Monday, 2 April 2012

Prying Dave's Folly

Hello Dave
So the UK government wants to monitor your emails, web usage, calls and texts. Let's all panic.

But, let's not. This government is akin to a racist on Twitter, expelling rubbish directly from their deep, dark fantasies, not allowing the inhibitions to take hold and rein them in. I doubt this one passed the Cabinet Reality Assessment Procedure (CRAP) test before going public. Fabulously, they've gone public very prematurely on this one, not bothering to actually consult anyone who knows what they're talking about (or listening to the wrong people), and at the same time showing their hand. While you should worry about the intentions and the implications, you needn't worry about it actually happening. Here's why.

Let's start with web site visits. This is the easy one. There are a few stages involved in getting your computer to communicate with a server somewhere else in the world which serves you web content. The first part is a DNS lookup. You type in and your computer goes to your configured DNS server (usually your ISP's) to translate the DNS name to a numeric IP address for direct access. This DNS request is plain text, transmitted in the clear, and can be intercepted by your ISP. So it's relatively easy for the government to pressurise your ISP into syphoning off all DNS requests into their own systems to log and analyse. They would be supplied with lists of web sites that you have requested in your browser, or indeed anything that your computer has been instructed to access, either by you or by some nefarious bit of spyware / malware you've been afflicted by. This is also something to be mindful of: not everything your computer accesses is initiated by you.
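To make the "plain text" point concrete, here is an added example (not from the original post) that builds a DNS query exactly as a resolver client sends it over UDP and then parses it back the way a passive observer on the path would. The hostname and transaction id are constructed sample values; the wire format itself is RFC 1035.

```python
import struct


def encode_name(hostname: str) -> bytes:
    """Encode a hostname as DNS wire-format labels: length byte + label, ending in 0x00."""
    out = b""
    for label in hostname.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS labels must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(hostname: str, txn_id: int = 0x1234) -> bytes:
    """Build a standard recursive A-record query (the UDP payload a stub resolver sends)."""
    # Header: id, flags (RD=1), qdcount, ancount, nscount, arcount
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    question = encode_name(hostname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def decode_name(packet: bytes, offset: int):
    """Read labels starting at offset; returns (name, offset after the terminating 0x00)."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers never appear in a client's question
            raise ValueError("unexpected compression pointer")
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def observed_queries(packet: bytes):
    """What anyone who can see the UDP payload (ISP, tap) reads: (name, qtype) per question."""
    qdcount = struct.unpack("!H", packet[4:6])[0]
    offset, seen = 12, []
    for _ in range(qdcount):
        name, offset = decode_name(packet, offset)
        qtype = struct.unpack("!H", packet[offset:offset + 2])[0]
        offset += 4  # skip QTYPE and QCLASS
        seen.append((name, qtype))
    return seen


SAMPLE_QUERY = build_query("www.example.com")  # constructed sample, no network needed
if __name__ == "__main__":
    print(observed_queries(SAMPLE_QUERY))  # [('www.example.com', 1)]
```

Nothing in the packet is encrypted, so the name is readable regardless of which resolver the query is addressed to.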

The next bit is the actual transfer of data, and where it gets interesting.

Years ago, it became apparent that we needed to secure information exchanges across the Internet. Something called Secure Sockets Layer (SSL) was invented, and then more recently an enhanced version called Transport Layer Security (TLS) superseded it. This works by encrypting the data sent between the web site and your computer. For your specific session, it can only be decrypted at your end or on the web server serving the content; nowhere in between.
By now, every web site should be SSL by default. Every web site you visit should make your address bar turn green. Those sites that don't do this just need a little kick up the owners' / administrators' arses. (Conveniently, a good way of doing this is to introduce something which will make users much more likely to visit if they do, such as a government snooping on you...) Then, if web browsers start attempting to connect to web sites using SSL first, and only fall back to plain text with a warning if they can't, all web sites would very quickly be SSL only.
So that's intercepting traffic in the middle taken care of, but what about the actual web sites? Well, Big Bad Dave can't get every single web site everywhere to log traffic for him, so there's no way they can monitor what you're actually doing on a web site that is secure. They can see where you're going from DNS lookups (and then only maybe; I'll elaborate later), but not what you're doing when you're there.

Now that we've seen how SSL and TLS secure conversations between users and web sites, email security is a bit easier to understand. There are two major ways people use email: webmail and remote mail servers. Communications with webmail servers happen through your browser and are subject to exactly the same encrypted SSL traffic as visits to any other web site. Take GMail and Hotmail for example: both enforce SSL by default, so sending someone with a GMail address an email from your own GMail address means that the mail never goes outside of Google, and neither your ISP nor anyone else can see anything to do with what's in the mail, who it's for, etc. They would need Google to give them that info...

It gets slightly more complicated when mail goes outside of webmail. If you send an email from your GMail to, and the mail server for is a standard old SMTP server, then the info is likely to be sent in the clear and can be intercepted. However, any aspiring terrorists (which these plans are made to catch, right?) will encrypt the mail before it gets sent. There is Pretty Good Privacy (PGP), and the later, better version, GNU Privacy Guard (GPG), both of which are personal-level encryption standards where it's simple to encrypt a document, a mail, etc. The use of these tools is widespread, and will become the default simple way of doing things in mail client programs such as Outlook and Thunderbird, with support in webmail coming soon after.

A final consideration is a Virtual Private Network (VPN). VPNs were invented to provide privacy and security between computers communicating over the Internet. They provide a layer of segregation where the data is sent over public networks, but can only be read if you're part of the private network. In the late 90s and early 2000s, when the Arab states started getting more western immigrants wanting the same unrestricted Internet access they'd become accustomed to, they attempted to control access at the ISP level. This caused users to turn to VPNs to bypass any interception or filtering in place, and meant that the ISPs were unable to block specific types of traffic inside the VPNs. I personally supported someone who moved from the UK to Dubai and found that he was unable to use Skype out there, as the local ISP had blocked Skype in favour of their own paid-for version. A simple VPN configuration later and he was using Skype, and there was nothing the local ISP could do about it. This is also where it comes back to DNS lookups, because if they're done inside a VPN, they're also encrypted and can't be intercepted. The Tor Project is a mass VPN which allows normal users to remain anonymous in much the same way.

So to summarise: yes, if the government want to snoop on which web sites you're visiting, then it's not difficult for them to do so, unless you use a different DNS server. It becomes almost impossible for them to see what you're actually doing on a web site, unless the site owner is willing to give them traffic logs (which is unrealistic: it places far too much overhead on the site owners). Most people use webmail now, so that is already secure and works by the same rules as secure web sites.

What can you do to make sure the government can't snoop on you? Well, start by encouraging the use of web sites which are secure by default. Always type https:// at the start of an address to attempt to connect securely.
Then, use a different DNS server from your ISP's. Nice, reliable DNS servers are Google's, which are and It won't stop your ISP from being able to intercept DNS lookup traffic, but they can't just hand over simple logs.
Then, if you're not using webmail, use GPG to encrypt your emails.

In the end, the logistics of the government being able to snoop on and log everything everyone does are insurmountable. But they only want you to be worried that they could be looking at any time; the fact that they actually can't doesn't enter into it. Even then, it's almost useless for them to do so. This comes down to the logistics of databases, but that's a whole other topic.

It's also important to distinguish between anyone being able to look at where you're going and being able to look at what you're doing. The media would like you to believe it's the latter, but that is only true in very few cases. So for now, don't worry about it. Just think about your privacy and look for encryption everywhere. The web is built on some pretty solid foundations, and a massively right-wing, paranoid, temporary government can't change that.