We have a new prime minister. The Right Honourable Theresa May MP took on the UK’s top job last week. Oh dear. It could have been worse, of course: her only serious challenger was Andrea Leadsom, a person who is on record as saying that marriage should only be for straight Christian couples. Delightful.
Leadsom dropped out, leaving May as the only contender, so the Conservative party didn’t bother to hold an election, and we now have our third unelected PM in my lifetime. Now, I don’t have a particular problem with this: we have a parliamentary system, not a presidential one, and the PM is the leader of the party that can “command the confidence of the House”. Theresa May is the legitimate PM and that is how the system works. The thing I do have a problem with, however, is policy.
In recent years, as Home Secretary, May has been pushing for mass surveillance of the entire internet-using population of the country. She has been guiding the Investigatory Powers bill through parliament which, amongst other things, imposes a duty on all internet service providers to log (using deep packet inspection) every single HTTP request (website visit) and the SMTP headers (every e-mail you send or receive) of every single user and retain the data for 12 months. Just in case.
Now, why does she want the UK to pursue surveillance powers only used by North Korea, China and Iran? Well, it seems that she doesn’t much like encryption. Modern cryptography is pretty good and it means that UK citizens can communicate with each other without the intelligence services being able to tap the line. She neglects to mention many problems with this, of course. Having the data is not the same as being able to find the data. The challenge faced by the security agencies is a considerable one. Going from not much data to having all the data turns it from trying to get hold of the relevant data to trying to find a needle in an entire nation of haystacks. Except that these haystacks are made of needles.
When the Paris attacks were analysed post-fact, it turned out that the people who arranged the atrocity weren’t actually using encryption at all, and that the security services probably had all the data they needed: they just didn’t know it until after the fact. Giving them terabytes of irrelevant data for every day of the previous year isn’t really going to help.
Then there is the problem of information security. The only way to properly secure a computer is to disconnect it from everything, encase it in concrete and bury it in a very, very deep hole. Then back-fill with more concrete. This has obvious disadvantages, of course. If the ISPs’ spy database is to be made available to police services, it is going to have to be accessible. This data is going to be the target of the large body of computer crackers who seem to relish the challenge of grabbing hold of data that others want to keep safe. At some point, at least one ISP’s database is going to be leaked. I wonder which ISP the PM uses at home. I’d put money on that ISP being the first to go.
But it’s OK. I have nothing to hide.
After all these years, it looks like time to turn on TLS on my mailserver. Sorry, Mrs May. Years of effort thwarted by a two-minute change of configuration. Now, if only there was a way to do that for outgoing web requests. Or a cheap and easy project that made the whole thing trivial.
Pointless and counterproductive laws, anyone? It’s what we do best. Welcome to the United Kingdom.