I am not from UK, but listen to me if any folks from UK are reading this.
This is one of the things that is harmful to your privacy. Should the list of websites that you visit be available for government unless you are under active investigation? Its not just the list of websites but every packet data that your devices send out, which means government could see your messages, data sent to dropbox, online spreadsheet like google docs etc. This is mass surveillance. You should be proud that your government have a website were you can start petitions. Now please use this feature and sign the petition so that this surveillance law can be repealed.
You sign the petition and ask your close friends and family to do the same. What you do not need is an intrusive government. I am voicing this because even though I am not a UK citizen, I do not want law makers in my country thinking "Oh those chaps has a fine surveillance law and their citizens are okay with it. Lets adopt that law".
As much as I'm strongly against this bill, that petition is so poorly worded that there's no way I'm going to sign it. I did sign a somewhat poorly worded petition before and, not unexpectedly, the condescending "response" merely addressed the more hyperbolic rantings it contained rather than any of the reasons over 100K people signed it.
There really needs to be some way to greenlight draft petitions before they start getting major traction, so that anything that makes it to parliament reads like it was written by either a lawyer or journalist and not some outraged and poorly-informed 14 year old.
I really seems like that site only serves to placate people that might otherwise write to their MP, go out and demonstrate, or take some other form of potentially effective action, while never actually achieving anything.
Write to your MP instead. And please try to present a cogent, well-informed argument that might actually persuade that MP to champion the cause. Rants like this petition might be effective when it comes to preaching to the choir, but it's never going to change anyone's mind.
Don't rely on that one, google for yourself any poll in the last 10 years. In fact, think about just about any issue that you care about but is not current government policy, and google an opinion poll on it. You'll begin to see that democracy functions very effectively indeed. There are exceptions, such as the death penalty in the UK, but mostly legislation follows the opinion of the public (the voting public actually) quite closely, as we see with gay marriage and drug decriminalisation.
A little over half of those polled were okay with "Police and intelligence agencies [having] access to this information for anti-terrorism purposes". The YouGov report also shows that there's much less trust in politicians and civil servants to "behave responsibly" with such data.
The Guardian article says that "[records] will be made available to a wide range of government bodies", which sounds like politicians and civil servants to me.
Given that the government doesn't have a great track record of proportionate use of these powers, I think this isn't the same as the question asked in the poll. (For example, at a local level http://www.telegraph.co.uk/news/uknews/3333366/Half-of-counc...)
You're completely right. I would just point out that it's very close even when the question is explicitly phrased to specify politicians and civil servants (45 - 46%). It's likely that those with more trust in politicians are most more likely to be actual voters.
I'm from the UK, and I'm not signing that petition.
Maybe we do need an intrusive government? Maybe we, as a populace, believe that the data will save lives? That the cost of it existing is worth it compared to the cost of not having access to information on ~insert bad person here~. Maybe you value your privacy differently to us?
That's ok, btw, and I respect your point of view. Please, however, consider that alternative viewpoints are valid before telling everyone else what they must do to ensure their country is governed in a way that suits you.
I don't believe the end justifies the means, nor do I believe that data will be as useful as meatspace intelligence. Terror will continue anyhow. The war on encryption and privacy persists despite the fact that terrorists haven't even bothered to use encryption in the last attacks.
Obviously we don't get to tell you how to run your country, but at the same time we can certainly be troubled by your country's actions.
tbh my personal view is not entirely aligned with the one I made the comment - I just get incredibly frustrated by the tone of some posters. Statements of how all right minded people must behave, because no other viewpoint is valid.
I suspect that many of the people for whom this is a non-issue are demographically similar to those who voted for brexit. Their perspectives are different, and shouldn't be dismissed as merely ignorant.
Of course you can be troubled, and you're free to make arguments for why it may be considered a bad thing™ - influencing Brits to give a shit.
> That the cost of it existing is worth it compared to the cost of not having access to information on ~insert bad person here~
Can you give an example of "insert bad person here", where having more data made a difference?
> Maybe we do need an intrusive government?
We don't need intrusive government any more than intrusive neighbors. How do you even come to a personal preference for invasive government? Seems actively against self interest.
> Maybe we, as a populace, believe that the data will save lives?
Based on what evidence though? And what lives? How many British citizens were killed by terrorism in the last 5 years? You have far more people dying of smoking or car crashes.
> Maybe we, as a populace, believe that the data will save -American- lives?
I'm not trying to be snarky; I'm genuinely confused. Are you saying that UK citizens support surveillance, by and for the UK government, because it might aid the welfare of American citizens?
Alright, but then why are politicians and the media exempt from these data logs? What if you have a double agent in some government position, how would the government audit itself to guarantee it isn't being infiltrated?
Petition
Repeal the new Surveillance laws (Investigatory Powers Act)
A bill allowing UK intelligence agencies and police unprecedented levels of power regarding the surveillance of UK citizens has recently passed and is awaiting royal assent, making it law.
Signed but I suspect this will be treated with as much contempt as other petitions have.
I think the best way of handling this is to have a private code of ethics in the IT industry in the UK. If you are involved in any collection infrastructure, do like a government IT project, and make a complete fucking mess of it I.e. make it cost a fortune and bring bad publicity for any sponsors. Use O(n!) algorithms, use IO heavy storage patterns, piss all over cache lines, spend the entire budget having meetings in Wagamamas, write yourself a new minivan, overestimate everything and play solitaire.
Stick the reply on pastebin with a note explaining how it doesn't stop pedophiles and terrorists, explain how it protects incumbent pedophiles in the political class as per pizzagate, then post it on reddit, 4chan and to the opposition (actually forget the latter as they're just as bad).
I do wonder (perhaps naively) whether this is a genuine misunderstanding of the argument for privacy/encryption or something more malicious. Is it that politicians haven't spent enough time thinking about this or are they willfully ignorant of the wrongness of their argument?
That distinction doesn't really matter. Willful ignorance by anyone in power should definitely be classified as malice. Remember that as your representative, they should be able to explain their actions to you.
It's an interesting point. If they are ignorant (perhaps without the wilful), then perhaps when you present them with facts and information, they might change their mind. If they are malicious, they won't change their mind in the face of any facts or information, because their motivations are underhand and cannot be reasoned with.
I suspect in cases like this it's probably a bit of both (and perhaps in the case of this particular MP, she might just be toeing the party line).
They already are communicating, on huge services like Twitter, that are constantly monitored. ISIS & JaN Surrogate accounts, as well as Assad Regime Loyalists (Which for some, count as Terrorists) freely use online services under the radar.
The time to stop encryption is gone. TOR & Signal have seen to that.
> I do not believe that it is reasonable to allow terrorists, paedophiles and criminals to be able to use these same services out of sight to perpetrate criminal acts which harm UK citizens.
Oh god that must be so much fun. Working on projects with the intent to deliver the worst in every aspect. I'd like to add terrible UI and UX, deliberately throttling any connection to anything and the prerequisite for users to learn obfuscated regex for any simple old search query. Make a ton on teaching absolutely useless knowledge in the process.
In any other circumstances this would be fraud and unethical, sure. But is it when you're preventing digital fascism?
The one I always come back to is the National Road Pricing Proposal a few years ago - a big petition (nearly 2 million) completely killed it. It does require a lot of people to get noticed though.
The privacy concerns nonwithstanding, I'm puzzled how ISPs are supposed to actually implement that load of bollocks.
We're talking DPI here, applied as a dragnet on each and every connection. The bill explicitly states that every connection is to be tracked, which means it disallows the stochastic methods that normally are used for traffic instrumentation.
And even storing "just" the metadata, over the course of a year, that's quite a significant amount of data. Where the hell are ISPs supposed to store that? And store it securely in a way, that only "lawfull" access is possible.
That bill is stupid and ludicrous and the people who came up with it should be institutionalized, IMHO. Not just because of the privacy concerns.
But it's more than that. If it's illegal to spy, that means you can't disseminate the fruits of that spying far and wide. You need to resort to parallel construction and carefully safeguarding your sources.
This allows a massive expansion in the scope of capture and use of that information to more agencies in a "legitimate" manner. At least when it was illegal they had to contain the "conspiracy" lest it get out.
Indeed one way to devalue this information would be to swamp ISP servers with 'fake' data; hide our real activities in the noise. What we need is someone to release a modified versions of Chrome/IE/Firefox that spends all your browsing downtime accessing 'dodgy' sites. If everyone starting using it this information would soon become either impossible to store and pointless as everyone is a criminal according to the data.
The problem I see is not the computational power required for implementing the DPI, but the storage capacity and bandwidth required to implement retention for upo to a year. Lets assume that ISPs were applying a data cap of, let's say 200GiB/month. MTU for Ethernet is 1500 octets, with PPPoE it's 1480. IP Headers are at least 17 octets, so around 1% overhead for a optimally utilized connection. In that situation this gives about 2GiB/month of IP header data. Even if you strip that down to just the source/destination address that would still leave you with 800MiB/(customer·month) of data. That's the bottom baseline you have to provision for.
Of course your typical TCP stream is highly redundant and even simple RLE compression will cut that. But ISPs have to provision for the worst case. Currently there are about 60M internet users in the UK.
That would amount to about 536PiB/year of retention data to be provisioned for (worst case). And even if due to redundancies you can compress that down in practice that's still a lot of harddisks to keep around just to store the bare minimum (who with whom, but without context) of a whole country's internet traffic metadata (about 100k HDDs).
That's a significant investment that's expected from ISPs to be implemented in a very short timespan.
This whole business has got me wondering if it's even theoretically possible to prevent the site identity being visible to middlemen. Like you said below, even without SNI the cert is sent in the clear, and I can't think of a way around that. You'd need to somehow set up a secure channel before communicating site identity, but encryption without authentication is insecure in the face of MITM, and you need to establish site identity before you can authenticate the server.
I suppose, with IPv6, we could do away with shared-IP virtual hosting, and hence SNI at least; and perhaps we could even devise a system whereby the domain is omitted from the cleartext-transmitted handshake, say by using the IPv6 address as the cert's DN instead... but then that numeric address would serve as a surveillable site identifier, and you can still be tracked.
Is there any active research in this area? Is it provably impossible? Anyone know?
The domain (hostname) you request is inside the encrypted communications between you and the remote server. Only the TCP information is visible (IP, source port, destination IP, and destination port.)
It's the DNS request which reveals the domain you requested.
Have a look at https communication in Wireshark for example. What you wrote is incorrect. Https reveals the domain at least one time these days. First, ssl extension SNI (https://en.m.wikipedia.org/wiki/Server_Name_Indication) is sent, which reveals the domain you're requesting. This happens before the keys are exchanged.
Then, the matching certificate is sent (again in plaintext) from the server so that you can verify it and extract the keys. It will contain the domain again, although it may be a partial one like *.example.com
So no, the domain is public. The full URL path is encrypted though.
Disclaimer: I won't claim to have read the law or even caring about what happens in the UK.
From reading related articles, I get the idea its requirements can be implemented in terms of a browsing history, which could point to a date in the internet archive for all the legislator cares. Hint: that's how you compress browsing habits for > quadrillions of requests.
I don't see why one would need complete packet traces of the whole thing.
> From reading related articles, I get the idea its requirements can be implemented in terms of a browsing history, which could point to a date in the internet archive for all the legislator cares.
Good luck doing that with a TLS secured connection. All you see is the TCP stream between the two peers. And thanks to PFS enforced on the server side you can't even go around and force people to escrow their keys.
> I don't see why one would need complete packet traces of the whole thing.
Because that's the only thing an ISP is able to see of a properly encrypted connection.
So ISPs can now be coerced, by law, to allow for MITM in TLS connections. Another reasonable expectation from buyers of DPI products.
Like I said, nothing technically absurd about this law. It is its profound disregard for privacy that we should be discussing, instead of spending our time on technical issues which are solved.
But it's useless to save the encrypted bytes so nobody will do it. It doesn't matter the connection is encrypted - you still get the following information:
Source IP, mapped to customer. Timestamp. Target domain (from SNI or the certificate). Passive system identification (os, browser).
The only thing they're additionally interested in is the link and that's the only thing that encryption hides. I'm not sure they even care about cookies and headers in ICR
Also a few years ago DJB proposed to make a systems hostname the nonce of a key/signature and use secured DNS (DNSSEC or DNSCurve) as a means for establishing a web of trust; a CNAME would be used to for translating www.example.com into ${NONCE}.example.com.
Since DNSSEC (and DNSCurve) allow for signature verfication against a small number of root keys (ATM a single digit number) it'd be trivial to ensure an unbroken chain of trust for name resolution, which essentially completely mitigates a state level MitM attack on DNS.
So by combination of securing DNS and nonceing the hostname into TLS certificates you can throw quite a log into state level crypto circumvention. Of course the critical problem is rolling out all the necessary protocol changes and implementation. And of course DNSSEC is used only homeopathically ATM (and yes, I'm guilty of not having implemented for my stuff as well).
Create 291 days ago | parent | on: UC Berkeley profs lambast new “black box” network ...
Transparent monitoring for your protection
In keeping with this spirit, here is a reminder of how we monitor (your) CERN activities. We monitor all network Traffic coming into and going out of CERN.
Our new analysis infrastructure will be able to cope with the automatic live analysis of about one terabyte of data every day. All this data is stored for one year.
That's traffic analysis, not traffic metadata retention. The problem is not the computational load, but the storage capacity and bandwidth requirements.
And what is stored at CERN is the analysis results of the data, not the data history itself. Also it's one TiB/day in total for the whole of CERN.
Which refers to the result of the analysis. If CERN would retain all the data that crosses their network, or just the metadata they'd have to roll in truckloads of HDDs each day.
I will seriously never understand the imbalance of resources spent and the bills and laws passed in the name of "fighting terrorism" and "think of the children" which affects less people every day than pretty much every alternative way to suffer and die.
It doesn't make any sense. We spent trillions of dollars every year making intelligence and the military war machine one of the largest shadow economies in the world... We could pretty much solve every other form of death and illness with that money in less time, we could raise everyone in the country out of poverty with that money so they could stand on their own two feet. We could educate those that need education so they could get jobs and stand on their own without the need for Government handouts. So what the fuck.
Some days though, all you can do is throw your hands in the air in resignation and say "Fuck it, you're all crazy! You cause problems and you spend billions of dollars to band-aid the symptoms, just like you do with your medical system."
The underlying cancer is this mentality. We'll do what the fuck we want and treat people the way we fucking want because it makes us rich and then we'll spend billions to deal with the symptoms of this dumbass behaviour.
I hope the riches are worth it because the behaviour is (and I don't treat this word lightly, nor do I mean it with any disrespect whatsoever to those that unfairly get labeled with it) retarded.
Yes, it would be stupid as a policy for the common good. But the common good is not really anyone's job. You know that XKCD comic about standards? ("Now you have n+1 of them.") Modern governance after a few centuries of evolution is like that times a million, and this misadapted collective decision-making is the great crisis of our time, a much bigger deal than climate change, for example. (If we could collectively think clearly and coordinate then we'd see climate change as a serious problem needing both immediate action and longer-term research and technology development, but probably well within our power.)
Programmers might help by making better tools for thinking and coordinating. Perhaps with a collective IQ boost for enough of us we can avoid the worst.
Humans are absolutely terrible at assessing risk probabilities.
People worry about flying when stastically they are far more likely to die on the drive to the airport.
They worry about terroism when they are 50lbs overweight.
...and on and on, You'd rather hope the government would be better at assessing these risks in terms of a policy framework but they aren't they appeal to whatever the papers are focussing on and subscribe to the "we must do something, this is something ergo we must do it" school of thought.
I always find myself saying the same about humans... usually when I'm sitting on an airplane:
It concerns me that in approximately 195,000 years of human history (arguably), this is as far as we've managed to come in terms of intra-planetary travel.
It boggles the mind that with the combined ingenuity of the human race, over a period of 195,000 years, we haven't come up with anything more efficient than airplanes. I find it quite pathetic honestly. I expected better of us. It's quite disappointing really.
We wage pointless wars to extract resources from countries we don't want to negotiate fairly with in the name of riches and greed and frankly we've got better things we could and should be doing.
In fairness to humanity, We've been around for 195,000 years but we only hit the critical mass of modern technology in the last few centuries, progress since then has been incredibly rapid against pretty much any natural timescale.
So it's more like 194,700 years of stumbling around tripping over our feet and 300 years of actually making progress.
We went from steam engines to the moon in <300 years.
Yes I'm aware ancient civilizations had made progress and fell back but nothing like the civilizations we have now in an absolute sense, it's really fair to compare a Xeon processor to anything that went before.
Its very possible humans may have been advanced enough within last 30000 years and could've nearly killed itself off the face of earth. We may be descendants of some tribe living in very primitive conditions who started with old generation tech artifacts. Could we have built pyramid with tech we(the current humans) had a thousands of years ago? I think those tech and knowledge has been looted/confiscated by people(us) who invented looting and overtime got destroyed as they didn't have the know-how required to operate or maintain it. Old technologically advanced humans may have never researched on to build weapons as there was no need for it until someone invented killing and looting them, but by then there wasn't enough time to develop defensive weapons. So theyall died and got there tech destroyed and looted by us. We may have only recently within last 2000 years started to develop tech.
Any technologically advanced civilization would have disturbed the earth in ways that would still have shown today (mining, top soil removal, vast irrigation works etc) as well as used at least some of the natural resources, We'd find strangely high concentrations of materials even if it was spoil.
Advanced technologies don't just spring out the ground full formed, you have to bootstrap up the tech tree, something as 'simple' as an iPhone requires vast industrial capabilities backing it from mining and refining the metals, the oils for the plastics, the silicon for the processors, the copper for the traces, each piece of technology is the center of a massive web of interconnected industries and finally people, for advanced technologies you need thousands/tens of thousands of specialists in every single part of the production chain.
AIUI, he is now only allowed to oppose them in private (or leave the cabinet):
"All ministers, whether senior and in the cabinet or junior ministers, must publicly support the policy of the government, regardless of any private reservations."
Depends on how you look at it. Remember that in UK, there's no concept of separation of powers - the Parliament is sovereign, and the executive (monarch excepted) derives all power from it, inasmuch as the Parliament chooses to grant it. And one of those powers is to set policy for the entire cabinet.
In a sense, UK actually has too much democracy, and too few [formal] checks and balances on the power of the elected legislature.
Assuming you are in support of his former public position, I think you'd be shooting yourself in the foot by doing that.
We don't know his private position any more, and it may have changed. But I think it's quite likely that his opinion hasn't changed; he just isn't allowed to state it publicly any more. In this case, it would be better for supporters of this position to keep him in the cabinet, where he can at least have a private influence. Consider this: if we could get everyone in the cabinet to share his opinion, we wouldn't have a problem any more. We need more David Davises in cabinet, not fewer.
The MPs to vote out are all the ones who are publicly in favour of the Snoopers' Charter. We can be far more confident in having an influence in our favour this way.
There is no restriction on where you must live to stand for parliament- I encourage you to stand against him!
Although, I would concentrate on Theresa May herself (I considered doing this at the last election when all this was mooted but blocked by the lib dems, but I stood where I live instead.)
Sounds like it is both intrusive and useless at the same time.
If you're not going to see what people did on a site, what's the point? Presumably nefarious stuff like pedo rings and dark markets will not stay in the same place very long.
At the same time, people can see what kind of politics you're into. Or porn. Or dating. Which is not terribly useful for the public interest, but you can see a cop abusing this for personal gain. I think Snowden mentioned his colleagues used to stalk their exes.
Also, anyone who's accidentally left WireShark open will know how much data you're sucking up. It's not actually a small amount, and it compounds if you're an ISP. And it sure isn't easy to filter huge pcap files, which you'll have to do if you want to find something specific. And then you have to glue the clues together, totally non trivial.
Last, how will this be used in court? Knowing what sites someone visited is not evidence they did something. Some guy visits an ISIS homepage, is that because he's curious or he's getting bomb manuals? At best you can use it to suggest some guy is a sympathiser, when he might well not be.
> If you're not going to see what people did on a site, what's the point?
Because you are not a unique and special snowflake. If you regularly go to /r/The_Donald, it says something specific about your politics (probably). Same for /r/LateStageCapitalism or /r/trees. It might not say much, but it adds up to a profile of who you are and what you think about.
If you are emailing certain people, or tweeting them or whatever, GCHQ can build a social graph of people you know, who they know, etc. If you are the friend (or friend of a friend) of a person of interest, you're more likely to be of interest yourself. There are not many criminals like the una-bomber working entirely on their own - most of us need encouragement and/or provocation, and nowadays much of that happens online.
If your search phrases include things like "how to make a bomb", you're probably going to be on a database somewhere. There have been numerous serious court cases (e.g. murder trials) where the prosecution have presented evidence that the accused's search history included phrases like "how to dispose of a body" or "how to poison someone". In other cases, jurors have been dismissed for using Google to research the background to the case they are serving on. I wonder where the information about these searches came from?
Metadata is important for identifying "interesting" people. When you have found them, you "zoom in" and start hoovering up all the information you can find, not just the metadata. It's the greatest spying tool ever, and a way to implement highly repressive government too - just start monitoring people with different lifestyles or "way out" opinions.
> Because you are not a unique and special snowflake. If you regularly go to /r/The_Donald, it says something specific about your politics (probably). Same for /r/LateStageCapitalism or /r/trees. It might not say much, but it adds up to a profile of who you are and what you think about.
They won't be collecting that information though. They'll only see that you visited reddit.com in all those cases.
AFAIK browsers will not provide a referrer if the previous page in case you go from https to http. Firefox has an option to disable https to https referer sharing btw.
From the article:
"Those ICRs in effect serve as a full list of every website that people have visited, rather than collecting which specific pages are visited or what's done on them."
And from another site on the same issue:
"When you visit a website you usually start at
the websites homepage such as
www.bigbrotherwatch.org.uk/ the
Government define this part of a website
address (the part before the first forward slash)
as communications data which they consider to
be non-intrusive information." (https://www.bigbrotherwatch.org.uk/wp-content/uploads/2016/0...)
In fairness the law mandates they record the domain, it doesn't say anything about capturing more it just sets a standard for the minimum.
Given that the ISP's have now been given cart blanche to collect data that is very commercially valuable I can see some of them doing it with the hope they can sell it later.
Doesn't that social graph require them to know what you're doing on a given site?
I suppose they already have that power, otherwise we wouldn't have what you describe.
But the article says they're only gathering connection metadata, this law anyway. I guess they're already doing even more intrusive things, at least as a way to know who to get "legit" evidence on.
This illustrates how slippery the distinction between communications data and metadata really is. The examples in the first paragraph would all just record that you had been to www.reddit.com.
> If your search phrases include things like "how to make a bomb", you're probably going to be on a database somewhere. There have been numerous serious court cases (e.g. murder trials) where the prosecution have presented evidence that the accused's search history included phrases like "how to dispose of a body" or "how to poison someone". In other cases, jurors have been dismissed for using Google to research the background to the case they are serving on. I wonder where the information about these searches came from
And you can get that straight out the history on the browser of the suspect as well, someone daft enough to google something that incriminating from a machine they own on a connection they own is possibly daft enough to not delete the damn search history.
It's amazing how bad some people are with computers, like astoundingly bad, It's easy to forget as techies/developers that not everyone even understands crudely how a computer works.
a way to implement highly repressive government too - just start monitoring people with different lifestyles or "way out" opinions.
Or even better start using it to monitor opponents and discover their weak points and alliances. If you wanted a recipe for tyranny when a vindictive leader comes to power, this is it.
This is really a legalisation of the law-breaking that has been going on for decades from GCHQ, and the expansion of their data out to a huge number of government departments. There will be abuse of this system at all levels.
As everything else, it takes step at a time... first they will record a website address, the people will calm down and get used to it, ISPs will implement the storage. Then they will find a reason to implement another law that will require to record what we do on the websites. There is no coming back. It will evolve as everything else humans touch.
> I wonder where the information about these searches came from?
I've also wondered about that. Presumably it could simply be from the browser history of a seized computer. But now, who knows?
Will it become standard practice to look up the internet history of anyone accused of any crime? Who decides whether this stuff is admissible as evidence?
I would urge everyone who can to sign the petition against it.
This, in my mind is a problem, not because of the obvious costs (ISPs storing _literally all_ metadata for a year), and the insidous privacy concerns, but how bad Govts are at keeping information secure. Below are 3 recent and well known examples of Government Mass Data leaks- this information will be compromised at some point, for profit or espionage.
IMHO, trotting out "If you've got nothing to hide, you've got nothing to fear" BS doesn't mean that at some point, that data will be misused, even if the UK (My) Government doesn't suddenly turn dictatorial.
Even if, for whatever reason, you agree with governments being able to access this data in extreme cases (suspected terrorism, whatever) and even if we put aside concerns about governments misusing this power, this bill also relies on ISPs keeping data safe. That is a huge risk in itself.
Not to mention the number of government agencies and departments that can access your data [0]. Does the Department for Transport, Food Standards Scotland or the Welsh Ambulance Services NHS Trust really need access to my browsing history?
Might be a flippant comment, but that's the first thing that went through my mind. I've never gone deep into caring much about government overreach, but that was a terrifying subconscious reaction.
This may just be a reflection of the fact that signing petitions (especially online ones) achieves very little. Sure you might get a debate in parliament about it but that debate could involve a handful of MPs and take a few minutes, concluding that everything is fine.
This has already been debated extensively in parliament, and got voted through.
I would urge everyone who can to sign the petition against it.
This, in my mind is a problem, not because of the obvious costs (ISPs storing _literally all_ metadata for a year), and the insidous privacy concerns, but how bad Govts are at keeping information secure. Below are 3 recent and well known examples of Government Mass Data leaks- this information will be compromised at some point, for profit or espionage.
IMHO, trotting out "If you've got nothing to hide, you've got nothing to fear" BS doesn't mean that at some point, that data will be misused, even if the UK (My) Government doesn't suddenly turn dictatorial.
I have lots to hide, and I have plenty to fear from the current government. I sincerely doubt that there's anybody out there who doesn't. I'm not going to worry too much about GCHQ and other Security Services, because I seriously doubt they'll be making any requests - I have no doubt that they have a far more comprehensive database in place already, and they're only included in the proposal to lend an air of legitimacy to the proceedings.
What concerns me is the sheer number of groups that are being given access from the start, not because of who is on it, but because somebody has compiled that list in the first place. It suggests that there is already a longer term plan in place for the use of this data, and these are the entities who will need access to achieve that end. Otherwise, surely the approach would be a lot more cautious - "We'll limit it to GCHQ and the Secretary of State for now, and all requestss can go through the SoS. That will give us an idea of who actually needs this data on a case by case basis, and we can tweak the legislation as necessary based on that."
Then you look a little closer at some of the entries. Why would the Fire Service need access? Nothing in their job involves anything to do with individuals, at least not to the degree that they have any requirement for access to any data about them. Well, it doesn't say Fire Service. It says "Fire and Rescue Authorities under the Fire and Rescue Services Act 2004". Take a look at that act. Unless you're in Greater London, your fire and rescue authority is your local council. Why did they feel the need to slip your council in through the back door like that? Granted, access is limited to "Watch Manager (Control)", which sort of sounds like a Fire Service position, but it's vague enough that you could legitimately assign that job title to a Traffic Warden's supervisor without anybody batting an eye.
Why do the Food Standards Agency need access? Access for them is restricted to Grade 6, which doesn't seem to have any job title definitions, only a pay range - as of August 2015 it was £54,000 to £69,500. So any person who commands that salary, regardless of whether they need it for that job, will have this access? That doesn't seem a particularly clever way to manage data access.
I don't have anything to hide- but a malicious attacker could easily cause me to.
Step One: Maliciously cause the target to click on a link or open a url (Phishing, Exploit, RFE, XSS etc)
Step Two: With JS, one can easy introduce HTTP connections to any number of websites, such as maybe the Taliban's official website (They have one!), Google Searches for (to think of a few) "Gaziantep Places to Stay", "Turkey Flights", "Opposition to the Kuffar at home", "Dabiq Magazine", "how to join the Khalifah" etc
This could easily be done in a realisic appearing manner, especially to ISP/GCHQ filters and alerts.
Step Three: If any of this tallies with any physical activity (Let's say the target wanted to go Clay Pigeon Shooting, or Visited a Gun Club because he has in interest in .22 target shooting), then they have a case.
Sure, it's defendable, and this is a really simplistic example. But it's basically ruined the target's life.
Remember, it's probably not the "Government" doing this, as this info will be leaked.
EDIT: heck, I'll be stuffed- I tend to actively visit /r/combatfootage...
> Granted, access is limited to "Watch Manager (Control)"
FFS, are they deliberately choosing the creepiest sounding job titles to give access to?! Sure, it sounds fine when it's linked to the Fire Service, but it sounds dodgy as hell when applied to the Internet Snooper Service.
Here's a nasty example of where this is going. Agencies will be able to compile "watches" on searches across the UK.
The Food Standards Agency will have a trigger for anyone that searches for "Salmonella" for example. They then cross reference the source IP address to any restaurants. Then they march in there and close it down.
Anyone reading this from the UK: don't lose hope. You can change things. The recent uptick in fascism in the UK is really disheartening but your voice needs to be heard.
For example, they tried to bring in censorship in Australia and failed. Change is possible. Don't be a pushover. You must fight.
I predict that a year from now there will be a massive data leak (perhaps known to some underground circles only) with personal details matched to browser history - why - because most agencies in UK does not know how to handle your data securely.
Meanwhile, you better setup your VPN on DO or one of the cheap ARM-based cloud hosting companies. That's what I did and it works flawlessly for as cheap as $5 a month - or the price of a cup of coffee.
This setup is fine for all types of activities except downloading larger data files, which can be offloaded elsewhere with some clever routing or just jumping on a different box.
I do understand that this might be too much for the average Joe but if you care about your privacy, that exactly what it takes.
> Those ICRs effectively serve as a full list of every website that people have visited, not collecting which specific pages are visited or what's done on them but serving as a full list of every site that someone has visited and when.
So running search engine crawlers like yacy or using browser link prefetchers, could cause sites to appear on this list, you haven't even visited?
Even if you don't use that, you have to investigate every link and external site resource, if it points to a domain/site that also hosts illegal stuff? And how do I do that? Using VPN?
Also content and owner of sites change. I can't imagine such "prove" holding up against a good lawyer in a fair court.
What exactly are they logging? IP addresses, reverse domain names, dns lookups?
They just should provide a white list of sites the lawful citizens are allowed to visit. That would make things much easier and safer for everyone. And the government exists to keep the citizen safe, isn't it?
"The first duty of any government is to keep our country and our people safe." - David Cameron
That will be the ultimate end game: whitelist of sites, all of them large companies controlled by the government. Either do what we require or be eliminated from the list. Even VPNs only work if the connection to the VPN is permitted.
I don't have anything to hide- but a malicious attacker could easily cause me to.
Step One: Maliciously cause the target to click on a link or open a url (Phishing, Exploit, RFE, XSS etc)
Step Two: With JS, one can easy introduce HTTP connections to any number of websites, such as maybe the Talibans official website (They have one!), Google Searches for (to think of a few) "Gaziantep Places to Stay", "Turkey Flights", "Opposition to the Kuffar at home", "Dabiq Magazine", "how to join the Khalifah" etc
This could easily be done in a realisic appearing manner, especially to ISP/GCHQ filters and alerts.
Step Three: If any of this tallies with any physical activity (Let's say the target wanted to go Clay Pigeon Shooting, or Visited a Gun Club because he has in interest in .22 target shooting), then they have a case.
Sure, it's defendable, and this is a really simplistic example. But it's basically ruined the target's life.
Remember, it's probably not the "Government" doing this, as this info will be leaked.
UK citizens, help me out: Is there a way you can appeal against laws like this? In Germany, something like that would be thrown out by the Bundesverfassungsgericht, the federal constitutional court. Is there nothing similar in the UK?
Slightly more complex than that, as the ECHR isn't an EU institution, so Brexit won't result in any significant change to the relationship with the ECHR (it's a little more complex than I've made sound, as there are some relatively minor links with the EU).
However, May has stated her desire to also leave the European convention on human rights (and replace it with a UK owned Bill of Rights). This is not something that's happening as part of Brexit, and no bills have been presented before Parliament with this as a component or purpose.
I would assume that the government would take the pragmatic approach that it's better to focus on Brexit for now, and deal with the ECHR once Brexit is over with. However, I have no inside knowledge of this, and that's just my wild and unsubstantiated assumption.
There is one other relevant complexity. ECHR membership is a condition of being a member of the EU. Brexit has to happen for the UK to depart from the ECHR.
So voting for Remain was also a vote to keep the UK locked in to the ECHR. Voting for Leave was also a vote to release that lock.
The European Court of Human Rights is separate from the EU and the UK will will still be part of it after Brexit. But the political climate might be such that leaving ECHR could follow on from Brexit
It'd be great if the UK had a written constitution. But let's also be realistic here. The US also has a written constitution and the NSA has a database exactly like this one anyway, and such databases are also available to a mishmash of random law enforcement bodies. The constitution didn't help.
Also, the UK is signed up to the ECHR which theoretically guarantees a right to privacy. It's sort of like the US Bill of Rights except useless, because it was drafted by Europeans so every right has a giant get-out clause. In this case the so-called "right" to privacy exists only as long as it doesn't conflict with the "needs of a democratic society". That sort of thing crops up all the time in this document.
It's not sufficient to have a constitution. It must have teeth as well.
Germany has a proper constitution which makes it easy to judge if something is unlawful. In the UK, the constitution is just a collection of ways of doing things. That makes it harder to throw a law like this out.
This is really bad. Using a vpn or other kind of service to hide that data from them will now make you even more of an outlier to even more eyes/people. You will stand out from being hidden, you will stand out for having a minimal "internet history", and you will stand out to those who can really fsck your life.
Unfortunately privacy is not being taught and propagated to the general public in order to prevent this from harming you either you want it or not.
Surely the best thing to do is to install software that constantly randomly browses the internet, and properly clogs up any attempt at total logging and/or extracting anything of value out of it. If you're the only one doing it, it will look suspicious, but if you reach any kind of critical mass, I would imagine that it could be quite disruptive.
My plan is to split my network in half, a lot of the traffic I send I really don't care about been monitored (steam/netflix/even work related stuff about programming) but other stuff I do.
That way I'll have a "plane jane" traffic log and some VPN data which is a profile that anyone who works for a large company from home would have.
Unless you put criminal sites in the filter, I can't see how this will help? And if you do...you it will trigger an alert and then they can hax you...legally.
Alternative product idea: An open wifi hotspot that replaces the User-Agent and other client-identifying headers for each session with consistent values, regardless of who is connected. Anybody looking can still see what "your connection" did, but there's no longer any way to prove that any person in your household was the one who made it.
http2 as a transport, some metadata like url or header as a signal for a load-balancer to route the stream somewhere else (to a vpn endpoint in this case).
The list of agencies that will have access without any form of court order or warrant is truly terrifying. I had not realised it was so severe. It was promoted as being something that can only be "responsibly accessed". But this does not appear to be the case at all?
I'm concerned that information gathered from this will be used in court prematurely to perform "character assassination". And as we know, UK courts have a public gallery full of news reporters searching for juicy stories.
Our whole civilization leap frogged forward with the invention of the Internet. Because it connected us humans mentally. We able to share thoughts and ideas and have conversations with anyone on a planet without physical movement. It is a mechanical telepathy if you think about.
What we are seeing with implementing such laws is a more larger trend. Mental world is being taken under control by Mr. Smiths, agents of the matrix. Our thoughts and self-expressions more than ever are under the surveillance.
What I don't know is whether it is a good or bad thing in general for the mankind, but they way our technology worshipping civilizations develops it seems to be unavoidable. It seems we are way too far in this to go back.
I would imagine telepathy being something more accurate than other forms of communication, this is more like having a transcript of every communication and loosely assigning accountability to content.
Because there is rarely anyone arguing against the state being more involved in peoples lives, against making activities of the state harder by safeguarding systems against abuse.
But why is that? I mean in Hungary (where I live) there were demonstrations against Internet Tax which is a much smaller concern. This is a country where a lot of people live in apathy and there is no true democracy. UK is a much mature democracy where people care. Or not? I don't understand this.
When China does it they just do it without mentioning it.
When we do it, we announce it in the Queen's speech then have a law be published, read and voted through both Houses.
As much as I don't like it, an awful lot of other people either don't care or are fine with it. I wish the result was different but this is what you can get when you have a democracy. I absolutely would not want to swap the systems.
Now is an excellent time to set up a custom home router (I'm thinking pfsense to send all traffic through a VPN).
The excuse of "if you have nothing to hide, you have nothing to fear" is not only intellectually feeble; it permits a gradual erosion of civil liberties that can easily find the average citizen on the wrong side of the law should any agency casually find it convenient for them to be so. It is a snowball.
On that note. What VPN services are recommended and has anyone got some good guides to this?
I suggest AirVPN (no affiliation). I’ve been using it for more than a year, and it’s reliable, with plenty of servers and good speeds. If I am not mistaken, it’s operated from Italy.
Another option is to rent a VPS/dedicated server somewhere outside the UK, with decent bandwidth and data cap, and configure your own VPN between your systems, using the rented server as the internet gateway.
I think for many people nowadays, privacy is a quaint, antiquated notion, like Victorian modesty. Things like social media and YouTube have encouraged people to make their lives public, so having the government gather data seems fairly minor.
I find this all very disturbing, but, having grown up without the Internet, perhaps I'm just a relic from a bygone area. Still, I can't shake the uneasy feeling that this all will lead to a very bad place...
Slightly unrelated, but there have been a couple of stories in this area recently which have been widely circulated here and on Reddit all by the Belfast Telegraph.
I wonder why that is, just really good SEO on their part?
Mostly SEO. The "Bely Tely" has been moving towards more mass-market tabloid for several years after losing the quality market within Northern Ireland to the Irish News.
Yes, within NI a 'southern' paper now achieves about the same circulation as one from Belfast and a considerably better reputation for journalism. Quite a remarkable failure on the BT's part.
As a result the BT has been trying to adapt by widening its news remit and shifting into the tabloid space, as a visit to one of its web pages will quickly show. But most of its 'world news' stories are just AP feed, nothing special.
My neighbour's fiance is a night-club photographer who sells to the BT; 20 years ago such a thing would have been unthinkable in that paper.
I am not from UK, but listen to me if any folks from UK are reading this.
This is one of the things that is harmful to your privacy. Should the list of websites that you visit be available for government unless you are under active investigation? Its not just the list of websites but every packet data that your devices send out, which means government could see your messages, data sent to dropbox, online spreadsheet like google docs etc. This is mass surveillance. You should be proud that your government have a website were you can start petitions. Now please use this feature and sign the petition so that this surveillance law can be repealed.
You sign the petition and ask your close friends and family to do the same. What you do not need is an intrusive government. I am voicing this because even though I am not a UK citizen, I do not want law makers in my country thinking "Oh those chaps has a fine surveillance law and their citizens are okay with it. Lets adopt that law".
It was clear the UK was going this way for a while so I switched to a small cloud host for VPN which exits in another country. $5 a month and it took only a couple of minutes to setup OpenVPN with a simple shell script[0].
Also important is to setup outbound firewall (or other mechanism) so that if the VPN goes down, you don't spew your traffic over the open connection [1].
I don't notice any speed difference from daily usage over the last year. Large file downloads I task my NAS to download outside the VPN.
My purpose is only to prevent the ISP from collecting logs about usage, I don't expect it to have much effect if I'm targeted for surveillance and I'm fine with that. Who knows how ISPs will handle the data (we've seen targeted advertising and content injection in the past) let alone all the agencies with less than stellar security practices.
I've got a couple of cheap VPS's with OpenVPN installed and the bandwidth/latency is best described as "intermittent", as there'll be a lost of hosts sharing it on the low end ones.
NordVPN is one I keep seeing talked about, so I'll be looking into them this weekend :)
I heard good things about NordVPN and ExpressVPN. I've been using PIA for a year and it's about to expire - hence trying to decide what is next!
Advantages of a service seem to be location switching, good apps, cheap, and IP mixing.
Disadvantages are that you have to trust them not to keep logs, and lots of Cloudflare captchas, and they would seem like a good target for being compromised by the government.
Yea I'm in the same boat, seen a recommendation for AirVPN which seems very affordable and easy to use but then also those recommending to set your own up, is this doable without much knowledge in the area of VPNs?
In typical UK surveillance state fashion they pander to base fears and unforgivably overlook how bad censorship and surveillance is in places like China.
It's not that the UK GOV "doesn't understand how the Internet works" as claimed by many on this topic, but that the citizenry don't care enough to encrypt. The citizenry aren't scared enough to encrypt.
Education is the key here, and it needs to be bashed into a citizen's skull that The Internet is not a black box, and that traffic moving en clair is fair game by Governments, even criminal threat actors in Starbucks with their fake Free Wifi.
We need to keep building abstractions on top of The Internet to make it expensive for spying to take place. The usual solutions apply; TOR, VPNs, TLS/SSL, PGP, et al.
Which droplet would be best for between one to three people?
From what I gather, the ISP has to record the sites you visit—but not the specific pages. Does VPN stop my ISP from seeing the loaded sites? Or do I need Tor for that? I’m not too concerned about complete privacy, I just don’t want every website I just don’t want my browsing history to be leaked.
If you route traffic and DNS to a DO droplet outside the UK, all the ISP sees is a connection to that droplet and how much data was sent, not anything about what it was that was sent.
It neatly circumvents this bullshit, some suspect doing so will put you on a list for a closer look but if your traffic is innocuous who cares, I'm more worried about my useless ISP leaking/losing such data than I am about state intelligence.
Just the existence of these databases held by ISP's built under lowest cost bids will make them a massive target.
Possibly but I'd quite like to exit in another country sinces another layer of bureaucracy for them to deal with and not all countries have equal policies in terms of privacy.
Until the UK adopts rules regarding SIM card registration which are effective in some other European countries (I know of Germany and Poland): every pre-paid card must be associated with a specific person and vendors won't issue/activate you one until you present them with your ID card.
How is your opsec - i.e. do you vary your purchasing pattern, using random numbers to pick intervals between purchases and a variety of vendors?
I only ask, because routing everything over a VPN provides the illusion of privacy while flipping contracts every month provides some element of real privacy. It is easy enough to check on the activity of people pretending to hide their activity (assuming GCHQ has access to the same access that the NSA do), but real resources have to be spent tracking down people who actually hide their activity.
I have no idea how they allocate their budget for tracking potential threats, but somebody flipping prepaid sims would warrant a closer look if I was analysing the logs.
Indeed, that's a good point and I'm aware of that. They can absolutely track me given enough effort; they probably do it anyway since I'm a developer, I just try to make it a bit costlier for them I guess. For now, I don't bother much rotating vendors but it should be something I do indeed!
How do they think they can map connection logs with specific persons using the connection? All they can see that from one physical address these particular websites were visited. Sometimes that can actually map to a single person but mostly not. This makes the data more useless than they think but also potentially dangerous if they do not understand what the data means.
The only people that this is good news for are the VPN providers. Do we really trust "the state" with this information. History should tell us that once can never be sure of what use data can be put to by future regimes.
It's time to educate people about the value of encryption and the security and safety it provides, each of us, one by one.
There's currently a very good (and timely) deal on PureVPN lifetime subscription for Black Friday. I have no affiliation here, but figured this might be of interest to a lot of people in the UK.
It's not clear how that would be technically possible. ISPs could report users which use VPNs, but assuming the VPN isn't in UK jurisdiction, the govt has no way of forcing the VPN to keep or hand over logs. Their best bet would probably be to hack the VPN provider...
Reading the legislation its not "Entire Internet history" as most people would understand it. It looks very much like they are asking for NetFlow data without saying that explicitly. They want a Time stamp, port, source and destination IP and amount of data transferred. This is terrifying, I think the “Internet history” narrative is being setup to be deliberately confusing.
casual user doesn't see a reason to care about its privacy anyway.
if it changes its mind, google already has a lot of guides on the first page of like "protect privacy internet".
This is one of the things that is harmful to your privacy. Should the list of websites that you visit be available for government unless you are under active investigation? Its not just the list of websites but every packet data that your devices send out, which means government could see your messages, data sent to dropbox, online spreadsheet like google docs etc. This is mass surveillance. You should be proud that your government have a website were you can start petitions. Now please use this feature and sign the petition so that this surveillance law can be repealed.
The petition against this bill is at: https://petition.parliament.uk/petitions/173199
You sign the petition and ask your close friends and family to do the same. What you do not need is an intrusive government. I am voicing this because even though I am not a UK citizen, I do not want law makers in my country thinking "Oh those chaps has a fine surveillance law and their citizens are okay with it. Lets adopt that law".
Now get to action. Sign the petition at https://petition.parliament.uk/petitions/173199