13 Jan 2015

A cut-out-and-keep guide to snooping in the digital age

Confused by the latest government suggestions on surveillance? Here’s a cut-out-and-keep guide to snooping in the digital age.

Police and intelligence staff involved in surveillance need to do three things: gather, analyse and attribute.

Here’s an example: imagine you write to a friend with plans to rob a bank. Knowing it’s illegal, you use a code for your letter (for example, replacing each letter with the number of its place in the alphabet).

In order to foil your plans, the police first need to gather your communications. No problem: Royal Mail handles all the letters, so the police have a central system through which all the letters flow.

Second task: analyse. That means steaming open the letter and cracking your code. Again, simple enough to do.

Third task: attribute. The police find your fingerprints on the letter, or perhaps some DNA, or maybe they match your handwriting. Your accomplice’s address is on the letter. Case closed.

Now let’s translate that to digital communications, and look at the different proposals being applied by the government:

1. Gather

Unlike the postal service, internet communications don’t flow through one central company. There are dozens of players, including your internet service provider (ISP) and your mobile phone company.

The Conservatives’ “snooper’s charter” (as it was dubbed by its opponents, officially called the communications data bill) aimed to solve the “gather” problem, by obliging all communications companies to store communications for a year or more.

It was dropped after opposition by the Lib Dems and privacy campaigners, but could be revived by a future Conservative government.

Here’s what’s weird: thanks to revelations from the whistleblower Edward Snowden, we now know GCHQ has a system called Tempora, which pulls in massive swathes of internet traffic. Why, then, do the Tories want private companies to take on this task?

Perhaps they think they’ll do a better job than government agencies. Perhaps they think it will satisfy people that their data is not being gathered by the government, but by private companies instead.

2. Analyse

How do you steam open a letter in the digital age?

When you log on to Facebook, use Google, visit your bank’s website etc, you’ll notice a little padlock symbol at the top of the screen. That means your communications with that website are being scrambled (or “encrypted”).

In order to analyse those communications, law enforcement agencies have three options: ask the company (e.g. Facebook) for the key to the code; use brute force to unscramble the messages without the company’s permission; or agree with the company that they’ll have access to a “master key”, which can be accessed by law enforcement when they want to unscramble a particular message.

When David Cameron talked yesterday about decrypting terrorists’ communications, this seems to be what he was talking about.

3. Attribute

OK, so you’ve pulled in some emails, unscrambled them and uncovered a criminal plot. How do you know who’s behind it? As we’ve seen in the Sony hacking case, pointing the finger of blame is not easy.

When you go online, your computer or phone is given a doorway to the internet, called an IP address. These IP addresses can be used to track your route around the web. So if you can match an IP address to a person, then you’re getting close to solving the attribution problem.

This was the proposal put forward by the home secretary in November, which seems to have widespread, if cautious, support.

(There’s a snag, though: if you use your local coffee shop wi-fi, guess who assigns the IP address to your computer? The coffee shop’s wi-fi box. Is your friendly barista really going to keep a record of who got which IP address? Hmmm…)

Inevitably, in the wake of the shocking events in France there are calls from Britain’s spy bosses for more powers in each of the three areas above. They would almost certainly support plans to force companies to gather records of our communications, and the power to unscramble them.

The problem here is targeting: is it right that, in order to catch a tiny number of criminals, everyone’s communications should be gathered and made available for unscrambling?

And the issue of targeting is central to the Paris attacks, as it was to the murder of Lee Rigby. In both cases, the assailants were well known to the intelligence agencies, but at a certain point they were de-prioritised. The failure in those cases seems not to have been the amount of power available, but the way it was exercised.

Follow @geoffwhite247 on Twitter