BBC News and Press Association are both reporting that the UK government is planning email and web monitoring legislation that would let it compel Internet service providers to provide real-time access to Internet communications, provided that a warrant has been obtained for doing so.

This is a really bad idea. Not only is it a blow to individual freedom, it isn't even technically possible to do it effectively. This makes it a waste of time and money as well as an invasion of privacy.

Because of the design of the Internet, introducing this legislation would be a bit like introducing new border controls for anyone arriving into the UK by air but not bothering to check anyone who arrives by sea or train.

Let me explain: if the law were to be passed and the government could ask an ISP to provide access to all Internet communications for a particular user, this would paint only a partial picture of that user's web and email activity.

Web access is often secured with encryption - meaning that the ISP could provide the IP addresses to which data is being sent but no details of what is being sent. So for example, it would be possible to determine that I accessed Facebook at a particular time but it wouldn't be possible to find out to whom I sent messages, whose wall I wrote on or what any of the messages said.

It would be a bit like forcing Royal Mail to turn over the contents of PO boxes at the government's request. This would work if all mail resided in PO boxes, but since most mail is sent to a recipient's address rather than a PO box, it would be ineffective.

The same is true in the case of email.

As most web-based email services encrypt the traffic between your web browser and their servers, less than 50% of all emails would be accessible via any new legislation. The only data to which the government would get access would be the email of those users whose email is actually hosted by their Internet service provider (e.g. those people who have addresses like joe.bloggs@aol.com / bob.jones@btinternet.com etc). According to this survey of email clients by Campaign Monitor, almost 50% of the email they deliver is accessed by web-based email clients. Assuming this is a fair sample, a minimum of half of Internet users' email is hosted "in the cloud" (people can still use other clients such as Microsoft Outlook to access their web-based email securely so it is likely that more than 50% of people actually use cloud-based email).

Going back to the traditional mail analogy, people wanting to send covert messages would encipher their letters so that even if they were to be intercepted, the messages would appear innocuous or meaningless to the eavesdropper. Letters could also be relayed via multiple recipients so that the true sender and receiver cannot easily be known to anyone who intercepts the letter.

There are several techniques that can be used to the same effect with Internet traffic. Tunnelling with SSH or VPN protocols means that it is often not possible to be certain of the final destination of web traffic as it may be routed through several different servers along the way. If web traffic is sent outside of the UK and tunnelled through a server to another destination, it would be very difficult to trace where it is going - let alone find out what the content of the traffic is.

This legislation will no doubt be resisted by the ISPs in the same way that they resisted calls for them to block users who appear to be hosting pirated music. It would be expensive for the ISPs to implement this measure and I suspect they will argue that it isn't their place to regulate user activities.

I personally think that laws monitoring individual Internet activity need to be resisted on the basis of individual freedom and privacy alone. The fact that such monitoring is not likely to be effective is yet another reason why it should not go ahead.