Tuesday, 24 November 2015

Changes to IP Bill?

What changes would I like to see to the Draft Investigatory Powers Bill - particularly with regard to data retention?

Obviously I'd like it dropped, but given the push on this in DRD, and DRIPA, I can see that may be a challenge, so simple changes :-
  • I'd like to see transparency of retention orders - they are not specific to individuals or cases and so have no reason to be secret - however, sharing the details between ISPs helps establish best practice, common solutions, and so on. We need the gagging provisions dropped for these.
  • I'd like to see retention only apply to data which the ISP is already logging to some durable medium, or that is reasonably practical to do so. I.e. existing logs but kept for up to a year. This would greatly simplify what was logged. This does mean that email and VoIP and so on end up kept for a year if logged at present, and if the services are provided in the UK.
  • I'd like to see the "processed or generated" clause be included as per previous regulations, but also have "processed" exclude "simply passes through". A definition such as "data is only 'processed' if it is logged already or used in some part of a decision process by the CP's systems". This stops us having to look deeper into any packet than we already do, and hence avoids the possibly huge cost of DPI equipment, the risk of third-party control of such kit, and feature creep of logged data.
What would this mean? Well, it would not stop all of the intrusions into privacy, and it would mean :-
  • Anyone using any UK email server will have their emails logged
  • Anyone using any UK VoIP server will have their calls logged
  • Anyone using a CP that operates a transparent web proxy, as some mobile providers do, will have some of their web pages (not full URL, just site name) logged
This last point appears to be what the government want as far as we can see.

However, it also means that the logging is even easier to bypass. A&A can, for example, stop providing email in the UK and move to a foreign data centre and company - bingo, no hassle with logging. We could do the same with VoIP, but getting it onto the bills may be harder - perhaps a link to an offshore HTTPS site that provides the itemised bills. We don't run a web proxy, so no logging there. Transparency of orders would allow end users to choose an ISP based on the level of snooping, without the small extra hassle of having to VPN or Tor everything.

I am not trying to make the provisions useless - IMHO they already are useless, as criminals can use Tor and VPN and many other measures. I am trying to make it easier for normal innocent citizens to have the same level of privacy as those criminals without quite as much hassle (not that such things are a lot of hassle).
