Tag Archives: Politics

Untangling DRIP

There’s already been a lot of commentary on the government's attempt to railroad through the Data Retention and Investigatory Powers Bill, known to its opponents as DRIP. According to the government, DRIP represents a simple piece of emergency legislation designed to preserve powers which are about to lapse. To its opponents, it represents a genuine threat to privacy. But which is it?

Does DRIP extend the government's powers or not?

The key question with DRIP is whether or not its clauses represent a simple reaffirmation of existing powers, or an extension of RIPA. As David Allen Green has cogently argued, over half of the text of the bill is devoted to amendments to RIPA rather than reaffirming the data retention regime. The clauses which deal with RIPA – 3, 4 and 5 – all amend it in ways which the government claims are “clarifications” but which Green (and I) both think go well beyond that, into the area of new or extended powers.

Clause 3 feels like the work of the Liberal Democrats, “clarifying” the ability of the government to intercept communication on the basis of “economic well-being”. Few would object to this, but – as Green points out – this is not something that requires emergency legislation or, I'd argue, should form any part of a bill which isn't going to be scrutinised.

Clause 4, on the other hand, is pretty noxious: it extends the scope of RIPA to any company providing services to UK citizens, even if they (and their data) are based abroad. As Green points out, this is more than a simple clarification or cosmetic change, and therefore shouldn't be in an emergency bill.

What does Clause 5 do?

In the grand tradition of leaving the worst till last – when hopefully scrutineers will have tired eyes and fogged brains – Clause 5 is possibly the one which is the most despicable. It focuses on the meaning, in RIPA, of “Telecommunications Service”, and extends that definition way beyond the original bill.

At present, RIPA defines “telecommunications service” thus:

“telecommunications service” means any service that consists in the provision of access to, and of facilities for making use of, any telecommunication system (whether or not one provided by the person providing the service).

The DRIP Bill will add this:

For the purposes of the definition of telecommunications service in subsection (1), the cases in which a service is to be taken to consist in the provision of access to, and of facilities for making use of, a telecommunication system include any case where a service consists in or includes facilitating the creation, management or storage of communications transmitted, or that may be transmitted, by means of such a system.

Why the change? The government insists this is primarily to clarify that the bill includes services like webmail. However, read more loosely it could include the entire contents of your Dropbox, or Google Drive, or anything else which involves “facilitating the creation, management or storage of communications”. Is sharing a document from Google Drive “communications”? With the boundaries between file storage and email blurring, you can bet it will be interpreted that way.

It also, of course, definitely includes the likes of Facebook and Twitter, cementing the intelligence services' view that such services are fair game without any additional warrant. I'll come back to that in a minute.

Evidently, this goes well beyond simply clarifying what RIPA means: it's a clear extension of the scope of the law, and as such it shouldn't be part of an emergency bill even if you accept the government's argument that such a bill is necessary. The principle that granting intelligence services additional powers should only be done with the full scrutiny of Parliament and its committees except in the direst national emergency is one which is incredibly important, because without it democracy itself effectively ceases to function. This is particularly true when the measures have the backing of all the parties, because it's not like we can simply blame the government and vote in a party with clean hands.

External communications and RIPA

It's also worth remembering the government itself rarely understands the full implications of its own legislation, particularly in the fields of technology and security. There are two reasons for this. First, government ministers only occasionally have more than a layman's interest in technology. Today, you might find MPs who are brilliant users of Twitter, but finding one that understands the nuances of global TCP/IP routing is much harder.

That's not itself a problem, but unfortunately the experts ministers consult on technical matters tend to be fairly useless too. When you have a government which consistently believes the promises of the likes of Capita about what technology can achieve, the independent advice it is seeking clearly doesn't amount to much.

The second issue is the role of the security services. Security services are, by design, both cautious and prone to high levels of suspicion. When dealing with external threats, this is actually a positive factor: protecting a country's citizens is a great responsibility, and you want organisations to do it with extreme caution and rigour.

However, this naturally leads security organisations to request more and more access to data, “just in case” something important might be missed. Again, demanding this is in itself not a negative thing. The job of an intelligence agency is to make sure it doesn't miss vital intelligence, not to make judgement calls over whether a specific tool oversteps the mark and leads to violations of individual privacy.

That is the job of the law, and creating a clear and well-written legal framework is the job of the politicians. And unfortunately, as we've seen, even with vast amounts of scrutiny, politicians are fully capable of making bad law which opens the doors to surveillance which the general public would find unconscionable.

Remember the recent revelation that the spooks regard services like Facebook and Twitter as fair game for interception, without an individual warrant? This happened because the last government allowed the warrantless interception of any “external communications” – a message sent or received outside the UK. Stand.org highlighted this at the time – and even, I am told, warned several newspaper editors about its implications – without much in the way of an outcry. The only MP to pick up on the issue during the bill's passage through Parliament was Richard Allan, who persistently questioned ministers about it.

Charles Clarke's answers to Allan are revealing, not only for their evasiveness masquerading as openness but also for their lack of foresight about technology. Clarke persistently comes back to the point that an individual warrant would be required in any case where either the recipient or sender of a message was in the UK, clearly understanding RIPA as intended to cover messaging services following an email-like, person-to-person model. The notion of a service like Facebook, where “the recipient” is much less clear but where there is an expectation of privacy and where everyone who reads a post may be in the UK, clearly wasn't thought about.

Did Clarke intend this all along? Did Parliament intend to give security services carte blanche to look through every kind of communication that UK citizens send without a warrant? I doubt it. The notion that politicians sit around toasting marshmallows while plotting to get nebulous rules they can exploit through Parliament is wide of the mark. They're not a sinister cabal.

Perhaps, though, this is the intention of the Clause 5 amendment: to clearly enshrine in law the spooks' right to intercept every Facebook post you make without a warrant. Perhaps that's what the government means when it says these clauses “clarify” existing powers. But if it is, then surely that's exactly the kind of thing which deserves full and proper scrutiny and debate in Parliament.

It is clear from Hansard that Parliament was thinking of email-like person-to-person communications when it passed RIPA, despite Allan and Stand.org's warnings. Now, having seen the hole in the phrasing and run through it with the enthusiasm of a Brazilian football fan fleeing a semi-final, the spooks have come to rely on the ability to intercept everything you and I post on Instagram. And rather than say “actually, that's not what we intended with RIPA, you can stop doing it please” the government is simply handing them the full legal power without a proper debate.

Fast law makes bad law

If a law can go through the amount of scrutiny that RIPA originally attracted and still end up badly-framed and grant wider powers than Parliament intended, just how bad can a law which has almost no scrutiny be? I'll leave that for you to consider, but the fact is that fast law makes for bad law.

The exception is fast law which is extremely narrow, but, as we've seen, that isn't the case here. DRIP goes beyond preserving the existing requirement on telecoms companies to retain data and into the realm of “clarifying” – which really means enhancing – RIPA. Not satisfied with doing something which, while objectionable, could at least be justified as preserving the status quo, the government is seeking to sneak in additional clauses which add more powers.

Does the government really intend that Clause 5 can be used to allow the spooks to trawl through any UK citizen's Dropbox? Probably not. But that's kind of the point: laws which are rushed through like DRIP are, inevitably, going to contain roughly-drafted clauses and definitions which are too broad, or too narrow, or just don't make sense. If this was a normal law, affecting, say, motoring, it's bad enough. When it deals with the rights of citizens to private life AND national security, it's incredibly bad.

If the government were to withdraw clauses four and five of DRIP, I could understand it as an emergency measure needed to retain existing powers. That both the Liberal Democrats – who, remember, argued they could act as a brake on the illiberal tendencies of the Tories – and Labour have been suckered into supporting the bill is a shocking display of their inability to properly scrutinise legislation. If they can fail to see the obvious additional powers in a two page bill, how much are they missing in larger, more complex legislation? Or are they so blinded by the magic words “national security” and stern-faced briefings from MI6 that they find it impossible to say “hang on a minute…”?

Just what is the TSA looking for?

NBC News on the decision of the TSA to not allow electronic devices on to planes unless they are charged up:

A U.S. source familiar with the matter said laptop computers are among the devices security screeners may require passengers to turn on. U.S. officials are concerned that a cellphone, tablet, laptop or other electronic device could be used as a bomb.

Some people have questioned why this measure is necessary, given that a potential terrorist could simply pack a device with explosives while retaining the ability to turn it on, but I think they’re missing the point. My guess – and it is a guess – is that someone has worked out how to create an explosive mixture which, when passed through a scanner, looks the same on the screen as a battery. This means you could replace the battery with explosive, but putting it elsewhere would still stand out as abnormal on screen.

Hence the threat: it’s not that someone can pack a device with explosives (something they’ve always been able to do), it’s that they can now do it undetected.

Privacy will die, but not because of corporations or governments: Because of you

Edward Snowden used his alternative Christmas message to highlight the death of privacy, and he’s right that privacy as we’ve all known it will die. But he’s wrong to focus on what governments are doing. Governments aren’t the ones that are going to kill privacy.

Neither are corporations the ones to blame. Google, Amazon and the like will know more about us than any company has ever known about its customers, but they aren’t the ones who will kill privacy.

No: the ones responsible for the death of privacy will be you and me.

What happens when the technology of surveillance – surreptitious cameras, tiny drones, spyware – becomes available to every individual on the planet? What happens when every parent can follow their children’s activities 24/7, online and offline?

History tells us that technology starts off expensive and big, the domain of governments and corporations, and ends up small and cheap, available to every individual. Surveillance tech is going to follow the same pattern. And that, not corporations and governments, will be what kills privacy.

Did the NSA pay RSA $10m to weaken encryption?

According to a story by Reuters, the NSA paid encryption company RSA $10m to deliberately weaken one of its products by using an encryption algorithm which, presumably, the NSA had already cracked.

Sounds plausible. After all, we know the NSA at least attempted to influence standard-setting bodies to adopt weaker levels of encryption.

But there’s something about this story which doesn’t add up. Once you begin to think about it, this kind of deal doesn’t make sense for either the NSA, or for RSA.

For RSA, doing something like this would be a brain-dead move. Yes, as the Reuters report says, $10m looks big in the context of the $27m made by the division of RSA which allegedly received it. But for the company as a whole, it amounts to less than 2% of its annual revenue of $525m in 2007. And a decision to accept that money would almost certainly have to have been board-level: so why would they have accepted it? Would they undermine their own product – and in a way which they must have known would almost certainly leak at some point? It just looks unlikely.

For the NSA, why bother when there are more effective and secretive ways of achieving the same goal? Why not simply plant an employee in RSA with access to the code? Why not quietly pay a very senior individual (or individuals) to buy their compliance? Why not hack into the company and plant your own back door? After all, this is an organisation capable of planting malware in top secret nuclear facilities of another country – breaking into a commercial organisation, by comparison, is trivial. And using methods like bribery, “human intelligence” or hacking gives you a level of plausible deniability that no direct deal with a company could.

Paying the company money – money which would have to be accounted for somehow “through the books” – is the least secure, most likely to leak and thus least-effective option. It seems pretty unlikely to me that an organisation like the NSA would choose to do that, rather than use one of the more covert (and effective) options at its disposal.

UPDATE: RSA has “categorically denied” it was paid to weaken its security. It’s worth reading this post in its entirety, because it includes some details about its decisions.

Obama is playing a smart game with Syria

It strikes me that Obama is playing a very smart game with his decision to ask Congress for the authorisation to act against Syria. If he can get the backing of a Republican-controlled Congress, he can play the “America is unified” card.

That makes his position much stronger with other countries. He will have not only (as he sees it) a moral mandate, but also a democratic one. And where David Cameron lost because the people's representatives weren't behind him, Obama would have that backing.

And if he loses? To my mind, he's in something of a no-lose situation. If he loses the vote, he can simply blame the Republicans.

Nerd supremacy

Jaron Lanier gets it:

“What I’m seeing in my nerd brethren is an increasing combativeness, a loss of empathy, and creepiness,” said Jaron Lanier, a critic of digital culture and a pioneering computer scientist who helped develop virtual reality. “It’s just another supremacy movement, ultimately. It just happens to be nerd supremacy.”

(via ‘Hactivists’ fight for their cause online – Los Angeles Times)

There is a particular arrogance, a particular vision to impose their will upon the world, that’s developing in some branches of nerd culture. It’s… disquieting. One to watch.

“Will to power” is the phrase that pops into mind. And that’s not something that makes me comfortable.

(Image by Suzie Katz  - http://flic.kr/p/8Y8Pai)

How the Amazon debacle shows the dark side of social networks

There’s no point in recapping how the “Amazon de-lists GLBT books” meme developed, because other people have done a far better job than I. But what it illustrates ably, I think, is the dark side of social networks and how they spread news.

There’s a meme which appeared a while ago about a statement a kid made about news, which has been passed on as a truism about the new media landscape. He said “if something is important to me, it’ll find me”. Behind that is a simple idea: if news matters to me, it will matter to my friends, and they will pass it on to me. If someone isn’t a friend, I’m probably going to be much less interested in it – so there’s no point it getting to me.

If people you know and trust tell you something, you are much more inclined to believe it, and less inclined to stop and think critically about what they are saying. That’s the way we’re wired: we trust our tribe to tell us that we’re in danger, or that there’s a new source of food, or that going that-a-way leads to water, and that-a-way to a nasty other tribe.

Then add in another factor: our reverence for the written word. We have a couple of thousand years of cultural history that makes us much more likely to believe something we see in text. Bibles, text books, newspapers, fake diaries of Hitler – if it’s written, we’re much more gullible about it.

Finally, add in a third factor: the impossibility of making a nuanced, balanced statement in 140 characters.

As social networks increase in influence, this is going to happen more and more, and sooner or later individuals will be physically hurt because of it. Like every village, the global one can turn from warm community to pitch-fork wielding insanity as fast as it takes someone to misread “paediatrician” as “paedophile”.

Why bank lending can never be the same again

The government has said on a number of occasions that it wants the banks to resume lending money to home-buyers and small businesses at the same levels as before the start of the credit crunch. There’s only one problem: doing so would be a sure-fire way to bankrupt the banks. And either the government doesn’t know it (in which case it’s stupid), or it does know it (in which case it’s lying to the public).

If you want to understand why bank lending can never be the same, look no further than Robert Peston’s post on HBOS’s last financial results as an independent entity. HBOS was amongst the most willing of lenders to both companies and home-buyers, and it has ended up with 47% of its business loans going bad. And, when you’re lending a total of £116 billion to business, that’s a lot of potential for loss – a risk which will now have to be paid for by the taxpayer.

Where did it all go wrong? When Labour started telling lies – Telegraph

Link: Where did it all go wrong? When Labour started telling lies – Telegraph.

"A senior academic from Imperial College says that universities have to run catch-up classes for many students with excellent A-levels. And the National Audit Office reports that poor A-level results were the main reason why state school pupils fail to get into a decent university."

It’s worth noting that this isn’t something you can actually pin totally on Labour. When I was a postgrad back in the early 1990s, the quality of writing ability in students dropped notably over five years – despite them all apparently getting better A level results.

The reason, of course, was the massive expansion of higher education initiated by the Tories and continued under Labour. It was, and is, a classic case of putting the cart before the horse.
