The French-British action plan on internet security is likely to make us less, not more safe

Earlier this afternoon the Home Office published a French-British Action Plan on its website. You can read it here.

The “action plan” agreed by Prime Minister Theresa May and French President Emmanuel Macron outlines 4 steps for an “initiative to ensure the internet cannot be used as a safe space for terrorists and criminals”.

Whilst we welcome debate and discussion about how people can be kept safe, there are some points which raise profound concern.

We are increasingly worried about Governments across the globe claiming solutions to these insurmountable problems which will fundamentally alter citizens’ rights and, in the long term, could damage the security of all in the attempts to protect us from the few.

Of the 4 points agreed, we are most seriously concerned by point 3 which appears to be the intention to encourage other countries to adopt their own take on the Investigatory Powers Act (IP Act), namely to:

• Seek to preserve the retention and access to traffic and location data
• Enable subscription holders to be identified in all circumstances
• Allow access to encrypted content.

For starters, the intention to retain and access traffic and location data which was passed in the IP Act last year is currently subject to ongoing legal challenge.

The Court of Justice of the European Union (CJEU) in December 2016 ruled on a case against the Government brought by Tom Watson MP (and David Davis MP before he became Secretary of State). The case, which challenged the Government’s intention to retain our communications data in a “general and indiscriminate” way, was ruled to be right by the court. This judgment is now set to come before the UK Court of Appeal, but until then, the preservation and retention of traffic and location data remains up in the air. (For more information see our blog.)

Secondly, the plan to identify “subscription holders in all circumstances”. The “action plan” says “A single Internet Protocol (IP) address can be shared between hundreds of users accessing the internet or social platforms via their smartphones”.

That means if you happen to go online using the same IP address as someone who looks at terror content you too will be monitored. This will be done in order to determine whose mobile phone, laptop, computer or tablet is the one looking at the inappropriate content.

If it turns out that it wasn’t you, you will be removed from the investigation, but thanks to the UK Government refusing to tell innocent people if they have been monitored, you won’t ever know your activity was being looked at and you certainly won’t be told that you were, for a period of time, a suspect in an investigation. Even if you are totally innocent.

If you stand by the belief that you have nothing to hide and therefore nothing to fear you may wonder what the problem with this is, but think about it outside the realms of the internet for a moment.

This proposition is no different to the police monitoring every flat in a block, or every house on a street in order to determine which person is the criminal. That would mean a police officer camped out in every flat or every house, watching where the residents go, what they do and who they speak to until they can be sure who the suspect is. Imagine if you lived in that flat or on that street, would you be happy for that intrusion?

Finally, the intention to have access to encrypted content. The “action plan” states “this is not about backdoors or banning encryption, but ensuring Governments and companies develop shared solutions to this issue”. They say they are going to “coordinate engagement with the major Communications Service Providers”.

Now we don’t want to interfere with what is clearly going to be a complex conversation between companies and Governments around the world, but let’s be clear: creating any copy of a key, or permitting one-time access to any system, programme or device will, whether we like it or not, create a vulnerability.

It makes uncomfortable reading but we should not shy away from the fact that a vulnerability won’t exist solely for the good guys. If it slips through their fingers it could fall into the hands of the bad guys who might exploit it for their advantage and our disadvantage. This creates a serious risk to all our safety.

If the weakness is used to launch a large-scale cyberattack on our critical infrastructure, it will have the potential to wreak as much harm as, if not more than, a terror attack. The recent cyberattack which took out parts of the NHS, the hack of the USA election, the breach of TalkTalk: these are just hints at the dangers which weakening systems or not patching vulnerabilities can unleash. Not messing with encryption is a key part in not creating opportunity for these threats.

We increasingly have no choice about being online. The internet is now a part of our critical infrastructure. None of us want bad people to commit horrific acts and we are all desperate for reassurances about our security, but knowing how to handle and address the challenges brought by the internet and the connected world is not an easy task; it will take years.

Society needs to determine what boundaries of intrusion or weaknesses in security we are prepared to tolerate. We can only do that if we are provided with the facts about the real benefits and the very serious risks. This “action plan” does little to provide realities or facts to the general public.

Governments across the globe need to step back from proposing unworkable solutions which they believe can be resolved by technological magic and seek solutions which will not create greater security risks, will not undermine our human rights and will not lead each and every one of us to be a target of surveillance.

Put simply, should France and Britain unite to make this “action plan” a reality, they will be uniting to make us far less, not far more safe.