Wednesday, December 03, 2014

Cory Doctorow on practical privacy

Privacy as Innovation with Cory Doctorow from Lovisa on Vimeo.

Cory has:
  • An encrypted hard drive on his computer
  • An encrypted phone
  • He installs a jail broken version of Android (CyanogenMod) which has lots of better privacy stuff built in
  • He uses Cryptocat to have sensitive real-time communications
  • He uses PGP for email (full disclosure - it was Cory that finally prompted me some years ago to dust off my PGP keys)
  • He tries to use PGP routinely with everyone he knows who has a PGP key hence routine email traffic is all encrypted and any interceptions can't been instantly filtered as the potentially interesting or sensitive ones because they happen to be the only ones encrypted
  • He uses The Pirate Bay's Peter Sunde's IPREDator proxy service to proxy his traffic especially on untrusted networks
  • He uses SSL and TLS on his server, to allow him to communicate with it securely and the same with boingboing
  • All his passwords are very long, randomly generated strings; ideally 128 printable characters, all kept on a file separately encrypted on his computer hard drive but nowhere else (apart from a backup). When he needs to enter a password he goes to that file and copies and pastes the passwords but doesn't remember them. He has only one password he can remember - to access the encrypted file of passwords
  • He has an encrypted hard drive he backs up to at the office and another that he backs up to at home
Things need to be a bit simpler for ordinary people... 

He does believe though we have not reached peak surveillance, we may have reached peak indifference to surveillance. So people may now start asking for built in privacy features in technology to a degree that will rein in the dominant surveillance business model of the internet and the surveillance state.

Monday, December 01, 2014

Email to MP re Counter Terrorism and Security Bill

The 2nd reading of Counter Terrorism and Security Bill is due in the House of Commons tomorrow.

Prompted by the Open Rights Group I've written to my MP, Nicola Blackwood, about it. Copy of my email below. Some of ORG's concerns are outlined in their briefing on the Bill.
Dear Nicola,

The latest government proposal, the Counter Terrorism and Security Bill, gives me cause for significant concern.

The ill-judged Data Retention and Investigatory Powers Act was, as you know, rushed through as emergency legislation without proper parliamentary scrutiny in the summer, the week before MPs went on holiday.  The use of the murder of Fusilier Lee Rigby as an excuse for introducing these new measures, expanding DRIPA and the further expansion of additional surveillance powers, is unconscionable.

With an election round the corner, we should hardly be surprised that party managers might be encouraging senior figures to ramp up their “tough on terrorism” rhetoric. However, Lee Rigby, who dedicated his life to defending the freedoms we enjoy in the UK, deserves better from our political leaders.

The UK survived two world wars, the cold war, multiple other military adventures and domestic bombing and violence orchestrated by groups like the IRA. Yet in the face of small numbers of violent religious extremists, successive UK governments, in the past 15 years, have normalised mass surveillance and done more damage to the legal infrastructure protecting our fundamental freedoms than any collection of deranged vicious clowns with access to dangerous weapons could do in a lifetime.

The Counter Terrorism and Security Bill is unfortunately building further on that trend.

1.       It introduces an obligation on public bodies including universities, schools, nurseries and councils to prevent terrorism. I've read this section 21 provision of the Bill repeatedly in the hope of making some sense of it. Yet the truth is, as a university educator with an interest in law and technology, I have genuinely no idea of what it is going to mean in practice.
2.       It expands the kind of meta-data that ISPs are being required to hold onto to help identify our IP addresses. This fundamentally misses the subtlety that an IP address denotes a device, not a human being.

3.       Mobile Phone companies do not currently log IP addresses because of differences in the technology to mainline broadband providers. They have been told they have to find a way. This will cost the taxpayer £100m over 10 years.

4.       The problems with the Bill are much wider than digital rights concerns. It also includes temporary exclusion orders, banning suspects from Britain for two years, even if they are British citizens.

5.       We are not currently facing a national emergency, so Parliament should not rush through this kind of legislation. We need proper scrutiny by MPs, Peers and civil society.

6.       The European Court of Justice (in the Digital Rights Ireland case this year) ruled that blanket data retention was incompatible with of articles 7, 8 and 52(1) of the Charter of Fundamental Rights of the EU. New laws should comply with that judgment. Neither DRIPA nor this proposed new Bill do so.

7.       The ECJ said that there should be a relationship between the data being retained and a threat to public security. However there are no restrictions to time, place or people in this Bill.

8.       DRIPA is even now the subject of a legal challenge, brought by the Open Rights Group and Liberty challenge. It may well be found illegal, while these new provisions are still being paid for.

Could I recommend for your review, the same Open Rights Group's analysis of the proposals in this Bill, available at  

Again you will not be surprised, given our previous correspondence, that I'm of the view that existing mass surveillance activities and powers need reigning in not expansion. Indeed the coalition government came to power on a promise of cracking down of the worst excesses of the previous government's database state. Rather than fulfilling that promise the current government has normalised and expanded these operations and powers. I hope when history comes to be written it will not judge the coalition's performance favourably on that score. Only then will we be sure that fundamental freedoms, under sustained attack by comparatively tiny numbers of terrorists and the bulk of the current, often well-intentioned but scientifically, mathematically and technically illiterate mainstream political classes, have survived intact.



Sunday, November 30, 2014

Unconscionable political exploitation of Lee Rigby murder

Copy of my article in The Conversation about the ISC report into Fusilier Rigby's murder below.

The Intelligence and Security Committee (ISC) of Parliament has now released its 191-page report into Lee Rigby’s murder. The report concludes that even though the ISC “discovered a number of errors,” the murder could not have been prevented by the intelligence and security services.

Instead, the blame seems to have been put decisively on Facebook, which one of Rigby’s killers apparently used to discuss “killing a soldier” several months prior to the murder. This despite the fact that the security services were apparently well aware of the killers and their motives, independent of their social media presence.

Michael Adebolajo, the controlling mind in the murderous attack on Fusilier Lee Rigby, was first arrested in 2006 at a protest against Danish cartoons he perceived to be insulting to the prophet Muhammad. By the autumn of 2008, he was on MI5’s radar as having potential connections with al-Qaeda and by 2011 was the object of close surveillance.

Between then and April 2013 – when the intensive surveillance of Adebolajo was cancelled since there was “no indication of a national security concern” – he had multiple encounters with police and security services. A month later, Rigby was brutally murdered.



Adebolajo claims MI5 attempted to recruit him as an informant – claims the UK government refuses to comment on, citing national security – and accuses MI6 of tacit complicity in alleged beatings and torture threats he received when detained by Kenyan police in 2010. He had travelled to Kenya with the apparent intention of joining extremists in Somalia.

Adebolajo’s partner in the murder, Michael Adebowale, came to MI5’s attention in August 2011 as a result of his interest in online extremist material and the intelligence services were aware of the two’s close connections. They nevertheless eventually considered Adebowale a low-level threat unworthy of their continuing attention.

By detailing various communications problems between police and security services and between the various branches of the intelligence services themselves and the inferences drawn from knowledge of the activities of Lee Rigby’s attackers, the report does a decent job of illustrating that security and intelligence systems are imperfect.

We can never be 100% secure, because these systems and agencies can and do fail – they fail naturally through human and technical and communications errors and they can be made to fail by actors with malign and, in this case, murderous intent.

What seems odd about the report and the ensuing media frenzy, however, is how Facebook has been framed as the single entity that could have prevented the murder.

Paragraph 17 of the report notes:
We have found only one issue which could have been decisive. This was the exchange – not seen until after the attack – between Adebowale and an individual overseas (FOXTROT) in December 2012. In this exchange, Adebowale told FOXTROT that he intended to murder a soldier. Had MI5 had access to this exchange, their investigation into Adebowale would have become a top priority. It is difficult to speculate on the outcome but there is a significant possibility that MI5 would then have been able to prevent the attack.
Paragraphs QQ to VV of the recommendations and conclusions go into this claim in a little more detail, saying: “Adebowale expressed his desire to murder a soldier “in the most explicit and emotive manner.” It then criticises US big tech companies for their lack of cooperation with government on fighting terrorism.

Happy though I usually might be to criticise Facebook or big tech – if more for their own anti-privacy practices than their lack of co-operation in counter-terrorism – it’s a bit of a stretch to suggest a giant beam of enlightenment would have engulfed the security services if Facebook had only shouted loudly enough, “look at this!”.

They were already aware of extreme views expressed by Adebowale on the net – and even Adebolajo, considered the more dangerous of the pair, was providing no continuing indication of a national security concern.


For David Cameron and Theresa May to turn the deranged murder of a young soldier by damaged extremists into a political device for rehashing discredited surveillance proposals is unconscionable. It’s also not supported by the report: two members of the ISC have already criticised the notion that their work supports the further expansion of surveillance powers the government is now proposing.

Of course, with an election round the corner, we should hardly be surprised that party managers might be encouraging senior figures to ramp up their “tough on terrorism” rhetoric. The sad thing is to see how the media has uncritically swallowed the “blame Facebook” mantra hook, line and sinker.

Lee Rigby, who dedicated his life to defending the freedoms we enjoy in the UK, deserves better from our political leaders, from our media outlets and frankly, from all of us.