Watching Big Brother
The Great VPN Shutdown: China and Russia have banned VPNs - is the UK next?
As China and Russia tighten their control over online censorship, blocking VPNs and ramping up punishments for online activity, Eloise McLennan examines how recent policy changes in the UK could spell trouble in the fight for online privacy and data protection
In the battle to protect online freedoms, digital privacy has had a very bad year. Following a contentious fight against bulk data collection legislation in 2016, privacy advocates were dealt a new blow when China and Russia announced plans to block virtual private network (VPN) services, a move that would leave nearly 30% of global internet users without one of the few remaining tools to circumvent online censorship laws.
Neither country has a flawless reputation for human rights; in fact, it’s quite the opposite. And if you had to pick two countries with a notorious history of nefarious online activity, it’s more than likely that Russia and China would be pretty high up on your list. Worryingly, after putting up a public fight against the FBI in defence of encryption systems that protect user privacy from the grabby hands of government, Apple complied with a Chinese Government order to remove VPNs from its Chinese iOS AppStore.
But, while the move against VPNs is nothing new, it is an escalation of an anti-online freedom movement that is quickly finding its feet in the Western world. It’s not often that liberty-touting nations like the UK are viewed in the same realm as authoritarian states when talking about civil rights abuses, but in little more than a year, changes in political discourse and policy have raised serious concerns that similar legislation could be on the horizon for internet users in the UK.
What is a VPN?
If you are a regular internet user, you’ve more than likely come across the term virtual private network (VPN). But unless you are trying to access geo-locked content or are part of a multinational corporation, you may not have had any reason to actually use one. For the most part, VPNs have escaped scrutiny in the UK. They exist in a legal grey area; many big name organisations and even governmental departments themselves use VPNs to securely access and distribute content.
Using a VPN is like throwing a big blackout tent over your house and digging a tunnel underneath
Picture your house. On the front door, just above the letterbox, is your name and address in bright neon letters. That’s what your computer and router look like. Anyone who cares to look can see your address and track your mail from destination to destination. The postman is your internet service provider (ISP). If they don’t like the mail that you receive then they don’t post it.
Using a VPN is like throwing a big blackout tent over that house and digging a tunnel underneath that lets you anonymously transport your mail to a secret safe house. If anyone happens to stumble across this disguised mail, they won’t know who it came from or where it’s going. It masks your computer, keeping your IP address hidden from prying eyes and encrypting connections over the internet, so that if they are intercepted, they can’t be read anyway.
Now you see me, now you don’t: getting around the foundations of a Great British Firewall
Unlike nations such as China and Russia, or even the US where the general public is even warier of political figures, VPNs haven’t quite grasped the attention of internet users in the UK. According to a recent survey by Wombat Security, of 1,000 participants, only 44% of those surveyed in the UK said that they had used a VPN (including free VPNs). It’s not altogether unsurprising that British users have been slow to adopt a digital invisibility cloak. Before 2014, internet users in the UK had little reason to actively safeguard their privacy online. Despite how comfortable we have become with the digital spectrum, the internet remains a vulnerable place for most of us. While big corporations and international businesses may have employed VPNs to ensure that confidential information could safely travel from location to location, private law-abiding internet users had little reason to suspect that their information was of interest to anyone, least of all some of the most powerful intelligence agencies in the Western world.
So, when Edward Snowden revealed that not only was GCHQ unlawfully spying on and collecting browser data from private citizens, but that the organisation had been covertly doing so for more than ten years, it set off some pretty loud alarm bells that maybe, just maybe, the UK Government wasn’t too concerned with breaching one of the fundamental principles of UK law: innocent until proven guilty.
Brexit offered the perfect red herring to push through the third draft of the Investigatory Powers Bill while we were all busy bickering
In a surprising plot twist, the UK Government has decided to overrule the age-old ‘innocent until proven guilty’ hurdle that underwrites our entire legal system, with a ‘guilty until proven otherwise’ authoritarian approach. Suddenly, the words of politicians didn’t seem to match up with their actions in parliament. Significantly the words “There is no programme of mass surveillance and there is no surveillance state,” shamelessly uttered by then-Home Secretary Theresa May in 2014, shortly before she introduced the controversial Investigatory Powers Bill, which effectively cemented the foundations of a surveillance state into the UK.
The first few attempts to force through the bill were knocked back, the second notably dismissed by Nick Clegg for its Russian-style “dragnet approach”. Luckily for Mrs. May, and unluckily for the rest of us, Brexit offered the perfect red herring to push through the third draft of the bill while we were all busy bickering over the political ramifications of leaving the EU. With no Nick Clegg to cast out the draft, it passed with little scrutiny. Well, with just one glaring addendum – MPs were to be spared from the ‘draconian’ authorisation that granted 48 government bodies (including the Food Standards Agency, for some reason) access to 12 months worth of private user data.
With technology as ubiquitous as it is in the UK, our digital footprints provide a wealth of ammunition for those looking to use it against us. Our personal data, professional accomplishments, Google searches, friendships, and private thoughts can be found somewhere on the web. With an increase in web literacy, more and more individual users are also becoming aware of the necessity of cyber security. As awareness about VPNs is increasing, more and more users are using them for their personal use.
How VPNs expose weaknesses in censorship legislation
Have you ever wanted to be in two places at once? Say, if you’re travelling abroad and wished you could be back in the UK to watch Blue Planet II on BBC iPlayer because the on demand service isn’t available in your current location. Well, then a VPN may become an appealing solution.
Every country censors online content to some degree, although very few states go to the extremes that China does to stop users viewing information that the government doesn’t like. Unless you wanted to access geo-locked entertainment content or streaming services blocked by ISPs in the UK, you are unlikely to have stumbled across obvious forms of online censorship. But, when it was announced that under stipulations in the Digital Economy Bill, online porn websites would be legally required to implement age-verification systems that link the personal sexy-time preferences of its visitors with their banking details, VPNs were hailed as a saving grace for the second time in less than a year.
Who in their right mind would hand over their information to a tube site when they don’t have to?
These proposals, along with other recent laws, put the free flow of information at clear risk. Website blocking, organised and implemented by governments and used for content related to copyright infringement, terrorism and adult material, is a very slippery slope. We can barely go a day without some malware or hacking scandal that exposed innocent users to those pesky criminals that the government seems to think dominate the internet.
So, it’s quite understandable that users may be less than willing to link their personal details with their most intimate kinks. That’s exactly the kind of information that can be used to blackmail people – just look at the Ashley Madison hack. Nothing that the members of the cheat-on-your-spouse website were doing was illegal, morally iffy yes, but not against the law. Yet, they became a target for online extortion and doxing.
The majority of the sexy-time practices outlawed under the Data Economy Bill are perfectly legal to perform in the UK, and still exist beyond that invisible curtain of censorship. Accessing them is as simple as switching on a VPN. Voila; suddenly you’re not the depraved wanker looking for more than four fingers in the UK, you’re in Germany and pursuing a wide range of smut without fear of reprisal from nanny-state stuffed shirts, who let’s be honest, have had far more sex scandals than the rest of us. So, the question becomes: who in their right mind would hand over their information to a tube site when they don’t have to? No one would.
And that’s the problem. When it comes to regulating technology, the UK Government has proven itself to be woefully inept. Politicians push through unworkable legislation and then try to patch up the holes with more bills that make it even more dangerous for marginalised groups to access online content. As with the Snooper’s charter, VPNs expose a serious weakness in recent attempts to regulate online activity, which is embarrassing for people who write legislation for a living. And if there is one thing that politicians can’t tolerate, it’s embarrassment.
Technological ignorance puts VPNs in the firing line as MPs attack strong encryption platforms
Growing awareness of VPNs is likely to put them on the radar of easily startled politicians, but what should really concern internet users is that the government has gone after similar platforms in a big way in recent months. I’m not sure when it happened, but at some point over the last eight years, politicians in the UK decided that tech monopolies were in fact in charge of protecting homeland security. Specifically those tech giants like WhatsApp (FYI also banned in China) who employ end-to-end encryption (E2EE) to ensure that the content of messages can only be viewed by the sender and recipient.
Employing a convenient selective memory, our elected representatives choose to overlook the fact that many perpetrators are already known to security services when militant attacks occur on British soil. Instead, they throw their hands up and wail “IT’S THEIR FAULT FOR REASONS THAT I DON’T UNDERSTAND AND ALSO CAN’T TELL YOU.” E2EE services provide many of the same functions that VPNs do, namely concealing information from unwanted eyes, something that has become a bit of a thorn in the side of Theresa May and Amber Rudd.
Home Secretary Amber Rudd may think it doesn’t matter that she doesn’t understand end-to-end encryption, but it really does
The thing is that security agencies already have access to user metadata, which lets authorities see who is communicating with whom, where from and at what time, and there is little evidence to suggest that weakening the service for all users would do anything to combat the actions of those the government claims to be targeting with calls for backdoor entries into encryption. Even if GCHQ, MI6 or Scotland Yard had been able to access the WhatsApp messages of Westminster Bridge attacker Khalid Masood, what could they have realistically done in the two minutes between his final message and the attack?
This is where the discrepancy between knowledge and power is very important. Amber Rudd may think it doesn’t matter that she doesn’t understand end-to-end encryption, but it really does. Because she is the person who has been charged with saying no to people, who may, with all the best intentions, be overstepping their mark in pursuit of a target. If she doesn’t understand what she is talking about, then she puts us at risk.
For better or worse, those charged with dictating the policies that we have to live by have decided to view any platform that cloaks or conceals users with inherent suspicion, whereas the reality is that people who use the internet for really dark purposes aren’t stupid enough to do it openly. That’s criminal 101. Encryption bequeaths stronger encryption. Once one code has been broken, those with the knowhow and determination will simply develop a new way to avoid surveillance. Leaving the rest of us at the mercy of whatever government is in power.
The cat and mouse game of digital democracy
The biggest question is: why now? What would possess the UK Government to follow in the footsteps of autocratic nations with a pretty detailed history of doing dodgy things on the internet? Well, of course, the answer ultimately falls down to the same thread that has dogged every political development over the past year: trying to uphold the ‘Strong and Stable’ party image, despite continued demonstrations of ignorance and incompetence.
Oddly enough, most internet users don’t like being treated as criminals. And, as those who value secure communications – lobbyists, journalists, lawyers to name a few – harkened Mrs. May’s bill to authoritarian powers in – you guessed it – China, information about VPN services began to spread like wildfire. In fact, according to Google trends, interest in VPNs has doubled since the act was granted Royal Assent in late 2016. Despite now-Home Secretary Amber Rudd’s claim that the bill was “world-leading legislation that provides unprecedented transparency and substantial privacy protection,” it pushed the average internet users into the same realm occupied by Russian and Chinese users only a few years ago: a brave new world of top down transparency where the private lives of citizens become public property, while the ruling elite’s remain private.
Because we have the luxury of living in a country that not only criticises politicians, but delights in their scandals and downfalls, it’s easy to dismiss the actions in China and Russia as the quaint idiosyncrasies of foreign governments. Who cares that people can’t send that rainbow Putin meme in Russia when I can tweet out a link to Theresa May’s worst facial expressions of 2017?
Well, if you want a more up to date example to demonstrate just how valuable encrypted VPN systems can be to citizens of a democratic nation, just ask the members of the now-exiled Catalonian Government. During what should have been a peaceful (if technically illegal) vote on 1 October, the supposedly democratic Spanish Government tasked ISPs with blacklisting pro-independence websites, at the same time as pro-independence Catalonians were subject to the same police pushback that you’d expect to see during a prison riot.
Faced with an unmovable object in the ruling government, the digitally minded began to mobilise in a different way – using digital tools. By routing smartphones through VPNs, polling station volunteers created secure data networks to communicate without access to the open (and traceable) internet. This gave voters a lifeline to access information without exposing themselves to surveillance forces. That covert operation, however power-to-the-people it may be, has exposed a big gaping weakness in state control. Namely, that there are ways around current regulation that undermine the changes that politicians have introduced. For now, that might not be enough motivation for lawmakers in the UK to clampdown on unregistered platforms, but if enough users start to employ them to bypass surveillance and censorship laws, you can bet your life that those systems will become a target.
In the run-up to the election in June, the Conservative Government made it very clear that any technology that offers internet users, “somewhere to hide” (as Amber Rudd so misguidedly put it) was a target for further regulation. Granted she was talking about terrorists at the time, but realistically, any attempt to undermine encryption platforms, including VPNs, immediately incriminates all users, law abiding or nefarious. On the slippery slope towards a Great British Firewall, VPNs are a pretty obvious target. Much in the same way that China has moved to block services that are not registered with authorities, banning access to foreign-based VPN services is a logical move for a government looking to solidify its power in a digital age. To complete her masterpiece of a surveillance state, Theresa May needs tech companies to fall into place, giving her unlimited access to the user information of her subjects. And if the crackdown in China has proven anything, it’s that tech companies, despite all airs and graces about privacy, will bow to political pressure.