Sunday 25 November 2012

The "Snooper's Charter"

Yesterday I went to the Open Rights Group meeting to Stop the Snooper's Charter. Whilst there was a lot of talk about the hows and whys of what the Communications Capabilities Development Programme involves, I can't help feeling that they have completely missed an important point.
One part of the meeting involved what we could do to fight back against the bill in the form of a grass roots opposition. One method is to issue Freedom of Information requests to your mobile phone provider to obtain as much data as you can from them about you. This is your data and you have a right to know what they are keeping. This includes things like, location data (which mobile base stations your phone talks to), call data, and of course data data (ie. what your smart phone sends/receives). Now there is a voluntary clause to the existing laws that carriers can record details "up to the first slash". Which means they can identify the websites you visit, but not the actual page on that website. There is just one, major flaw in this. This will work perfectly well on Apple devices, and Androids... but it will fail dismally when it comes to BlackBerry devices.
For one thing, the carriers have no idea what websites you visit. All of this data is carried over the BlackBerry services infrastructure. The request for that website is bundled up, compressed and if you're connected to a BES, encrypted. But it's just as simple for BIS users to also encrypt their data for web access. Requesting this from your Carrier is pointless because they will just shrug their collective shoulders and say that it's nothing to do with them.
If you're on a BES, then the data can be obtained from the company who owns that BES. But for BIS, you'd have to go to BlackBerry. I'm not sure what the legal point of view of BB would be, but in the past they have been happy to provide lawful information for police forces (see the August Riots).
Either way to perform these FOI requests, each person would have to stump up £10 and be prepared to spend at least a month sending letters back and forth whilst the Carriers play dumb about not knowing (or more likely, not caring) about the data you requested.
So lets return to my original important point. Introducing laws and the like involves a serious amount of work. It takes time. A lot of time. Heck there are still pieces of the Police and Justice Act 2006 which have not yet been ratified. But there is one thing that works faster. And that is software development.
Why not make the whole situation pointless in the first place. If everybody's data is strongly encrypted in the first place, then no government can snoop on their citizens in the first place. Why not make sure that all the data that can reveal information about a person is encrypted and protected beyond what can be decoded within a reasonable time frame. After all every piece of encryption can be broken, it's just a matter of making it economically viable. At the moment mobile information can only be securely encrypted on BlackBerry devices. Thats why they have FIPS certification. Surely it's better to put secure communications in place so everybody is secure in the first place?
Oh that's right, I forgot. People don't care about security. The sheep that are out there tweet and farcebook their currently locations and statuses all the time with no thought about how that information gets used (and abused). People just don't care.
People don't care about the laws. They don't care about the software. So long as they can go on living in their own happy world, they can go on. Until they are arrested for being falsely flagged up as a terrorist because they tweeted something obnoxious or were subject to some dodgy app opening a web connection to a dodgy website. So why don't developers protect them from behind the scenes? Because not only do people not care, but companies don't care either... unless it is about their profit margins. After all the "Banks" introduced Chip and Pin as a cheap security measure and that hasn't worked out so well either.

No comments:

Post a Comment