Internet Privacy and Government Regulation

The government is planning to intrude on your privacy by reading all of your internet traffic.

At its latest meeting with the ISPs and mobile network operators, the Home Office set out details of the hardware that would be used to monitor the traffic flowing through their networks.

At the moment, when you use a webmail service such as Yahoo or Gmail, the entire web page is encrypted before it is sent, so your ISP cannot tell the message apart from the rest of the content. The proposal now under discussion would require ISPs to divert that traffic through a “black box” that decrypts it, separates out the header data and passes the actual message to the ISP for storage.

The government has revealed nothing about how this “special black box” would work, so what follows is an informed assumption. It gets a little technical, but bear with it; it is worth understanding properly.

Suppose I type “I have an embarrassing medical condition” into a search engine. That whole phrase is sent to the search engine.

Search for that in a web café or at work and everything you send could be read by someone else on the network. Modern browsers change the colour of the title bar to show that the website you are visiting is secure, and secure websites also show a padlock icon.

For the search above I used http://google.com/ rather than https://google.com/. Had I used the https version, nobody in between could have seen what I searched for: the search string is encrypted before it leaves the browser, which stops hackers or any other third party from reading it. That encryption relies on some clever mathematics involving prime numbers.

Anyone can create a public key and use it to encrypt traffic. The difficulty is knowing that the organisation encrypting your data is really the one it claims to be. An example shows the problem.

If you try to visit Indymedia, you receive the following warning.

You can choose to “proceed anyway” and carry on browsing, but the warning is shown in red: the problem is that the site does not have a valid certificate. By proceeding, you are making an explicit choice to accept that.

Clicking on the padlock shows that a Certification Authority has issued a valid certificate for the website, which is why no security warning appears here. Some extra information about the certificate is also shown.

These certification authorities form a web of trust: a group of bodies that vouch for one another. Authorities such as the Go Daddy Secure Certification Authority issue public keys, which are electronic files bound to the name of a particular person or organisation.

The organisation has to operate a public key infrastructure. When a new user applies for a certificate, their public key is lodged with a registration authority (RA), which uses it to confirm the identity of the user; after that, a digital certificate for the user can be signed. Anyone dealing with the user can then check their identity against it.

If you did not follow all of that, it does not matter. All you need to know is that certificates are issued by these authorities, so when a website claims to be Gmail, you can be sure that it is.

In theory, you might think these certificates could be abused. In practice it has already happened: in February, the certificate authority Trustwave revoked a certificate that had been used to spy on the private email of a company’s employees.

That skeleton-key CA certificate was supplied in a tamper-proof hardware security module (HSM) for use in a data loss prevention (DLP) system, a class of product designed to stop data leaking out of a company.

Such a system fools the browser into believing it has a secure connection to the remote site, when in fact the browser is talking to a server on the firm’s premises. To do that, the DLP system must be able to issue its own digital certificates for any site it wishes to inspect; the result is, in effect, a man-in-the-middle attack by a third party.

The same approach could be used in the monitoring system the government intends to use for spying, most likely against web services such as Gmail and Skype. A few well-evidenced eavesdropping incidents of this kind have been reported, though none has so far been linked to a state.

Such a spying programme would work if the UK government colluded with a Certification Authority. It would no longer be one company spying on its own staff; it would be the government spying on everyone and everything, and the padlock would stay green throughout, so there would be nothing you could do about it.
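The last few paragraphs describe the mechanism, and the added Go example below (not the article’s own code; the root, sub-CA and hostname are constructed names) makes it concrete: a trusted root issues the genuine certificate for a mail server and also an interception sub-CA, and the forged certificate from that sub-CA passes exactly the same chain check that lights the padlock. It also shows the one check the article does not mention, which is comparing the presented key with one pinned on an earlier connection; that is the only thing in this model that tells the two apart.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue mints a certificate for name signed by parent; with parent == nil it is a self-signed root.
func issue(name string, isCA bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: isCA, BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, pkey = tmpl, key // self-sign
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey) // inputs are fixed, so no error path here
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// padlock is the browser's check before showing the lock: does leaf chain, via the intermediates the server sent, to a trusted root for host?
func padlock(leaf, root *x509.Certificate, host string, sent *x509.CertPool) bool {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: sent})
	return err == nil
}

// scenario: one trusted root issues the genuine mail server certificate and an interception sub-CA that forges one for the same hostname (constructed names).
func scenario() (genuineChains, forgedChains, forgedMatchesPin bool) {
	root, rootKey := issue("root-ca.test", true, nil, nil)
	genuine, _ := issue("mail.example", false, root, rootKey)
	subCA, subKey := issue("intercept-ca.test", true, root, rootKey)
	forged, _ := issue("mail.example", false, subCA, subKey)
	sent := x509.NewCertPool() // intermediate the interception box presents alongside its forged leaf
	sent.AddCert(subCA)
	pinned := genuine.PublicKey.(ed25519.PublicKey) // key the client recorded for mail.example on an earlier, clean connection
	return padlock(genuine, root, "mail.example", nil), padlock(forged, root, "mail.example", sent), pinned.Equal(forged.PublicKey)
}

func main() {
	fmt.Println(scenario()) // true true false
}
```

Both certificates verify, which is why the padlock stays green; only the pin comparison fails for the forged one.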

If the government is determined to spy on you, switching to a VPN will not help. Legislation restricting such practices is needed as soon as possible: they violate the rights of citizens, especially in a democracy.
