Monday, June 5th, 2017 (5:47 pm)

The Internet Service Providers Association (ISPA) has today warned the Prime Minister of the United Kingdom, Theresa May, that there is a risk of “unintended consequences that could undermine our defences” if she forces through aggressive new measures to tackle online “extremism”.

Tragically, London was hit by yet another significant terrorist incident over the weekend and politicians from all sides promptly condemned the attack, although the Prime Minister also went one step further by saying “enough is enough” and pledging that, if re-elected, she would press forward with tough new measures to stop terrorists from abusing the Internet.

Theresa May, UK Prime Minister, said: “We cannot allow this ideology the safe space it needs to breed. Yet that is precisely what the internet – and the big companies that provide internet-based services – provide. We need to work with allied, democratic governments to reach international agreements that regulate cyberspace to prevent the spread of extremism and terrorist planning. And we need to do everything we can at home to reduce the risks of extremism online.”

As usual there was a distinct lack of detail in May’s speech, although she does appear keen to pursue companies that use end-to-end encryption to protect private communications, such as by forcing them to hand over the content of those chats. But for that to work those companies would need to weaken encryption and we’ll come back to that later.

The recent Conservative Party manifesto also included vague references to tackling online bullying and “horrific content,” which always sounds fair on the surface but often ends up overlooking the realities of human behaviour and how the internet / ISPs actually work. Once again we don’t yet have any real details of the policy.

At the same time both Internet CONTENT and Internet ACCESS providers (each requires a different approach but sadly UK laws are often generalised for both) have warned that they already put a huge effort into tackling such content.

A Spokesperson for the ISPA said: “We condemn the attacks that took place on Saturday night and our thoughts are with the victims and their families. The Internet industry takes this issue very seriously, and together with relevant authorities and civil society, continually looks to improve processes and ways of removing content. Significant steps have been taken over recent months and years to limit the ability of terrorists to misuse the internet and social media. The UK Government and the security services already have substantial powers in this area and the Internet industry complies with the laws and regulations in the UK and elsewhere. When considering the need for more powers to regulate the Internet, policymakers need to be fully aware of the effectiveness of existing powers, resources to deal with the threat and the impact any new measures may have, including unintended consequences that could undermine our defences – for instance the weakening of cyber security. Technology is only one part of the wider approach to dealing with radicalisation, which is a complex international challenge that requires an international response.”

Arguably the Government has already moved a bulldozer onto the lawn by successfully passing the Investigatory Powers Act (IPAct) into law, although this still hasn’t been fully implemented due to some complex legal, cost and technical challenges where the Government has yet to provide a complete answer.

In other words, it could be argued that the security services already have a wealth of data at their disposal but what they lack is the manpower to monitor suspects in the off-line world, which is incredibly difficult to resolve. We recall one police force saying that it’s possible for up to 60 officers to be involved with the monitoring of just a single individual and if you have thousands of potential targets... trouble.

The question of tackling end-to-end encryption is similarly difficult. Encryption is of course used all over the place, for everything from securing your credit card transactions to keeping your messages private. It is an essential tool and one that only works if the decryption keys are kept hidden, sometimes even from the service owner.

As security experts so often warn, you can’t allow one state or group to have special access and then expect that not to be abused by others (e.g. hackers or less democratic countries). On this point the Government are perhaps guilty of not being very worldly, since weakening the encryption supplied by British firms will do little to stop its use by criminals or terrorists.

Encryption is not Apple, Facebook or Twitter. Encryption is a method that any person or country can set up and use. A clever terrorist probably has better ways to keep in touch with their fellow nut-jobs than to post a message on Twitter or Facebook, although the latter do make for useful promotional tools.

On that front Internet firms face the same impossible challenge to their resources as the police. In the online world a single person can easily set up a website that allows hundreds of thousands of people to communicate and this is one of the key ways in which the online and off-line worlds differ.

For example, Twitter has 313 million “active” users but only 3,860 employees. Obviously that means that when such companies are forced to filter then they often have to become increasingly reliant upon automated systems, which are just as likely to stifle free speech as they are to tackle terrorist content.

Lest we forget, there’s also the problem of how you define “extremism” in the first place and then separate it from criticism of the same subject, satire, the right to cause offence and so forth (context is very important). On that point we’ll finish by quoting from the boss of UK ISP Andrews and Arnold (AAISP).