So… To get my Master Blogger status back, I have been ordered to write some garbage on privacy, on-line security and freedom of speech. I am not really in the mood to make this a well written essay but this is for a weblog so it hardly needs to be Pulitzer material. I may rewrite it one day to make it read better.
I am a big fan of freedom, the right not to be watched 24 hours a day and the right to say pretty much what I want without being locked up for it. This is the reason I am leaving the UK; if you Americans think you have it bad then think again and look what is happening here too. I also think that I know something about on-line security and “Big Brother Monitoring”. I know this because I used to do it.
The problem with all of this is that I am somewhat divided in what I actually believe.
Generally speaking, I couldn’t care less personally about “The State” watching my Internet usage. I don’t do anything interesting enough for them to have any interest in me. Last week I looked up how they went from Nitro-Glycerine to Dynamite and I really didn’t see the need to hide my address when I did so, a few days later I ordered a new shemagh from a large Islamic web site. I think if anyone was monitoring my IRC usage they’d know I was fundamentally opposed to the hanging of Saddam and I have been chatting a lot lately about various socially subversive things that in Orwell’s 1984 would have had my testicles wired up to a flashbulb. The thing is, I am one of 60 odd million people in the UK and the amount of computing power to pick me out and profile me from this sort of usage is far too large for me to assume they are using it. The profile would also be quite wrong, I am not a terrist, I am a dissenter so I have to assume there is some sense there that would make the distinction. There are not enough people employed by the security services for them not to have. Ultimately this whole digital monitoring has to come down to them putting feet on the streets and actually physically watching the people they profile and with the money that our security services pay, this just aint going to happen.
I think it is pretty reasonable for me to make this assumption. As I said I used to design monitoring and profiling systems to watch people doing the things that they did. I worked for one of the biggest military contractors in the world putting in systems to watch the staff. Did we do this because we were convinced that they were selling secrets? Sabotaging systems? Moving satellites with laser death rays off course to blow up Greenwich Observatory? Nope – We did it because the police caught an employee running a kiddie porn operation from company machines and we found ourselves under a duty to do something about it. When we had all the monitoring in place, it’s not like we even did much with it, there were occasional keyword scans and weird activity matches but generally speaking they picked up nothing and there was never even a hint of the higher management or the government being interested in looking at the records we kept. Usually I would be cynical and say “Well the government could just be looking at the traffic elsewhere” but in this case, they couldn’t, the paths were all on hellishly encrypted satellite links; it wasn’t going to happen.
At another company I worked for, we decided to run some test scenarios with the police to see how quickly we could catch somebody if a nasty situation happened. A rather well meaning but somewhat naive member of senior staff there refused to let us put monitoring on their dial up systems which would have made life a little easier for us. All we did was to shift the monitoring systems upstream to the exchange, where he had no access to stop us monitoring whatever we wanted. The upshot of this was that the systems people who actually cared about the rights of users lost control of the monitoring that happened and was going to happen anyway. There is a certain futility in non-co-operation at this level, there are plenty of ways to skin the proverbial cat.
Way back in the early 90’s I was working on the Mitnick case and spotted that he was monitoring everything I did on-line. Every email, every private chat, all my IRC usage, all my secret passwords to other machines. The lot. I had to take a choice as to whether to let him know I had spotted it or to just carry on and watch him, watching me so he could be kept somewhere monitorable that he assumed we didn’t know about. It was an interesting decision and I looked into my past to help me make this choice. I had spent years watching other people; reading all their mails, watching their extra-marital affairs, their various mildly illicit activities and their crap attempts to get various people into bed. For the first month or so, I admit, it was kind of interesting and odd, realising you know things about people they have no idea you know but then, after a while, it stops being a soap opera and starts becoming rather tedious. You start to realise that most people do and say the same things and have the same sort of lives – Most people have secrets that they think are devastatingly personal but most people don’t see in very real terms that just about everybody else has the same secrets. I would hope that if someone is in the position to watch people in his way officially they’d also be the sort of person good at keeping secrets so this knowledge brings no advantages either, if anything, quite the opposite since it makes it a lot harder to talk to some people you know far too much about. Based on this experience, I decided I would have no real issues with letting a Sociopathic Hacker and all the other people who got to read the logs later watch everything I did; I would probably bore him to death well before he would ever find anything useful he could use. It got to the point where after a few weeks I just ignored his watching me altogether. He did at one point try to use some stuff against me but it didn’t do him much good. I never quite forgot I was being watched to the point of giving away anything useful and as I have said before, although some stuff I do on-line may at the time seem really personal, in the grand scheme of the world, it’s not.
Maybe this is the reason I am confused about all the modern obsession with normally sane people wanting all sorts of levels of military grade encryption on the messenger they use to chat to their mum or friends. Although most people will never believe me, very few people really do much on-line that hasn’t been seen a zillion times before. The perceived subversion isn’t really very subversive at all. Having an affair, buying a few grammes of cocaine, chatting with your mate about the latest insurance fraud you are committing; none of it is very interesting, people do it every day and the police aren’t the people who are monitoring your Internets. The Security Services have a lot more things to do than to be interested in general crime and they don’t pass much on to the police unless it is in the National Interest. There are a couple of things to remember, one is that if the police suddenly started to have access to all this extra criminal intelligence they’d have to build hundreds of new prisons and quadruple the size of the force, another is that they’d have to provide an evidence trail in court, and it is very hard to create valid evidence trails from monitored data, trust me, I have spent years trying. There’s also the problem that they may well have to admit to being able to gather intelligence in ways that people don’t know about. Think back to World War 2 and all the things that were allowed to happen just to cover up the fact that the Security Services had broken Enigma, nothing much has changed.
People are watching your Internet usage, I am not arguing that but I will argue that 99.999% of the population have nothing much to worry about from the people who are doing it. The threats on the Internet are not from “The State” they are from organised crime rings and people who prey on the stupidity of people in general. No amount of encryption and things will stop this in fact, the perception that you are safe because of it tends to make people let down their guard and be more and more open to slipping up. If governments want to monitor you, they will, and you won’t be able to do much about it at all. I have watched hundreds of naive people talking about how secure they were and it’s amazing that the more secure people think they are, the easier they tend to be to get evidence on.
I am losing the will to live now, so I will end this here and maybe tidy this up. I don’t think it is quite what the question asked, but then, I don’t care.