So Journos get a bit more Protection, what about the rest of us?

The Daily Mail is crowing over its small victory but, as usual, hasn’t grasped the bigger picture.

The Authoritarian Law (RIPA), whose abuse they have reported on for years, is about to be tweaked with another Law forbidding cops from prying into Journalists’ phone records without more serious oversight than the pathetic “superintendent level authority” required for the police to carry on spying on the rest of us.

First, it’s a VERY small victory. It reputedly only even attempts to improve the protection for Journalists. Not citizens. So, at most, a few hundred of our fellow, more privileged citizens, will be “protected” by the proposed new restrictions.

But second, note the quote marks around “protected”. That’s no accident. The truth is that the Law does NOTHING to protect us from abuse of surveillance powers and never has. At most it might deter those who think they are at risk of being caught snooping, which given the fact that they are not being snooped on themselves, is a very low risk.

But, as the RIPA saga amply illustrates, the vast majority of its abusers don’t even grasp the concept of “Abuse” in this context. They have routinely justified their illicit access as “proportionate and necessary” in pursuit of their aims to pursue petty criminality, littering, illegal parking, dog fouling, fly tipping, cheating to qualify for access to favoured schools and other matters of dubious relevance to our “National Security” which RIPA was deemed necessary to protect. And what we’ve suffered here in the UK is trivial compared to the institutionalised abuse and assault on civil liberties arising from the wholly illicit USAPATRIOT Act and its associated legislation in the United States.

This kind of mission creep is rampant around the world. The USA clearly does it most egregiously and most “professionally” but while they’re among the worst offenders, there is probably no government on the planet which doesn’t routinely abuse its authority to obtain illicit access to private data for reasons which no intelligent citizen would approve.

And anyone who thinks “The Law” can protect them from this kind of abuse doesn’t begin to understand the problem. The only way to prevent such abuse is to make it technically impossible to spy without audited authority. Wot that mean?

It means that it has ALWAYS been technically possible to control access to the data they want to snoop on. It means that such control can easily be made to include a form of authentication and authorisation which ensures that all the relevant data is captured to an audit trail which cannot be tampered with by those requiring the authorised access. It means that, though we can never guarantee to prevent illicit access, we can guarantee that we can always discover it and who was responsible for it.

Laws which make something illegal and threaten sanctions are, at best, only a minor deterrent, as we see in real life every day (think War on Drugs, Fraud, Burglary, Rape etc etc as well as the routine abuses by the Authorities themselves).

Conversely, the near certainty of detection is a major deterrent.

The audit trail would, itself, contain no sensitive data and could thus be entirely publicly accessible. It would serve three functions.

First, all requests for access could be technically blocked and only permitted to proceed on receipt of a key from the audit trail. That one time access key would only be issued once the audit trail has been persuaded that the requestor was a) authorised to make such requests and b) had proved deposit of the documentary evidence required to justify the reason for access.

Second, the public audit trail presents to the world an anonymised record, in real-time, of what the authorities are doing. That public record would not, for example, reveal whose phone records they had just requested access to, but would reveal that one or more such access requests had been made in the last few seconds or minutes. Nor would it reveal who had requested access. But it would reveal at least the organisation responsible for the access request. That might be as vague as “The Home Office” or “NSA” or it might be as specific as “Precinct 99” or “East Devon County Council”. That’s a matter for negotiation.

Over the course of days, weeks, months, it would reveal the extent of surveillance activity against the citizens and the patterns of what authorities were doing what kind of snooping.

The third function of the audit trail would be, in the event of any challenge to the authorities, over a specific access session, to verify (or falsify) their claims as to why they did what they did. Remember the one time access key? That only gets issued if the authority requesting access asserts that it has documentary evidence supporting its reasons for the request and that they meet the terms of any relevant laws. They have to “prove” the existence of that evidence by lodging its digital fingerprint (a “hash” for those who aren’t yet familiar with this incredibly useful crypto tool) with the audit trail.

Come the challenge, they must present that documentary evidence to the auditors and, possibly, a court. The beauty of the Hash is that, while maintaining the complete confidentiality of the evidence, it proves unequivocally whether or not the documents they present are identical to those they claimed, at the time of the request, supported their access request. If they don’t match, or if they are found to be attempting to bypass the audit trail altogether, they are automatically committing a criminal offence.

If they do match, the auditors/court can now study the documentation to make a judgement as to whether their reason for access was legitimate or not. If not, then, once again, they’ve committed a criminal offence. If they do match, then it’s a fair cop!

None of the above is rocket science. It doesn’t require any new technology. It does require some new programming and authentication procedures but nothing dramatic, even though the effects would be.

There are two roles for the Law in this area. First – what they already do – they need to define what we democratically agree to be acceptable and unacceptable practice, with a view to enabling appropriate sanctions against those we find in breach of the law. Their second, so far absent, and more important role, is to mandate the implementation of the kind of technical protection which makes the abuses we’ve forbidden impossible to hide. No more, no less.

If the media, including the Daily Mail, could understand this issue and campaign for the introduction of such legally mandated technical protections across the planet – or at least in their own backyards – then they might actually improve the human condition, and not just protect their own interests.

Now that would be something worth crowing about.