Hey, welcome back. This post is part-inspired by The Scholar's Stage's look at the wane of blogging on strategy and national security. I've basically been too busy to write a blog, and tip-toeing around a lot, because I'm meant to be a professional. The thing is, some of the most creative things I've ever written have been when making off-the-cuff comments about events connected for my research.
Like today: The UK Government's publication of its draft, 299 page, Investigatory Powers bill.
There's a lot being said about this bill (and no, I haven't managed to make it through 299 pages in a couple of hours because I have copyedits to do and students to advise). From what I can understand, the immediate headline is that the government wants to impose “a legal duty on British companies to help law enforcement agencies hack devices to acquire information if it is reasonably practical to do so” and require “web and phone companies to store records of websites visited by every citizen for 12 months for access by police, security services and other public bodies”. Obviously there is far, far, more to this bill than the above. Much emphasis has been placed on the new systems of oversight, codifying existing authorities into law, and so on. Needless to say, NGOs focused on privacy issues are somewhat up in arms.
What jumped out at me about the headlines was that it reminded me of one of those off-the-cuff posts that I wrote for Kings of War back in 2013, “The Ingression Engine”. At the time, Prism was all over the headlines, and my gut reaction was that “surveillance” was the wrong word to use, because:
I don’t think those terms adequately described what large-scale metadata collection entails. After all, the image conjured by the use of those terms is active investigation, whereas from what I understand of the programmes, most of the metadata collection isn’t actually used, ever. The government doesn’t care about most of us.
Data collection, in my mind, was independent of surveillance, and the real issue was that “the amount of information available to a potential ‘snooper’ is independent of the timing of the act of surveillance” when data is stored forever. In connection with this, I wrote that:
Governments are undoubtedly using mass data collection as a means of identifying and surveilling individuals and groups. But the act of mass data collection isn’t the same as the act of surveillance. Rather, I think the word we’re looking for is access, or ingress – the act or right of entering our private lives. In many ways, I think this is rather worse for the ‘privacy’ of the average citizen than active surveillance.
Two years later, I think I still stand by this statement, but I'm not a hardcore privacy activist. I think the government should be able to access data where it can, when it has reason to (the exact balance of this is for another post, maybe).
In the context of the above, the new draft bill is setting a limit on what has to be collected by entities other than the government. If this bill passes, the government won't be able to reach back into your childhood, but they'll have a lawful right to access your internet history for a year.
My second reaction to all of this was: “Ha. So what?” since if I take moderate precautions, this doesn't affect me. I'm not a PGP addled crypto obsessive, but I do use a Virtual Private Network (VPN), meaning that my internet history (if configured correctly) will read: accessed an IP Address… That's it. Since the BBC has now banned VPNs because it wants to make money abroad, maybe there will be a little identifiable traffic thrown in if I want to use iPlayer, but that's about it. VPNs are apparently not even mentioned in the new UK bill. This is quite funny, since they basically undermine everything the government is trying to do. As Martin Anderson points out:
Anyone using a VPN – which is a simple and cheap (i.e. $20 p/a) piece of software that VPN companies go to extraordinary lengths to make ‘customer-friendly’ – constantly whilst connecting to the internet via a fixed, laptop or mobile device, will have a very dull ICR [Internet Connection Record - the 12 months of data that the govt wants stored] indeed, since it will just show the customer hopping on one time to their ISP and making one final hop into the opacity of VPN tunnelling, after which every transaction, from Netflix blitzes to Facebook-mulling to bomb-making conferences, will simply show up as encrypted traffic.
Since I purchased access to a VPN that doesn't store records, which is located outside the UK, this means that, well, most of what the government is after won't really affect me. So far, so good. I'm sitting pretty, one could say. But then I reflected on the social consequences of this, which is that even though VPNs are cheap, a fair proportion of the country doesn't have 20 quid extra to buy access to one. Furthermore, as easy as this stuff might seem, it's still tricky to set up, if you don't know what's going on. I might be sitting pretty (but I'm smart enough to know that's not the case - I'm pretty sure any government service could hack me if it wanted to) as might legions of people who know how the internet works, and want to take precautions against the government seeing their browsing history, but what about everyone else? It introduces an odd power-division into society: a state that can collect very little from those educated or rich enough to protect themselves, and can collect nearly anything from those that aren't privileged in this regard. I'd have to read the whole bill before passing judgement upon it, but that basic fact makes me uncomfortable.