The Investigatory Powers Bill – keeping your data to yourself. Part 1

I steer clear of giving my political opinions in posts here. This post is an exception. I’m not in the business of putting on daft Guy Fawkes masks and ranting at a camera – I only get involved in things like this if I can actually make a difference. And this time I can.

 

The Investigatory Powers Bill, otherwise known as ‘The Snooper’s Charter’, became law last week. Hardly anyone cares about it (more on that later). Long story short, it gives a number of government agencies some pretty alarming levels of access to your personal data. I am strongly of the opinion that mass government surveillance is unnecessary, draconian and leads to a culture of oppression. Therefore, I am presenting two solutions to keep your web browsing data secure from anyone who tries to access it – not necessarily just the government. But first, I’m going to scare you.

 

What is the Investigatory Powers Bill?

I will not be referring to it as ‘The Snooper’s Charter’ because that makes it sound kind of harmless.

I’m not going to go into the legal details because I’m not a lawyer. This bill introduces a number of measures, some of which I find absolutely terrifying. It allows police agencies to hack into personal computers, it forces companies to comply with operations to bypass encryption and it compels your Internet Service Provider (ISP) to keep a record of your web history for the past 12 months.

In case you missed that last one, your ISP will soon be keeping a record of every website you visited in the past 12 months. That record can be accessed by any of these agencies (have fun scrolling through this):

 

Metropolitan police force

City of London police force

Police forces maintained under section 2 of the Police Act 1996

Police Service of Scotland

Police Service of Northern Ireland

British Transport Police

Ministry of Defence Police

Royal Navy Police

Royal Military Police

Royal Air Force Police

Security Service

Secret Intelligence Service

GCHQ

Ministry of Defence

Department of Health

Home Office

Ministry of Justice

National Crime Agency

HM Revenue & Customs

Department for Transport

Department for Work and Pensions

NHS trusts and foundation trusts in England that provide ambulance services

Common Services Agency for the Scottish Health Service

Competition and Markets Authority

Criminal Cases Review Commission

Department for Communities in Northern Ireland

Department for the Economy in Northern Ireland

Department of Justice in Northern Ireland

Financial Conduct Authority

Fire and rescue authorities under the Fire and Rescue Services Act 2004

Food Standards Agency

Food Standards Scotland

Gambling Commission

Gangmasters and Labour Abuse Authority

Health and Safety Executive

Independent Police Complaints Commissioner

Information Commissioner

NHS Business Services Authority

Northern Ireland Ambulance Service Health and Social Care Trust

Northern Ireland Fire and Rescue Service Board

Northern Ireland Health and Social Care Regional Business Services Organisation

Office of Communications

Office of the Police Ombudsman for Northern Ireland

Police Investigations and Review Commissioner

Scottish Ambulance Service Board

Scottish Criminal Cases Review Commission

Serious Fraud Office

Welsh Ambulance Services National Health Service Trust

Let’s address the problems with this, starting with something I hear alarmingly often:

 

Why should I care? This is going to stop the terrorists and I have nothing to hide

This argument is common and I really can’t understand why. Let’s tackle the issues here one by one:

 

‘The Terrorists’

I have no idea what proportion of the UK would rank terrorism as a top 3 issue, but I bet it’s way above 50%. I understand that footage of terrorist attacks is scary but the fact remains that only 4 people have been killed in the past 10 years in the UK in terrorism incidents. Even then, I’d argue that the two incidents were just crazy people with a knife. Like ‘the immigrants’, I just see ‘the terrorists’ as a fictional group of people proliferated by gossip, Facebook and the tabloids.

I also think there’s a lot of silly ego and nationalism behind this too, as in ‘France got attacked but they won’t get us because we’re brilliant’.

 

‘Stopping the terrorists’

I was going to present a series of arguments on why mass surveillance does little to stop terrorism. But I’ve decided that argument is redundant. Regardless of whether it is effective or not, I do not think there is any justification for a government to monitor its citizens’ web activity. It leads to a culture of fear and is utterly against the ethos of the world wide web in the first place.

Regardless of this, let’s step back and consider the bill itself. Everyone assumes it’s about stopping terrorism, but it isn’t. Look at that list of agencies; does the Gambling Commission having access to your browsing history prevent terrorism? Of course it does not. This bill is about increasing the capability of the entire government obtaining private data on you which could be used for a whole host of purposes later down the road.

While we’re on this subject, this bill is absolutely nothing to do with ‘stopping hackers’. Some people I have spoken to seem to be under the impression it is – again, I’m not sure why – they are probably just misunderstanding what little news there has been on it (which is absolutely fair enough).

 

‘If you have done nothing wrong you have nothing to be worried about’

Rule of thumb: if you hear someone say that, something is about to go terribly terribly wrong.

I don’t really know exactly what I can say to turn people off this argument. It’s an odd one because I just can’t get into that mindset. I once spoke to someone who adamantly insisted he would have no issue with being constantly monitored on CCTV all day, every day, as long as it wasn’t in his house. He just couldn’t understand why I would have a problem with that.

I also know someone, who is highly intelligent academically, who believes that anyone suspected of anything related to terrorism, regardless of the quality of the evidence, should be detained indefinitely until a case can be brought against them.

I can only assume the awful way the popular news covers pretty much everything is responsible for people believing this kind of thing.

I’ve already spoken of how this thinking creates a culture of oppression. Maybe we should consider examples where mass surveillance is a reality. There are currently individuals in Iran who are in prison for uploading material about women’s fashion. In Tajikistan individuals are frequently arrested for criticising the government on social media. China is the most famous example: ask Google too many questions about the Tiananmen Square Massacre there and you may find a government official at your door.

The bottom line is that I believe I should be able to look at whatever I want to online without having to think about someone else keeping an eye on me. We’ve all been there as well. I bet a good half of my UK readers would be hesitant to put the following phrases into Google in quick succession: ‘nitrate fertilizer’, ‘BNQ nails’, ‘Car access for Heathrow Airport’.

 

The intended use of the bill – some scenarios

Ok, so let’s take the best case scenario where the agencies above have free access to your data. By the way, if they access it, it’s illegal for your ISP to report that now. Anyway, here’s the sort of situations I can envisage off the top of my head. Nothing too extreme will happen immediately – I hate to use the phrase ‘slippery slope’, but mass surveillance is the kind of thing that is introduced gradually. That way no one really notices or complains.

There are a lot of police agencies on that list. We always hear how the police are understaffed and underfunded. A record of a detainee’s web history could be pretty useful to them. Imagine being in court, with the press there, knowing that your browsing history could be brought up as evidence. Do you think the press would report on the material relevant to the case, or would they rather tell the world about that weird porn site you visited? Maybe a guilty confession would be better than your friends and family finding out about that…

How about something completely different. Imagine being unemployed. You go to collect your social security allowance but are refused this week. You are informed the department of work and pensions have been monitoring you and you have spent more than your allocated 10 hours per week on Youtube and they therefore don’t think you are trying hard enough to find a job.

Finally, let’s just do a really simple one. You are arrested for ‘unusual web activity’. You are taken to the police station and answer their questions honestly but are confused. You genuinely have no idea what they have found. After a while you are told there has been a mistake and you are free to go. I bet you’d be apprehensive to do anything slightly abnormal online for the rest of your life.

 

Unintended Consequences – data leaks

This is the bit I had fun writing because it’s really hard to see a lot of this not happening. Honestly, when you see someone saying ‘our system is leak proof because…’, I can assure you millions of people hear that as ‘COME AT ME!’.

Do you know how much a database of a few thousand people’s browsing histories could be worth to those wanting it? Do you know how hilariously prevalent data leaks and hacks are?

 

How much could the data be worth?

There is no straight answer to this. Let’s say I get hold of your browsing history. I threaten to post it to all your Facebook contacts unless you pay me (just) $100. Would you pay it? Let’s say 10% of people would pay the ransom (I think the real life number would be much higher). That data would be worth half a million dollars to me – and that’s for just 50,000 people’s records.

So yeah, these records will be worth an absolute fortune. One of the number 1 rules of statistics is that where there is an incentive, someone will always take it.

 

You are now trusting your ISP

 Again, I’m not going to beat around the bush here. Loads of us have things in our browsing history we wouldn’t want others to find out about. That information is sensitive, therefore you should be the person responsible for keeping it secure. The new Bill mandates that ISPs must store this data. Do you trust them with it? They aren’t getting paid for it, and most of them are against keeping it in the first place so they don’t actually have much incentive to keep it secure. Let’s look at some ways it could be leaked.

Note, this list is ridiculously brief. God knows how many creative and ingenious ways there are of getting hold of data illegally that are beyond my creativity and understanding.

 

Bribery

Like most of these, this is straightforward. Someone offers a government agent, or worker at an ISP, or third party contractor or… well, anyone else who has access to the data a few thousand dollars for some of the database records. That’s enough said really. I don’t know how many people will have access to this data but it’ll probably be in the thousands. That’s thousands of potential failure points. Prior to this bill there was just one failure point – you.

 

Accidental data leaks

I will be astonished if this doesn’t happen. I have handled commercially sensitive data in my job, along with numerous other colleagues. We are always told how important the data is and not to print it off, or take it home on a pen-drive etc. Someone always does.

It’s just not convenient to follow protocols all the time and go through the hassle of encryption/ensuring you are on a secure network, etc.  By the way, protocols for handling such data at my workplace are often terrible, so I don’t see them being much better at every ISP and government agency.

Is it really hard to imagine a government worker copying plain text from a database, so it’s easier to work with, and accidentally leaving it on a train? Oh wait, that sort of thing happens all the time!

Again, there are thousands of potential failure points.

 

Stupidity

Basically an extension to the above:

‘Right I’ll just send the database extract to my manager – oh god, I’ve accidentally sent it to the entire NHS!’

 

Opportunistic hacking

I don’t even like to use the word ‘hacking’ because it conjures up images of a socially awkward genius working from a basement in Russia. Most ‘hacking’ is guessing passwords (seriously, ‘password’, ‘qwerty’ and ‘123456’ could probably get you millions of dollars worth of info if you want to risk going to jail) and similar trivial messing around.

I’ve already discussed how a hacker could use this data for ransom money but I’m sure there are countless other ways they could profit from it.

As I keep stressing, even a well-intentioned security team can make just one small mistake and it compromises everything. Anyone who’s worked with the UNIX command line knows how easy it is to screw things up.

 

Actual hacking

As I keep saying, this information is going to be worth a lot of money. And it’s going to be stored all over the place – every ISP stores their own respective users’ data. I mean, it almost makes me want to have a go at hacking it! I’m probably capable of having a shot at it but luckily I am financially stable and I believe it would be unethical so I do not have a strong enough incentive to do so.

Of those three things, millions of people worldwide have the first – they are capable of some degree of hacking. Millions do not have at least one of the second two. So there you go, a potential pool of millions of hackers.

For fun, let’s think of a few ways I would go about getting this data. As I said, I have minimal experience with this kind of thing so this is just the really basic stuff. I dread to think how an expert would go about it.

 

1) SQL Injection (or similar). This is a classic. Most databases are stored in SQL. Any database connected to the world wide web is potentially vulnerable to SQL injection. By necessity at least part of a web-history database will have to be connected to the world wide web. If a web designer makes a single error in the reams of code for the front end webpage, the database can be vulnerable. Getting started in SQL injection is easy. In a search box you could try your luck by typing:

Item'); SELECT * FROM users; SELECT * FROM passwords; --

Although DO NOT actually do this – it’s illegal. But you get the point, it’s easy to get started with. The list of UK companies (which includes ISPs by the way) that have been hacked by SQL injection is too long to even bother going into.

2) Unsecured wifi. This is really easy too. You know when you use your phone/computer in public and connect to public wifi? The data you send to the router is often unencrypted. All it takes is someone with a laptop and a couple of wifi dongles to set up a fake hotspot and you can see info from anyone that connects to it. Any readers ever emailed sensitive data from a public hotspot? Don’t lie, I bet you have…

3) Team effort. With enough computing power you don’t need to be clever. If you could borrow all of Google’s computing power for a day, you could brute force encryption on basically anything. There are plenty of organisations with that kind of computing power at their disposal. I like to imagine a scenario where a huge collection of hackers all chip in $1 to rent a ton of cloud computers for a day and use it to crack the encryption of some stolen data. I’m not aware of it ever happening but I see no reason why it couldn’t. I mean, thousands of people crowdfunded a huge pointless hole a couple of weeks ago.

 

Other options off the top of my head could be malware/ransomware, keyloggers and side channel (RF, audio etc) attacks on database servers.
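To show the SQL injection point in 1) from the defending side, here is an added example (not part of the original post) that runs the quoted search-box input against a string-built query and against a parameterised one, and records which tables each reads. The table layout, the function names and the use of executescript() to stand in for a database driver that accepts several statements in one call are assumptions made for the illustration.

```python
import sqlite3

# The search-box input quoted in the post, typed with a plain ASCII quote and "--".
SEARCH_INPUT = "Item'); SELECT * FROM users; SELECT * FROM passwords; --"


def make_db(allowed_tables=None):
    """Constructed in-memory database plus a set recording every table read.

    If allowed_tables is given, reads of any other table are refused.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE items (name TEXT);
        CREATE TABLE users (name TEXT);
        CREATE TABLE passwords (secret TEXT);
        INSERT INTO items VALUES ('Item'), ('Other item');
        INSERT INTO users VALUES ('alice');
        INSERT INTO passwords VALUES ('constructed-secret');
        """
    )
    seen = set()

    def authorizer(action, table, column, db_name, source):
        # SQLite calls this while compiling each statement.
        if action == sqlite3.SQLITE_READ:
            if allowed_tables is not None and table not in allowed_tables:
                return sqlite3.SQLITE_DENY
            seen.add(table)
        return sqlite3.SQLITE_OK

    conn.set_authorizer(authorizer)
    return conn, seen


def search_vulnerable(conn, term):
    # The input is pasted into the SQL text, so its quote and semicolons become SQL.
    sql = "SELECT name FROM items WHERE name IN ('" + term + "');"
    # Assumption: executescript() stands in for a driver that runs stacked statements.
    conn.executescript(sql)


def search_safe(conn, term):
    # The input is bound as a value; the SQL text never changes.
    rows = conn.execute("SELECT name FROM items WHERE name IN (?)", (term,))
    return [row[0] for row in rows]


def tables_touched(search, term, allowed_tables=None):
    """Run one search on a fresh database; return (tables read, was it refused)."""
    conn, seen = make_db(allowed_tables)
    try:
        search(conn, term)
        refused = False
    except sqlite3.Error:
        refused = True
    finally:
        conn.close()
    return sorted(seen), refused


if __name__ == "__main__":
    print("string-built query :", tables_touched(search_vulnerable, SEARCH_INPUT))
    print("parameterised query:", tables_touched(search_safe, SEARCH_INPUT))
    print("string-built, search limited to items:",
          tables_touched(search_vulnerable, SEARCH_INPUT, {"items"}))
```

The third call shows a second layer of defence: even with the string-built query, a search feature that is only permitted to read the items table has the extra statements refused.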

 

Right, I’m scared now. But how did we get here?

I really don’t know the answer to this. I do think that most politicians are good people at heart and are trying their best so I find it hard to understand why anyone would want to bring this bill in. Here are my theories:

  • Politics is short term. We run on a 4 year election cycle. The majority of people seem to be terrified of terrorism so any quick fix which seems to solve this can be hugely favourable to an MP’s career. It’s like a fad diet, no one wants to admit that it takes prolonged work and effort to lose weight – everyone wants a quick fix. Thing is, they never work.
  • The group effect. Have you ever been on a committee making a decision where something could go wrong? As an individual you’d probably discount all the really unlikely risks. Somehow when things are discussed in a group, everyone manages to convince each other that the most extreme and draconian measure is necessary to reduce the risks to a manageable level. I’ve seen this happen a lot – I have no idea whether this is a known psychological effect. But it does feel that MPs debating on counter-terrorism measures manage to convince themselves that extreme measures are necessary when none of them would think that on an individual level.
  • Poor understanding. I don’t think most MPs have any idea what this bill is actually proposing or the implications. For one, 2016 has been a particularly busy year and I doubt most of them have gone through it in detail. More telling was David Cameron’s proposal last year to ‘ban encryption’. I feel they really showed their cards here. ‘Banning encryption’ is a ridiculous proposal – the internet would literally be impossible without encryption. As always, no one seemed to notice or care about this because ‘as long as X Factor is on tv, who cares about our rights to privacy?’
  • The media. No point going into this. Much of the UK’s media is owned by one person. Fear sells newspapers. Enough said.

 

My solution – VPN

There are a number of ways to make your browsing history invisible to anyone who tries to get hold of it. Here I’ll present use of a Virtual Private Network, or VPN.

When you browse web pages, your router sends a request to your ISP who forwards it on to the relevant IP address. Your ISP can see this request as it is unencrypted, so they can record it.

A VPN is a private network which you can ‘tunnel’ through. Your request is sent to the VPN’s server which forwards it on to the relevant IP address. Your ISP can see that your traffic went to the VPN but that’s it. They cannot see beyond that point. Someone monitoring the VPN server would see the requests from everyone using it but would not know which IP address (i.e. user) each request came from. So, there is no reasonable way of knowing who visited which web page.


How your traffic is normally routed vs how it is routed via a VPN.

There is, however, a catch. You need to trust your VPN provider. In theory, a nefarious provider could log your data. It is therefore essential that you choose a well established provider. That means DO NOT USE A FREE VPN PROVIDER – they have an incentive to leak your data. It is depressing that it is now necessary to pay for privacy, but I pay something like $4 per month for my VPN access which isn’t much in the grand scheme of things.

There is an easy way to set up VPN access, and a more difficult but more comprehensive way, which I will cover in part 2. You need to do the easy method first before doing the difficult method, so there is absolutely no harm signing up for access to a VPN before I get my next post up.

 

Option 1 – the easy option

This is really simple so I don’t really need to give much instruction.

First you need to choose a good VPN provider. I use NordVPN who currently have a good 2-year offer running. They have a strict no logging policy, worldwide servers, and multiple encryption options. I have also read good things about ExpressVPN if you’re looking for an alternative.

Visit their website and sign up. Download their software as instructed. From there it is a simple case of picking your server (NordVPN chooses one automatically at first – it chose one in the Netherlands for me) and connecting. You can change the settings so NordVPN starts up whenever your computer is turned on. That way, you will be protected as long as you are connected to the internet. You can also set a kill switch which will automatically stop your browser from sending requests if the VPN server goes offline.

And that’s it. As long as you connect through your VPN, your ISP will not be able to see your browsing history.

 

Extra benefits

It’s worth mentioning that accessing the internet through a VPN has other benefits which, alone, are probably worth the fee:

  • Since your IP address is hidden, it is now much harder to steal your personal details – you have improved your web security.
  • You can use it to access foreign services. Want to watch BBC iPlayer from abroad? A VPN is for you.
  • Companies can no longer track you, so no more irritating personalised adverts. And no more of them gathering data on you without your permission.

 

Normally posts on this blog are mainly about making and doing things. But in this case, the actual ‘doing’ involved only a couple of paragraphs. Unfortunately this post has been pretty wordy (although I think we all know I don’t do brevity at the expense of providing good information); part 2 will involve a lot more making.

 

Option 2 – automatically route all your web traffic through your VPN

This option is the reason this post was delayed. I spent last weekend going through the stress of a thousand suns to turn a Raspberry Pi into a Wifi access point that directs all traffic through NordVPN. That way, every device in your home is automatically routed through the VPN and is safe from monitoring.

However, the instructions for making this are pretty lengthy. So, I’m going to need a few more days to put them together. So, unfortunately option 2 will have to be covered in a separate post in a few days’ time.

Until then, I strongly recommend finding a good VPN provider and signing up. That way, you will be protected. Writing a letter to your local MP regarding the bill is probably not a bad idea either – I try to stay away from politics but this isn’t politics. Until then, try not to be too paranoid!

 

Links and Further Reading

I usually send people to this video when they ask about mass surveillance or privacy issues:

 

UK government page for the bill itself:

http://services.parliament.uk/bills/2015-16/investigatorypowers.html

 

NordVPN – my VPN of choice. I’m not affiliated with them in any way:

https://nordvpn.com/
