Why proposed internet security measures will do more harm than good

Last month I published a piece in The Age about the ‘dark web’ – sites that can only be accessed through anonymity software.

What became lost beneath graphics of demons emerging from computers was a line I wrote in response to proposed legislative changes that could lead to the web history of any device connected to the internet being logged and retained for up to two years for law enforcement purposes:

“But such measures will have no effect on those who conduct their criminal activities on the Dark Web because nothing is logged — there is no history to keep. And some argue such measures will cause more people to seek out anonymity services — the same services that provide access to the Dark Web.”

In researching that article, I spoke to many people – university professors, a representative of Tor and law enforcement – who agreed that the measures proposed by Roxon are a ‘feel-good bandaid’ rather than an effective tool to catch criminals.

Laws that invade the privacy of regular citizens will have the effect that those citizens will seek ways to maintain their privacy.  One way to do this is to use encrypted data and VPNs or surf the web using services like Tor, Freenet or I2P.  Criminals, of course, have had a vested interest in encrypting their communications for some time, because wiretapping by law enforcement is already legal when warrants are involved.

Cybernorms Research group at Lund University, Sweden, found that after the introduction of similar measures (the FRA and IPRED laws), there was a dramatic increase in people using anonymising software.

From what I gather from speaking to experts, what law enforcement can discern when such measures are taken is that encrypted information is going out, but not what that encrypted information is.  In the past, heavy encrypted traffic may have been an indicator of criminal activity; as more people move to anonymising software to protect their privacy, heavy encrypted traffic may just mean a person doesn’t want you snooping into their perfectly legal affairs.

Andrew Lewman, Executive Director of Tor (probably the best known of the anonymous service providers) is exasperated by politicians who don’t understand the internet but react to panic that ‘something’s got to be done’.

“Data retention has done nothing to catch any more criminals in countries that have it, especially in Europe.  It’s created more of a problem because now le has to spend its time learning how to manage data, not to hunt down criminals,” he said.

Lewman told me that the US Government-funded Tor works closely with law enforcement agencies. He said, “Having spoken to SOCA, the Serious Organized Crime Agency, their attitude has been that these laws have made their life much more difficult because most of their techniques and software relied on easy mass surveillance of clear text data to actually target the criminals and ignore 99% of innocent people.  Now everything’s encrypted so, you know, everything looks criminal.  Because the patterns of 12 year-old planning a surprise party looks just like the pattern of terrorists planning an attack.  So they end up wasting resources.”

I don’t take kindly to my privacy being invaded by anyone and it seems to me that this is not even a case of the means justifying the ends, but just politicians trying to be seen as doing something.  Unacceptable.