Controversial New UK Internet Powers Bill Makes No Mention of VPNs (thestack.com) 115
An anonymous reader writes: The Draft Investigatory Powers Bill presented by the UK Home Secretary Theresa May to Parliament today has caused controversy because it proposes new legislation to force UK ISPs to retain an abbreviated version of a user's internet history for a year, and would also oblige vendors such as Apple not to provide consumer-level encryption that the vendor cannot access itself in accordance with a court order. But perhaps the most surprising aspect of DIPA is that Virtual Private Networks are mentioned nowhere in its 299 pages, even though VPNs are a subject of great interest to Europe, Russia, Iran, China and the United States.
The contriversial parts in brief. (Score:5, Insightful)
Demands to ISP:
1. Log every website any of your customers visits and store it for a year.
2. We're not going to tell you how. That's your problem, but if you can't figure out a way we'll probably fine you. No, we're not excluding SSL.
3. You are paying for it too. Just pass the costs on to your customers or something.
Re:The contriversial parts in brief. (Score:5, Insightful)
Yep, it's the web tracking that makes this bill awful. If it weren't for that section the bill wouldn't actually be that bad as security bills go because it's largely an improvement on the status quo - i.e. bringing the judiciary into the issuing of warrants for digital searches and interception is a good thing and an acceptable measure IMO. We already allow judges to issue warrants to smash people's doors down and that's typically seen as acceptable, so I have few qualms with a digital equivalent. Our judiciary are typically good on this front and I have far more trust in them than I do the Home Secretary. The other stuff about banning VPNs and encryption was, as I suspected, bullshit, and the bill says nothing about these things contrary to claims in the summary.
But the web tracking needs to be stopped, Theresa May has completely understated the implications of what she's proposing claiming it's just like an itemised phone bill. It's not. An itemised phone bill at best tells people who you've called. A list of domains you've visited can tell people everything from your sexuality, to where you shop, to where you bank, to where you plan to go on holiday, to where you work, to who your service providers are, whether you're having or seeking to have an affair (e.g. Ashley Madison), where you get your news from, and so on. As I understand it, the security services weren't too bothered about this power (presumably because they're already intercepting way more than this), and it was actually the police that pushed for this particular measure and yet it's the police I trust with access to this data the least because the police have the lowest barriers to entry, the largest staff count, and the greatest interaction with the public that they can now spy on and so are the most likely to abuse it.
It's this argument I'll be making to my MP but I don't hold up much hope for this being blocked given that unsurprisingly Labour backs it in part because one of the biggest slimeballs in partliament, Andy Burnham backs it, and Corbyn still seems to be unable to find anything even slightly representing a spine when he now needs it the most since he's, you know, supposed to be some kind of leader now. Mass use of VPNs by the public will be the only realistic option to fight this.
Re: (Score:2)
It's not true to say that they can't tell which individual pages you have visited either. If you visit a page that pulls an image from random-cdn-732420.com, and it doesn't appear on any other page...
Re:The contriversial parts in brief. (Score:5, Insightful)
I've been following this issue and have not yet heard the following question/argument raised.
Leaving aside all the usual privacy arguments and the slippery slope case of a reasonable regime now going bad in the future, there's still a practical question which would have less impact on privacy and costs.
"Why are you tracking all the users and generating a huge 'haystack' of noisy data when you could track the 'needle' instead?"
In other words, why track every member of the public to see if any of them view moneylaunderingterroristpaedophiles.com instead of just looking at subscribers to that site?
Focusing on a small range of IP addresses and then looking at address headers should be relatively easy.
Even the effort of maintaining a 'naughty list' of 'bad' sites must be easier than sifting through petabytes of ISP logs.
Re: (Score:2, Insightful)
Both too many needles and too much hay. Looking at relationships, though: if you and I both go to MadMidnightBomber.com then we may know wach other, at least tangentially, and if we also go to a few other obscure forums then it becomes more likely. It's a Big Data approach that ... might work.
And in the meantime, it lays a wonderful volume of data for scope creep and data leaks (see Talk Talk - yay kid, all your porn habits are public in the brave new world). The fact that the ISP is supposed to secure t
Re:The contriversial parts in brief. (Score:5, Insightful)
In other words, why track every member of the public to see if any of them view moneylaunderingterroristpaedophiles.com instead of just looking at subscribers to that site?
You've completely missed the point of why they want to do this.
They don't care at all about this data. What they care about is that GCHQ, MI6 etc can continue to capture everything in a dragnet (something that they claim was already allowed but was kept so secret that even most of the people in the organizations that were doing it didn't know it was happening.
They need a way to use that dragnet without admitting to actually capturing everything and possibly decrypting some of it. They'll use the records collected by the ISP to build a case against someone.
Once they get good at bulding cases that judges like they can use those skills to take the data from the ISPs to build a case against anyone they don't like for any reason.
Given the dozens of different domains that data is fetched from for any given page I suspect there's an almost unique fingerprint of connections for many webpages.
If this bill passes you will also no longer be able to trust things like the raspberry pi - in fact, any hardware made or assembled in the UK will be suspect.
Re:The contriversial parts in brief. (Score:5, Interesting)
"You've completely missed the point of why they want to do this."
EXACTLY
And, being an old cynic, that is probably why this question has never been aired on the news, TV, radio... etc (newspapers are a lost cause in the UK).
Re:The contriversial parts in brief. (Score:5, Interesting)
Yes, this has always been my concern with most internet monitoring laws, and Theresa May even said it herself once without quite grasping what she'd actually said, saying one thing and thinking it meant another. She once said "We need to build a bigger haystack". No we don't Theresa, we need to get better at finding the fucking needle, not make it harder to find.
Perhaps the biggest argument I've often made for this is the fact that every single time there is a fucking terrorist attack in the West, it turns out that the perpetrator was known to security services. Lee Rigby's murderers were held by Kenyan security services and MI5 tried to recruit them. The 7/7 and Glasgow airport attackers had all previously been on MI5's radar. The Charlie Hebdo attackers were known to French security services, as was Canada's parliament attacker. The US security services had been alerted to the Boston bombers by the Russian security services. It's the same story time and time again, these attackers don't turn up out of the blue, consistently they're people who have long been on the radar and have reached a point of radicalisation where they decide to cross the line. If we can't even stop people that we know think this sort of terrorist attack is okay, then what the fuck will logging everyone's data achieve? Already security services can't properly vet the risks of people they know about, so even if they get good at pulling additional people out of this data, then what use is that if they still can't properly vet them anyway?
Given that this is something that's being pushed for by the police, my suspicion is that they're basically asking the UK to give up privacy simply so that the police can catch the low hanging fruit - people who visit known paedophile sites without any kind of obscuring of that fact (for example, by using Tor). They want to be able, once a year, to grab the list of data, compare it against a list of known paedophile websites, and then go out and do a massive publicity gandering raid where they bust down the doors of the hundreds of people they find on this list and then claim yeah, we smashed a massive paedophile ring, not giving a toss about the innocents caught in the crossfire because their PC had been hacked and used as a proxy for the actual perpetrator, just like last time they did this sort of thing after the authorities in America sent them a massive list of credit cards used on such a website.
You'll have to excuse me therefore if I'm not convinced that this justifies the death of privacy.
I think you're right to cast aside the slippery slope argument FWIW, I don't put much weight in that view. Frankly if government goes bad, then it'll do that anyway regardless of what the law says - I've not seen the US constitution have any effect on flagrant violations by successive governments in the US since 9/11 for example. I don't think it's worth worrying about slippery slope stuff because if government goes bad you're already fucked regardless of what the law at that point pretends your rights are.
I think it's far better to concentrate on the actual problems here and now, rather than worrying too much speculating or screaming about slides towards police states and so on- that type of argument never gets us anywhere, because most people in the general public scoff at it and see it as nonsense. It's far better to simply focus on making it clear to people that this move wont have any impact in preventing terrorism, and will mean the police will know everything about their lives.
And another thing (Score:3)
I know replying to yourself is bad form but...
The second question that's never asked is
"If you can remotely 'hack' phones and computers to eavesdrop, surely you can also place evidence and forge records"
In other words, how on earth can this 'evidence' be considered reliable and trustworthy?
Re:And another thing (Score:5, Interesting)
The problem is that such evidence is usually secret, so it is impossible to argue against in court. The security services get to show it to the judge, and it's up to him to question if it would allow evidence to be planted. The defendant and their legal team doesn't even get to see it, or know the nature of it.
There is also parallel construction, which would mean that evidence of hacking could be hidden entirely from the court.
Re: (Score:2)
Theres already a precedent for that in the USA; plea bargaining "I know I'm innocent but I agree to lie under oath to get a reduced sentence since you are going to find me guilty anyway".
I don't think they allow quite this level of judicial corruption in the UK *yet*.
Just a power grab (Score:3)
If we can't even stop people that we know think this sort of terrorist attack is okay, then what the fuck will logging everyone's data achieve?
Power. Influence. Fear. Control.
This has nothing to do with terrorism and never did. "Stopping terrorism" is just a means to an end, not the end itself. Like you point out, I'm not aware of a single instance where the criminals were not already known to the authorities for reasons that had nothing to do with their facebook status. This is the police and intelligence services doing a power grab under the fig leaf of "combating terrorism". Much like the TSA in the US it won't result in any actual terro
Re: (Score:3)
Perhaps the biggest argument I've often made for this is the fact that every single time there is a fucking terrorist attack in the West, it turns out that the perpetrator was known to security services.
While I agree with your sentiment, the corollary to that is just how many people are known to the security services? How many people do they try and recruit? We're turning into East Germany in the 1970s except that we have better technology and we're actually voting the fuckers in.
Re: (Score:3)
Two reasons. Firstly they want the ability to retroactively spy on people. If they have a suspect they don't want to wait to see what they do in the future, they want to fit into their past behaviour. There may be evidence of crimes in there, they argue.
Secondly, any kind of targeted monitoring will attract additional oversight. They don't want that. The current proposal is that a police officer would ask his colleagues for "permission" to view someone's browsing history, with minimal paperwork and scrutiny
Re: (Score:3)
"Why are you tracking all the users and generating a huge 'haystack' of noisy data when you could track the 'needle' instead?"
A possible scenario is that Joe Bloggs is arrested for say drug dealing. They find that Joe Bloggs has 3 mobile phones and 1 ADSL connection. They contact those providers for a list of domains/times/IPs which messaging services were accessed. They use those details to make a request to the messaging providers for access to their messages to see who he contacted.
I imagine this would be cheaper/quicker than trying to forensically examine the devices. It won't catch any savvy criminals but that also wouldn't h
Re: (Score:2)
Re: (Score:1)
Yes it does. It doesn't hide the *domain* you visit. Excepting multiple CN / wildcard certificates (where you still know approximately the site they visited) and certificates where the common name doesn't match the domain you entered.
Re: (Score:3)
And the government knows that, and in fact May has said repeatedly that the data stored wouldn't include the specific pages you visit but only the name of the website.
The Tories, of course, are painting this as a nuanced compromise with civil libertarians rather than what it is - a pragmatic acceptance that SSL isn't going anywhere so the SNI field (and IP addresses) is all the ISPs can actually see.
Interestingly, there are proposals to encrypt the SNI. That would lessen the data ISPs can log yet again, pro
Re: (Score:3)
We really need to keep pushing hard to encrypt everything that it is possible to encrypt. Progress is already being made on having most sites use HTTPS by default, and SNI looks like a good target for an RFC because once adopted by a relatively small number of CDNs it will do an huge amount of good.
DNS requests and email headers are the other two big issues that needs to be addressed. I'm surprised there is no standard for encrypted DNS yet, can someone explain why it isn't a thing? Even email looks doable,
Re: (Score:1)
I'm surprised there is no standard for encrypted DNS yet, can someone explain why it isn't a thing?
Isn't that what DNSCurve (http://dnscurve.org/ [dnscurve.org]) is about?
Re: (Score:2)
Great. So why hasn't it been adopted? Wikipedia seems to imply that it works and Google liked it.
Re: (Score:1)
Reading the draft bill it's not just web tracking - all IP connecttions would be covered...
Quote:
INTERNET CONNECTION RECORDS
What are they?
44. A kind of communications data, an ICR is a record of the internet services a specific device has connected to, such as a website or instant messaging application. It is captured by the company providing access to the internet. Where available, this data may be acquired from CSPs by law enforcement and the security and intelligence agencies.
45. An ICR is no
Re: (Score:2)
Reading the draft bill it's not just web tracking - all IP connecttions would be covered...
Quote:
INTERNET CONNECTION RECORDS
What are they?
44. A kind of communications data, an ICR is a record of the internet services a specific device has connected to, such as a website or instant messaging application. It is captured by the company providing access to the internet. Where available, this data may be acquired from CSPs by law enforcement and the security and intelligence agencies.
How are they intending to which Specific Device on a LAN behind a router using DHCP is making the connection? If there are connections, at different times, to a number of services from a particular IP address, how can they tell if it is same device connecting to those services?
Re: (Score:2)
Technical issues like that are for the ISPs to figure out. The government only demands they do so somehow.
Re: (Score:2)
...web tracking that makes this bill awful.
That and the fact that the authorities won't need a warrant to access this data. fishing trips are going to get very popular.
Re: The contriversial parts in brief. (Score:2)
Re: (Score:2)
Re: (Score:2)
A list of domains is also fairly useless, for instance advertising banners often reside on different domains to the site displaying the ads so the logs will show that you visited the domain on which the banner is hosted.
Re: (Score:2)
It's enough to know that you visit squidporn.jp every week or so, which is quite enough to be useful if you threaten the powers that be.
Re: (Score:2)
Not really, it's enough to know that a user from your line retrieved at least one file from squidporn.jp, but you cant tell if they actually visited the site or visited another site which had an advertising banner or included script.
Re: (Score:2)
It would give approximate frequency of access too. There has to be a time limit for considering multiple connections part of one session.
Re: (Score:2)
>bringing the judiciary into the issuing of warrants for digital searches and interception is a good thing
It doesn't do that though.
The warrant is issued by the politician, the judge merely assesses whether it's all been done according to the offical proceedures in place; the judge doesn't determine whether it's a legit target or is proportionate or anything.
The politicians and their corporate sponsors are still fully in charge.
Re: (Score:1)
I do not read this as a blanket demand that all ISPs log everything, it is a lot more targeted than that, there are very definite limits on what kind of data can be held and retention notices must be issued and justified.
Clause 71: The Secretary of State may order an ISP or group of ISPs to log specific data for a max of 12 months (type of data defined and restricted elsewhere)
Clause 72: They cant just order it willy nilly, it has to be appropriate and feasible
Clause 73: Any such ISP can appeal, the board a
Re: (Score:2)
Demands to ISP:
3. You are paying for it too. Just pass the costs on to your customers or something.
Wouldn't that be the saving grace? If every ISP in the UK add a 5 GBP/Month surcharge to cover expenses, people will notice and react.
Re: (Score:2)
All you need to prevent this type of idiocy is a law that requires:
4. The politicians who pass this law will be the first ones monitored as the law requires, and the results of said monitoring will be fre
Re: (Score:2)
The bill explicitly excludes them from monitoring by making it clear that the Wilson Doctrine also applies to internet traffic.
The commoners get to be monitored by the government, but MPs still value their own privacy.
The previous article was speculation (Score:1)
The draft bill says nothing of the sort.
It does say something that suggests existing law (RIPA) already made this the case, but if that was the case, vendors would not be providing unbreakable encryption.
Re: (Score:1)
Re: (Score:2)
Encrypt everything (Score:3)
Encrypt everything and take no prisoners. Bring the control freaks down. The future will not be stopped.
Re: (Score:2)
Good luck with that? My VPN endpoint is in another country as is the company. They're going to have to do a ridiculous amount of enforcement and blocking, much of which would wind up contravening WTO treaties, to actually limit it.
Of course the fact you need this service is still ridiculous.
Reciprocal Round Trip VPN (Score:1)
I could see ISP's automatically pass all client connections through dedicated VPN services of reciprocal ISPs who are out of juristication and just wipe their hands of the whole mess as all their clients are only visiting the same website in country XYZ.
So UK ISP sends all client traffic to FR ISP's VPN and the FR ISP round trips that traffic back through the UK ISP's VPN. So when the UK government ask the ISP's where their citizens are websurfing they can just say France. Of course latency will suck but i
Re: (Score:2)
It doesn't work this way. Novadays e-commerce websites love to use GeoIP to locate their customers.
So, when I connect Moscow, Russia online shops via VPN endpoint on Germany, I typically see just "This item doesn't ship to Germany". So, I have to maintain sophisticated proxy configuration, to distinguish between local online services, which I have to go directly and informational web sites, which I can access via proxy to bypass Russian internet censorship.
Of course, it makes my ISP able to tell police whic
Re: (Score:3)
Re: (Score:1)
GeoIP is overrated. VPNs help make it meaningless.
I believe that, but you need to convince the CEOs of all the online stores, content providers, etc. They don't care about losing the 1 or 2 out of 100 customers who actually know what a VPN is and bother to use one. They're OK with GeoIP being "eh, close enough" as long as it prevents some fraud/content being viewed in a different country/etc. It's one thing if you're just reading text-based sites over your VPN, but if you try to conduct any business at all, you soon realize how many companies are sold on t
Re: (Score:2)
BBC iPlayer is probably more of an issue that e-commerce ever will be.
They say you get the government you deserve... (Score:2)
Great job electing a bunch of right-wing assholes yet again, England.
Re: (Score:3)
Only 24 out of every 100 adults voted for the asshats. It's the electoral system that screws us, but the only people who can fix that are the very asshats themselves... well, until the revolution! Now if you'll excuse me, it's Nov 5, I must... attend to other matters.
Re: (Score:1)
If we switched to proportional representation, then we'd have a Conservative/UKIP coalition. Is that what you'd prefer?
Re: (Score:2)
And a further 33.9% didn't care either way...
As they say on Wikipedia: [citation needed].
Those 33.9% weren't asked how they felt about this particular issue. Maybe they really didn't care which representative got elected, when none of the available (and viable) candidates actually represented their views. Maybe they did care, but voting for a candidate whom they agree with on this issue would mean compromising on some other issue that matters to them at least as much; it's not uncommon or unreasonable to have more than one issue that matters to you. O
Re: (Score:2)
This bill is supported by both Labour and Conservative. So that means at least 44% of voters voted for the "asshats". And a further 33.9% didn't care either way so I don't see why their opinion matters.
Alan Johnson didn't even know what it says. Watch from 11 mins: http://www.bbc.co.uk/iplayer/e... [bbc.co.uk]
If we switched to proportional representation, then we'd have a Conservative/UKIP coalition. Is that what you'd prefer?
Only if people voted exactly the same way (which they wouldn't) and we didn't use an electoral system that asks the voters about their opinions on all the candidates eg STV.
Re: (Score:2)
I don't think we can lay all the blame on the asshats. The British people were given a choice to reform or stick with what we have. The Alternative Vote might not have been perfect, but it was a lot better than what we have. The main objections people seemed to have were "I don't understand it" and "the loser can win", which both boil down to basically the same argument: "hurrr duhhh I'm a fucking moron who is too apathetic to understand a concept easily graspable by the average 8 year old".
I fear that even
Re: (Score:2)
The problem is that the UK elects almost entirely based on economic competence. I believe that not one election in the last 100 years has been won by anything other than the party that was polling highest in public perception of economic competence at the time.
The fact is, that this election, the Tories were the only ones that put forward a compelling argument that they were the most economically competent. Labour was still fumbling over what it's economic policy even was frequently contradicting past claim
To paraphrase a music industry executive ... (Score:2)
âoeMost people, I think, don't even know what a rootkit is, so why should they care about it?â
âThomas Hesse
âoeMost politicians, I think, don't even know what a VPN is, so why should they care about it?â
"Communications website" (Score:1)
From BBC news: the Home Secretary said, "They would only be able to make a request for the purpose of determining whether someone had for example accessed a communications website, an illegal website or to resolve an IP [internet protocol] address where it is necessary and proportionate to do so in the course of a specific investigation."
Tell me minister, what's a non-communications website? Last I heard, communications meant literally any situation where information is transferred, from checking rugby scor
Excludes VPNs? I am not sure this is true. (Score:2)
Peaceful Protest (Score:2)
I would like to suggest a peaceful protest:
On Monday the 9th November, the day after we remember the men and women that fought for our freedom, don't throw your poppy away instead mail it to your MP at the House of Commons in protest against the Investigatory Powers Bill. Perhaps if they get enough poppies they will remember.
House of Commons
London
SW1A 0AA
Brilliant - This means... (Score:5, Interesting)
That the Gov cannot gain access to modern Apple and Microsoft devices. This legislation wouldn't be necessary otherwise. Microsoft and Apple have genuinely closed the encryption / key loopholes that would allow the authorities to force them to unlock these devices.
This is excellent news, now just to get this bill junked.
Jason.
Re: (Score:2)
No they can just demand you hand over the password, and if you don't throw you in jail for up to three years. Now of course is the evidence on the device might put you in jail for more than three years it would make sense to refuse to hand over the password, especially as almost all sentences in the U.K. run concurrently.
Re: (Score:1)
Re:Brilliant - This means... (Score:4, Interesting)
It's been suggested that if manufacturers are forced to remove encryption from their devices they should simply leave the UK market. I'd support that. Voters are pretty apathetic but take away their iPhones and there will be a revolution.
Re: (Score:2)
Re: (Score:1)
The U.K. government.
It actually says nothing of the U.S.A.
why to use a VPN (Score:2)
Politics will always run behind state-of-the-art (Score:2)
We do not know what we are doing. (Score:1)
If I want a job in IT, I need to learn it, understand it, get experience, pass an interview and, most importantly, know what I am doing. Whereas politicians just need to be elected and have a network of connections. I wish one day politicians would have to take mandatory 'entry exams' related to the department they are applying to. A degree in the field wouldn't be bad either. Perhaps then we would have the rig
VPNs will come later (Score:2)
Re: (Score:2)
No, they have a weak majority in the commons and no majority in the lords. They've actually scaled back a lot of controversial parts of the bill for this reason - they want it to pass, that's why apart from web tracking this is a relatively tame bill.
Things like VPN blocking were axed because they couldn't face yet another rebellion in the commons, or another defeat in the Lords. 75% of the governments bills in the 6 months they've been in power have been defeated in the Lords so far.
VPN blocking wont be co
Re: (Score:2)
If you look at the draft it doesn't mention ISPs either - VPN providers are just "telecommunication operators" providing a "telecommunications service", see Section 193-195 for the definitions used:
>"Communication”, in relation to a telecommunications operator, ..." //
telecommunications service or telecommunication system, includes—
(a) anything comprising speech, music, sounds, visual images or data of any description
(b)
Also the definition of data made be chuckle, it means anythin
Re: VPNs will come later (Score:2)
Re: (Score:2)
The lack of new laws or gov demands that VPN's in the UK are transparent to or responsive to UK law enforcement requests is telling.
A weakness in the code use, OS or networks would seem to allow gov's to track back the original ip.
Use a proxy (Score:2)
The bill says that ISPs are to store the domain name that you visit and not the page or anything you pass to it. So they could tell that you would have gone to Google or Bing but not what you searched for. But if you sent everything to a proxy server beyond your ISP then all they see is a bunch of connections to the proxy.
Re: (Score:2)
There's a reason for that that has nothing to do with government intentions.
Google and others have enabled full encryption for even search terms. Without SSL man-in-the-middle attacks that are plainly obvious on systems affected by them (depending on the root certificates chosen to be trusted), you can't even get that information.
And going through Google "officially" was something they always could have done. They have no interest in actually obtaining warrants etc. to do this. They want to just sniff tr
Re: (Score:2)
I just used Google and Bing as an example. I know that the when using SSL they can only see the host. But my point was if you are on a site that doesn't support it and you visit abc.co/page1.html then the bill says the ISP only has to store abc.co.
But if you set up something so that all of your browsing looked like
redirect.me/abc.co/page1.html
redirect.me/abc.co/image1.png
then all the ISP would ever save is the redirect.me for all of the sites that you ever visit.
Re: (Score:2)
The GCHQ has a few options to get past the average VPN use. Credit card use would point to a user buying the service. A change in a users logs from varied every day domains to a wall of VPN use.
The very act of buying into a VPN is removing anonymity detectable on any UK providers logs.
The question then becomes who is the user, why are they not trusting in their own nations data safeguards and risking their UK data with other random nations staff for ~$5~$1
Rise of the Corporations? (Score:1)
It would certainly provide a simple & effective (if costly/expensive) solution to the issue for the big Orgs (eg Apple, Google, etc).
If Apple & Google were to stop selling all of their tech products in the UK, and add a disclaimer to anyone buying their equipment that it is not legal to purchase it in the UK, then I suspect the outcry would be heard on Pluto :P
If ALL of the tech companies that support encryption did this, the UK would quickly find itself sliding into tech oblivion, if it didn't chan