After the ringing endorsement for more “talking rubbish” from Tom in the comments to my last post, I feel newly inspired to spout off.
So, a couple of news items in recent weeks about our government’s incompetent attempts to turn our generally-mostly-well-behaved-as-long-as-you-are-white police force into some kind of robo-stasi. The ethics of these things are pretty obvious, but what perplexes me is how some of these powers are supposed to be used.
First, the Computer Misuse Act (1995) allows the police to hack into “compromised” systems without a warrant. Who knew? Not me. Anyway, apparently they plan to “step up this activity”.
Now as it happens I have briefly met some of the chaps from SOCA, who presumably would be executing this brief. I am sure they are fine upstanding members of the constabulary, but leet haxors they are not. Frankly I think it’s unlikely they could drive a pivot table in Excel, let alone devise a 0-day. The drafters of this act perhaps envisaged the police employing uber hackers from the underground, which superficially sounds quite exciting, but it’s an ITV plot I’m afraid. If the Old Bill know of uber hackers in the UK they’re most likely to feel their collars.
Alternatively of course they could employ russian hackers, but the amazingly bad idea of involving anyone associated with the FSB with sensitive police business may be apparent even to the clouded minds of our senior officers.
Security firms, on the whole, will also try their best to keep the police off your network, since they won’t be able to tell if it’s the police or not. For all the fretting about these powers, in practice it’s only those who take no care at all who need to worry, and their machines are probably infested with viruses already.
Second is the rather more disturbing intention of the Government’s to require ISPs to log every email sent. Again, the ethical problems with this are pretty obvious but the practical implications are bizarre.
When you send an email from your workplace to someone else, it’s very likely that your emails never directly touch one of your ISPs mail servers – your mail goes to your corporate mailserver, then over the internet to your receipient’s mailserver. That mail does traverse your ISPs network, but not their mailservers.
So to log this activity, your ISP would need to run a filter on all TCP traffic for port 25, decode this traffic and extract the headers. Although this is onerous for ISPs, it’s possible. It will inevitably make email less reliable, and slower, but hey who cares, right.
But, and this is a but you could drive a truck through, a whole load of people use opportunistic strong encryption for email. It’s enabled out of the box on all decent mail systems these days, and from watching our own logs I guess well more than half of email is encrypted for transport now.
Cracking this is not only difficult-to-impossible, but illegal in many cases. It certainly is more than onerous.
So, may I just ask, WTF? Are they really proposing on making laws to legislate for the impossible just to irritate everyone?