by Mike Masnick
Wed, Jun 8th 2016 11:23pm
by Mike Masnick
Fri, Mar 18th 2016 6:18pm
from the concerns-can-be-ignored-when-you're-in-power dept
As more and more complaints about the bill were raised, we noted May decided to try to rush the bill through, along with a healthy dose of "if you don't do this we're all going to die!" FUD. That included releasing a new draft of the bill, which pretended to address the privacy concerns people raised, but which did so basically by just adding the word "privacy" to a heading and making no substantive changes to protect privacy at all (and possibly changes that made things worse).
Rest assured that a lot of people are seriously uncomfortable with all of this. A group of over 200 leading lawyers in the UK have sent a letter slamming the bill:
At present the draft law fails to meet international standards for surveillance powers. It requires significant revisions to do so.Meanwhile, internet service providers, tech companies, and civil liberties groups have asked the government to delay moving forward with the bill, but it does not appear that May has any interest in doing so.
First, a law that gives public authorities generalised access to electronic communications contents compromises the essence of the fundamental right to privacy and may be illegal. The investigatory powers bill does this with its “bulk interception warrants” and “bulk equipment interference warrants”.
Second, international standards require that interception authorisations identify a specific target – a person or premises – for surveillance. The investigatory powers bill also fails this standard because it allows “targeted interception warrants” to apply to groups or persons, organisations, or premises.
Third, those who authorise interceptions should be able to verify a “reasonable suspicion” on the basis of a factual case. The investigatory powers bill does not mention “reasonable suspicion” – or even suspects – and there is no need to demonstrate criminal involvement or a threat to national security.
These are international standards found in judgments of the European court of justice and the European court of human rights, and in the recent opinion of the UN special rapporteur for the right to privacy. At present the bill fails to meet these standards – the law is unfit for purpose.
On Tuesday, the House of Commons had its "Second Reading" of the bill, and the debate about it allowed some to raise concerns, but with various parties deciding to abstain from voting, rather than vote against it, the bill moved forward easily (it'll come back to Parliament after the House of Lords goes through the bill). Even worse, the main "opposition" to the bill was not that strongly raised:
Andy Burnham, former Home Office minister, stood to offer the Labour party's official perspective. If there is substantive opposition to the contents of the IP Bill within the Labour party - and I know there is from MPs like Tom Watson and David Winnick - then there was little evidence of it from Mr Burnham's contribution to the debate. He opened by trotting out the dire need to combat the four horsemen of the infocalypse and the false and distorting 'balance security with privacy' dichotomy. From those foundations he was highly unlikely to get anywhere enlightened.While we're fighting against backdoors and for encryption here in the US, it looks like the UK government is potentially moving very much in the other direction.
by Mike Masnick
Tue, Mar 1st 2016 3:24am
from the get-the-damn-thing-through-and-then-spy-on-everyone dept
Of course, this seems like standard operating procedures these days. Two years ago, the UK government did the same thing with its data retention bill. It's almost as if the UK government would prefer cutting off debate on these issues, and just rushing through much greater surveillance powers for the government.
by Glyn Moody
Wed, Jan 20th 2016 3:23am
from the words,-words,-words dept
As numerous Techdirt stories make clear, the particular words used to describe something can make a big difference in how it is perceived. For example, intelligence agencies like to avoid the use of the bad-sounding "mass surveillance," with its Orwellian overtones, and prefer to talk about "bulk collection," which can be presented as some kind of cool big data project. No one is more vociferous in insisting that they are not engaged in mass surveillance, but merely bulk collection, than the UK's Home Secretary, Theresa May. She was pushing that line again last week, during a grilling by a UK Parliamentary committee about her proposed Snooper's Charter. As BBC News reported:
She said the security minister, John Hayes, had written to the committee of MPs and peers scrutinising the draft bill to give the reasons why the government did not want to reveal the kinds of data investigators were accessing.
Given what we know that GCHQ is already doing, and adding in what the UK government says it wants to do, that seems an absurd thing to say. But Paul Bernal, Lecturer in Information Technology, Intellectual Property and Media Law at the UK's University of East Anglia, thinks that there is more to this than meets the eye:
She insisted the practice -- and the sweeping up by the security services of large quantities of internet traffic passing through the UK -- did not amount to "mass surveillance" as civil liberties campaigners claim.
"The UK does not undertake mass surveillance," she told the committee.
Precisely what constitutes surveillance is far from agreed. In the context of the internet (and other digital data surveillance) there are, very broadly speaking, three stages: the gathering or collecting of data, the automated analysis of the data (including algorithmic filtering), and then the 'human' examination of the results of that analysis of filtering. This is where the difference lies: privacy advocates and others might argue that the 'surveillance' happens at the first stage -- when the data is gathered or collected -- while Theresa May, [former GCHQ director] David Omand and those who work for them would be more likely to argue that it happens at the third stage -- when human beings are involved.
If surveillance occurs through the act of gathering personal data on a large scale, then clearly what the UK government does (and wants to do more of) is mass surveillance. But if surveillance only takes place once a human operator looks at some of the gathered data, then Theresa May can plausibly argue that what the UK government is engaged in is not mass surveillance, because relatively little personal data is scrutinized in this way. So the question then becomes: at what point is it most appropriate to say that surveillance has occurred? Bernal offers a helpful analogy. What the UK government wants to do with the Snooper's Charter would be like:
installing a camera in every room of every house in the UK, turning that camera on, having the footage recorded and stored for a year -- but having police officers only look at limited amounts of the footage and only when they feel they really need to.
Most people would probably find the automated video recording of everything they did in the privacy of their own home intrusive, and clearly a form of surveillance, even if it was unlikely the footage would ever be seen by a human being. And in Europe, the question has already been settled by the courts:
Does the surveillance happen when the cameras are installed? When they’re turned on? When the footage is stored? When it’s filtered? Or when the police officers actually look at it.
Privacy invasion occurs when the camera is installed and the capability of looking at the footage is enabled. That’s been consistently shown by recent rulings at both the Court of Justice of the European Union and of the European Court of Human Rights. Whether it is called ‘surveillance’ or something else, it invades privacy -- which is a fundamental right. That doesn’t mean that it is automatically wrong -- but that the balancing act between the rights of privacy (and freedom of expression, of assembly and association etc that are protected by that privacy) and the need for 'security' needs to be considered at the gathering stage, and not just at the stage when people look at the data.
That's important, because it is precisely this issue that the courts will have to consider when the inevitable legal challenges are brought against the UK's Snooper's Charter once some version of it becomes law. In the end, whether the Home Secretary thinks what she is doing is mass surveillance or merely bulk collection is irrelevant -- the UK and EU courts will be the ones that decide whether it's allowed.
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
by Mike Masnick
Tue, Dec 29th 2015 8:29am
UK Home Secretary Wants Everyone's Metadata; But If You Ask For Hers, Gov't Says You're Being Vexatious
from the funny-how-that-works dept
Soon after that, we noted that UK resident Chris Gilmour sent in a FOIA request for May's metadata. Specifically, he asked for the following:
1) The date, time, and recipient of every email sent by the Home Secretary during October 2015.Not surprisingly, it appears he was not the only one to do so. UK newspaper The Independent sent in a FOIA request asking for:
2) The date, time, and sender of every email received by the Home Secretary during October 2015.
3) The date, time, and recipient of every internet telephony call (e.g. "Skype" call) made by the Home Secretary during October 2015.
4) The date, time, and sender of every internet telephony call (e.g. "Skype" call) received by the Home Secretary during October 2015.
5) The date, time, and domain address of every website visited by the Home Secretary during October 2015.
... the web browser history of all web browsers on the Home Secretary Theresa May's GSI network account for the week beginning Monday 26 October. Feel free to redact any web addresses relating to security matters."There may be other such requests as well -- but both of these requests got back the same basic response from the UK government. In both cases, the government rejected the requests, claiming they were "vexatious." Here's the response to Gilmour's:
We have considered your requests and we believe them to be vexatious. Section 14(1) of the Act provides that the Home Office is not obliged to comply with a request for information of this nature. We have decided that your request is vexatious because it places an unreasonable burden on the department, because it has adopted a scattergun approach and seems solely designed for the purpose of ‘fishing’ for information without any idea of what might be revealed.It appears that The Independent got an identical response (word for word). The folks at The Independent seem reasonably annoyed by this.
The requests are similar in nature to a request the Home Office received in 2014 that the Information Commissioners Office (ICO) agreed was vexatious. The decision notice in question can be found at this link: https://search.ico.org.uk/ico/search/decisionnotice?keywords=FS50544833
Guidance issued by the ICO on vexatious requests can be found at this link: https://ico.org.uk/media/for-organisations/documents/1198/dealing-with-vexatious- requests.pdf
While the Government is widening its own powers to access the information of citizens, it is watering down the public’s right to access the Government’s information.Either way, there seems to be a legitimate question to ask Theresa May: if there's no big deal about having the government go through your metadata and it's "just like an itemised phone bill," then why is it so "vexatious" for the public to ask for May's metadata?
by Tim Cushing
Tue, Dec 1st 2015 3:15am
from the ALL-ACCESS-PASS dept
The UK's "Snooper's Charter" was already terrible. The draft bill, finally released earlier this month, confirmed the UK government would be mandating encryption backdoors and requiring the retention of citizens' web browsing history. On top of that, the bill confirmed dragnet surveillance by UK agencies was already in place (unbeknownst to its "oversight") and, in fact, is looking to legalize the snooping after the fact.
The Investigatory Powers Act, as can be inferred by its name, would obviously allow any number of intelligence and law enforcement agencies to access the data and communications retained by ISPs. But it's not just GCHQ, M16 and various police forces being granted access to UK internet users' web browsing history. As Joseph Cox at Motherboard points out, it's also several agencies with seemingly no need for additional access to communications data.
On page 210 of the draft Investigatory Powers Bill, a planned piece of UK surveillance legislation that was announced earlier this month, is a table of “relevant public authorities.” These authorities would “have the power to obtain communications data,” according to a briefing paper on the Bill.Despite the parade of child-murdering, drug-dealing, criminal-masterminding horrors that serve as slightly-less-dry interludes to the bill's text, access to "all" retained data will be provided to a long list of mundane regulatory agencies, presumably for the sake of the children.
As you might expect, the list includes various police forces, the Secret Intelligence Service (MI6), the UK's signals intelligence agency GCHQ, and the Ministry of Defence. However, it also includes agencies such as the Department of Health, the Department for Work and Pensions, and the Department for Transport, whose need for such surveillance data is less obviously clear.
Most of these agencies are granted access to all "communications data." The justification for this is laid out in the table starting on page 210 of the pdf, with most of these agencies utilizing Section 46(7)(b) ("for the purpose of preventing or detecting a crime or of preventing disorder").
- Her Majesty’s Revenue and Customs
- Department for Transport
- Department of Enterprise, Trade and Investment in Northern Ireland
- A fire and rescue authority under the Fire and Rescue Services Act 2004
- Food Standards Agency
- Gambling Commission
- Gangmasters Licensing Authority
- Health and Safety Executive
- National Health Service Business Services Authority
- Duty Manager of Ambulance Trust Control Rooms
- Northern Ireland Ambulance Service Health and Social Care Trust
- Northern Ireland Fire and Rescue Service Board
But the bill contains several other justifications for the obtaining of user data, not all of which seem severe enough to warrant special legislation -- like "collecting any tax, duty, levy or other imposition" or "exercising functions relating to financial stability."
Not exactly the terrorist-hunting, child kidnapper-finding wonderbill it's being depicted as -- often in its own pages. Worse, the stuff authorized here is already in place and has already been used. Jim Killock, executive director of the Open Rights Group:
“This is already happening under RIPA—there were around half a million data requests made last year. Many of these were by the police but also by organisations such as Royal Mail, the Department of Work and Pensions, and local authorities.” RIPA, or the Regulation of Investigatory Powers Act 2000, is another controversial piece of UK surveillance legislation.In other words, the new bill is codification redundancy. The UK government is hoping to ensure the snooping it's been doing for years, via a variety of agencies, will be solidly in place for years to come.
by Mike Masnick
Mon, Nov 30th 2015 11:38am
andrews & arnold
from the surveillance-magic dept
A key element in the bill is the demand for "internet connection records." The draft bill has a whole section on these "ICRs" which it defines as:
A kind of communications data, an ICR is a record of the internet services a specific device has connected to, such as a website or instant messaging application. It is captured by the company providing access to the internet. Where available, this data may be acquired from CSPs by law enforcement and the security and intelligence agencies.That definition, by itself, seems somewhat self-contradictory, but we'll leave that aside for now. Adrian Kennard, the head of a small UK ISP, Andrews & Arnold, has filed some comments highlighting how technically clueless this idea is:
An ICR is not a person’s full internet browsing history. It is a record of the services that they have connected to, which can provide vital investigative leads. It would not reveal every web page that they visit or anything that they do on that web page.
The explanatory notes, and one of the clauses in the bill, make use of the term “Internet Connection Record”. We are concerned that this creates the impression that an “Internet Connection Record” is a real thing, like a “Call Data Record” in telephony.From there, it goes even further, pointing out that the justification for needing these non-existent ICRs was a statement from UK Home Secretary Theresa May about how useful such info would be in finding a missing girl:
An ICR does not exist - it is not a real thing in the Internet. At best it may be the collection of, or subset of, communications data that is retained by an operator subject to a retention order which has determined on a case by case basis what data the operator shall retain. It will not be the same for all operators and could be very different indeed.
We would like to see the term removed, or at least the vague and nondescript nature of the term made very clear in the bill and explanatory notes.
"Consider the case of a teenage girl going missing. At present we can ask her mobile provider for call records before she went missing which could be invaluable to finding her. But for Internet access, all we get is that the Internet was accessed 300 times. What would be useful would be to know she accessed twitter just before she went missing in the same way as we could see she make a phone call"Except, as Kennard points out, that's not how the internet actually works. You don't "connect" to Twitter like that, because you're constantly connected to Twitter:
...in yesterday’s meeting I, and other ISPA members immediately pointed out the huge flaw in this argument. If the mobile provider was even able to tell that she had used twitter at all (which is not as easy as it sounds), it would show that the phone had been connected to twitter 24 hours a day, and probably Facebook as well. This is because the very nature of messaging and social media applications is that they stay connected so that they can quickly alert you to messages, calls, or amusing cat videos, without any delay.This seems like a rather important point: the people who put together the Snooper's Charter for spying on the internet don't seem to understand the first thing about how the internet actually works. And yet we're supposed to give them sweeping powers to spy on it? How does that make any sense?
It should be noted that it is quite valid for a “connection” of some sort to last a long time. The main protocol used (TCP) can happily have connections for hours, days, months or even years. Some protocols such as SCTP, and MOSH are designed to keep a single connection active indefinitely even with changes to IP addresses at each end and changing the means of connection (mobile, wifi, etc). Given the increasing use of permanent connections on mobile devices, it is easy to see how more and more applications will use such protocols to stay connected - making one “internet connection record” which could even have passed the 12 month time limit by the time it is logged.
Connections are also typically encrypted and have some data passing all the time, so it would not be practical for an ISP, even using deep packet inspection, to indicate that the girl “accessed twitter” right before she vanished, or even at all (just that there is a twitter app on the phone and logged in).
by Mike Masnick
Fri, Nov 6th 2015 9:32am
Snooper's Charter May Not 'Increase' Surveillance... But Tries To Legalize Over A Decade Of Secret, Illegal Mass Surveillance
from the oh,-look-at-that dept
That's kind of astounding.
And, amazingly, the government is using this fact to argue that the new bill is a good thing because it actually "limits and restricts" activity that it secretly engaged in for years and years. Everyone feared the "new" powers in the bill. And the astounding thing is that the government is now twisting this to quietly reveal that it secretly and illegally spied on people for years.
The government finally admitted on Wednesday that the mass surveillance of British citizens began in 2001 after 9/11 and was stepped up in 2005, using powers under national security directions largely hidden in the 1984 Telecommunications Act.It seems like it took a day or two for people to realize all of this, as everyone was so focused on the "new" powers they expected to be in the bill. It took everyone by surprise to find out that the bill was more about trying to "legitimize" illegal mass surveillance that had been going on without any oversight for over a decade.
It is not known if government law officers sanctioned the use of the act in this way, but it appears the intelligence and security committee responsible for parliamentary oversight was not informed, adding to the impression of a so-called deep state operating outside the scrutiny of parliament.
by Mike Masnick
Wed, Nov 4th 2015 9:34am
from the and-off-we-go dept
First it notes that under RIPA (the Regulation of Investigatory Powers Act), "CSPs" are already required to maintain "the ability to remove any encryption applied by the CSP to whom the notice relates." In other words, the government is already claiming mandates to backdoor encryption, and then goes on to note:
The Investigatory Powers Bill will bring together these obligations in a single, comprehensive piece of legislation. It will provide an explicit obligation on CSPs to assist in giving effect to equipment interference warrants. Only intercepting agencies will have the ability to serve such warrants, which must be authorised by the Secretary of State. The draft Bill will not impose any additional requirements in relation to encryption over and above the existing obligations in RIPA.So... is that mandating backdoors? It seems pretty likely that the government will use this combination of factors to do exactly that, but claiming that such backdoors are already required under RIPA -- and thus it's not "expanding" those powers, even as it also says that the new bill requires providing "wider assistance to law enforcement" and "intelligence agencies." The explanation does note that "overseas" companies may have some exceptions, but again it's vague. First it notes that "the draft Bill places the same obligations on all companies providing services to the UK or in control of communications systems in the UK" but then the vague exception: "the draft Bill will include explicit provision to take account of any potential conflict of laws that overseas companies may face."
The draft Bill will provide for the Secretary of State to require CSPs to maintain permanent capabilities relating to the powers under the draft Bill. This will replace the current obligation to maintain a permanent interception capability and will provide a clear basis in law for CSPs to maintain infrastructure and facilities to give effect to interception and other warrants.
The new power will also require CSPs to provide wider assistance to law enforcement and the security and intelligence agencies in the interests of national security. This will replace the general power of direction under the Telecommunications Act 1984. The new power will be subject to strict safeguards that will prevent it from being used to authorise any activity for the purpose of interference with privacy, such as authorising or requiring the disclosure of communications data.
Right. Clears everything up.
Meanwhile the draft bill has tons of other problematic language, including requirements for data retention for your web browsing history. Also, it broadens GCHQ's ability to hack into computers around the globe, with the innocuous sounding phrase "authorisations to interfere with property." Specifically with regards to the GCHQ, the bill states:
GCHQ can 'make use of' as well as 'monitor or interfere with electromagnetic, acoustic and other emissions and any equipment producing such emissions and to obtain and provide information derived from or related to such emissions or equipment and from encrypted material'. This clarifies that GCHQ may, in the performance of its functions, make use of communications services in the manner in which it was intended they would be used. This could be used for public communications as well as for investigative purposes.Home Secretary Theresa May's introduction to the draft claims that:
Powers to intercept communications, acquire communications data and interfere with equipment are essential to tackle child sexual exploitation, to dismantle serious crime cartels, take drugs and guns off our streets and prevent terrorist attacks.In fact, the draft is weirdly peppered with "case studies" about gangs, criminals, exploited children and more as if to scream out "WE'RE SPYING ON YOU FOR YOUR OWN GOOD AND THE CHILDREN, SO SUBMIT." This bill is not about protecting the public. It's about giving much more surveillance and spying power to the government. It's about fearmongering to get you to give up your privacy and safety so that the government can have more powers over the general public.
by Mike Masnick
Wed, Nov 4th 2015 6:38am
from the crypto-wars-move-overseas dept
And, now we know that includes mandatory backdoors into encryption -- a stupid and dangerous policy that will directly put UK citizens at risk. While, thankfully, those pushing for crypto backdoors in the US have realized that it's a politically untenable idea, the UK's new "Investigatory Powers Bill" has gone in the other direction, and will mandate encryption backdoors and ban any encryption offerings where there is no backdoor for law enforcement.
Companies such as Apple, Google and others will no longer be able to offer encryption so advanced that even they cannot decipher it when asked to, the Daily Telegraph can disclose.UK Prime Minister David Cameron and Home Secretary Theresa May will undoubtedly make a big show of this over the next few months, claiming that they need this to keep the public safe, but that's a load of hogwash. Backdooring encryption does the opposite. It puts everyone at serious risk. It's a technically dangerous solution by technically clueless people. If there are backdoors in encryption you are opening up a massive attack vector for those with malicious intent -- and that doesn't even get into the question of authorities abusing such powers. This has been explained over and over again, and it appears that Cameron's government simply decided to ignore all the technical experts and go with a "but they have to!" approach.
Measures in the Investigatory Powers Bill will place in law a requirement on tech firms and service providers to be able to provide unencrypted communications to the police or spy agencies if requested through a warrant.
If you recognize the long history of governments using surveillance powers for nefarious reasons this should worry you. But even if you 100% trust the government, this should worry you, because what they're asking for, on a technological basis, is to make your information significantly less safe and much more open to hackers and online criminals.
A Home Office spokesman said: “The Government is clear we need to find a way to work with industry as technology develops to ensure that, with clear oversight and a robust legal framework, the police and intelligence agencies can access the content of communications of terrorists and criminals in order to resolve police investigations and prevent criminal acts. “That means ensuring that companies themselves can access the content of communications on their networks when presented with a warrant, as many of them already do for their own business purposes, for example to target advertising. These companies’ reputations rest on their ability to protect their users’ data.”This belief that law enforcement needs this information to do its job is hogwash. For all of history prior to this, people have had methods of communicating entirely in secret, and since the dawn of civilization it was still possible to track down criminals and conspirators through traditional detective work. This belief that the content of these communications is absolutely necessary would seem to suggest that UK law enforcement is currently terrible at doing its job. I'd like to believe that's not true.
The big tech companies may now face a pretty big fight in the UK. Over the last few years, they've increasingly ramped up their efforts to provide more real privacy solutions that can actually protect your information. The UK wants to send things back to the stone age, and that's dangerous. Hopefully, companies like Apple -- which has made a big show of pushing non-backdoored-encryption -- take a stand here and refuse to give in. And, other tech companies that haven't been quite as vocal, including Google, Facebook, Microsoft and Twitter need to speak out against this, potentially to the point of threatening to pull out of the UK if the government doesn't adjust its policy. Without such a strong threat, it seems unlikely the UK government will recognize just how much danger they're putting the public in with this proposal.