UK Email Surveillance

An Eccentric Anomaly: Ed Davies's Blog

Apparently, and sadly, this Daily Mail article (FreezePage) about the Home Secretary's wish for the security services to have access to records of a lot of UK internet accesses is not a spoof. Expressions like “non sequitur” and “foaming at the mouth” float into my mind for some reason. They're followed, not far behind, by “mission creep”.

The BBC manages not to get quite so embroiled in the nuttier aspects of the home secretary's rant. I'm not sure this is entirely good; maybe people need to see the whole thing to make their own (non-clinical) judgement.

Still, from a practical point of view it's interesting to consider what the implications of email logging would be.

As Tim Bray said the other day, amongst other good stuff:

But if only the “controversial” stuff is private, then privacy is itself suspicious. Thus, privacy should be on by default.

If this bill becomes law then anybody in the UK who cares even a little bit about civil liberties could and should find an email provider outside its jurisdiction (somewhere like India or Brazil, perhaps) to route the bulk of their mail through in a secure way.

In theory the government could ban accessing email servers abroad or perhaps just doing so over private connections, but:

Whatever. Technical and social protocols can evolve to work around government interference unless it is so draconian that it'll seriously harm the UK economy. The big question, it seems to me, is whether enough people will care about the matter enough to be bothered to stick their fingers up at this. The number who are willing to use the likes of Facebook and rely on “cloud” services with dubious business models doesn't encourage me to think that many will look beyond their immediate needs.

The Open Rights Group have a good (and rather frightening) page on TLS interception. (Amusingly, but understandably in the circumstances, that wiki doesn't seem to be available over HTTPS.) However, as far as I know SSH is not vulnerable to this sort of messing around because it doesn't rely on centralized certificate authorities. I'm no expert on security but I think it's possible to set up a remote shell account safely even in the face of close monitoring and TLS man-in-the-middle attacks. The authorities could detect what was going on and could disrupt things but, short of a tremendous amount of effort on their part (e.g., simulating the whole shell account in the UK), it'd be possible to see evidence of this tampering, abandon the account and try a different approach.
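
Tampering with an SSH connection leaves evidence because the client pins the server's host key (on first contact, or from a fingerprint obtained out of band) and compares it on every later connection, with no certificate authority involved. The sketch below is an added example, not part of the original post: it parses known_hosts-style lines, computes OpenSSH-style SHA256 fingerprints and flags a changed key. The host name shell.example.net and both keys are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct

def ssh_string(data: bytes) -> bytes:
    """SSH wire encoding of a string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def ed25519_blob(raw_key: bytes) -> bytes:
    """Public-key blob as stored (base64-encoded) in known_hosts."""
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_key)

def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_known_hosts(text: str) -> dict:
    """Map host name -> set of (key type, fingerprint) pins.
    Hashed host names and @-marker lines are skipped in this sketch."""
    pins = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0][0] in "#@|":
            continue
        hosts, keytype, b64 = fields[:3]
        fp = fingerprint(base64.b64decode(b64))
        for host in hosts.split(","):
            pins.setdefault(host, set()).add((keytype, fp))
    return pins

def check_host(pins: dict, host: str, keytype: str, presented: bytes) -> str:
    """Compare the key a server presents with the pinned one."""
    pinned = [fp for kt, fp in pins.get(host, ()) if kt == keytype]
    if not pinned:
        return "unknown"   # nothing pinned: verify the fingerprint out of band
    seen = fingerprint(presented)
    if any(hmac.compare_digest(seen, fp) for fp in pinned):
        return "match"
    return "mismatch"      # key changed: possible interception, stop here

# Constructed sample data: one pinned key and one key an interceptor might present.
GENUINE = ed25519_blob(bytes(range(32)))
INTERCEPTOR = ed25519_blob(bytes(32))
KNOWN_HOSTS = "# constructed entry\nshell.example.net ssh-ed25519 %s\n" % (
    base64.b64encode(GENUINE).decode())
PINS = parse_known_hosts(KNOWN_HOSTS)

if __name__ == "__main__":
    for label, blob in (("genuine", GENUINE), ("interceptor", INTERCEPTOR)):
        print(label, check_host(PINS, "shell.example.net", "ssh-ed25519", blob))
```

The "unknown" case is the weak point of this model: the first connection is only as trustworthy as the channel over which the fingerprint was checked.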