David Cameron: Idiot, Dangerous or just a lover of soundbites?

We've heard Theresa May parroting the same lines for months, but in the wake of the Charlie Hebdo massacre, David Cameron has joined the choir of people calling for new surveillance powers.

Mr Cameron has stated that if the Conservatives are re-elected, he will ensure that there is no form of communication that cannot be intercepted by the government.

So, one of the questions we'll be examining in this post is: is David Cameron

  1. An idiot who doesn't understand the technology he's talking about
  2. Demonstrating that pre-election promises are inevitably broken
  3. Planning on introducing a draconian surveillance state
  4. Being mis-informed by other parties
  5. Simply creating sound-bites to raise the chances of re-election

Most of the coverage thus far has focused on option 3 - which seems fair given that it's the inevitable result of actually attempting to do what he is claiming.

We'll also be taking a look at why Option 3 could not, and should not, happen.


Why Not - Privacy

Let's start by ignoring the technical arguments against, and instead examine the philosophical faults with what Mr Cameron is proposing.


Misuse of Power

At its foundation, the proposal is an absolute and utter invasion of privacy: the UK Government would have the ability to monitor any communication a citizen may make online. Remember, Mr Cameron wants there to be no safe spaces, which by definition means all encryption is either back-doored or banned.

Of course, there will be 'protections' built into the law:

"We have a better system for safeguarding this very intrusive power than probably any other country I can think of,"

The issue with this, of course, is that it's based on Will Not instead of Can Not. It's not the first time such 'protections' have been used in UK Law, and certainly not the first time that broad, overreaching powers have been abused (RIPA is the most obvious example).

Even the censorship apparatus introduced in order to prevent access to child porn has been re-purposed by the courts in order to try and prevent access to sites accused of copyright infringement (the result of which is that information on bypassing the system is now far more widely shared, and for less nefarious purposes).

Even our existing anti-terror legislation has been criticised for being overly broad.


The Future

But, even if you trust this government, who's to say what future Governments will be like? If in a few years, the BNP were to come to power (as unlikely as that seems), do we trust that this new capability would not be misused? If the Government of the day unilaterally decides that viewing or discussing sexual material is a capital crime, would they misuse the capability?

The point that a lot of politicians seem to miss is that it's not necessarily about their Government (not that I personally trust any of the current candidates), but also about consideration of the future. It's important to learn from the past, and one thing that history makes abundantly clear is that surveillance powers are always misused eventually.


Why Not - Technology

Let's take a (very) quick look at the technical reasons why such a surveillance state would fail to meet its stated aim - catching terrorist communications.

We need to start with an assumption:

Although they may be fundamentalists, not all terrorists are technically inept. The lower hanging fruit may currently use Facebook to communicate, but you can be damn sure that as the risks of doing so increase, the terrorists will up their game. Saying that terrorists are stupid is a little like claiming the police are all thick - some may suffer from terminal ineptitude, but there are likely some very skilled people amongst their number - basing assumptions on a generalisation is a very bad idea when it comes to planning your security.


New Methods of Clandestine Comms

So, let's imagine a scenario where every current means of communication is backdoored. If you open a chat client for any current service, somewhere in Cheltenham a machine whirrs, records your conversation and then proceeds to run analysis on it (or passes it off to someone to do so).

As a Crazy-But-Smart terrorist, what's your reaction to this? Do you carry on using the current services, or do you start looking at more clandestine methods of communication?

We can't use XMPP, so why don't we embed messages into an existing (but non-communication) protocol?

It took me around 20 minutes to design a chat system that uses DNS requests as the transport mechanism. It's got fairly limited capability, but the messages are encrypted with PGP and placing a network tap onto one of the endpoints will only show you which resolver the sender of the message used. Do the Government propose to trap and record every single DNS request in case it contains communications?
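What "trapping every DNS request" would involve on the monitoring side, as an added example that is not part of the original post: each query name is scored for long, high-entropy subdomain data (what encoded ciphertext looks like) and hits are grouped by parent domain. The thresholds, function names and sample queries are assumptions constructed for illustration.

```python
import math
from collections import Counter, defaultdict

MIN_LEN = 30        # assumed threshold: characters of subdomain data
MIN_ENTROPY = 3.5   # assumed threshold: bits per character

def entropy(s):
    """Shannon entropy of a string, in bits per character."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def split_name(qname):
    """Return (subdomain data, parent domain). Naively treats the last two
    labels as the parent; real code would consult the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return "".join(labels[:-2]), ".".join(labels[-2:])

def suspicious_domains(qnames, min_hits=3):
    """Parent domains that received at least min_hits distinct subdomains
    that are both long and random-looking."""
    hits = defaultdict(set)
    for qname in qnames:
        sub, parent = split_name(qname)
        if len(sub) >= MIN_LEN and entropy(sub) >= MIN_ENTROPY:
            hits[parent].add(sub)
    return {p: len(subs) for p, subs in hits.items() if len(subs) >= min_hits}

# Constructed sample log: ordinary lookups, one content-hash style hostname,
# and stand-ins for base32-encoded ciphertext under a reserved .example name.
SAMPLE_QUERIES = [
    "www.example.org",
    "mail.example.org",
    "api.shop.example.com",
    "d41d8cd98f00b204e9800998ecf8427e.cdn.example.net",
    "aiqybjrzcks2dlt3emu4fnv5gow6hpx7.relay.example",
    "hpx7gow6fnv5emu4dlt3cks2bjrzaiqy.relay.example",
    "yqiazrjb2skc3tld4ume5vnf6wog7xph.relay.example",
    "aiqybjrzcks2dlt3emu4fnv5gow6hpx7.relay.example",  # repeat, counted once
]

if __name__ == "__main__":
    print(suspicious_domains(SAMPLE_QUERIES))
```

Hashed CDN hostnames also produce long random-looking labels, so a single hit means little; the per-domain count of distinct subdomains is what cuts the noise.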

If I can design something so simple in 20 minutes, imagine what our CBS terrorist can come up with - he's certainly got more motivation than I have. Even a Crazy-But-Thick terrorist can probably find suitable motivation for someone smarter to devise a means of comms.

Turning back to existing solutions - do the Government intend to intercept and analyse every JPG download in case steganography has been used? Imagine the effectiveness of sending a message to all your terrorist cells by using Stego and then using BitTorrent to seed the message, hidden in something incredibly popular (Sony Pictures dump? The Fappening?).


There's a Wide World of Technology

As part of our new surveillance state, we require that all commercial providers of communications software (so think Microsoft, Apple and Google as examples) include backdoors for the UK Government to use.

For some crazy reason the MAGs of the world comply. What to do then about the Open Source projects/protocols? Assuming we can force compliance with those, there's still another issue:

If the backdoors are identified, our Crazy-But-Smart terrorist can remove them from the source and recompile. Oops, back to square one.

It doesn't need to be the actual communication apps either, the same remains true for the underlying libraries. If, somehow, you manage to force (another) weakness into OpenSSL, once it's identified our CBS terrorist simply recompiles without, or uses a different library without the known flaw.


Backdooring helps Criminals

Another alternative, and one that we've seen the NSA and GCHQ haven't been afraid of pursuing, is the intentional weakening of cryptographic solutions so that they can later be compromised if required.

The major issue with this is that backdoors aren't particularly selective. Once located, they can be misused by anyone, whether it's GCHQ or a pimply Russian teenager sat in his mother's basement. Deliberately weakening crypto puts every single one of us at risk, and not just from an authoritarian state.

So when asking yourself whether you're happy with the Government weakening (or removing) HTTPS connections - consider what happens with your Internet Banking details when that Russian Oik also finds the weakness.


Cameron's Motivation

Having examined some reasons why it's both unthinkable and unworkable (for further reading on that - look at some of the Middle Eastern states that have tried), let's take a look at the options we presented above:

  1. An idiot who doesn't understand the technology he's talking about
  2. Demonstrating that pre-election promises are inevitably broken
  3. Planning on introducing a draconian surveillance state
  4. Being mis-informed by other parties
  5. Simply creating sound-bites to raise the chances of re-election


Being mis-informed

Whenever Theresa May has trotted out the 'more interception' line, I've been working on the basis of number 1, possibly with an element of number 4.

In David Cameron's case, I believe that number 4 is almost certain (if no-one else, Theresa May will likely be giving him 'advice'). 


It's Unworkable - Doesn't Understand the Tech

As I hope I've demonstrated with brief examples above, what's being proposed is utterly unworkable and is therefore an unattainable goal. There's a much more detailed breakdown of the steps that would be required over on Boing Boing.

Given that Mr Cameron is suggesting we should sacrifice all privacy in order to try and achieve an unattainable view, I strongly suspect it's true that he has no clue about what he's talking about - especially given the strength of his words: if you work with security in an IT context, you know there are never any absolutes.


Introduction of a Surveillance State

Cameron's capacity (or lack thereof) to understand the technical challenges has no bearing, however, on whether he actually intends to attempt implementation. Whilst I suspect there is an element of creating good soundbites, there does seem to be a high probability of him attempting to push this forward - especially given that this is not the first time we've heard calls to expand surveillance capabilities.

I'm also strongly inclined to think that number 5 is a possibility, though Boris Johnson's words send a cold shiver through my spine:

"not particularly bothered with this civil liberties stuff"

The idea that such a view might be wide-spread amongst the Conservatives (or indeed, political types in general) is a horrific thought. Although Boris Johnson appears a buffoon, it's always struck me that he's quite switched on in some areas - though clearly the definition of freedom isn't one of them.

So, whilst I think this was a sound-bite, it's almost certainly not the primary motivation, just a "happy" side effect.


Election Promises

I included this more as a minor dig than anything, but I believe Cameron actually thinks this is an achievable goal.


So, I suspect the answer to our original question is that Mr Cameron is:

  • An idiot who doesn't understand the technology he's talking about
  • Planning on introducing a draconian surveillance state
  • Being mis-informed by other parties

And in doing so just so happens to have created a sound-bite.

There are a good number of reasons why we'd never achieve the level of capability that Mr Cameron seems to want to aim for, not least being that there's the rest of the world to consider (are Russian products likely to be backdoored at the behest of UK spooks?).

The biggest argument against the changes, though, is that they prove that terrorism is effective. Why waste life and time bombing large buildings, if you can conduct small-scale ops and watch the target Government massively curtail their own society as a result?

Terrorism is not, and never has been, purely about killing. The killing is a means to an end, and that end is always change of some form (whether it be leaving a country or changing some other aspect of life).

The sheer scale of the security apparatus we've already constructed since 9/11 is overwhelming, and we're now seeing our Government ask us to give up a fundamental right (privacy) in order to further the capabilities of that apparatus. With minimal effort, the terrorists already have us making (or attempting to make) massive changes to the Western lifestyle.

Although my interpretation of her words may differ, Theresa May said this week that everyone across society should be working to "ensure that we deal with and eradicate extremism, wherever it exists". This, I can agree with - the solution to bad speech is more speech. Society needs to work together and stand up to extremism - but massive interception capabilities are not a requirement to achieve that end.


In Closing

The Charlie Hebdo massacres were a tragedy that should never have happened, but the reality is that no amount of monitoring will ever be sufficient to prevent such a small-scale operation - the level of sophistication needed to mount such an attack is low, and could easily be perpetrated by relative unknowns.

I don't pretend to know what the victims' views would have been regarding Cameron's proposals, but I've a gut feeling that at least some of them would be horrified that such an agenda was being advanced in their names.