Licence to snoop: Ipso facto, crypto embargo? Draft Investigatory Powers bill lands

The UK government's bid to massively ramp up surveillance of Brits' online activity is due to land imminently in the form of the draft Investigatory Powers Bill. It's not the first time, though: successive UK governments have gone through a series of aborted attempts to push to legislate for the bulk collection of Brit …


  1. Your alien overlord - fear me

    Is this why Microshit is limiting their cloud space? All ISPs will be required to store visited websites and store the URL (and identifying IP, name, D.o.B., email etc) with MicroShit so the NSA can also look without legal oversight.

    1. Afernie

      Uh no, probably not. It's because they were offering unlimited storage and then were surprised when loads of people took them at their word and stored tens of terabytes on Onedrive.

      Hanlon's Razor, etc etc.

    2. tom dial Silver badge

      In addition to Afernie's apt observation, it may be worth noting that this is not at all about the NSA, but about what is thought to be in a proposed act of the UK parliament. The NSA appears to be quite able to take care of its own interests, which do not include nearly all citizens of the UK, any other Five Eyes country (including the US), or other western European countries.

  2. Anonymous Coward

    storage vendors will be rubbing their hands! What a total waste of time and effort this thing is going to be. You might pick up the odd bit of intel from a total feckwit but anyone involved in organised crime, pedos or terrorists are just going to use a PAYG phone and chuck the sim away after they've finished. Once again technical issues being discussed by PPE graduates whose grasp of how these things work is an embarrassment.

    1. Anonymous Coward

      Actually

      Chuck the phone. IMEI traces were used to track US agents in Italy doing naughty things. You would have thought they knew better.....

    2. Daggerchild Silver badge

      Oh I could do much worse with it. This is just the start.

      I'd embed javascript into ads or transient stuff that made your browser silently get URLs from 3v1L places without you knowing, then a few months later I'd bring you to their attention by mentioning you in 3v1L places they monitor. After that you'd have to prove your innocence with your no-evidence vs their indisputable computer-recorded proof that you are an evil terrorist Corbynite.

      At the very least all your computers, phones and pets are confiscated. With a good roll of the dice it may destroy your career and maybe your life.

  3. Tony S

    Follow the money

    Someone, somewhere is determined to make this happen.

    I'm going to go out on a limb and say it's nothing to do with trying to prevent what ever BS they talk about; it is entirely to do with getting access to large amounts of data regarding people's habits that they can then market and sell for stupidly large amounts of money.

    And being cynical, I'd say that someone, somewhere is pocketing some serious dosh to try and persuade the idiots that sit in the HoC that it is actually for the benefit of everyone.

    1. Afernie

      Re: Follow the money

      That may play a part, but I reckon the endgame is much, much worse - something a bit like this

  4. Blank-Reg

    Here we go again. One would hope that some MPs see this for what it is, and put Country before career. However, I fear not.

    If it does pass, how long before some clever social engineering exposes MPs' full browsing history. The squirming and fallout will be delightful to watch.

    1. Anonymous Coward

      put Country before career

      Not a chance. This is the depth of slime we're currently wading through.

      And someone has been DDoSing the fuck out of ProtonMail for the last 12 hours. Just a coincidence, I'm sure.

  5. Gordon 11

    If the website uses https then surely all they can store is the IP address you called?

    As for the LibDem comment - it was dead and buried whilst they were sharing power.

    1. Ben Tasker

      > If the website uses https then surely all they can store is the IP address you called?

      No, they can store the FQDN as well.

      That is, assuming the client used SNI when establishing the SSL/TLS session - take a quick PCAP and look at the initial handshake, you'll see the domain name of the site you're visiting in the early packets.

      Obviously they still can't see whether you visited https://www.google.com/search?q=cuddly+cats or https://www.google.com/search?q=howto+be+a+terrifying+terrorist but they can see the names of the sites you visited.

      1. phuzz Silver badge

        A sufficiently motivated attacker could guess what you're looking at from the size of the transactions and other metadata.

        For example if cuddly_kitten.jpg is 500k and how.to.be.a.scary.terrorist.pdf is 2MB, it's possible for someone with access to your connection to make an educated guess as to what you're looking at.

        1. Ben Tasker

          >A sufficiently motivated attacker could guess what you're looking at from the size of the transactions and other metadata.

          > For example if cuddly_kitten.jpg is 500k and how.to.be.a.scary.terrorist.pdf is 2MB, it's possible for someone with access to your connection to make an educated guess as to what you're looking at.

          True. Though if we're staying on one broad domain (for example working from Google's cache) it's not quite so easy to make that educated guess. Yes it probably isn't an image due to size and time between requests, but what else could it be, there's a large variety of options?

          That all falls apart as soon as you change between domains though (as you would with a Google search). Even if the FQDN wasn't in the SNI exchange, you've still got to place a DNS query. If you're looking at a lot of different sites during the same browsing session, is there any commonality?

          Browsers block it by default now, but one traditional route of leakage was HTTP resources on a HTTPS site, snarf the referrer header from the plaintext requests and you know exactly what your mark was looking at. Something similar can still be done if the HTTPS site is silly enough to carry flash based adverts too.

          Basically, yeah, if the person watching is sufficiently motivated, there's not an awful lot you can do to keep that information secret, but there's plenty you can do as a "casual victim" to make it harder for someone to peruse

  6. Sir Alien

    All that will happen now...

    Is that people who want to keep some data private (or criminals too) will simply use VPNs to countries with more strict privacy rules (or countries that don't give a crap what the UK government says)

    Outlaw VPN I hear you say? Well prove it is in use as you can simply do SSL VPN over port 443 which is normally used for encrypted web traffic. Oh wait, let's ban encryption altogether so now you must let us see what you do in plain text.

    You can no longer speak in code words either, obviously only terrorists do that.

    Please stop this planet so I can get off.

    - S.A

    1. Ben Tasker

      Re: All that will happen now...

      > Well prove it is in use as you can simply do SSL VPN over port 443 which is normally used for encrypted web traffic

      Traffic rate analysis will soon tell you whether it's an "ordinary" HTTPS connection, someone streaming HAS video or a VPN link. So it's not bullet proof, it just increases the cost of the monitoring kit we, as customers, have to pay for

      1. Anonymous Coward

        Re: All that will happen now...

        Yeah until we overcome that by doing traffic mimicking. Good luck with your analysis.

        If there's a will, there's a way.

        1. Ben Tasker

          Re: All that will happen now...

          Have you ever tried running and analysing cover traffic? It's not nearly as straightforward to get right as you make it sound.

          Not to say it's impossible to do right, just that most attempts at cover traffic are quite easy to spot if you sit and watch behaviour for a while first. What it does do though, is raise the effort and expense of doing traffic pattern analysis, which is never a bad thing

  7. Uffish

    What's next?

    A total ban on whispering? "It's not fair" say spooks "we can't listen in".

  8. Anonymous Coward

    The Tories are now, officially, Bond Villains.

    Seriously, watch Spectre. A massive expansion of government powers- disliked /by a bit of the security services that exists to shoot people the government doesn't like/ features heavily.

    It should be a piece of piss to get this bill knocked back. But will they?

    1. Sir Alien

      Re: The Tories are now, officially, Bond Villains.

      The party in power is irrelevant as they all seem to be doing the same. Tories, Labour or <insert party of choice>. If they did not do it, the next party in power would have, like it or not.

      - S.A

    2. Warm Braw

      Re: The Tories are now, officially, Bond Villains.

      Well, my analogy is that it is the "Section 28" of the 21st Century: an opportunist attempt to exploit (and indeed encourage) fear and paranoia for the purposes of throwing the increasingly fractious right wing of the Tory party something to chew on. It may even help Theresa May in her leadership ambitions - it certainly didn't hurt David Cameron that he'd campaigned against the repeal of Section 28. On the other hand, once he became leader Cameron had to apologize and perhaps the same fate awaits Ms May.

      Where the analogy breaks down is that the early indications from the newly old Labour party are that they're going to back it too, presumably because they feel that their lack of clarity on defence policy needs to be protected from further scrutiny. Unlike their constituents' browsing habits.

    3. Anonymous Coward

      Re: The Tories are now, officially, Bond Villains.

      'It should be a piece of piss to get this bill knocked back. But will they?'

      Of course not, the Tories who don't want the state interfering in things that matter are gagging to impose this law. Labour's shadow Home Secretary is Andy bloody Burnham who tried to drive ID cards on to the statute book.

      Anyone who stands up against this bill will be portrayed as a Friend of Savile (by the people who protected Jimmy Savile for so many years) or a wannabe jihadi.

      1. Anonymous Coward

        Re: The Tories are now, officially, Bond Villains.

        The BBC R4 Today programme had two interesting interviews. An IT industry person explained coherently why the proposals are bad. The Police spokesperson making the case for their "Operational" reasons just kept rolling out examples of child abuse and missing teenagers on the run from homes. In other words the only card they are playing is the emotional "think of the children". She apparently agreed that the really big criminals would have the resources to evade the surveillance.

        It seems to me that the Police's stated needs are all suspect.

        1) terrorists and organised crime aren't going to use the obvious communication channels.

        2) most child abuse occurs in the home.

        3) the "war on drugs" has never worked. Use should be made legal like alcohol - and the manufacture and sale regulated for safety as a health issue.

  9. lurker

    PGP

    So would PGP become outlawed in the UK as a result?

    I thought we'd already been through all this in the USA decades ago. Maybe it's time to dust off the RSA algorithm t-shirts. You can't outlaw maths, clueless government is clueless.

    1. This post has been deleted by its author

      1. David Roberts

        Re: PGP

        Since when? I've dealt with Nominet without using PGP.

  10. Tachikoma

    Hmmm... anyone else notice CCDP is only one letter iteration away from CCCP?

    Confirmation May is a (wannabe) Communist dictator!

    1. CCCP

      Now you've made my user name feel dirty! Euurgh.

    2. Jellied Eel Silver badge

      CCDP? Certified Cisco Design Professional?

      It's strange people are up in arms about our security services wanting to do this, yet many are happy for Win10 or Google to hoover up far more personal information.

  11. Anonymous Coward

    Sounds foolproof to me....

    C:\> backdoor.exe file.dat

    UK Gov Backdoor Decrypt version 1.0

    Are you REALLY authorised to decrypt this file? (Y/N)

    >

  12. Teiwaz

    UK=Airstrip One

    This is another step toward a Secret Police State...

    I do hope Theresa May doesn't end up as the image for BB, I don't think I could put up with the 'Sea Devil' glaring at me from every screen 24/7.

  13. Neil Barnes Silver badge

    For the first time ever

    I have been moved to write to my MP.

    Usually I restrict myself to haranguing him on the doorstep once every five years.

    1. This post has been deleted by its author

    2. Anonymous Coward

      Re: For the first time ever

      Just type it into Google. He'll see it.

    3. Anonymous Coward

      Re: For the first time ever

      Think yourself lucky that you get to meet your MP.

      My constituency is gerrymandered with a vast area of rural England, thus guaranteeing an easy Tory majority regardless of the urban plebs like me. My honorable representative doesn't feel any need to bother with people that don't drink in the same gentleman's club.

      Needless to say, any letters to him receive a patronising template reply.

      1. Ben Tasker

        Re: For the first time ever

        > Needless to say, any letters to him receive a patronising template reply

        My MP sends those for any issue she officially disagrees on. More than happy to send something slightly less patronising when she agrees with what you're saying though -they're on our side and all that.

    4. My Alter Ego

      Re: For the first time ever

      You've met your MP? Mine was parachuted into a nice safe constituency, so has never seen the need to show his face.

      I've written to my MP - in a different constituency - before, it was regarding BT's Phorm fiasco. He sent a very nice reply that pretty much quoted Phorm's PR rubbish, with the "opinion" that I needn't worry because they say so.

      Interestingly enough, there are some parallels between the two. The difference being that was one to make money and the other is to save us from 8ft tall terrorists with laser beams under their moustaches.

      1. Grahame 2

        Re: For the first time ever

        Although sad to say the vast majority of people don't really understand the issues, many people do care or did care. I say did care, they probably still do, but are suffering from fatigue, the powers that be will keep resurrecting these proposals until they pass, either in whole or as many parts to be assembled later by statutory instrument or generous legal interpretation.

        Many that have had the 'pleasure' of seeing the physical inner workings of a UK ISP will know the technical capability has been well established for over a decade.

        I repeatedly explain to the 'nothing to hide, nothing to fear' brigade, that I am not that bothered about my Internet activity being examined by the security services, it would be a rather boring waste of their time and our money. I do however want it to be possible for those with power, state authorities and corporations to be held to account when they break the law or act against the public's interest.

        At present you have to be pretty dedicated / insane to be a whistle-blower, when it involves any part of government or secret sweetheart deals between big business and government, usually backed by the old revolving door. As HMRC has shown they are happy to use the apparatus of the state, sold to the public on the basis of protecting them from terrorism, to track down those telling the public of private tax deals.

        The surveillance is here, it is not going away, it is going to get more pervasive and capable. All we can do is press our so called elected representatives for accountability. I have written to my MP three times over the years, always reasoned and polite about the need for oversight.

        I only ever received one response which was clearly a stock letter saying that 'there are threats the public are not aware of, and just accept that these powers, although vaguely defined are for my own good'

        I must admit fatigue has begun to set in, my MPs clearly don't see it in their interest to fight the tide, and as we move ever closer towards more Corporatist government the best policy might be just to be mindful of what I say and don't draw attention to myself. I don't want to be secretly classified as a 'non-violent extremist' whatever one of those is.

    5. Anonymous Coward

      Re: For the first time ever

      What? You actually get to see your MP in person? Ours is just a name on a ballot paper.

    6. Bronek Kozicki

      Re: For the first time ever

      Yeah, I will write to mine too. But first I need to read this bill, or at least its analysis.

  14. Grahame 2

    ubiquitous vs targeted

    It seems to be that for just about every terrorist atrocity committed in the west, the perpetrators were known to the security services for some considerable time, warranted monitoring of targeted individuals and websites can be done within the existing laws and with considerably less legal/moral issues, monetary expenditure and technical problems than implementing ubiquitous surveillance of the entire population.

    This is about something else, money, power and control.

    You don't need a tin foil hat to see the money angle, the amounts of taxpayer money being funnelled into this will be huge, hopefully (in the eyes of the beneficiaries) replacing that of traditional military spending, which is proving increasingly difficult to justify without actually fighting wars. Wars are proving to be more complex and problematic than they once were. Often it is the same security cleared defence contractors that will be supplying the surveillance infrastructure instead of weapons.

    The power and control angle may seem a little more towards the metallic lined headwear brigade, but it is not hard to see that the world economy is going to be seeing some rather significant 'rebalancing' as globalisation advances. Increased unrest is a likely outcome, so it will become increasingly important to control the public narrative. To this end it will be necessary to monitor the public mood and to disrupt and eliminate elements that threaten the official narrative; campaigners, labour unions, activists, journalists, whistle-blowers etc.

    That is why surveillance has to be ubiquitous and unaccountable, not targeted or accountable.

    </devil's advocate>

  15. alain williams Silver badge

    How times change ....

    30 years ago: British politicians were loudly telling us that life in East Germany was bad and that the Stasi watched your every move, spies everywhere!

    Today: British politicians are trying to out spy the Stasi - we are now more snooped on than East Germans ever were and they want to make it worse.

    1. Anonymous Coward

      Re: How times change ....

      Trying? The Stasi only had enough to fill the one building in paper form.

      1. Mark 85

        Re: How times change ....

        They (the Stasi) were better informed since their info was targeted. Then again, if they were around today, they would be doing massive surveillance. Oh wait... nevermind... the 5-Eyes and every other country seems to have left the Stasi in the dust.

  16. Zimmer

    All the better to control you with....

    ..and those who could access this wonderful store could find/plant anything they desire and use it for leverage on anyone; MPs (government and opposition), Ministers controlling budgets, you, me...anyone...

    Large Tinfoil hats all round, chaps... and my coat's the one with just cash in the pocket...

    1. Grahame 2

      Re: All the better to control you with....

      Indeed, one of the big issues raised by the 'licence to hack' is that once a computer is compromised, it is just as easy to upload as it is to download.

      As I think has been mentioned in Snowden documents the possibility to upload 'multimedia content' that will result in the target's reputation, social standing and even liberty being taken / destroyed.

      I don't have to spell out what that means. Any state hacking needs to be subject to total monitoring and oversight by totally independent authorities, preferably working under double-blind conditions.

  17. Anonymous Coward

    is currently putting a 0 iframe on all of his sites pointing to massively unsavoury places on the web

    safety in numbers eh

  18. xj650t

    And what happens

    When your ISP gets hacked (Talk Talk?) by some script kiddies in (insert random country) and all your browsing history ends up on PasteBin.

    I'm sure the prospect of a 2 year stretch for "knowingly or recklessly obtaining communications data from a telecommunications operator without lawful authority" will put the willies up them.

  19. Anonymous Coward

    Not news

    The Government already has access to this information, after having installed "black boxes" at all ISPs about a decade ago. All this does is put it on a legal footing. James Bamford in his book "Shadow Factory" explains this has been going on for some time (and pre-dates Snowden). See for example:

    Government plans for 'black box' web surveillance take shape

    Fri Nov 07 2008

    http://www.theinquirer.net/inquirer/news/1049564/government-plans-black-box-web-surveillance-shape
