Address omitted in published version.

29 April 2009

Dear Sir,

I write in response to the consultation document “Protecting the Public in a Changing Environment”. I am a computer scientist with a detailed knowledge of the Internet and its protocols, and I have watched the growth of information and communication services on the Internet for over 20 years. I believe this gives me an insight into the likely impact of these services on the ability of the authorities to access this data and the mechanisms required for them to do so.

As the consultation document explains, existing legislation draws a clear distinction between communications content and communications data. The latter is the data used to identify the particular equipment (e.g. a computer or cell phone) and hence the person doing the communicating. The case studies in the consultation paper make it clear that the Government requires information about who people are associating with on-line. The problem faced by the Government is that on the Internet a communication is no longer a simple point-to-point connection that exists at a defined time. For instance, if I use a web-based email service then all the Internet packets might go between my computer and the email server (which might be outside the UK). But this is no use to the Government: it needs to know who I am emailing. This information is embedded in the data exchanged between my computer and the email server. At present this is considered to be part of the communication between my computer and the email server, and hence cannot be collected. Therefore the Government is seeking to expand the definition of communications data to include this information.
Q1: On the basis of this evidence and subject to current safeguards and oversight arrangements, do you agree that communications data is vital for law enforcement, security and intelligence agencies and emergency services in tackling serious crime, preventing terrorism and protecting the public?
I agree that communications data is of great utility. However I disagree that it is “vital”. If this capability were lost then the proportion of crimes solved would decrease. I do not believe that this presents a significant threat to the rule of law in this country.

The Government argues that if this were to occur then lives would be lost, implying that no degree of loss of privacy is worth a life. However this argument can be applied to any invasion of privacy. For instance the “telescreens” of Orwell's 1984 might well have saved the life of Baby P by detecting and providing clear evidence of abuse. Does this justify mass surveillance of people in their homes? Of course not.

Furthermore the existence of the data in question also creates opportunities for serious crimes against innocent people, including blackmail, stalking and intimidation of witnesses. The consultation paper proposes various legal and technical safeguards that will certainly constrain public servants who seek to do their work within the law, but will have little impact on criminals. A practical policy cannot assume that all those entrusted with data will be honest.
Q2: Is it right for Government to maintain this capability by responding to the new communications environment?
The question assumes that maintaining this capability is a feasible proposition. However there is good reason to suppose that this is not the case, at least for serious crime conducted by intelligent criminals. Of course many criminals are not intelligent and will not have the ability or foresight to hide their identities and associations. However such people are likely to be caught by other means in any case.

The consultation document considers a scenario in which three friends use different communications systems in the course of a single evening without any intention to conceal their activities, but it does not consider the options available to criminals with a strong incentive to remain hidden. The following is a list of some of these options:

- Conspirators might use public message drops for encrypted messages. Many services in many countries allow users to place data for others to download later. Perhaps the best option for a conspiracy would be the venerable Usenet service (see http://en.wikipedia.org/wiki/Usenet for a technical overview). This service was originally created in the 1980s as a distributed discussion forum, but in practice today most of the Usenet data by volume is audio and video, and most of that is pirated. A group of conspirators could agree on a newsgroup and then leave encrypted messages for each other. The Government could tell that they had accessed Usenet but not that they had communicated with each other. Alternatively encrypted messages could be embedded using “steganography” within image files on photo sharing services such as Flickr.

- The “Freenet” system (http://en.wikipedia.org/wiki/Freenet) is a peer-to-peer data sharing system designed to be resistant to government censorship and monitoring. Again, a group of conspirators could easily use it to exchange secret messages without their association becoming visible to the Government.

- The TOR network routes HTTP connections randomly around a network of volunteer routers in many countries, so that the origin of a request for a web page is impossible to determine.

- Anyone wishing to use the Internet without being identified can sign up to one of a large number of cheap “SSH tunnel” services. Examples include http://www.guardster.com/, https://secure-tunnel.com/ and http://www.privacy.li/, and there are many others. The service works by setting up an encrypted “tunnel” between the client and the provider and routing all internet data through it. The client can then use any Internet software as normal. If, for instance, the client accesses a website through the tunnel then the web server will see a connection from the tunnel provider rather than the client. The client's ISP can see that the client has connected to the provider by an encrypted tunnel, and may be able to infer something from the pattern of data transfers (e.g. web browsing versus VOIP phone), but nothing more.

Plainly there are many ways for a moderately careful conspiracy to conceal itself, and for many forms of serious crime to continue undetected. The only way for the Government to maintain full coverage of communication data would be to tightly regulate cryptography, banning all use of codes that the Government cannot decipher. This approach has already been rejected as impractical and dangerously illiberal throughout the Free World. Too much Internet commerce depends on strong encryption, and encrypted connections are difficult to identify.

It might be argued that most people have no particular interest in hiding from the Government, and hence those that do stand out from the crowd. However this is not the case. The music industry has conducted a sustained legal campaign against file sharing, and this has led many otherwise law-abiding people to hide some of their online activities. Some ISPs have used packet inspection to block or slow down particular Internet protocols, and this has led software developers to mask the protocols that their programs use, or to use HTTP (the Web protocol) as the foundation. Both of these trends will make it more difficult for ISPs to implement effective monitoring on behalf of the Government.

Therefore I believe that the Government’s options are more limited than the question assumes. If communication providers could easily record all communication data on the Internet then it might be right to do so. However in practice the Government can only obtain partial coverage that is easy to evade, and as I shall explain in the next section it can only do so by creating an expensive and intrusive surveillance system. I do not believe that the benefits of this system will justify the costs, both in financial terms, and also from intrusion into privacy and increased opportunity for crime created by the data itself. Therefore I do not believe it is right for the Government to attempt to maintain its current capability in this area.
 
Q3: Do you support the Government’s approach to maintaining our capabilities? Which of the solutions should it adopt?
There are a number of fundamental issues with the proposed approach:

1. As explained above, it will not provide coverage of anyone with an incentive to hide and a modicum of technical knowledge. Many of these are exactly the people that the Government most needs to catch. The remainder are those who either lack all technical expertise (a shrinking minority, especially amongst the young) or believe their crimes to be too minor to be worth investigating. Hence the Government will increasingly find itself using an expensive and intrusive surveillance system to detect mundane offences while serious crimes are clearly going undetected.

2. As the consultation document points out, existing law makes a clear distinction between data about a communication (such as the parties and the time) and the contents of the communication itself. However the proposed data retention regime would find it difficult to maintain that clear distinction. Take, for instance, the URL of a web page. This consists of three main components:

   a) The identity of the machine that serves the website.
   b) The name of the page within the website.
   c) Optionally, a query string that is processed to generate a “dynamic” web page, such as the result of a search for a keyword.

   Clearly the identity of the server is “communications data” since it is a physical party to the communication, but what of the other components? If I am browsing a website such as NHS Direct where a page stores information about a specific disease and searches are made for disease names or symptoms, then a good analogy would be a telephone consultation in which I ask a medical practitioner for information. So it seems clear to me that in this case the (b) and (c) components are part of the communication (as current law states). However if I browse a website such as Google Groups, where groups of people can form simple websites with newsletters and mailing lists, then browsing a page such as “http://groups.google.com/group/privacy” (a fictional example) will bring me into contact with other privacy activists while “http://groups.google.com/group/dog-owners” will not. So here the page name shows who the user is associating with, and hence would be sought by the Government. In legal terms, when someone posts information to a Google Group, the group name is used as an identifier for all the equipment that subsequently accesses the group, and hence it falls under the definition of communications data. In this case Google have chosen to use the page name to distinguish between groups, but they could just as easily have used a query string instead, with URLs like http://groups.google.com/group?privacy (the question mark denotes the end of the page name and the start of the query).

   Thus there is a grey area of data that can be communication content in some contexts and communications data in others. Automatic collection systems cannot distinguish between the two. Even if some websites can be given special rules (e.g. NHS Direct page names are content, but Google Groups names are communication data) the Web is too big and changes too rapidly for such a system to work in general. Furthermore this is only a single example of a much more general dilemma: many communications protocols have combinations of communications data and content that fall into this grey area.

3. New communications technologies are being introduced all the time, and people find new ways to use them even faster. Every time a new protocol is introduced the collection technology will have to be adapted to correctly identify it and collect the right data, and as the use of a protocol shifts the technology will have to be modified. This would present ISPs with an onerous burden. They will never be able to collect everything without also intercepting some communications content as well, but it will be difficult to determine how much effort will be enough to be deemed compliant with the regulations.
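The grey area in point 2, as an added example that is not part of the original letter: it splits URLs into the three components the letter describes and applies a fixed, mechanical retention rule, counting how often that rule either keeps content or discards an association. The two Google Groups URLs follow the letter's fictional example; nhsdirect.example is an assumed placeholder domain for a health site.

```python
from urllib.parse import urlsplit

# Split a URL into the three components the letter describes:
# (a) the server, (b) the page name, (c) the optional query string.
def split_url(url):
    p = urlsplit(url)
    return {"server": p.hostname or "", "page": p.path, "query": p.query}

# A mechanical retention rule: always keep the server, and optionally the
# page name and/or the query string. Returns only the retained text.
def retained_text(url, keep_page=False, keep_query=False):
    c = split_url(url)
    kept = [c["server"]]
    if keep_page:
        kept.append(c["page"])
    if keep_query:
        kept.append(c["query"])
    return " ".join(kept)

# Does an identifying string (a group name, a disease name) survive the rule?
def survives(url, identifier, keep_page=False, keep_query=False):
    return identifier in retained_text(url, keep_page, keep_query)

# Constructed sample URLs. The Google Groups forms are the letter's fictional
# example; nhsdirect.example is a placeholder (assumption) for a health site.
SAMPLES = [
    # (url, identifying string, whether the letter would treat it as content)
    ("http://nhsdirect.example/conditions/diabetes", "diabetes", True),
    ("http://nhsdirect.example/search?q=diabetes", "diabetes", True),
    ("http://groups.google.com/group/privacy", "privacy", False),
    ("http://groups.google.com/group?privacy", "privacy", False),
]

def rule_errors(keep_page, keep_query):
    """Count the samples a fixed rule gets wrong: content retained, or an
    association (communications data) discarded."""
    errors = 0
    for url, ident, is_content in SAMPLES:
        kept = survives(url, ident, keep_page, keep_query)
        if kept == is_content:  # kept content, or dropped an association
            errors += 1
    return errors

if __name__ == "__main__":
    # Every component-based rule errs on half of these four samples.
    for rule in [(False, False), (True, False), (True, True)]:
        print("keep_page=%s keep_query=%s errors=%d" % (rule + (rule_errors(*rule),)))
```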
