Absurd UK surveillance ideas

Published: October 06, 2008
Tags: privacy surveillance cryptography

The Times Online, amongst others, is reporting that ministers of the UK government are considering a plan to store and monitor every email sent by every person in Britain. The supposed reason that such an insane system is needed, of course, is to fight terrorism. If we (like almost everyone else in government or the media) set aside the all too salient fact that terrorism typically kills fewer Britons each year than accidental drownings, and suppose that the government really should be spending time and money trying to do something about it, ample grounds still exist for criticism of this scheme.

While the UK government may conceivably be able to eventually muster the sheer amount of hardware required for intercepting and storing such a vast quantity of emails, it is entirely infeasible that they are ever going to have the ability to read any encrypted emails that they may have harvested. Furthermore, competent terrorists know this. Competent terrorists know they can use PGP or GnuPG to encrypt their emails and rest assured that the UK government simply cannot read them, short of physically apprehending the terrorists and torturing passphrases out of them. The very fact that as soon as a major terrorist incident happens the relevant government starts making loud noises about the threat encryption poses makes absolutely sure that terrorists know they can do this. So they will do it, and this scheme will fail at its intended task, wasting a horrendous amount of taxpayers' money and putting undue strain on the country's internet infrastructure. It's a horrible idea.

But it gets worse.

All the innocent non-terrorists in Britain will, with a few rare exceptions, continue not to encrypt their emails, so these will be collected and stored by the government. This is a cause for tremendous concern because the UK government has recently made it embarrassingly clear to the world that when it comes to the secure storage of sensitive data, they are nothing short of incompetent. Just look at these incidents - each of them from 2007. To be fair to the UK government, they're not alone in this regard, and Google will help you find just as many or more breaches of a similar scale by the US government.

Naturally the loss and theft of hard drives and disks is bound to happen from time to time, but the possible impact of these breaches can be reduced to zero by using readily and cheaply available encryption technology. In none of the cases cited above was this data encrypted like it should have been, suggesting that data security is either not taken seriously by the UK government or it is handled by people not qualified to be handling it. When unencrypted disks full of everyday citizens' personal emails are lost or stolen or bribed away from the government's hands - and based on all the evidence we have so far, this is more likely than this email surveillance scheme actually thwarting a terrorist plot - and end up anonymously posted to the internet, the consequences will be severe.

Details about people's personal finances, love lives, political and religious beliefs will be exposed for all to see. Commercially sensitive material of every imaginable kind will be available to every company's most feared competitor. Identity theft, industrial espionage, harassment and stalking are all likely consequences. The risk is simply far too great, and entirely disproportionate to any reasonably expectable benefits.

This rant says nothing about the basic principles of freedom and privacy that this issue obviously treads on (for a well-written and concise rebuttal to the standard issue "If you've done nothing wrong then you've got nothing to hide" justifications that are inevitably thrown around on this matter, see Bruce Schneier's excellent "The Eternal Value of Privacy"), which are also well worth consideration. In an attempt to make the rejection of massive government surveillance programs appeal to a wider audience, in this post I've gone with a slight twist on an old saying and not resorted to considering malice where it is adequate to consider incompetence.

Although not relevant here, it bears mentioning in closing that the ideas of government incompetence at secure data storage discussed here should be the first thing that pops into your head when a government suggests (and, depressingly, this really does happen) that they should keep a record of everyone's fingerprints, eye scans, DNA or any other biometric credential. When those details are lost or stolen (and how confident can you be that they never will be?), you can't have them replaced like you can your credit card and passport. They'll be on the internet for good.
