UK 'Snooper's Charter' Seeks To Eliminate Pesky Private Communications
from the eat-your-heart-out,-china dept
As expected, the UK government has published its Draft Communications Bill (pdf) — better known as the “snooper’s charter,” since it requires ISPs to record key information about every email sent and Web site visited by UK citizens, and mobile phone companies to log all their calls (landline information is already recorded).
Since this was only released a few hours ago, people are still trawling through it to find out what delights it holds, but an eagle-eyed David Meyer has already spotted something rather extraordinary: the UK government seems to be proposing to log not just every IP packet, but every physical packet — and letter, and postcard — too.
That’s thanks to Section 25 of the Draft, which states:
Part 1 [the main requirements to log communications data] applies to public postal operators and public postal services as it applies to telecommunications operators and telecommunications services.
And if you were wondering what “communications data” means when applied to letters and postcards, it includes:
postal data comprised in or attached to a communication (whether by the sender or otherwise) for the purposes of a postal service by means of which it is being or may be transmitted
Letters, telephone calls, email and the Web — this is a level of total surveillance that countries like China, North Korea or Iran can only dream of. What remains unclear is how the UK government will try to gather this incredible flood of information, and whether it can access it in real time. Here’s what the site Privacy International thinks will happen:
The government today published a draft version of a bill that, if signed into law in its current form, would force Internet Service Providers (ISPs) and mobile phone network providers in Britain to install ‘black boxes’ in order to collect and store information on everyone’s internet and phone activity, and give the police the ability to self-authorise access to this information.
That article points out that two important questions on the Internet side of things remain unanswered:
However, the Home Office failed to explain whether or not companies like Facebook, Google and Twitter will be brought under the Regulation of Investigatory Powers Act (RIPA), and how they intend to deal with HTTPS encryption.
When an official was pressed on that last point, he gave a rather disturbing reply:
At this morning’s Home Office briefing, Director of the Office for Security and Counter-Terrorism Charles Farr was asked about how the black box technology would handle HTTPS encryption. His only response was: “It will.”
This is going to get very interesting.
Follow me @glynmoody on Twitter or identi.ca, and on Google+
Filed Under: draft communications bill, isp, snooper's charter, uk
Comments on “UK 'Snooper's Charter' Seeks To Eliminate Pesky Private Communications”
Welp.
It just got all 1984 up in this shit.
Re: Re:
It’s been 1984 for a while now. We’re easily at 1993 by now.
Daft
For a second, I thought it said “Daft Communications Bill”…
though .. it probably fits just the same!
AND??
lets see..
How much data can be captured before they give up.
Another point..
is to see WHO SUES the UK for invasion of privacy..FIRST
Re: AND??
This does seem to violate EU law.
And this is how democracy dies...
Alright I want off this damn planet…
So when are people going to -wake up- and realize what’s happening? Is it time for an armed revolution yet? Because I’m ready for it to begin.
Re: And this is how democracy dies...
Nah, they prepared for that by banning firearms. It’s back to pitchforks for our revolution.
Re: Re: And this is how democracy dies...
Don’t forget the torches. Very important for symbolic reasons, and remember, the UK has removed fire extinguishers from many buildings because they were hazardous to residents in the event of a fire.
Re: And this is how democracy dies...
Looks like we have another one trying to hide, track their I.P. Address, and update their security protocol.
Re: And this is how democracy dies...
Me too 🙂
And this is how democracy dies...
probably once they figure a way to throw off US influence that doesn’t end in nukes landing on their heads if they actually manage to win…
among other things.
Things That Make You Go Hmm
You Americans are so lucky. You have the truly glorious fourth amendment of your constitution protecting your rights. It says: “The right of the people to be secure in their persons, houses, papers and effects, against unreasonable searches and seizures, shall not be violated …” So naturally, your privacy is respected by your government. None of this intrusive snooping could ever happen in USA.
Hmm.
Re: Things That Make You Go Hmm
Read “Enemies” by Tim Weiner, a detailed history of the FBI and Hoover in particular. You will find that the US govt has only ever treated the Bill of Rights with contempt and ignored it when it interfered with their investigations. The only difference was that they spied only on people and organisations they were obsessed with due to technological limitations. But the US government has never cared in the least about personal privacy save when it became an election campaign talking point. This current stuff is nothing new, rather business as usual.
“Interesting”, you say? I thought understatement was our shtick. I don’t know if I want to man the barricades or man the lifeboats.
On the plus side, the odds of the surveillence technology performing as advertised are quite astoundingly remote, given our previous history with government IT projects. Either they’ll be defeated by the most rudimentary additional encryption measures, or the government will neglect to employ enough people to actually sift through the huge influx of raw data and it becomes nigh-impossible to perform any sort of targeted intercept with probable cause.
Things That Make You Go Hmm
lmao, you forgot your sarcmark.
i am confused about one thing though… last time i’d heard anything about UK privacy laws it was something along the lines of not being able to use cloud services like google and such, because they couldn’t be certain US based companies measured up to the much stricter UK data privacy laws.
Did those just get repealed, or is it the usual case of the left hand not knowing what the right just signed into law?
Maybe it's time to invest in hard drive manufacturers
I wonder if anyone has done any calculations as to just how much data is going to be collected ?
If they just log basic information like the URL it’s trivial to circumvent the logging. If they log every packet sent they are going to end up with a ridiculous amount of data. I have a small, unimportant website but it still often uses 200Gb of bandwidth in a month.
What about larger companies that host servers themselves ? Are they going to log all the incoming traffic too or is using a computer at one of these going to sidestep the logging?
What is to stop people running a program that randomly browses websites to pollute the data and dilute the chance of working out what that person is actually browsing. What about browsers that preemptively fetch web pages, what proof is there that any webpage was actualy looked at?
They are either going to have to do some serious filtering in real time and possibly lose the very details they are trying to find or end up with an humongous pile of data that is going to take some serious data mining to extract anything useful.
To me the whole thing sounds more like a plan to divert some more public money into their friends pockets than anything that is likely to produce useful information.
Re: Maybe it's time to invest in hard drive manufacturers
Time to invest in VPN software manufacturers. Anonymisation of traffic will take off big time as people will seek out ways of protecting their rights and keep private communication private.
Didn’t the British government decry these practices when the Stasi did the same thing to the people of East Germany during the Cold War?
Re: Re:
Not only that, Liz, but the Tories promised during the last election to scale back on the Big Brother state and now here they are in power (albeit in a coalition) and they are carrying on Labour’s work.
Re: Re: Make pre-election promises and manifestos legally binding
I think we need a campaign to make pre-election promises and manifestos legally binding. It’s the biggest flaw in representational democracy at the moment:
1. They promise us they will do XYZ.
2. We vote for them based on this promise.
3. They get elected.
4. They break their promises and to ABC.
The same thing happens with every single party. I was stunned at the Lib Dems selling the idea that it’s okay to tread all over the rights and freedoms of British citizens. They promised to claw back some of these rights and freedoms, but now are agreeing with the exact opposite (and using the pathetic useless “safeguards” as an excuse).
Re: Re:
Actually, no.
Oh, really? A little black box can just “handle” the encryption used to keep online bank transactions secure?
That has to be a bluff. It had better be, because otherwise when whatever method they use leaks out and every script kiddie in the world is able to bypass HTTPS encryption, we’re going to have even bigger problems…
Re: HTTPS decryption
Charles Farr’s remark probably means they have penetrated (or come to an arrangement with) the Certificate Authorities.
In other words, the secure channel you think you’ve established with a web site is in fact a channel to the black box, which records the content and passes on the requests and responses from a central point.
(I am not a security analyst, but I think major corporates already do this when you’re inside their firewall)
Re: Re: HTTPS decryption
The way major corporations do it, is by installing an extra certificate authority root on every one of their client computers, and their MITM boxes generate certificates from that fake certificate authority.
For this to work here, they would have to either install a new certificate authority root on everyone’s computers and phones (good luck), or as you said come to an agreement with an existing certificate authority to produce MITM certificates. Good luck on that last one too; ANY certificate authority which allows that is going to be removed FAST from all the major web browsers (the Mozilla Foundation is NOT going to put up with that kind of nonsense, as they have shown in the past).
But then, the answer being only “it will” looks to me as if they did not think this through, and believe that by their ordering so the “techies” will find a way. Somehow.
Re: Re: Re: HTTPS decryption
“ANY certificate authority which allows that is going to be removed FAST from all the major web browsers”
I was thinking the same thing. People will loose faith in the “Trusted” authorities and the ones that cooperate will fail and be replaced.
Re: Re:
Regarding https, if they have a collection of the master certificates that usually only reside on the webservers I think decrypting will be possible.
Re: cracking https
All they have to do is mandate ISPs to configure the black boxes to act as a “man in the middle” to capture https traffic.
Re:
Oceania vs. the World
Meh
I guess we’ll start getting TSA style ‘you got checked’ flyers in our postal mail?
Things That Make You Go Hmm
Actually, unlawful surveillance happens all the time here. The difference is that most forms of government surveillance can’t happen lawfully without a warrant. The unlawful kind happens all the time, but the people they use it against tend to be spy and terrorist types who aren’t exactly going to file a lawsuit over it, especially when the alphabet agencies are likely to just kill their targets outright. Besides, every one of those agencies has official written rules that say “Don’t do anything unlawful. The rule of law trumps national security.” so they have plausible deniability if anyone gets caught.
The reason this is enforced against the government on most levels is that unlike other countries, Americans have guns, guns, guns, guns and guns. Lots of them. No matter how powerful your arguments or friends, if you get shot you usually die. Guns are great equalizers of power, because they basically tell our government “If you get too out of hand, we’ll fucking KILL you!” on a constant basis.
You could have a Fourth Amendment too if you convinced enough people it was a good idea. It was the English government we started shooting for being oppressive, though, so I wish you good luck.
Why don’t they just do it like we do here in America. Spy on people then lie about it for 30 years.
Re:
The only thing that is remotely reassuring about this is, as Jake says, that our track-record of delivering large IT systems is sooo bad.
Unfortunately, unlike the previous government, this one seems to have realised that and hence they are shifting the requirements (and the work & expense) onto the ISPs. Meaning that it could actually work.
Proxies, encryptions and a little macro to randomly click web-links might be the way forward.
I might start sending empty envelopes around as well.
Actually, if I’m going to that much effort, I may as well set myself up as a full-on spam merchant.
Re:
The random-clicking-macro sounds like a neat idea. Gotta do some googling if there’s something readily available. Or just roll my own.
But making it really realistic (i.e. difficult to distinguish the automated and the real clicks) might be a tough problem. Anyway, it could certainly generate more data to sift through.
Re: Re:
Actually you just swamp them with links. With enough noise you end up with things being randomized to the point where they cant tell what you are doing. With an plugin that does a 1000 to 1 ratio, that does random searches, follows random search results, and follows links on the pages it would obsolete this system rather quickly.
Re: Re: Re:
That’s when they start making you pay by the kilobyte.
Re: Re: Re: Re:
no that is when you pay kilobyte fees per bit.
Private communication
The bill is daft and is circumvented in minutes.
Every site on the net allowing for anonymous use and submission of text can be used to obfuscate and anonymize communication.
1. Create a WordPress blog.
2. Create a Dropbox account.
3. Create a Rapidshare/Bayfiles/4shared account.
etc
Upload all your secret messages as 7zipped AES encrypted archives and use physical mail or sneakernet to communicate the URLs to the recipients.
Encrypt the URLs with PGP and send them on an USB stick to the recipients.
No direct IP address connection between sender and receiver other than both having used a very popular file host or blog platform.
Call the files something like RIAA-label — Artist – Title.7z and you’ll be sure that they get taken down. If you want to be sure, just send the hoster a fake DMCA notice or report the files as copyright infringement.
The government now only has a very limited time window to correlate all IP logs and seize and decrypt the content of the messages.
Under the DMCA the hoster has an obligation to delete the files, and if they are already gone when the government comes around demanding preservation of evidence, it’s already too late.
Who says that the DMCA is bad for civil liberties?
Re: Private communication
People prepared to jump through the hoops you describe are not the target. They already know how to evade surveillance.
This bill is bringing the internet and postal service into line with what the security services can already do with your phone line.
Your local council, for instance, can already ask the police to request your telephone records (who you called, when and for how long). Now they will be able to ask who sent you mail or email and which websites you visited.
None of this enables people to inspect your mail, or email, or your transactions with websites any more than they can eavesdrop on your phone calls.
They will still need a court order to do that.
I don’t agree with this bill but we should fight it with facts, not FUD.
Re: Re: Private communication
Quote:”Part 1 [the main requirements to log communications data] applies to public postal operators and public postal services as it applies to telecommunications operators and telecommunications services. “
Communication data can mean a lot of things, one of them is the actual contents of what is passing through the channels they are monitoring. I can see a problem with that.
No comment
Another Tory election promise down the drain. They promised to stop all the Big Brother crap that Labour started and now here they are planning their own Big Brother plan. Hypocrisy of the highest order. Our only hope is that the Lib Dems (who have been campaigning as champions of human and civil rights for decades) can put an end to this.
PS Speaking of Labour, did you notice how suspiciously quiet they are on this issue?
Re: Re:
The Lib Dems will not help us. Their fearless leader is saying that the Bill is okay because he (the Lib Dems) have put a handful or useless “safeguards” in place to protect the public. Nick Clegg cannot be trusted.
Anonymity solutions
The problem with most commercial VPN and anonymity services is the payment trail and the regulations forcing private businesses to act in the government’s interest.
If you build physical infrastructure, you must play by the government’s rules.
And if you accept payments — barring hard to set up Bitcoin – your users can be traced, if for no other reason, that the state wants to tax you.
What we need are a more decentralized VPN solution.
Tor is tcp/ip only, and I2P does not work very well, and OpenVPN is complicated for most users.
Most current anonymity solutions are either bloatware, low latency or only good for socksifying supported applications.
Re: Anonymity solutions
You should look at AirVPN – I’ve just started using them and set up is a breeze. Plus it works with all software as far as I can tell.
I decided to go VPN after hearing about this bill, plus when my ISP censored the Pirate Bay, it tipped my decision. Not that I use TPB – I use Tribler – a distributed P2P system.
I’d really like to see how they get round the 2048 bit encryption from my computer to the VPN server in a foreign country. If they can do this, then online financial transactions are gone forever!
Re: Re: Anonymity solutions
???
What is the difference from a VPN to an ISP or certificate authority?
Any company that have an office and use financial infra-structure to do business will be forced to conform to whatever the government in their neck of the woods say.
Even VPN providers acknowledge that they do indeed give away your data to law enforcement when asked to do so.
Re: Re: Re: Anonymity solutions
There’s a difference between a VPN service provider handing over the details about a particular targeted user (a “person of interest”) when legal procedures and warrants have been obtained, and just letting the government monitor every single VPN user by default.
And of course, the illustrious Theresa May has trotted out the “if you’ve done nothing wrong, you’ve got nothing to fear” argument.
http://uk.news.yahoo.com/councils-lose-data-access-powers-230559438.html
Re: Re:
Cuts to the NHS, against the disabled and pensioners, politicians talking every day about the lack of public money; and we can still afford to blow ?1.8 billion on this bollocks?
Re: Re:
Does this mean that Theresa May will allow a pilot program to be run on her connections open to the public to review?
Re: Re:
So we can look forward to the government publishing the NHS Risk Register? 🙂
Ill tell you what, if this piece of shit gets passed in the uk, im gonna cancel every non essentiel account and ignore all future websites that ask for personall data…….so bye bye facebook, bye bye forum memberships bye bye to every site who gives in to the uk bullshit demands
At no fucking point did i give my permission to collect data related to me to be stored, did they ask, NO…..fucking pillocks, what gives them the fucking right to even suggest this without our input on the matter
The internet will be an unregonizable place, when power hungery, informational whores get their way, and i think internet companies and isp’s need to get some fucking balls, because they most of all will most affected by this
HTTPS decryption
Can’t you just use a portable and separate instance of Firefox in a vm with all other CA’s disabled or blacklisted?
Ifyou have visited the site before, you might write down the certificate hash, and check the certificate each time you connect to the server.
Re: HTTPS decryption
Take a look at the Certificate Patrol Firefox extension. It writes down the certificate hash and checks the certificate each time you connect the server, which is exactly what you want.
Re: Re: HTTPS decryption
What good does it do when the authority is in collusion with the government?
It doesn’t matter if the certificate is authentic or not, if the authority issuing that certificate has to give the keys to the government they don’t need to issue the certificates they just passively record every bit of data and decode that.
Same goes for VPN or any other means that involves trust in a third party to secure anything, if you corrupt the third party you are owned.
Re: Re: Re: HTTPS decryption
I believe you are confused.
With HTTPS, the private key (which is needed to decode the data) is not given to anyone. What the certificate authority receives is the public key, which it signs and gives back. The authority issuing the certificate cannot give the government the private key, since it never had the private key in the first place.
Even with self-signed keys, HTTPS completely defends from passive interception, as long as the server is secure. Passively recording the data does you no good.
What is being talked about is active interception, also called Man-In-The-Middle (MITM). To do a MITM attack, the attacker pretends to be the server to the client, and pretends to be the client to the server. To do that with HTTPS, the attacker needs a certificate trusted by the client, else the client will complain about the server certificate. That is where corrupting a trusted certificate authority is useful for the attacker.
With a VPN it is different; the VPN is already “in the middle”, so corrupting it is enough.
Anonymity solutions
I meant to add that I now have access to the American video sites when I choose to use an American VPN server – I can finally watch Hulu – hurrah !!
Re: Anonymity solutions
huzzah !! 🙂
Re: Anonymity solutions
huzzah !! 🙂
Re: Anonymity solutions
lalalalalalalalalalalalala!
Payment
How did you pay? if you use Paypal, Visa or bank transfer, you have already left a big paper trail.
Only bitcoin is anonymous, and I avoid it because I don’t have a GPU for bitcoin mining and don’t know which sellers to trust.
Re: Payment
Not exactly a paper trail, but I know what you mean.
Beware of thinking BitCoin is anonymous. It isn’t unless you take appropriate steps.
Packet inspection? No, just envelope inspection
“Letters, telephone calls, email and the Web — this is a level of total surveillance that countries like China, North Korea or Iran can only dream of.”
This is misleading. The countries you mention regularly inspect the content of communications.
The UK is asking for sweeping powers to inspect the envelope of communications – who you communicate with and when.
It will still require court intervention to carry out wiretapping.
Re: Packet inspection? No, just envelope inspection
This is true, but also rather misleading. The list of URLs I visited on a particular day could tell you a lot about me. It could tell you my sexuality, whether I have a disease, where I’m going on holiday or for work, if I’m seeing another woman (or man). And, for most public sites, entering those URLs into your browser will show you exactly what I saw.
You may not care too much if someone got hold of your browser history for the past day or week (and, I have to say, it wouldn’t worry me that much either), but the real danger here is what’s revealed when all of these data points are combined over a long period.
As with personally identifiable information, one piece of data (a 34 year old male who lives in Salford) doesn’t reveal that much, but combine it with a few others (drives a Mercedes, works for Tesco) and you’ve pretty soon narrowed it down to 1 or 2 individuals (cf. 2006 Netflix Prize). You then have a pretty full picture of each person’s interests, desires, weaknesses, etc. Combine this with information on what others in similar situations have done before (cf. the Target pregnancy NYT story) and you’ve got something potentially very powerful, and something I’d rather the government didn’t have.
Private communication
Yes, people who already know how to protect their privacy likely already care about their privacy, but I am sure that it’s easy to automate the process.
I don’t have the time, but it should be easy to write a virtual POP server, where all mails are retrieved from an encrypted file stored on a file host to Thunderbird or even Outlook.
If the government policy ends up promoting FreeNet, I2P and other decentralized onion/garlic/sneakernet routing systems and make them clic and point for the average user, we have won.
My very simple examples have the advantage that the government couldn’t block Dropbox, WordPress or other mainstream hosting services without risking a larger backlash.
Stealing from your citizens, pure and simple
the reasons given by the UK government, in particular by Theresa May atm for such an invasion of privacy and monitoring of personal freedoms is pathetic and disgraceful. like just about everyone, i understand the need to keep on top of the latest communication innovations so as to monitor suspected criminals ans terrorists. to take things to the level the UK wants to is unnecessary. it will give fuel to the fires of places like Iran and China that do less harsh monitoring now but you can be assured, will be doing so in the near future. how can the need to monitor in the circumstances above be needed for every single citizen? how can all of a sudden, no one have no rights to privacy and freedom? why should even letters etc be brought into play? it’s the sort of thing that happens in prison. this is actually making everyone out to be a criminal with no evidence at all but all the punishments ready to be enforced. think back people to when this monitoring was first introduced, who introduced it and why. look hard enough and, if honest, you will find the answer and you will be disgusted!
USE the internet to help enforce the peace
Do not CONTROL the internet to enforce the peace
Can someone please fast forward the movie for these fools so they can see the downfall of the government at the end?
Easy solution: Drown the snooper tracker
It appears to me that this type of approach would be relatively easy to overwhelm. Simply create a program that runs in the background and spits out email and other requests slowly but steadily 24×7. The emails don’t even have to go to valid email addresses, they are just chaff.
Could the UK (and IPs) really scale up their storage systems to store every packet if many of us were generating low levels of chaff constantly?
Their bill assumes that there is a cost to generating data like the post office, that everything you do has a purpose and cost. Not true.
Re: Easy solution: Drown the snooper tracker
I’ve already considered this just to spoof Google but it was too much trouble. But to combat info-totalitarianism, I’d seriously consider it.
Denmark has had something similar to this for 5 years. They had a policeofficer at the parliament to tell how much they used these informations through those 5 years, 1 month ago.
A few snippets from the police officer: “Usually we do not need IP adresses because we the computer”… “
“I cannot give any examples on the use of session-logging in an investigation. But I am sure it exists, I just haven’t brought it”
The minister of justice was pretty clear on telling that it was impossible to scale back on the surveilance and blaming it on “…pressure from my colleagues in EU…”.
In total the police seek 20 times more telelogged info than internet-logged info.
http://www.version2.dk/artikel/massiv-logning-af-danskernes-internetbrug-men-politiet-bruger-kun-ip-adressen-45584
I wonder how long before they allow the ****fias et al access to the data ?
I have a potential solution...
1. Get a free cloud server eg. http://www.nephoscale.com/cloud-computing-cloud-storage-starter-package
2. Configure it as a VPN with no logs and your own ssl cert
3. Enjoy your 50Gb of free unmonitored internet!
HTTPS decryption
Couldn’t someone just set up his own CA and get browser vendors to cooperate?
Mozilla is not known for giving the government anything not legally required. The law only applies to the communication providers not to software vendors.
It always go back to terrorism, child porn and pirates.
What a "great" country!
A country that spits in the face of “innocent until proven guilty” with it’s fast-track justice “police caution” system.
A country that gives 3000 of its citizens a criminal record every single week for not having a TV licence.
A country that routinely collects the DNA and fingerprints of its citizens regardless of whether or not they’ve done something wrong.
This is “Great” Britain?
anonime anonymous ...
They have all go mad ! Do they have legal right to open physical letter to read the content ? I do not think so ! People its time to develop full blown decentralized encrypted network in network something like Ricoh VPN with TOR capabilities for entire network protocols ! Who has the right to stalk me on line ? This make me mad ! If i were pissed off enough i will learn the hard way everything about network and internet and then strike back so hard that opponent will goes to its knee regardless who it is – just like in do-jo in marshal arts stile ! The notorious pathologic mad man’s need in to control and spy on us deserve full blown strike back ! The Anonymous are just the beginning !!!