Techdirt. Stories filed under "vpns"

Kiwis Want To Spy On All Communications, VPNs, And Be Able To Use Secret Evidence Against You

Glyn Moody — Thu, 16 May 2013 05:38:00 PDT

Although New Zealand's decision not to allow patents for programs "as such" was welcome, other moves there have been more problematic. For example, after it became clear that the New Zealand intelligence service, the Government Communications Security Bureau (GCSB), illegally wiretapped and spied on Kim Dotcom, the New Zealand government announced that it would change the law so as to make it legal in the future to snoop on New Zealanders as well as on foreigners. Judging by a major new bill that has been unveiled, that was just the start of a thoroughgoing plan to put in place the capability to spy on every New Zealander's Internet activity at any moment. Here's an excellent analysis of what the bill proposes, from Thomas Beagle, co-founder of the New Zealand digital rights organization Tech Liberty: The TICS [Telecommunications (Interception Capability and Security)] Bill is a replacement for the Telecommunications (Interception Capability) Act 2004. This law forced communications providers (ISPs, telcos, data networks, etc) to provide "lawful intercept" capabilities so that the Police, SIS and GCSB could access communications once they had a suitable warrant. The new bill expands and clarifies these requirements.

However, the addition of the word "security" is the key to what has changed. The new bill now gives the GCSB sweeping powers of oversight and control over the design, deployment and operation of all data and telecommunications networks run by network providers in New Zealand. The stated reasons are to both protect New Zealand's infrastructure and to ensure that surveillance agencies can spy on traffic when required. As part of this, the GCSB will have the power to stop network providers from reselling overseas services that do not provide these capabilities.
As Beagle goes on to explain, this will have a number of implications, including a requirement to build backdoors into all telecoms networks: From the Bill:
A network operator must ensure that every public telecommunications network that the operator owns, controls, or operates, and every telecommunications service that the operator provides in New Zealand, has full interception capability.
Note that the surveillance agencies still need to have a legally issued warrant (under the Search & Surveillance Act, NZ SIS Act, or GCSB Act) to actually intercept any communications and there are obligations to avoid capturing communications that are not covered by the warrant.
Here's one way that could dramatically impact Internet users in New Zealand: It then goes on to give the Minister the power to ban the resale of an off-shore telecommunications service in New Zealand if it does not provide interception capabilities. This could stop the resale of foreign-hosted VPNs, instant message services, email, etc.
Another clause could have major implications for Megaupload: Network operators must decrypt the intercepted communications if they have provided the encryption, but there is no obligation to do so if the encryption is provided by others.

What does this mean for providers such as Mega (file locker) or LastPass (password storage) who have a business model based on the fact that they supply a cloud product that uses encryption but have deliberately designed it so that they can not decrypt the files themselves? This gives users the assurance that they can trust them with their data. Will the government close them down unless they provide a backdoor into the system?
One deeply troubling aspect is the following: There is also a provision that allows the courts to receive classified information in a court case in the absence of the defendant or the defendant's lawyer. This applies to information that might reveal details of the interception methods used by the surveillance agency or is about particular operations in relation to any of the functions of the surveillance agency, or is provided as secret information from the surveillance agencies of another country. It can also be used if that disclosure would prejudice security of NZ, prejudice the maintenance of law, or endanger the safety of any person.
As Beagle notes: particularly offensive to civil liberties are the provisions for convicting people based on secret evidence. How can you defend yourself fairly when you can't even find out the evidence presented against you?
He concludes with an important point: One must ask where the justification for this expansion of power is coming from. Has New Zealand already been materially affected by attacks on our communications infrastructure? It seems clear that while the GCSB may not be that competent at exercising the powers they already have, they have done a fine job of convincing the government that they can handle a lot more.
That's a question that needs to be put to the governments of other countries, like the US and UK, that are also seeking to extend massively their ability to spy on their own citizens. What evidence do they have that such extreme, liberty-threatening powers are actually necessary, and will make the public safer, rather than simply being a convenient way for governments to identify whistleblowers who expose their incompetence and corruption, say, or to spy on those who dare to oppose them?

Follow me @glynmoody on Twitter or identi.ca, and on Google+

Permalink | Comments | Email This Story

China Tries To Block Encrypted Traffic

Mike Masnick — Mon, 17 Dec 2012 14:53:21 PST

During the SOPA fight, at one point, we brought up the fact that increases in encryption were going to make most of the bill meaningless and ineffective in the long run, someone closely involved in trying to make SOPA a reality said that this wasn't a problem because the next bill he was working on is one that would ban encryption. This, of course, was pure bluster and hyperbole from someone who was apparently both unfamiliar with the history of fights over encryption in the US, the value and importance of encryption for all sorts of important internet activities (hello online banking!), as well as the simple fact that "banning" encryption isn't quite as easy as you might think. Still, for a guide on one attempt, that individual might want to take a look over at China, where VPN usage has become quite common to get around the Great Firewall. In response, it appears that some ISPs are now looking to block traffic that they believe is going through encrypted means.

A number of companies providing "virtual private network" (VPN) services to users in China say the new system is able to "learn, discover and block" the encrypted communications methods used by a number of different VPN systems.

China Unicom, one of the biggest telecoms providers in the country, is now killing connections where a VPN is detected, according to one company with a number of users in China.

Of course, there are countless ways to encrypt traffic, so all this really does is spur a cat and mouse game -- and the best that can be done is having the system block any traffic that it can't understand. Of course, once you go that far, you're in for a lot of trouble, because there's just a ton of legitimate content you're going to block, pissing off a lot of people. Also, as this game goes on, it'll just spur people to encrypt traffic in a matter that looks identifiable, but which really is not identifiable. Fighting against encryption is a game that can't be won in the long term.

Permalink | Comments | Email This Story

Iran Outlaws VPNs Or Any Other Attempt To Get Around Filters

Mike Masnick — Thu, 27 Oct 2011 09:31:00 PDT

If you're going to censor the internet, I guess you also have to criminalize attempts to get around the filters. That appears to be what's happened in Iran, where any kind of system to get around the filters, including VPNs, has been criminalized. Iran now gets to join Pakistan in banning VPNs.

“Based on the law, the use of VPNs or other antifiltering software is forbidden and considered a crime,”

Amusingly, the reasoning given is that VPNs are part of a "soft war" from Western countries, and blocking them is a way to "confront" such Western aggression.

Permalink | Comments | Email This Story

Does Your ISP Care About Protecting Your Privacy?

Mike Masnick — Mon, 31 Jan 2011 07:36:39 PST

We recently wrote about how Swedish ISP Bahnhof had announced plans to use a VPN to encrypt all traffic running over its network, thus making any log files it was required to store under data retention rules useless. Slashdot points us to the news that ISP Review, over in the UK, has asked a bunch of UK ISPs their thoughts on encrypting all traffic, and questioning whether they would do the same to protect user privacy.

The answers are pretty interesting. None of them seem interested going as far as VPNing all traffic, with some suggesting that it's just too expensive. One ISP, AAISP, says that there's a better solution than VPN, which is to just switch to a carrier grade NAT, for which there are no requirements to log those sessions. IDNet suggested that it might consider making such a service "opt-in," since some people might want it, but it creates other downsides that not all customers appreciate. The one response that struck me as questionable was from Entanet, who seemed to indicate that the only reason to encrypt traffic was if you were doing something wrong:

As a responsible communications provider, we don't advocate any steps to proactively create the ability to avoid the identification of parties who are deliberately committing acts of data piracy.

The focus is not to "avoid identification" of people involved in "piracy," but to provide privacy in general. Given just how many examples we've seen of governments spying on users' data habits with very little legitimate purpose, it seems like an ISP that actually protects its users privacy should be seen as a good thing.

It makes me wonder if we'll start to see more ISPs like Bahnhof pop up, with a focus on promoting the fact that they protect your privacy. In an age when so many people flipped out about Google's WiFi sniffing, you would think that these same people would celebrate ISPs that automatically encrypt traffic, as that would solve such problems. Yet, instead, it seems like the very same people are suggesting that such encryption is only for bad purposes.

Of course, here in the US, there are almost no choices among ISPs, and the ones that are available all have strong and close relationships with the government (hi, AT&T!), so it's not like they have any interest in protecting customer privacy. Though, this also explains why there's nothing serious in any US-based broadband plan around increasing competition. If there were real competition, perhaps some providers would look at better ways to protect user privacy. So, as long as the government can keep competition limited to a few entities who rely on the government, the government knows it can always get the info it wants, no matter how dubious the legal rationale.

Permalink | Comments | Email This Story