UK 'Snooper's Charter' Seeks To Eliminate Pesky Private Communications

from the eat-your-heart-out,-china dept

As expected, the UK government has published its Draft Communications Bill (pdf) — better known as the “snooper’s charter,” since it requires ISPs to record key information about every email sent and Web site visited by UK citizens, and mobile phone companies to log all their calls (landline information is already recorded).

Since this was only released a few hours ago, people are still trawling through it to find out what delights it holds, but an eagle-eyed David Meyer has already spotted something rather extraordinary: the UK government seems to be proposing to log not just every IP packet, but every physical packet — and letter, and postcard — too.

That’s thanks to Section 25 of the Draft, which states:

Part 1 [the main requirements to log communications data] applies to public postal operators and public postal services as it applies to telecommunications operators and telecommunications services.

And if you were wondering what “communications data” means when applied to letters and postcards, it includes:

postal data comprised in or attached to a communication (whether by the sender or otherwise) for the purposes of a postal service by means of which it is being or may be transmitted

Letters, telephone calls, email and the Web — this is a level of total surveillance that countries like China, North Korea or Iran can only dream of. What remains unclear is how the UK government will try to gather this incredible flood of information, and whether it can access it in real time. Here’s what the site Privacy International thinks will happen:

The government today published a draft version of a bill that, if signed into law in its current form, would force Internet Service Providers (ISPs) and mobile phone network providers in Britain to install ‘black boxes’ in order to collect and store information on everyone’s internet and phone activity, and give the police the ability to self-authorise access to this information.

That article points out that two important questions on the Internet side of things remain unanswered:

However, the Home Office failed to explain whether or not companies like Facebook, Google and Twitter will be brought under the Regulation of Investigatory Powers Act (RIPA), and how they intend to deal with HTTPS encryption.

When an official was pressed on that last point, he gave a rather disturbing reply:

At this morning’s Home Office briefing, Director of the Office for Security and Counter-Terrorism Charles Farr was asked about how the black box technology would handle HTTPS encryption. His only response was: “It will.”

This is going to get very interesting.

Follow me @glynmoody on Twitter or, and on Google+

Filed Under: , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “UK 'Snooper's Charter' Seeks To Eliminate Pesky Private Communications”

Subscribe: RSS Leave a comment
Anonymous Coward says:

Things That Make You Go Hmm

You Americans are so lucky. You have the truly glorious fourth amendment of your constitution protecting your rights. It says: “The right of the people to be secure in their persons, houses, papers and effects, against unreasonable searches and seizures, shall not be violated …” So naturally, your privacy is respected by your government. None of this intrusive snooping could ever happen in USA.



Re: Things That Make You Go Hmm

Read “Enemies” by Tim Weiner, a detailed history of the FBI and Hoover in particular. You will find that the US govt has only ever treated the Bill of Rights with contempt and ignored it when it interfered with their investigations. The only difference was that they spied only on people and organisations they were obsessed with due to technological limitations. But the US government has never cared in the least about personal privacy save when it became an election campaign talking point. This current stuff is nothing new, rather business as usual.

Jake says:

“Interesting”, you say? I thought understatement was our shtick. I don’t know if I want to man the barricades or man the lifeboats.

On the plus side, the odds of the surveillence technology performing as advertised are quite astoundingly remote, given our previous history with government IT projects. Either they’ll be defeated by the most rudimentary additional encryption measures, or the government will neglect to employ enough people to actually sift through the huge influx of raw data and it becomes nigh-impossible to perform any sort of targeted intercept with probable cause.

Zos (profile) says:

Things That Make You Go Hmm

lmao, you forgot your sarcmark.

i am confused about one thing though… last time i’d heard anything about UK privacy laws it was something along the lines of not being able to use cloud services like google and such, because they couldn’t be certain US based companies measured up to the much stricter UK data privacy laws.

Did those just get repealed, or is it the usual case of the left hand not knowing what the right just signed into law?

tebee (profile) says:

Maybe it's time to invest in hard drive manufacturers

I wonder if anyone has done any calculations as to just how much data is going to be collected ?

If they just log basic information like the URL it’s trivial to circumvent the logging. If they log every packet sent they are going to end up with a ridiculous amount of data. I have a small, unimportant website but it still often uses 200Gb of bandwidth in a month.

What about larger companies that host servers themselves ? Are they going to log all the incoming traffic too or is using a computer at one of these going to sidestep the logging?

What is to stop people running a program that randomly browses websites to pollute the data and dilute the chance of working out what that person is actually browsing. What about browsers that preemptively fetch web pages, what proof is there that any webpage was actualy looked at?

They are either going to have to do some serious filtering in real time and possibly lose the very details they are trying to find or end up with an humongous pile of data that is going to take some serious data mining to extract anything useful.

To me the whole thing sounds more like a plan to divert some more public money into their friends pockets than anything that is likely to produce useful information.

Anonymous Coward says:

Re: Re: Make pre-election promises and manifestos legally binding

I think we need a campaign to make pre-election promises and manifestos legally binding. It’s the biggest flaw in representational democracy at the moment:

1. They promise us they will do XYZ.
2. We vote for them based on this promise.
3. They get elected.
4. They break their promises and to ABC.

The same thing happens with every single party. I was stunned at the Lib Dems selling the idea that it’s okay to tread all over the rights and freedoms of British citizens. They promised to claw back some of these rights and freedoms, but now are agreeing with the exact opposite (and using the pathetic useless “safeguards” as an excuse).

Anonymous Coward says:

Oh, really? A little black box can just “handle” the encryption used to keep online bank transactions secure?

That has to be a bluff. It had better be, because otherwise when whatever method they use leaks out and every script kiddie in the world is able to bypass HTTPS encryption, we’re going to have even bigger problems…

Dominic Sayers (profile) says:

Re: HTTPS decryption

Charles Farr’s remark probably means they have penetrated (or come to an arrangement with) the Certificate Authorities.

In other words, the secure channel you think you’ve established with a web site is in fact a channel to the black box, which records the content and passes on the requests and responses from a central point.

(I am not a security analyst, but I think major corporates already do this when you’re inside their firewall)

Anonymous Coward says:

Re: Re: HTTPS decryption

The way major corporations do it, is by installing an extra certificate authority root on every one of their client computers, and their MITM boxes generate certificates from that fake certificate authority.

For this to work here, they would have to either install a new certificate authority root on everyone’s computers and phones (good luck), or as you said come to an agreement with an existing certificate authority to produce MITM certificates. Good luck on that last one too; ANY certificate authority which allows that is going to be removed FAST from all the major web browsers (the Mozilla Foundation is NOT going to put up with that kind of nonsense, as they have shown in the past).

But then, the answer being only “it will” looks to me as if they did not think this through, and believe that by their ordering so the “techies” will find a way. Somehow.

Anonymous Coward says:

Things That Make You Go Hmm

Actually, unlawful surveillance happens all the time here. The difference is that most forms of government surveillance can’t happen lawfully without a warrant. The unlawful kind happens all the time, but the people they use it against tend to be spy and terrorist types who aren’t exactly going to file a lawsuit over it, especially when the alphabet agencies are likely to just kill their targets outright. Besides, every one of those agencies has official written rules that say “Don’t do anything unlawful. The rule of law trumps national security.” so they have plausible deniability if anyone gets caught.

The reason this is enforced against the government on most levels is that unlike other countries, Americans have guns, guns, guns, guns and guns. Lots of them. No matter how powerful your arguments or friends, if you get shot you usually die. Guns are great equalizers of power, because they basically tell our government “If you get too out of hand, we’ll fucking KILL you!” on a constant basis.

You could have a Fourth Amendment too if you convinced enough people it was a good idea. It was the English government we started shooting for being oppressive, though, so I wish you good luck.

drew (profile) says:


The only thing that is remotely reassuring about this is, as Jake says, that our track-record of delivering large IT systems is sooo bad.
Unfortunately, unlike the previous government, this one seems to have realised that and hence they are shifting the requirements (and the work & expense) onto the ISPs. Meaning that it could actually work.
Proxies, encryptions and a little macro to randomly click web-links might be the way forward.
I might start sending empty envelopes around as well.
Actually, if I’m going to that much effort, I may as well set myself up as a full-on spam merchant.

zub says:


The random-clicking-macro sounds like a neat idea. Gotta do some googling if there’s something readily available. Or just roll my own.

But making it really realistic (i.e. difficult to distinguish the automated and the real clicks) might be a tough problem. Anyway, it could certainly generate more data to sift through.

Hephaestus (profile) says:

Re: Re:

Actually you just swamp them with links. With enough noise you end up with things being randomized to the point where they cant tell what you are doing. With an plugin that does a 1000 to 1 ratio, that does random searches, follows random search results, and follows links on the pages it would obsolete this system rather quickly.

Anonymous Coward says:

Private communication

The bill is daft and is circumvented in minutes.

Every site on the net allowing for anonymous use and submission of text can be used to obfuscate and anonymize communication.

1. Create a WordPress blog.
2. Create a Dropbox account.
3. Create a Rapidshare/Bayfiles/4shared account.


Upload all your secret messages as 7zipped AES encrypted archives and use physical mail or sneakernet to communicate the URLs to the recipients.

Encrypt the URLs with PGP and send them on an USB stick to the recipients.

No direct IP address connection between sender and receiver other than both having used a very popular file host or blog platform.

Call the files something like RIAA-label — Artist – Title.7z and you’ll be sure that they get taken down. If you want to be sure, just send the hoster a fake DMCA notice or report the files as copyright infringement.

The government now only has a very limited time window to correlate all IP logs and seize and decrypt the content of the messages.

Under the DMCA the hoster has an obligation to delete the files, and if they are already gone when the government comes around demanding preservation of evidence, it’s already too late.

Who says that the DMCA is bad for civil liberties?

Dominic Sayers (profile) says:

Re: Private communication

People prepared to jump through the hoops you describe are not the target. They already know how to evade surveillance.

This bill is bringing the internet and postal service into line with what the security services can already do with your phone line.

Your local council, for instance, can already ask the police to request your telephone records (who you called, when and for how long). Now they will be able to ask who sent you mail or email and which websites you visited.

None of this enables people to inspect your mail, or email, or your transactions with websites any more than they can eavesdrop on your phone calls.

They will still need a court order to do that.

I don’t agree with this bill but we should fight it with facts, not FUD.

Anonymous Coward says:

Re: Re: Private communication

Quote:”Part 1 [the main requirements to log communications data] applies to public postal operators and public postal services as it applies to telecommunications operators and telecommunications services. “

Communication data can mean a lot of things, one of them is the actual contents of what is passing through the channels they are monitoring. I can see a problem with that.

Zakida Paul says:

Another Tory election promise down the drain. They promised to stop all the Big Brother crap that Labour started and now here they are planning their own Big Brother plan. Hypocrisy of the highest order. Our only hope is that the Lib Dems (who have been campaigning as champions of human and civil rights for decades) can put an end to this.

PS Speaking of Labour, did you notice how suspiciously quiet they are on this issue?

Anonymous Coward says:

Anonymity solutions

The problem with most commercial VPN and anonymity services is the payment trail and the regulations forcing private businesses to act in the government’s interest.

If you build physical infrastructure, you must play by the government’s rules.

And if you accept payments — barring hard to set up Bitcoin – your users can be traced, if for no other reason, that the state wants to tax you.

What we need are a more decentralized VPN solution.

Tor is tcp/ip only, and I2P does not work very well, and OpenVPN is complicated for most users.

Most current anonymity solutions are either bloatware, low latency or only good for socksifying supported applications.

indieThing says:

Re: Anonymity solutions

You should look at AirVPN – I’ve just started using them and set up is a breeze. Plus it works with all software as far as I can tell.

I decided to go VPN after hearing about this bill, plus when my ISP censored the Pirate Bay, it tipped my decision. Not that I use TPB – I use Tribler – a distributed P2P system.

I’d really like to see how they get round the 2048 bit encryption from my computer to the VPN server in a foreign country. If they can do this, then online financial transactions are gone forever!

Anonymous Coward says:

Re: Re: Anonymity solutions


What is the difference from a VPN to an ISP or certificate authority?

Any company that have an office and use financial infra-structure to do business will be forced to conform to whatever the government in their neck of the woods say.

Even VPN providers acknowledge that they do indeed give away your data to law enforcement when asked to do so.

Anonymous Coward says:

Ill tell you what, if this piece of shit gets passed in the uk, im gonna cancel every non essentiel account and ignore all future websites that ask for personall data…….so bye bye facebook, bye bye forum memberships bye bye to every site who gives in to the uk bullshit demands

At no fucking point did i give my permission to collect data related to me to be stored, did they ask, NO…..fucking pillocks, what gives them the fucking right to even suggest this without our input on the matter

The internet will be an unregonizable place, when power hungery, informational whores get their way, and i think internet companies and isp’s need to get some fucking balls, because they most of all will most affected by this

Anonymous Coward says:

Re: Re: HTTPS decryption

What good does it do when the authority is in collusion with the government?

It doesn’t matter if the certificate is authentic or not, if the authority issuing that certificate has to give the keys to the government they don’t need to issue the certificates they just passively record every bit of data and decode that.

Same goes for VPN or any other means that involves trust in a third party to secure anything, if you corrupt the third party you are owned.

Anonymous Coward says:

Re: Re: Re: HTTPS decryption

I believe you are confused.

With HTTPS, the private key (which is needed to decode the data) is not given to anyone. What the certificate authority receives is the public key, which it signs and gives back. The authority issuing the certificate cannot give the government the private key, since it never had the private key in the first place.

Even with self-signed keys, HTTPS completely defends from passive interception, as long as the server is secure. Passively recording the data does you no good.

What is being talked about is active interception, also called Man-In-The-Middle (MITM). To do a MITM attack, the attacker pretends to be the server to the client, and pretends to be the client to the server. To do that with HTTPS, the attacker needs a certificate trusted by the client, else the client will complain about the server certificate. That is where corrupting a trusted certificate authority is useful for the attacker.

With a VPN it is different; the VPN is already “in the middle”, so corrupting it is enough.

Dominic Sayers (profile) says:

Packet inspection? No, just envelope inspection

“Letters, telephone calls, email and the Web — this is a level of total surveillance that countries like China, North Korea or Iran can only dream of.”

This is misleading. The countries you mention regularly inspect the content of communications.

The UK is asking for sweeping powers to inspect the envelope of communications – who you communicate with and when.

It will still require court intervention to carry out wiretapping.

Andrew (profile) says:

Re: Packet inspection? No, just envelope inspection

This is true, but also rather misleading. The list of URLs I visited on a particular day could tell you a lot about me. It could tell you my sexuality, whether I have a disease, where I’m going on holiday or for work, if I’m seeing another woman (or man). And, for most public sites, entering those URLs into your browser will show you exactly what I saw.

You may not care too much if someone got hold of your browser history for the past day or week (and, I have to say, it wouldn’t worry me that much either), but the real danger here is what’s revealed when all of these data points are combined over a long period.

As with personally identifiable information, one piece of data (a 34 year old male who lives in Salford) doesn’t reveal that much, but combine it with a few others (drives a Mercedes, works for Tesco) and you’ve pretty soon narrowed it down to 1 or 2 individuals (cf. 2006 Netflix Prize). You then have a pretty full picture of each person’s interests, desires, weaknesses, etc. Combine this with information on what others in similar situations have done before (cf. the Target pregnancy NYT story) and you’ve got something potentially very powerful, and something I’d rather the government didn’t have.

Anonymous Coward says:

Private communication

Yes, people who already know how to protect their privacy likely already care about their privacy, but I am sure that it’s easy to automate the process.

I don’t have the time, but it should be easy to write a virtual POP server, where all mails are retrieved from an encrypted file stored on a file host to Thunderbird or even Outlook.

If the government policy ends up promoting FreeNet, I2P and other decentralized onion/garlic/sneakernet routing systems and make them clic and point for the average user, we have won.

My very simple examples have the advantage that the government couldn’t block Dropbox, WordPress or other mainstream hosting services without risking a larger backlash.

Anonymous Coward says:

the reasons given by the UK government, in particular by Theresa May atm for such an invasion of privacy and monitoring of personal freedoms is pathetic and disgraceful. like just about everyone, i understand the need to keep on top of the latest communication innovations so as to monitor suspected criminals ans terrorists. to take things to the level the UK wants to is unnecessary. it will give fuel to the fires of places like Iran and China that do less harsh monitoring now but you can be assured, will be doing so in the near future. how can the need to monitor in the circumstances above be needed for every single citizen? how can all of a sudden, no one have no rights to privacy and freedom? why should even letters etc be brought into play? it’s the sort of thing that happens in prison. this is actually making everyone out to be a criminal with no evidence at all but all the punishments ready to be enforced. think back people to when this monitoring was first introduced, who introduced it and why. look hard enough and, if honest, you will find the answer and you will be disgusted!

Anonymous Coward says:

Easy solution: Drown the snooper tracker

It appears to me that this type of approach would be relatively easy to overwhelm. Simply create a program that runs in the background and spits out email and other requests slowly but steadily 24×7. The emails don’t even have to go to valid email addresses, they are just chaff.

Could the UK (and IPs) really scale up their storage systems to store every packet if many of us were generating low levels of chaff constantly?

Their bill assumes that there is a cost to generating data like the post office, that everything you do has a purpose and cost. Not true.

Anonymous Coward says:

Denmark has had something similar to this for 5 years. They had a policeofficer at the parliament to tell how much they used these informations through those 5 years, 1 month ago.
A few snippets from the police officer: “Usually we do not need IP adresses because we the computer”… “
“I cannot give any examples on the use of session-logging in an investigation. But I am sure it exists, I just haven’t brought it”

The minister of justice was pretty clear on telling that it was impossible to scale back on the surveilance and blaming it on “…pressure from my colleagues in EU…”.

In total the police seek 20 times more telelogged info than internet-logged info.

Anonymous Coward says:

What a "great" country!

A country that spits in the face of “innocent until proven guilty” with it’s fast-track justice “police caution” system.

A country that gives 3000 of its citizens a criminal record every single week for not having a TV licence.

A country that routinely collects the DNA and fingerprints of its citizens regardless of whether or not they’ve done something wrong.

This is “Great” Britain?

steve says:

anonime anonymous ...

They have all go mad ! Do they have legal right to open physical letter to read the content ? I do not think so ! People its time to develop full blown decentralized encrypted network in network something like Ricoh VPN with TOR capabilities for entire network protocols ! Who has the right to stalk me on line ? This make me mad ! If i were pissed off enough i will learn the hard way everything about network and internet and then strike back so hard that opponent will goes to its knee regardless who it is – just like in do-jo in marshal arts stile ! The notorious pathologic mad man’s need in to control and spy on us deserve full blown strike back ! The Anonymous are just the beginning !!!

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop ยป

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...