The Guardian reports the following this afternoon:
Liberal Democrats and civil liberties campaigners have welcomed new measures requiring internet service providers to keep data that identifies online users, but said it must not be seen as a way of reviving the “snooper’s charter”.
The Tory MP and civil liberties campaigner David Davis MP said the measure to link subscribers’ data to specific smartphones, laptops or other devices through their internet protocol (IP) addresses was a sensible change, but that it should not be used as a “stepping stone back to the old snooper’s charter”.
Considering the number of criminals apparently operating within the spheres of politics, security and policing over the years, I’m not sure this is actually the sensible change we’re being told it is.
One thing does occur to me, however – something which I’m sure others will also comment on, but which I haven’t yet seen mentioned widely. Something happened to me the other day which serves as an example of what I’m talking about.
Some weeks ago I was cold-called by someone trying to convince me I had a problem with my computer. It was the same old scammy script as always: “We’re calling about your Windows computer – it looks like it has a virus on it.” They generally pretend to be phoning on behalf of Microsoft. And thus it was this time round. I acted with the caller as I do with Jehovah’s Witnesses, when I forestall their patter by telling them I’m a Catholic – in the case of my computer, the message I transmit is analogous: I only have Linux. That soon enough frightens them into putting the phone down, way before I need to do the same.
On Thursday, I believe about the same time as the previous occasion, I received a second call with the same approach. This time, however, the caller claimed to be calling from an ISP – I’ll spare their blushes and not say which. The interesting thing was that the ISP they claimed to be calling from is actually, really, my ISP. Whether really, actually, it was my ISP making the call in question is, of course, still under investigation. They promised to call me back when they had more information. I’m awaiting that call.
So. To the bright idea of tying, in some database or other, users and their devices to specific IP addresses. Great idea; it’s frequently the case anyway; in fact, if you have a blog with a stats plug-in, you often have a fairly good idea of where many of your readers hail from. If it’s that easy to know without more complicated tech, it really can’t be difficult for the security forces to be doing the same.
It may, therefore, be that Theresa May’s proposals are little more than a formulating and legalising of current practice out there.
What I’m really worried about is a rather different set of circumstances: imagine that the scammy call which claimed to be from my ISP, and which was looking to install a piece of spyware on my computer in exchange for my credit-card details, was made on the basis of customer data sold on by someone who shouldn’t have sold it on to anyone. Imagine, now, that tying specific customers and specific devices to IP addresses becomes ever more common practice, and gets registered and deposited in multiple databases all over: that’s a trail of identity information criminals could use to track, follow and hack very precisely, not just into any old objective of random botnet construction but also into targeted individuals and concrete profiles. That governments who we would like to believe are not criminals need to do such stuff is bad enough. But that the facilitating of such process and procedure makes it easier for the bad guys to do the same … well, it doesn’t bear thinking about.
In a sense, we could argue that by making more common the practice of matching users with IP addresses, we’re not just allowing our legitimate security services to ensure we’re not doing stuff we shouldn’t – we’re making it easier for criminal elements (whether scandalously within governments or traditionally without) to enter our consequently unprotected homes.
In my ignorance of the matter, all I can see is this: the government, while looking to make the web a better and safer place, is going to be giving the criminals – who, alongside us, clearly co-exist in this virtual world – the already vulnerable keys to our sitting-rooms.
And that really can’t be a good idea, can it?