A former advisor to the Prime Minister was recently convicted on charges of downloading indecent images of underage girls.
I don't want to go into detail about whether or not his punishment is adequate, but I would like to talk about this curious remark made by the Judge during his sentencing:
beginning today and lasting for two years, you are prohibited from using any device capable of accessing the internet unless it has the capacity to retain and display the history of internet use and you make the device available on request for inspection by a police officer. You are also prohibited from deleting such history.
On the face of it, this seems quite sensible - but what exactly is "accessing the Internet" and what do we mean by retaining "the history of Internet use"?
By "Internet history", I suspect most people think of a web-browser's "history" function. Silently recording every page that you've visited.
There are two flaws in this thinking.
- All web browsers have an "incognito" mode which prevents a history being created.
- History usually covers pages - not embedded media.
I don't know of any way - short of persistent monitoring of a connection - that you could tell if Incognito mode had been used. That's the whole point in it existing. It doesn't delete the history - it never records it in the first place.
Is it enough for the offender to say "just because Firefox has an incognito mode, that doesn't mean I've used it."? Or are they prohibited from using any browser with such a feature?
Secondly, your browser is recording a visit to this specific page in its history. But it is not recording a visit to the page hosting this image:
It would be possible to craft a page full of forbidden content, yet have the browser only record a visit to a seemingly innocuous site.
Similarly, a history may record that you visited a specific page on YouTube - but if the video is subsequently deleted, there's no way to know what its contents were.
The Internet is not the Web
It is a common misconception that the Internet is the same thing as the Web. It isn't.
There are many different ways to access the Internet on a device. For example, switching on your Internet connected lightbulbs doesn't use the Web.
- Suppose this person has an Internet connected thermostat. Does his smarthome have to retain every time he adjusts the temperature?
- What about email? Can he delete unsolicited spam messages? How about discarding drafts of emails?
- A games console can access the Internet. But generally doesn't record its Internet use. So can he play on an Xbox if it isn't connected to his WiFi?
- Most devices will not have access to the encrypted streams that an app requests. So are all apps out of the question unless they also retain a hstory?
- Consider a Skype video call. Is it enough to preserve the metadata (when was the call placed, who were the participants)? Or does the video and audio need to be preserved?
Is it impractical to completely ban someone from using the Internet given how much of modern life relies on it? If it is, how do you adequately craft an unambiguous order which allows an offender to be monitored without overwhelming complexity?
I'm (obviously) not a legal scholar. The spirit of this ruling seems to be "you can access the Internet only if we're allowed to inspect everything you do" - but the wording seems (deliberately?) vague and technologically naïve.
Does that embolden the guilty party to look for loopholes? Does it give the police too much power to arrest on a whim? Given that it is rarely the "device" which records Internet history, is there any way of practically complying with the order?
What are the alternatives?
- Directly monitor the offender's Internet connection? Wouldn't be able to see encrypted traffic. Doesn't stop someone buying a SIM card.
- Install surveillance software on all Internet connected devices? Impossible for Smart TVs, games consoles, eBooks, smart watches, etc.
- Only use approved apps on approved devices, and ensure that the phone/laptop/games console/etc can't install anything else? Complex and expensive.
- Ban the offender from buying a burner phone / SIM or using Incognito Mode? This seems to be what the Judge wants - but it is almost impossible to detect.
At this point, we're back where we started. The offender has to be trusted to comply with an order which is easy to unexpectedly break, and those supervising him have an almost impossible job detecting unauthorised use.
I'd welcome thoughts from people better informed than I am.