The Draft Investigatory Powers Bill [PDF] presented by the UK Home Secretary Theresa May to parliament today is currently causing some sensation, since it includes the promise of new legislation that will force UK ISPs to keep an Internet Connection Record (now jargonised into ‘ICR’) for the previous 12 months for all of their customers, and also because it begins to deliver on prime minister David Cameron’s frequently-aired misgivings about zero-knowledge consumer-level encryption, as supplied by the likes of Apple and the Android operating system.
But the most surprising aspect of the document, which outlines a broad raft of legislative measures intended to go before the house for approval in 2016 once clarified and refined, is that Virtual Private Networks (VPNs) are not mentioned anywhere in it, despite their capacity to render the retention of ICRs a completely moot point.
Anyone using a VPN – a simple and cheap (e.g. $20 p/a) piece of software that VPN companies go to extraordinary lengths to make ‘customer-friendly’ – at all times when connecting to the internet via a fixed, laptop or mobile device will have a very dull ICR indeed, since it will just show the customer hopping on once to their ISP and making one final hop into the opacity of VPN tunnelling, after which every transaction, from Netflix blitzes to Facebook-mulling to bomb-making conferences, will simply show up as encrypted traffic.
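To make the ISP's vantage point concrete, here is an added Python sketch (not from the article or from any VPN provider) of what a per-customer connection record could contain, first for a customer browsing directly and then for the same sessions tunnelled to a single VPN endpoint. The flow records, IP addresses (RFC 5737 documentation ranges) and the assumption that a record keeps destination, session timestamps and byte volume are all constructed for illustration. It also makes visible the caveat the paragraph leaves implicit: the tunnel collapses every destination into one endpoint, but session timing and traffic volume are still observable at the ISP.

```python
"""Added example: an ISP-side 'connection record' with and without a VPN.
All flow data below is constructed sample input, not real customer traffic."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One observed session from the ISP's perspective (constructed schema)."""
    customer: str
    ts: int          # session start, seconds since epoch (constructed values)
    dst_ip: str
    dst_port: int
    bytes_out: int   # bytes sent by the customer in that session


# Constructed: a customer reaching three unrelated services directly.
DIRECT = [
    Flow("cust-A", 1000, "203.0.113.10", 443, 120_000),  # video streaming
    Flow("cust-A", 1060, "198.51.100.7", 443, 4_000),    # social network
    Flow("cust-A", 1120, "192.0.2.25", 80, 9_000),       # web forum
]

# Constructed: the same three sessions, each wrapped in the VPN tunnel.
# Every session now terminates at the VPN endpoint; the small per-session
# overhead stands in for tunnel framing and is an assumed figure.
VPN_ENDPOINT = "198.51.100.200"
VPN_PORT = 1194  # OpenVPN's registered port, used only as a plausible example
TUNNEL_OVERHEAD = 60
TUNNELLED = [
    Flow(f.customer, f.ts, VPN_ENDPOINT, VPN_PORT, f.bytes_out + TUNNEL_OVERHEAD)
    for f in DIRECT
]


def connection_record(flows):
    """Aggregate flows per (destination IP, port): session count, total bytes,
    and first/last time seen. This is what a retention regime could keep."""
    rec = defaultdict(lambda: {"sessions": 0, "bytes": 0, "first": None, "last": None})
    for f in flows:
        r = rec[(f.dst_ip, f.dst_port)]
        r["sessions"] += 1
        r["bytes"] += f.bytes_out
        r["first"] = f.ts if r["first"] is None else min(r["first"], f.ts)
        r["last"] = f.ts if r["last"] is None else max(r["last"], f.ts)
    return dict(rec)


def distinct_destinations(flows):
    """Number of distinct endpoints the ISP can attribute to the customer."""
    return len({(f.dst_ip, f.dst_port) for f in flows})


def total_bytes(flows):
    """Volume is not hidden by the tunnel; it only grows by the overhead."""
    return sum(f.bytes_out for f in flows)


def session_times(flows):
    """Timing of activity is likewise still visible through the tunnel."""
    return sorted(f.ts for f in flows)


if __name__ == "__main__":
    for label, flows in (("direct", DIRECT), ("via VPN", TUNNELLED)):
        print(f"--- {label}: {distinct_destinations(flows)} destination(s), "
              f"{total_bytes(flows)} bytes, sessions at {session_times(flows)}")
        for dst, r in connection_record(flows).items():
            print(f"  {dst[0]}:{dst[1]}  sessions={r['sessions']} bytes={r['bytes']} "
                  f"first={r['first']} last={r['last']}")
```

Running the script prints three attributable destinations for the direct case and a single VPN endpoint for the tunnelled one, while the session timestamps and byte totals line up almost exactly between the two.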
Vladimir Putin is deeply interested in VPNs, as is China. Both Russia and China have made the connection between the anonymising and controversial powers of Tor and the fact that VPN providers, depending on where they are located, can in effect make a user’s internet activity into nothing more meaningful to investigating authorities than a series of encrypted zeroes and ones. So it is strange that the Draft Investigatory Powers Bill has not a word to say on the matter, when it is establishing so many paedophile scarecrows around its most controversial edicts and promises.
Perhaps the entire matter is covered within the same section of DIPB which, so controversially, would require global giants such as Apple and Google to specifically turn off end-to-end encryption in iOS 8-9 and Android if the user is on UK soil. The bill refers not to ISPs but to CSPs (‘Communications Service Providers’), taking the purview of potential legislation beyond the likes of Virgin Media and directly to the door of hardware suppliers such as Apple. Under the proposed changes to the law described in the bill, no CSP will be able to offer an encrypted service for which it cannot provide a key, as is currently the case with local encryption on iOS. Can it be that soon in the UK any VPN provider, perhaps especially those based in countries committed to protecting consumer information from requests by foreign governments, will be required to hand over encryption keys in advance (perhaps in some kind of digital escrow) in order not to be blacklisted by blighty-based ISPs?
Or perhaps the VPN has simply yet to raise its head in the British political and security scene, because so few people understand what a VPN is. Most internet searches on VPN-related subjects still turn up commercial sites rather than news sites, and even today’s Guardian coverage, which advises readers about the potential use of VPNs to obviate the privacy implications of DIPB, seems only semi-informed on the matter.