If you thought the “snooper’s charter” went a bit far, you should see what the French have planned. You’ll recall that I pointed out in my blog post on the UK’s plans to collect browsing data that VPNs, TOR and shared WiFi would defeat it? The French response – ban them all.
If you want prima facie evidence that Europe’s law-makers have no idea how anything works anymore, here it is. Banning TOR is one thing – after all, those bastions of freedom Russia, China and Iran have already done so, and if you have nothing to hide, you have nothing to fear, right? I mean, it’s not as though TOR was originally funded by the US government to give dissidents a way to protest anonymously against oppressive regimes or anything, is it? Oh.
But seriously – ban shared WiFi, demand decryption keys for encrypted connections? Someone somewhere has decided that it would be easier to track terrorists if everyone had a dedicated IP address. Obviously that means no more open public WiFi; I suppose you could still have secure WiFi where user registration was tied to a contract cellphone number, but that’s about as far as it goes. 3/4g network saturation, here we come. Oh, and we’d better get IPv6 working, since we’ve already run out of IPv4 addresses. Perhaps we should just tattoo everyone with an IP address – maybe inside their left forearm.
Security is always in an uncomfortable balance with liberty. I’m not merely making the obvious argument that if we take away these liberties, we’re letting the terrorists win. I’m making two other points. Firstly this approach won’t work. Never mind the – real – technical difficulties of doing it in the first place; we’ve seen already that the problem with preventing the Paris attacks wasn’t terrorist information security – they barely had any – but failure to share and act on information already available to security agencies. Having more information that you can’t process and don’t use won’t stop any terrorists – after all, if commercial organisations, with a clear and simple set of motives and metrics, don’t make use of the data they collect, what hope is there for intelligence services already drowning in the stuff?
Secondly, the economic cost will be enormous. Not just the massive increases necessary to fund all this additional data acquisition and analytics, or the cost to ISPs of implementing the relevant capabilities, or the judicial cost of enforcing these laws; I’m talking about the real economy cost of taking mobile working back to the 90s. No more frictionless switching between cellular and WiFi; no more secure VPNs to the office; no more softphone client for your office VoIP; no more ecommerce – would you trust your card details to a connection if you knew the private key was floating around inside the bureaucracy somewhere?
If we’re prepared to accept even 10% of that economic impact, we can afford instead to fund proper human intelligence-gathering, effective military intervention and the long-term education campaign that is the only real answer to the problem.