09 January 2009

Opting Out of the Communications Database

I was considering posting about the government's plans for a centralised database of all internet and e-mail traffic, but then I realised there was probably no point. I'm confident anybody looking at this will already know about the plans and I don't think it needs me to spell out how horrific an abuse of power and invasion of privacy it is. With the government we have, I don't think any amount of public outcry or reasoned argument will stop them pressing ahead with it either.

So rather than spelling out my objections to the plan, I thought I'd tell you what I'm doing to "opt out." I'm not massively technologically knowledgeable, but I've taken a few fairly simple steps to ensure that my entry on the database will be as small and uninformative as possible.

As I've said previously, I use free and open source (FOSS/FLOSS) software. I use Ubuntu as my operating system, Firefox as my web browser, Truecrypt for file encryption and GNUPG for e-mail encryption. I think that approach is a no-brainer if you want to protect your privacy; if what's going on under the bonnet of your software is hidden from you, you've no way of knowing what it's doing with your data.

The centralised database won't create any new security issues, but it will make one problem worse: your ISP will be a massively increased security risk. You have to assume that any information they obtain about your internet use will automatically be provided to the government, with no guarantee about how it will be used. On that basis I think it makes sense to limit the amount of information they have.

The first step I've taken is to install Tor and Tor Button. In combination, they allow you to move your Firefox internet traffic through the Tor network, which, in simple terms, passes your traffic through a number of third parties, so at no point does anybody in the middle know who both the recipient and the sender are. There is a trade-off, in that it slows down the connection speed, but it is easy to turn off if needed and for websites without too much multimedia content, I've found the speed tolerable.

E-mail presents a separate problem. I already encrypt my e-mail using GNUPG when possible, which keeps the contents of the e-mail hidden, but it does nothing to conceal who you are sending the e-mail to. There are ways of making a desktop e-mail client more secure, but it's difficult not to leak some data, such as who your e-mail provider is. The solution I've gone for is to use webmail filtered through Tor. For encryption, the FireGPG add-on for Firefox performs GNUPG encryption in the browser. An important security consideration now is using an e-mail provider you trust not to leak your information, ideally located in a more privacy-friendly jurisdiction than the UK. There's possibly also some value in using an e-mail address that doesn't contain any identifying information, like your name, so it's less easily tracked back to you, because once the e-mail has left your provider, the privacy of the data depends on the steps taken by the person you're sending it to.
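The gap between encrypted contents and visible addressing can be checked on a message itself. The following is an added example, not code from the original post: it parses a GNUPG-encrypted e-mail and reports what remains readable to anyone who handles it in transit. The addresses, the dummy armored body and the helper names `body_is_encrypted` and `exposure_report` are all constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: an inline-encrypted message as it leaves the sender.
# Addresses are placeholders; the armored block is a dummy, not real ciphertext.
SAMPLE = """\
From: alice@example.org
To: bob@example.net
Cc: carol@example.com
Subject: Meeting on Thursday
Date: Fri, 09 Jan 2009 10:15:00 +0000
Content-Type: text/plain; charset=us-ascii

-----BEGIN PGP MESSAGE-----

Q29uc3RydWN0ZWQgZHVtbXkgYm9keQ==
-----END PGP MESSAGE-----
"""


def body_is_encrypted(msg):
    """True for PGP/MIME (RFC 3156) or an inline ASCII-armored body."""
    if msg.get_content_type() == "multipart/encrypted":
        return msg.get_param("protocol") == "application/pgp-encrypted"
    if msg.is_multipart():
        return False
    body = msg.get_payload().strip()
    return (body.startswith("-----BEGIN PGP MESSAGE-----")
            and body.endswith("-----END PGP MESSAGE-----"))


def exposure_report(raw):
    """Summarise what stays readable even when the body is encrypted."""
    msg = message_from_string(raw)
    fields = msg.get_all("From", []) + msg.get_all("To", []) + msg.get_all("Cc", [])
    addresses = sorted({addr for _, addr in getaddresses(fields) if "@" in addr})
    return {
        "body_encrypted": body_is_encrypted(msg),
        "cleartext_headers": dict(msg.items()),  # headers are never encrypted here
        "correspondents": addresses,
        "provider_domains": sorted({a.rsplit("@", 1)[1] for a in addresses}),
    }


if __name__ == "__main__":
    for key, value in exposure_report(SAMPLE).items():
        print(f"{key}: {value}")
```

Besides the sender and recipients, the report shows the subject line and date travelling in the clear, so those need the same care as the address itself.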

No system of privacy protection is ever going to be perfect, but I'm fairly confident that the steps I've taken should make it much less likely that my data will fall into the wrong hands.


AntiCitizenOne said...

You could use a foreign mail server on a non-standard port (say US [POP3|IMAP]/SMTP) with the traffic encrypted to really screw with them.

This snooping is designed to snoop on the average UK citizen, not anyone with any real security awareness.

Paul Lockett said...

This is at the margins of my knowledge, but the only thing that puts me off that approach is that, while POP3/IMAP would be fine, I believe Tor blocks SMTP traffic, so any outward e-mails would have to pass through the ISP without the destination server being concealed.

If SMTP was carried out with SSL encryption, that would hide the body of the message, recipient, etc., but the ISP would be able to see which e-mail service provider you use.

While it wouldn't generally be a huge problem, I'd still rather starve them of that information so that they wouldn't have any idea who's processing my e-mails.

I might be wide of the mark with some of that, so I'm ready to be corrected!

Anonymous said...

Quick question - does anyone know what the hell they will do with the data when they get it?

Paul Lockett said...

I think the simple answer is "whatever they feel like at the time."

For example, copyright enforcement seems to be high on the government's agenda, so it wouldn't surprise me if they had plans to monitor traffic on behalf of the film and music industries.