Computer vaccine? #IPBill

There are many computer viruses, and quite a lot of them spread but otherwise remain dormant, just checking in with a "command and control" channel of some sort while waiting to be part of some botnet attack one day.

But I wonder if there is merit in the concept of a virus you choose to contract, sort of like a vaccine that promotes the creation of antibodies.

I was thinking of something that uses a small amount of traffic (so low cost) to access web sites. Nothing more than a basic HTTP request on the main page, maybe not even finishing the TCP connection to load the whole page, but enough to be logged in an "Internet Connection Record" as envisaged by the Draft Investigatory Powers Bill.

The virus would connect to all of the popular social media and email sites and make connections, and then on to the less popular sites to do with terrorism or porn or anything else. It is technically a really simple virus.

The concept is twofold:
  1. Poison the logs of Internet Connection Records with crap, making the whole IP Bill even more pointless than it is now. After all, any serious criminal will use Tor or VPNs and so on.
  2. Create plausible deniability - you can claim any Internet Connection Record found relating to you must be the work of the virus. The virus would deliberately have no logs and deliberately include totally random web sites.

Then we have the fun of Data Protection Act Subject Access Requests, where people ask the ISPs for all of the data they have on them, including all Internet Connection Records, just for fun. If ever A&A become subject to a retention order, I will be asking for money to pay for handling all such requests for data I would not previously have retained.

Well, let us hope this bill is amended to hell and does not have the mass surveillance, but if it does, the "mass" can make the surveillance "interesting" at least.


  1. Isn't there already a Firefox add-in (e.g. TrackMeNot???) that does pretty much this already????

    On a related subject, maybe I've missed something, but where is there any kind of evidential-quality link between any given computer and the person using it? Does this law really assume (as the discussion mostly does) that any given client IP address (internet session) as seen by the ISP corresponds to exactly one real-world person?

  2. Might be an issue in terms of monthly data allowances, but would running a Tor exit node not serve the same purpose? You'd have the plausible deniability of your IP address being on the exit node list Tor maintains too.

    1. It would have the same effect, but in either case I'm not sure "plausible deniability" will save you from a dawn raid confiscating all your kit for six months while they look for any sign of wrongdoing.

  3. I'm involved in a legal action against a spammer at the moment (in fact, I have several on the go!) and they wanted me to sign a release to allow them to ask my ISP if I'd visited a certain website, but worded so they had all my records. I declined their fishing trip, mainly out of principle but also because I knew that VM wouldn't have the data anyway.

  4. That's an interesting point. If you can't divulge if you are requested to keep ICRs and be forced to lie about it. I suspect you won't have to provide the ICRs as part of a SAR?
    Otherwise I'm happy to pay A&A £2/month for a SAR requesting my ICRs. Will obviously stop once I receive a CD instead of an empty envelope.

  5. Supposing a communication provider receives a retention notice. If the provider is not currently collecting the requested data, there would be a need to commence a project to implement the required logging of data. If this project exceeded the length of time it took to wind up the company and sell any interesting assets to a new company which itself is not subject to a retention order, would this not sidestep the requirement of the order? You couldn't even tell the new company that the old company had a retention order in progress because it was secret... and a company would not be financially responsible to continue with a project with no discernable purpose.

    1. Indeed, and if you also arranged the set of companies so that the assets are owned by a separate company that leases them but does not itself operate a telecommunications network, then the target company may have no assets or profits at all - so really simple to wind up, leaving the other companies in a position of having to create a replacement company to do the same job, but being unaware as to why the old one suddenly got wound up :-)

