Adrian Kennard is the Director of Andrews & Arnold, a british Internet Service Provider. He tells Valerie Gauriat of the industry’s concerns over the Investigatory Powers Act, deemed too intrusive,costly, and easy to bypass.
“We are a relatively small provider, we are about 20 staff. We are not expecting to be targeted by this thankfully because it would be very disruptive for a small company like us to get any of the orders under this act. So thankfully we think we’re going to be fairly safe.
But we can’t rule out that there might be the possibility of intercepting, and monitoring, and recording of data done in the back-all carriers we use.So it’s possible they could go after someone like British Telecom and our customer traffic might be snooped on without us even knowing, which is a bit worrying.
There are parts of the act that seem to suggest they’de have to come to us to monitor our customers. But we’re not sure that the Home office will necessarily interpret it that way. so they might go after people like BT. And like most Internet Service Providers, we use carriers like BT and Talk Talk and various others to connect our customers to us before we connect them onto the internet.
The act itself is a huge invasion of privacy. And we’ve heard from the European court of justice that it’s not just an invasion of privacy. it’s talking about monitoring what you’re doing on the internet for everybody, even people who are innocent of any crime or not even suspected of a crime.
But it’s also an issue with freedom of expression.
There’s a big concern that if everybody in the country feel everything they’re doing on the internet is being monitored, that will curb what they do and where they go, what websites they look at and what they say. And that’s a very repressive regime to live under. So just that’s worrying. And that’s before we think about what it does to us as an ISP.
If we got an order under this it would be hugely expensive, and there’s no guarantee those costs will be paid for by the government.
They’ve said they would pay 100 percent of the costs but they’ve refused to put that in the act itself. All they guarantee to pay is a pound.
“If you’re looking for a needle in a haystack, you don’t need to make the haystack bigger”
The retention of data, as a blanket thing provides huge amounts of information. And if you’re looking for a needle in a haystack, which in theory police and security services are doing, you don’t need to make the haystack bigger. So it doesn’t necessarily help with that.
As an internet provider even though we’re very concerned about privacy and human rights and peoples’ concerns about this. We’re not really against properly targeted surveillance against a suspect and a crime, if you’ve got a judge to grant a warrant to monitor someone, thats helping the police, thats helping investigate crime, and we all want criminals caught.
The big issue here is the blanket surveillance, where you know you’re looking at people that are innocent, people with no suspicion of any crime, and you’re collecting all of that data and it’s not really helpful.
And its also worth bearing in mind that criminals can avoid that anyway. There are ways with Virtual Private Networks (VPNs) and Tor, and any number of ways to hide what you are doing.
They are a little bit more work than most people would want to do, so instead of actually going to those measures, those people will curb what they’re doing and be repressed.
Criminals can hide what they’re doing
But for criminals of course, it’s worth that little bit of extra effort to hide what they’re doing. And they’ve always been able to hide what they’re doing. And nothing in the law changes that.
There’s two separate things here. We’ve got secret services, GCHQ and so on that do their thing to try and keep the country safe.
It’s very difficult to tell exactly what they’re doing because they’re so secretive Thats one aspect, they have behind the scenes been monitoring lots of things.
This brings monitoring what people are doing into normal run of the mill policing. Without any sort of warrant, a police officer or someone in charge of dozens of different agencies,e everything to the Foods Standards Agency, could ask an ISP for details about the internet connection records, the logging of what you’re doing on the internet, of anyone they feel they have any possibility of being a suspect.
They can extract that information without even a warrant. And thats much more invasive than security services doing their spook thing in the background if you see what I mean.
A request could be made to find out everybody in the country who’s accessing a certain website. It’s easy to see how that could be misused.
I could imagine the Food standards agency might have someone, off the top of my head, someone selling unpasteurised milk, that’s unsafe or something like that, on some website. And says we need everybody in the country that accesses this website. Except it’s content delivery network. And there’s a thousand other websites on the same IP address. And all the information goes to them. And they’ve got all of that data just because they asked.
It’s scary how much personal information could be collected and processed and people have good cause to be worried about this.
It’s partly why the European Court of Justice said it’s not on, and the United Nations have said the same. Blanket surveillance is not acceptable in a modern society.
Theres a real risk that all this money is spent and it doesn’t actually help. It’s easy to see how criminals can bypass this. And ordinary people concerned about their privacy will learn to.There’s already lots of information on the internet about how to bypass this sort of monitoring. And there’s foreign companies offering virtual private network, VPN services in the UK, specifically because of this act, so that you can hide what you’re doing. They’re selling services to allow you to access to the internet through another country.
The best thing we can do as an ISP is to try and keep our customers informed and educated. To make sure people are aware that anything they do on the internet could be monitored somewhere. This bill is hugely intrusive.
But even without this there’s a danger that criminals somewhere can be monitoring what you are doing. So you need to take precautions Accessing websites using secure website access. This is becoming more and more common. It’s a big drive in the industry to make every website secure, so that people can’t tell what you’re doing on a website if they’re monitoring in the middle somewhere. It doesn’t stop logging that you went to the website, but there’s even steps to try and make that harder as part of this. Using VPNs is one of the things we can educate people on where they can access through another country. You have to be a little careful because of course you’re then trusting a VPN provider not to be monitoring what you’re doing.Theres always going to be some trust. But it’s clear that there’s people who would trust some foreign VPN provider, before they trust our government with the data. Which says a lot of our government.
There are things like that which can be done. There are some things we can do to help. If we had to monitor all the email access for example, which is something we could be ordered to do, we could move the email service to another country.
And set them up under another company, and move them out of scope of this, or out of the enforcement of this.
The bill claims to have scope outside the UK but it’s impractical to enforce it in most cases.
There’s things we could do like that but mostly it’s about education and keeping our customers informed. One another thing to say is that as an ISP we’ve never had a retention order or an intercept capabilities order. So we don’t have at the moment in our network any intercept or monitoring for the government. It doesn’t mean they can’t come along later but to the day, they haven’t given us an order under this or the previous legislation.
We try and keep it that way so we would try and challenge any order if there was any coming in.
As a small ISP, the costs could be huge . We obviously have some simple personal data on our customers, names addresses things like this.
And they’re kept on services securely locked in a data centre. But this is so much personal information.
A costly, mammoth task
If we had to start retaining this we’d be looking at separate locked cages in data centres, and of course another data centre for backup. We would be looking at security vetted staff, and a whole lot of procedures and costs in collecting this data, keeping it secure and safe, and then making sure the access to that data is following all the right rules when we do get requests. And that would be very expensive for a small company like us.
Even if they paid for the equipment just the time and effort for our staff would make that difficult.
The scale of collecting this amount of data is just horrendous. From a technical point of view it’s quite tricky to do this. Now there are companies that sell equipment that can manage this scale of collection, but very expensive equipment, for very good reason. It’s a mammoth task. So even the big companies won’t want it,because they have so much more data to collect, its still going to be expensive.