UK 'Snooper's Charter' Seeks To Eliminate Pesky Private Communications
from the eat-your-heart-out,-china dept
As expected, the UK government has published its Draft Communications Bill (pdf) -- better known as the "snooper's charter," since it requires ISPs to record key information about every email sent and Web site visited by UK citizens, and mobile phone companies to log all their calls (landline information is already recorded).
Since this was only released a few hours ago, people are still trawling through it to find out what delights it holds, but an eagle-eyed David Meyer has already spotted something rather extraordinary: the UK government seems to be proposing to log not just every IP packet, but every physical packet -- and letter, and postcard -- too.
That's thanks to Section 25 of the Draft, which states:
Part 1 [the main requirements to log communications data] applies to public postal operators and public postal services as it applies to telecommunications operators and telecommunications services.
And if you were wondering what "communications data" means when applied to letters and postcards, it includes:
postal data comprised in or attached to a communication (whether by the sender or otherwise) for the purposes of a postal service by means of which it is being or may be transmitted
Letters, telephone calls, email and the Web -- this is a level of total surveillance that countries like China, North Korea or Iran can only dream of. What remains unclear is how the UK government will try to gather this incredible flood of information, and whether it can access it in real time. Here's what the site Privacy International thinks will happen:
The government today published a draft version of a bill that, if signed into law in its current form, would force Internet Service Providers (ISPs) and mobile phone network providers in Britain to install 'black boxes' in order to collect and store information on everyone's internet and phone activity, and give the police the ability to self-authorise access to this information.
That article points out that two important questions on the Internet side of things remain unanswered:
However, the Home Office failed to explain whether or not companies like Facebook, Google and Twitter will be brought under the Regulation of Investigatory Powers Act (RIPA), and how they intend to deal with HTTPS encryption.
When an official was pressed on that last point, he gave a rather disturbing reply:
At this morning's Home Office briefing, Director of the Office for Security and Counter-Terrorism Charles Farr was asked about how the black box technology would handle HTTPS encryption. His only response was: "It will."
This is going to get very interesting.
Follow me @glynmoody on Twitter or identi.ca, and on Google+
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: draft communications bill, isp, snooper's charter, uk
Reader Comments
Subscribe: RSS
View by: Time | Thread
It just got all 1984 up in this shit.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Daft
though .. it probably fits just the same!
[ link to this | view in chronology ]
AND??
How much data can be captured before they give up.
Another point..
is to see WHO SUES the UK for invasion of privacy..FIRST
[ link to this | view in chronology ]
Re: AND??
[ link to this | view in chronology ]
And this is how democracy dies...
So when are people going to -wake up- and realize what's happening? Is it time for an armed revolution yet? Because I'm ready for it to begin.
[ link to this | view in chronology ]
Re: And this is how democracy dies...
among other things.
[ link to this | view in chronology ]
Re: And this is how democracy dies...
[ link to this | view in chronology ]
Re: Re: And this is how democracy dies...
[ link to this | view in chronology ]
Re: And this is how democracy dies...
[ link to this | view in chronology ]
Re: And this is how democracy dies...
[ link to this | view in chronology ]
Things That Make You Go Hmm
Hmm.
[ link to this | view in chronology ]
Re: Things That Make You Go Hmm
i am confused about one thing though... last time i'd heard anything about UK privacy laws it was something along the lines of not being able to use cloud services like google and such, because they couldn't be certain US based companies measured up to the much stricter UK data privacy laws.
Did those just get repealed, or is it the usual case of the left hand not knowing what the right just signed into law?
[ link to this | view in chronology ]
Re: Things That Make You Go Hmm
The reason this is enforced against the government on most levels is that unlike other countries, Americans have guns, guns, guns, guns and guns. Lots of them. No matter how powerful your arguments or friends, if you get shot you usually die. Guns are great equalizers of power, because they basically tell our government "If you get too out of hand, we'll fucking KILL you!" on a constant basis.
You could have a Fourth Amendment too if you convinced enough people it was a good idea. It was the English government we started shooting for being oppressive, though, so I wish you good luck.
[ link to this | view in chronology ]
Re: Things That Make You Go Hmm
[ link to this | view in chronology ]
On the plus side, the odds of the surveillence technology performing as advertised are quite astoundingly remote, given our previous history with government IT projects. Either they'll be defeated by the most rudimentary additional encryption measures, or the government will neglect to employ enough people to actually sift through the huge influx of raw data and it becomes nigh-impossible to perform any sort of targeted intercept with probable cause.
[ link to this | view in chronology ]
Re:
Unfortunately, unlike the previous government, this one seems to have realised that and hence they are shifting the requirements (and the work & expense) onto the ISPs. Meaning that it could actually work.
Proxies, encryptions and a little macro to randomly click web-links might be the way forward.
I might start sending empty envelopes around as well.
Actually, if I'm going to that much effort, I may as well set myself up as a full-on spam merchant.
[ link to this | view in chronology ]
Re: Re:
But making it really realistic (i.e. difficult to distinguish the automated and the real clicks) might be a tough problem. Anyway, it could certainly generate more data to sift through.
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Maybe it's time to invest in hard drive manufacturers
If they just log basic information like the URL it's trivial to circumvent the logging. If they log every packet sent they are going to end up with a ridiculous amount of data. I have a small, unimportant website but it still often uses 200Gb of bandwidth in a month.
What about larger companies that host servers themselves ? Are they going to log all the incoming traffic too or is using a computer at one of these going to sidestep the logging?
What is to stop people running a program that randomly browses websites to pollute the data and dilute the chance of working out what that person is actually browsing. What about browsers that preemptively fetch web pages, what proof is there that any webpage was actualy looked at?
They are either going to have to do some serious filtering in real time and possibly lose the very details they are trying to find or end up with an humongous pile of data that is going to take some serious data mining to extract anything useful.
To me the whole thing sounds more like a plan to divert some more public money into their friends pockets than anything that is likely to produce useful information.
[ link to this | view in chronology ]
Re: Maybe it's time to invest in hard drive manufacturers
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Make pre-election promises and manifestos legally binding
1. They promise us they will do XYZ.
2. We vote for them based on this promise.
3. They get elected.
4. They break their promises and to ABC.
The same thing happens with every single party. I was stunned at the Lib Dems selling the idea that it's okay to tread all over the rights and freedoms of British citizens. They promised to claw back some of these rights and freedoms, but now are agreeing with the exact opposite (and using the pathetic useless "safeguards" as an excuse).
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
That has to be a bluff. It had better be, because otherwise when whatever method they use leaks out and every script kiddie in the world is able to bypass HTTPS encryption, we're going to have even bigger problems...
[ link to this | view in chronology ]
HTTPS decryption
In other words, the secure channel you think you've established with a web site is in fact a channel to the black box, which records the content and passes on the requests and responses from a central point.
(I am not a security analyst, but I think major corporates already do this when you're inside their firewall)
[ link to this | view in chronology ]
Re: HTTPS decryption
For this to work here, they would have to either install a new certificate authority root on everyone's computers and phones (good luck), or as you said come to an agreement with an existing certificate authority to produce MITM certificates. Good luck on that last one too; ANY certificate authority which allows that is going to be removed FAST from all the major web browsers (the Mozilla Foundation is NOT going to put up with that kind of nonsense, as they have shown in the past).
But then, the answer being only "it will" looks to me as if they did not think this through, and believe that by their ordering so the "techies" will find a way. Somehow.
[ link to this | view in chronology ]
Re: Re: HTTPS decryption
I was thinking the same thing. People will loose faith in the "Trusted" authorities and the ones that cooperate will fail and be replaced.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: cracking https
[ link to this | view in chronology ]
Meh
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Private communication
Every site on the net allowing for anonymous use and submission of text can be used to obfuscate and anonymize communication.
1. Create a Wordpress blog.
2. Create a Dropbox account.
3. Create a Rapidshare/Bayfiles/4shared account.
etc
Upload all your secret messages as 7zipped AES encrypted archives and use physical mail or sneakernet to communicate the URLs to the recipients.
Encrypt the URLs with PGP and send them on an USB stick to the recipients.
No direct IP address connection between sender and receiver other than both having used a very popular file host or blog platform.
Call the files something like RIAA-label -- Artist - Title.7z and you'll be sure that they get taken down. If you want to be sure, just send the hoster a fake DMCA notice or report the files as copyright infringement.
The government now only has a very limited time window to correlate all IP logs and seize and decrypt the content of the messages.
Under the DMCA the hoster has an obligation to delete the files, and if they are already gone when the government comes around demanding preservation of evidence, it's already too late.
Who says that the DMCA is bad for civil liberties?
[ link to this | view in chronology ]
Re: Private communication
This bill is bringing the internet and postal service into line with what the security services can already do with your phone line.
Your local council, for instance, can already ask the police to request your telephone records (who you called, when and for how long). Now they will be able to ask who sent you mail or email and which websites you visited.
None of this enables people to inspect your mail, or email, or your transactions with websites any more than they can eavesdrop on your phone calls.
They will still need a court order to do that.
I don't agree with this bill but we should fight it with facts, not FUD.
[ link to this | view in chronology ]
Re: Re: Private communication
Communication data can mean a lot of things, one of them is the actual contents of what is passing through the channels they are monitoring. I can see a problem with that.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
PS Speaking of Labour, did you notice how suspiciously quiet they are on this issue?
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Anonymity solutions
If you build physical infrastructure, you must play by the government's rules.
And if you accept payments -- barring hard to set up Bitcoin - your users can be traced, if for no other reason, that the state wants to tax you.
What we need are a more decentralized VPN solution.
Tor is tcp/ip only, and I2P does not work very well, and OpenVPN is complicated for most users.
Most current anonymity solutions are either bloatware, low latency or only good for socksifying supported applications.
[ link to this | view in chronology ]
Re: Anonymity solutions
I decided to go VPN after hearing about this bill, plus when my ISP censored the Pirate Bay, it tipped my decision. Not that I use TPB - I use Tribler - a distributed P2P system.
I'd really like to see how they get round the 2048 bit encryption from my computer to the VPN server in a foreign country. If they can do this, then online financial transactions are gone forever!
[ link to this | view in chronology ]
Re: Re: Anonymity solutions
What is the difference from a VPN to an ISP or certificate authority?
Any company that have an office and use financial infra-structure to do business will be forced to conform to whatever the government in their neck of the woods say.
Even VPN providers acknowledge that they do indeed give away your data to law enforcement when asked to do so.
[ link to this | view in chronology ]
Re: Re: Re: Anonymity solutions
[ link to this | view in chronology ]
http://uk.news.yahoo.com/councils-lose-data-access-powers-230559438.html
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
At no fucking point did i give my permission to collect data related to me to be stored, did they ask, NO.....fucking pillocks, what gives them the fucking right to even suggest this without our input on the matter
The internet will be an unregonizable place, when power hungery, informational whores get their way, and i think internet companies and isp's need to get some fucking balls, because they most of all will most affected by this
[ link to this | view in chronology ]
Re: HTTPS decryption
Ifyou have visited the site before, you might write down the certificate hash, and check the certificate each time you connect to the server.
[ link to this | view in chronology ]
Re: Re: HTTPS decryption
[ link to this | view in chronology ]
Re: Re: Re: HTTPS decryption
It doesn't matter if the certificate is authentic or not, if the authority issuing that certificate has to give the keys to the government they don't need to issue the certificates they just passively record every bit of data and decode that.
Same goes for VPN or any other means that involves trust in a third party to secure anything, if you corrupt the third party you are owned.
[ link to this | view in chronology ]
Re: Re: Re: Re: HTTPS decryption
With HTTPS, the private key (which is needed to decode the data) is not given to anyone. What the certificate authority receives is the public key, which it signs and gives back. The authority issuing the certificate cannot give the government the private key, since it never had the private key in the first place.
Even with self-signed keys, HTTPS completely defends from passive interception, as long as the server is secure. Passively recording the data does you no good.
What is being talked about is active interception, also called Man-In-The-Middle (MITM). To do a MITM attack, the attacker pretends to be the server to the client, and pretends to be the client to the server. To do that with HTTPS, the attacker needs a certificate trusted by the client, else the client will complain about the server certificate. That is where corrupting a trusted certificate authority is useful for the attacker.
With a VPN it is different; the VPN is already "in the middle", so corrupting it is enough.
[ link to this | view in chronology ]
Re: Anonymity solutions
[ link to this | view in chronology ]
Re: Re: Anonymity solutions
[ link to this | view in chronology ]
Re: Re: Anonymity solutions
[ link to this | view in chronology ]
Re: Re: Anonymity solutions
[ link to this | view in chronology ]
Payment
Only bitcoin is anonymous, and I avoid it because I don't have a GPU for bitcoin mining and don't know which sellers to trust.
[ link to this | view in chronology ]
Re: Payment
Beware of thinking BitCoin is anonymous. It isn't unless you take appropriate steps.
[ link to this | view in chronology ]
Packet inspection? No, just envelope inspection
This is misleading. The countries you mention regularly inspect the content of communications.
The UK is asking for sweeping powers to inspect the envelope of communications - who you communicate with and when.
It will still require court intervention to carry out wiretapping.
[ link to this | view in chronology ]
Re: Packet inspection? No, just envelope inspection
You may not care too much if someone got hold of your browser history for the past day or week (and, I have to say, it wouldn't worry me that much either), but the real danger here is what's revealed when all of these data points are combined over a long period.
As with personally identifiable information, one piece of data (a 34 year old male who lives in Salford) doesn't reveal that much, but combine it with a few others (drives a Mercedes, works for Tesco) and you've pretty soon narrowed it down to 1 or 2 individuals (cf. 2006 Netflix Prize). You then have a pretty full picture of each person's interests, desires, weaknesses, etc. Combine this with information on what others in similar situations have done before (cf. the Target pregnancy NYT story) and you've got something potentially very powerful, and something I'd rather the government didn't have.
[ link to this | view in chronology ]
Re: Private communication
I don't have the time, but it should be easy to write a virtual POP server, where all mails are retrieved from an encrypted file stored on a file host to Thunderbird or even Outlook.
If the government policy ends up promoting FreeNet, I2P and other decentralized onion/garlic/sneakernet routing systems and make them clic and point for the average user, we have won.
My very simple examples have the advantage that the government couldn't block Dropbox, Wordpress or other mainstream hosting services without risking a larger backlash.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Do not CONTROL the internet to enforce the peace
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Easy solution: Drown the snooper tracker
Could the UK (and IPs) really scale up their storage systems to store every packet if many of us were generating low levels of chaff constantly?
Their bill assumes that there is a cost to generating data like the post office, that everything you do has a purpose and cost. Not true.
[ link to this | view in chronology ]
Re: Easy solution: Drown the snooper tracker
[ link to this | view in chronology ]
A few snippets from the police officer: "Usually we do not need IP adresses because we the computer"... "
"I cannot give any examples on the use of session-logging in an investigation. But I am sure it exists, I just haven't brought it"
The minister of justice was pretty clear on telling that it was impossible to scale back on the surveilance and blaming it on "...pressure from my colleagues in EU...".
In total the police seek 20 times more telelogged info than internet-logged info.
http://www.version2.dk/artikel/massiv-logning-af-danskernes-internetbrug-men-politiet-bruge r-kun-ip-adressen-45584
[ link to this | view in chronology ]
[ link to this | view in chronology ]
I have a potential solution...
2. Configure it as a VPN with no logs and your own ssl cert
3. Enjoy your 50Gb of free unmonitored internet!
[ link to this | view in chronology ]
Re: Re: Re: HTTPS decryption
Mozilla is not known for giving the government anything not legally required. The law only applies to the communication providers not to software vendors.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
What a "great" country!
A country that gives 3000 of its citizens a criminal record every single week for not having a TV licence.
A country that routinely collects the DNA and fingerprints of its citizens regardless of whether or not they've done something wrong.
This is "Great" Britain?
[ link to this | view in chronology ]
anonime anonymous ...
[ link to this | view in chronology ]