Lots of people earn their living just looking at this kind of stuff.

There is one thing worth considering though that particularly springs to the forefront of my mind and that relates to the Draft Communications Data Bill that was recently dropped by the Government from the Queen’s Speech.

Without understanding fully what PRISM actually does and what data it accesses I imagine that the capability is pretty similar to what might have been demanded of the ISP industry by the Comms Data Bill.

My biggest objection to that Bill was that it was a serious threat to the personal privacy of every individual in the country because of all the data that would have been gathered. Availability of the data = inevitability that the data would have been leaked. The only way to not have that data leaked would be by not gathering it in the first place.

History shows that the most likely source of such a leak is internal to an organisation, be that within the ISP storing the data or from the negligence (laptop left in taxi etc) of the civil servant or member of the security forces looking after said data.

Well the fuss about PRISM has demonstrated that this is exactly so. Important information was leaked from within the US security establishment by an insider, Edward Snowden. The same can be said of Bradley Manning and Wikileaks.

The only way of not having the data in the public domain is not to keep it in the first place.  I’m not going into a lengthy debate re the rights or wrongs of what the USA is actually doing with PRISM. Just that we should bear that in mind whenever the next attempt to introduce the Draft Communications Data Bill comes along, as it inevitably will.

Business fun stuff surveillance & privacy

ISPA Internet Hero and Villain Finalists

Normally I like to add value to a news item if I am going to comment on it.  I see so many scraper websites that pick up my stuff you wonder what they get out of it.

I have just sat down to comment on the press release from ISPA announcing the internet Hero and Villain finalists for this year’s ISPA Awards. I found however that ISPA had already put across  much of what I might have said. I have therefore reproduced it below in its entirety with links to where you can buy tickets for the Awards on 11th July.

I will say that as one of those with a vote for these awards it is always easy to find candidates for heroes but not so for the villain. Actually that isn’t right. There are plenty of MPs that we could line up with very little understanding for how the internet works but with their own objectives in controlling it. I’m speaking personally here and not on behalf of ISPA but we have to be careful how we approach the subject of internet regulation in the UK. We need to work with MPs to help make things better in a sensible way without shooting from the hip in an emotion filled gunfight.

The winners will be announced on the night of the awards and you can read the ISPA release below. There are some great “goodies” and some shocking “baddies” taken, the internet being the global entity that it is, from around the world.

ISPA release:

End User online safety surveillance & privacy

Snooper’s Charter update #CCDB – Nick Clegg kills it off

PortcullisIt’s been a week of publicity around the Snooper’s Charter. On Tuesday I attended a meeting with Julian Huppert MP where we talked about what is known about the expected redraft of the Draft Communications Data Bill.

Home Secretary Theresa May is widely expected to include this as an item in the Queen’s Speech on May 8th. If it doesn’t make this Queen’s Speech then it is not likely to happen during this parliament because of the length of time (the outrageous haste of the Digital Economy Act aside) it takes to process the Bills.

There is clearly an appetite at the Home Office to introduce such a law. It was attempted by the last labour Government but withdrawn for a number of reasons, not least of which was the opposition of the Conservative Party. How the heavy mantle of responsibility changes people!

My own view up until now has been if they are going to pass a law anyway then lets minimise the damage. For example although no details have been made available on the contents of the Bill it is believed that the Home Office is desirous of an automated access to the various databases that will be accumulated if this Bill became law. If we keep this as a purely manual interface, where the ISP has to physically hand over data, then there is less likely of mass data loss due to hacking by a 3rd party.
However reading some of the stuff published this week has made me rethink my tactics. The Open Rights Group (and others) letter that appeared on the front page of the Times does ask us to consider what kind of society do we want to live in. Do we want a surveillance state?

The precedent being set would legitimise similar activities around the world in countries that are notionally less democratic than our own and whose purposes are on the face of it likely to be more sinister. I say “on the face of it” but we would have to be very careful of mission creep in the UK.

Content providers operating on a global scale should be very concerned. If UK law said they had to handover private data on their customers’ activities whenever required by the government then their defence for refusing to do so when these requests were made by totalitarian regimes would be removed.

The Home Office has been very secretive about the content of the revised draft of the Bill keeping all briefings very general. My belief is that this is because there will continue to be huge holes in their arguments and they won’t want too much detailed discussion that might derail its inclusion in the Queen’s speech.

It is natural for people to be suspicious when others are keeping secrets. For example it’s like the attitude of most people towards the Masons. In this instance the ORG letter attacks ISPs for supporting the Home Office by maintaining radio silence regarding the details of the Bill.

Although I don’t know for sure I expect most ISPs haven’t seen the detail either. Certainly I doubt that Zen, who have been openly vociferous with concerns about the Bill will have been involved. Of course the bigger the ISPs get the more they have to lose. Some of the bigger ones are known to take neutral stances in respect of proposed legislation because they wouldn’t want the negative PR in their customer base by being seen to cooperate with the government on contentious matters.

On the other hand they need to be seen to be taking a responsible line where law enforcement is concerned. ISPs are after all staffed by human beings. We all want to clamp down on paedophiles and evildoers and always cooperate with requests from law enforcement for help using the existing RIPA system.

The other aspect of this line of debate is also the issue of competition and subsidies. A Freedom of Information request made at the end of last year showed that at least £400m had already been spent by Government on this Bill. A big chunk of this is likely to have gone on equipment in ISP networks. Part of me says “great, the government can pay for Timico to upgrade our own network” but the opportunity cost for us would be huge – diversion of key engineering staff to government projects.
You do have to ask how much of that £400 spend is now contributing towards lower operating costs of larger ISPs and thus increasing their competitiveness.

We still don’t know the detail of the Bill although we don’t have long to wait. In the meantime we can only look for clues. BAE Systems’ Detica who “develop, integrate and manage information intelligence solutions” are known to have been involve in HO meetings re the Bill.

We now have to wait and see but on balance I think this is likely to be a Bill whose disadvantages far outweigh its benefits. Julian Huppert by the way is a good guy. He is of the few technology savvy in a Parliament in which we have a highly dangerous situation: MPs who don’t understand technology voting on technology oriented laws drafted by civil servants who also don’t understand technology.

More when I have it…

Update just a few minutes later:

Looks like this has been killed off – Nick Clegg has come out against it and it will not now appear in the Queen’s Speech. I must say this a good demonstration of common sense and leadership by Nick Clegg which can’t do him any harm in the eyes of the electorate.

Business Regs security surveillance & privacy

The Report of the Joint Select Committee on the Draft Communications Data Bill

Report on Draft Communications data BillThe Report of the Joint Select Committee on the Draft communications Data Bill was issued this morning at one minute past midnight. It’s been in the news this morning with the deputy Prime Minister Nick Clegg calling on ministers to rip up their plans and go to “back to the drawing board“.

The 105 page Report concludes that “there is a case for legislation which will provide the law enforcement authorities with some further access to communications data, but that the current draft Bill is too sweeping, and goes further than it need or should.”

I have always said that the right balance between our personal security and our personal privacy needs to be maintained when considering this subject area and this is the tenet of the Joint Select Committee’s recommendations.

Unfortunately some of the basic conclusions of the report do not put the Home Office in a good light. There would appear to be a widespread failure to consult with many of the stakeholders involved, notably on the costs of the project and what might reasonably be achievable in terms of Communications Data capture and storage. In particular it is recommended that the HO will have to carry out a careful cost/benefit analysis and obtain advice and assurances from a wider body of experts than the companies that stand to earn money from devising secure storage solutions.

The committee recommends that the scope of the Bill be significantly reduced to cover only the retention of IP address data and “web logs” although regarding the latter they also “acknowledge that storing web log data, however securely, carries the possible risk that it may be hacked into or may fall accidentally into the wrong hands, and that, if this were to happen, potentially damaging inferences about people’s interests or activities could be drawn. Parliament will have to decide where the balance between these opposing considerations should be struck.

There is also a concern that web log data also contains content, which due to privacy concerns was specifically excluded from the Draft Bill. The committee has asked the Home Office to review whether it is operationally and technically feasible to only retain web logs of certain types of service where those services enable communications between individuals.

Regarding the storage of third party data traversing a CSP’s network it is recommended that the requirement to store such data only after attempts to retrieve the data from the third party be given statutory force. The effectiveness of this considering the overall objective must be questionable historical data is unlikely to be available in a timely manner for specific crime stopping targets.

The recommendations continue with the suggestion that the Home secretary should not have the power to extend the scope of “permitted purposes” of the bill and that indeed this list of purposes should be examined with a view to shortening it.

It is also recommended that the definitions for communications data under RIPA should be reviewed following consultation with industry with a particular focus on what is subscriber data (ie info on me and you) and what is traffic data.

A specialised SPoC (Single Point of Contact) team should be established that provides a central expertise for the approval of RIPA requests. This in theory should prevent misuse of the system – although Local Authorities are not specifically mentioned amongst the authorities that should be able to access the data under discussion here the committee recommends that bodies over and above the six in the Draft Bill should be considered for inclusion based on their case – notably the Financial Services Authority  and the UK Border Agency. Local Authorities, although representing a fairly small proportion of the nearly half a million RIPA requests each year and 20 times more likely to put in a non-compliant request.

Coming back to costs the committee is being polite when it says “that the Home Office’s cost estimates are not robust. They were prepared without consultation with the telecommunications industry on which they largely depend, and they project forward 10 years to a time where the communications landscape may be very different. Given successive governments’ poor records of bringing IT projects in on budget, and the general lack of detail about how the powers under the Bill will be used, there is a reasonable fear that this legislation will cost considerably more than the current estimates.”

It was nice to get a mention myself in para 276 regarding the effect on small CSPs of having to meet the requirements of this Bill.

The commitment to reimburse CPs the necessary cost of complying with the requirements of legislation should also be written into law and not left in any doubt.

Finally  “the figure for estimated benefits is even less reliable than that for costs, and the estimated net benefit figure is fanciful and misleading. It ought not to be used to influence Parliament in deciding on the relative advantages and disadvantages of this legislation. Whatever the benefits of the Bill, they are unlikely to be financial.”

The cost aspects of the recommendations are pretty damning. It would be nice to think that as much effort is put into all legislation as this committee has put into the Draft Communications Data Bill. I’m thinking specifically of the Digital Economy Act but I’m sure there must be others.

I’m not totally comfortable that any safeguards built into the Bill will really work, especially when it is noted that nobody can 100% guarantee the security of the storage of the data. At least on this occasion  the Government is being sent away and told to get their homework right and the subject of security versus proportionality is highlighted as being central to the debate.

That’s all for now. You can read the whole report here. I’m sure I will have missed something. You can also read my other stuff on this subject – use the search box at the top right hand corner of this page. There is a lot of material.

End User piracy surveillance & privacy

Golden Eye – not just another James Bond villain

You will no doubt remember the case of evil villain ACS Law where consumers were bullied into stumping up cash with the threat of being taken to court for online copyright infringement. Victims often had no idea of the legality of what ACS Law was doing or where the burden of proof lay and often found it easier to just pay up rather than fight their case in court.

The spectre of ACS Law has been released from its high security bottle, has morphed into a new disguise and is once more on the prowl for hapless victims. The name of this new ghoul is Golden Eye. Just hearing that name should make you shudder.

Golden Eye are trying, through the courts, to compel Telefonica UK  to release personal information about O2 customers so that they can spam them with speculative claims about copyright infringement and perhaps grab a  quick settlement fee. Golden Eye are not the copyright owners, but rather hold an ‘enforcement-only’ license with no specific mandate from the 12 other porn studios who they act for.

The Open Rights Group is trying to intervene on behalf of O2 customers. This isn’t about stopping copyright owners pursuing their legal rights although in my mind it is not easy to provide a high enough standard of evidence to prove guilt here. It’s about privacy. The case is currently at the appeal stage because the judge initially did not sanction the handing over of some of the data saying:

“that would be tantamount to the court sanctioning the sale of the intended Defendants’ privacy and data protection rights to the highest bidder. Accordingly, in my judgment, to make such an order would not proportionately and fairly balance the interests of the Other Claimants with the Intended Defendents’ interests.”

Golden Eye apparently takes around 75% of the revenues collected.

There is more detail on the ORG website. I guess the real point of this post is to encourage you you help ORG with their legal costs in pursuing this case by making a donation. In particular if you are an ISP it is in your interest to stop this kind of company coming along and worrying your customers on a speculative basis.

I have made a donation on behalf of Timico and encourage you to follow suit. There is a “donate”  button on the ORG site and I repeat the link here.

Business Regs surveillance & privacy

Draft Comms Data Bill Select Committee appearance for oral evidence #ccdp

portcullisYesterday I gave oral evidence to the Draft Communications Data Bill Joint Select Committee1. It’s the first time I have been asked to give evidence like this and something one has to take very seriously.

I was with three others: Caspar Bowden who is a colleague on the ICO Technology Reference Panel, Dr Gus Hosein of Privacy International and David Walker, a security consultant. The committee has been seeing groups according to their rough views on the draft Bill and readers of this blog will not be surprised to hear2 that this cohort was one that had concerns.

The afternoon’s evidence sessions were reported by the Beeb.

I’m sure that I will already have mentioned that the potential consequences of this Bill becoming Law are so great that it merits the most comprehensive discussion before hand. Today is the last day of evidence sessions with the Home secretary Theresa May being up before the committee.

I don’t have access to the inner thoughts of the committee but I did get a sense of the following:

  1. the fact that many communications use encrypted traffic and that this is likely to cause problems is recognised
  2. the issue of dealing with overseas providers is not likely to be an easy one
  3. the process of oversight of the RIPA system notices needs overhauling, especially if the Bill proceeds
I’m also hoping that the message got  through that nothing can ever be totally secure and that any data gathered under this Bill/Act would eventually make its way into the public domain with disastrous consequences.
I don’t have a handle of the timetable for the rest of this process (enlightenment anyone?) but it wouldn’t surprise me to see the Bill move forward in some reduced form. In the meantime we have to keep up the pressure. More in the fullness of time, a week is a long time in politics etc etc etc.

1 bit of a mouthful/oral evidence/geddit?

2 some previous posts include this one

End User Regs surveillance & privacy

Draft Comms Data Bill written submissions #CCDP #commsdata

portcullisThe written evidence submitted to the Joint Select committee on the Draft Communications Data Bill amounts to 448 pages and is a surprisingly interesting read. Some of you may not have the inclination to plough through the whole lot so just for you I’m going to jot down  few choice bits in a number of posts over the next few days.

In case you didn’t remember the Draft Comms Data Bill is what was labelled the “snooper’s charter” and which caused an outcry a few months ago. There were 91 written submissions in response to the call for evidence. Trawling through them I’d say that 10 were supportive, 69 were out and out against the Bill with most of the remainder having some sort of reservation.

Those for included organisations such as the Home Office, HMRC (they want your money), The Serious Organised Crime Agency and the UK Border Agency. All quite understandable. The Local Government Agency was also supportive but complained that the scope needed to be extended to include them.

The 69 opposing submissions included many from private individuals and also the following organisations:

JANET, Just West Yorkshire, Liberty, LINX , The Newspaper Society, Open Rights Group, Society of Editors, Timico Ltd, The Tor Project, Wikimedia UK, Equality & Human Rights Commission, The Coalition for a Digital Economy, The Bar Council of England and Wales, Privacy International, Big Brother Watch, JUSTICE, The foundation for Information Policy Research.

Many large organisations take a supportive stance when it comes to helping to prevent crime. The larger UK ISPs have a technique whereby they

Business ofcom Regs surveillance & privacy

#DEAct continues to cause problems as Parliamentary joint committee highlights concerns with cost sharing mechanisms

The Digital Economy Act, which you may recall was rushed through by the last government with inadequate consultation in the desperate dying days of its tenure continues to create a stir. This time the joint committee on Statutory Instruments has strongly criticised the Draft Online Infringement (Initial Obligations) (Sharing of Costs) Order 2012 which Ofcom is also currently consulting on.

The Order has been brought by the Department of Culture Media and Sport (DCMS) no doubt trying to clear the decks before they all shoot off to watch the London 2012 perform official duties at the olympics. In its report the joint committee says:

This instrument is drawn to the special attention of the House on the grounds that it gives rise to issues of public policy likely to be of interest to the House and it may imperfectly achieve its policy objective

Criticisms include:

  • Concern that the Order had been laid in the House whilst consultation was still ongoing and is not based on full information
  • Lack of detail from rights holders or a commitment that they would actually use the notification system to its fullest (what’s that all about? why would they go to so much effort to get a law passed to support their private business interest and then not use its powers?)
  • Insufficient evidence is provided to judge whether £20 “appeal fee” is the appropriate amount given that significant parts of the structure of the scheme and the appeal mechanism are still undecided.

The whole sad, sorry story continues.

PS thanks to ISPA for being around to constantly monitor this stuff. Someone has to read through and interpret the detailed legal blurb that comes out of Parliament.

End User Regs surveillance & privacy

Draft Communications Data Bill – a summing up of why it is wrong

Home Secretary Theresa May launched the draft Communications Data Bill yesterday with an interview on the Radio 4 Today programme. She has also written a foreword to the Bill arguing why we need it.

I have already written arguments against why we should implement this act. All of my previous points remain and I will restate the two most important aspects here.

  • Firstly what is being proposed represents a serious threat to our privacy as a nation. The government wants to collect personal information about our private web browsing, phoning, email, tweeting, Facebook and all other internet related communications. They then want to store this information “securely” for one year so that it can be accessed buy anyone granted permission by senior police officers.

I refer you to last week’s LinkedIn password debacle where 6.5 million passwords being securely held on a server were stolen and published on a Russian website. The next time this could be details of websites you visit. It would happen if this Bill moved into law. Guaranteed.

  • Secondly the proposed measures will not catch those who the police et al are trying to catch. If you are hell bent on crime you will easily find ways of going undetected on the web.

Here I refer you to the recent court orders for ISPs to block access to Pirate Bay. One of my most visited blog posts this year and certainly high up on the list of search terms  covers how to bypass these blocks. The same will be true with criminals looking for anonymity.

I’ve been thinking of whether there is a middle ground here where ISPs collect data on specified targets rather than everyone and subject to court orders. This could work though opponents will argue that once the capability has been put in place it will be abused. My second point above would also apply so the effort might be futile and money spent wasted (it would probably cost almost the same as if we were collecting all the data).

On balance we all need to oppose this Bill. Email your MP with a link to this post.

Previous posts on this subject here and here.

Business Regs surveillance & privacy

Legislation encourages tidal wave of new ISPA members – life jackets at the ready

It’s a funny old world. A judge orders ISPs to cut off access to Pirate Bay and visitor numbers to the site increase by 12 million. A government says it wants to increase the amount of regulation on the internet and the membership of the trade association shoots up.

The membership of ISPA normally hovers just under the 200 mark. The nature of our industry is that companies are bought out or merge with others to get scale. So in any given year the we get perhaps 10 or 15 new members but 10 or 15 disappear off the UK internet map and on the whole the number stays the same – ish.

Things are changing. The threat to the  industry stemming from potentially onerous new regulations placed upon service providers, such as the upcoming Communications Bill Green Paper, has prompted six new service providers to join ISPA in the space of one month. This is a veritable tidal wave in the scheme of things.

ISPs are