61 posts • joined 13 May 2009
Re: Well we almost had it
I don't think that is entirely true. Sure, the N900 only sold to geeks (like me) but my wife is a normal business user and she really dreads the day she is going to have to stop using her Blackberry with its usable keyboard, and go to a touch keyboard. I still think the problem is that Blackberry really screwed up, lost its business customers to the (shiny) iPhone and collapsed in market share. Now no one is willing to buy Blackberries (no apps, end-of-life could happen any day, no one has a BES any more) even though a lot of the business users would really like a keyboard.
No review of punishments for misuse of our data?
Have I misunderstood the article or does it really say that the current government review of the penalties is only about the penalties for stealing the data, not the penalties on data controllers for losing or misusing the data? This seems to be about increasing the punishment for the evil hackers instead of increasing penalties for those who do not apply sufficient care to protect our data or (worse) deliberately misuse the data.
Fines aren't about justice -- that is what prisons are for. Fines are about deterrence -- make it cheaper to comply with the law than to break it.
@Chris Miller: Although fines do, indeed, end up paid by customers, they do have a very material effect on the company. In particular, if fines are heavy enough, they don't end up being paid at all: they cause a change in behaviour (which is what we want to achieve) because good behaviour becomes much the lower cost (thus maximising the shareholders' benefit).
This is an important analysis, although I suspect that the main giveaway is that I visit the site at all (which HTTPS does nothing to hide). If I visit lend-me-money-at-extortionate-rates.com then I am probably having a financial crisis, and if I visit cancer-information.com then there is an increased likelihood I have a serious illness.
But it is important to know that this fairly obvious theoretical attack is actually quite feasible and gives quite high accuracies. It is a useful data-point to feed into the work on the next versions of the protocol to minimise what can be achieved with this approach.
Re: While I can't argue with the conclusions in the article
I agree -- I think the main purpose is defensive. Although I don't think they see WhatsApp itself as a competitor, it would be a good social network to base a Facebook competitor on, so they want to buy it before someone else can.
Shooting themselves in the foot
I agree with the posters who think that Aereo is a win for the broadcasters. Of course, Orlowski and others point to the high prices Aereo currently charge and want a cut of it. But Aereo are charging what the market will bear. There is nothing to stop NBC or anyone else setting up a similar service -- the barriers to entry are not particularly high. Of course, once the legal situation is clarified, that is exactly what many competitors will do and Aereo's prices will fall, to be litle more than cost. The result will be that the networks gain more viewers and a few companies make a little bit of money out of it. Sounds perfectly reasonable to me.
The supreme court should rule that as long as the service (content and ads) is not being modified in any way it is perfectly legal. And. while they are about it, they should kill the cable charges (unless the cable company is showing its own ads, in which case they should have to buy the content at commercial rates).
Re: Security Theater Only
I never thought I would write a comment supporting Microsoft -- I am as much an MS hater as almost anyone here. However, I think that btrower is being a little unfair to Microsoft.
Adding encryption to inter-datacentre links is definitely a significant improvement. This encryption will presumably not be TLS based so the fact that Verisign will print a certificate for the government whenever asked won't help. And even the FISA court won't be able to order MS to release the keys for those internal links (MS would fight that one all the way, and start to call in some really high level favours). I believe that Microsoft will succeed in actually making those links secure.
That is an improvement, not just security theatre, because the NSA will then have to fall back on actually asking MS for data about customers. MS can then possibly take legal actions and, in any case, will know (even if it is not allowed to tell anyone) that the action has happened. The NSA will know that a record exists, inside Microsoft, of their actions -- which could come to light at a later date. That is an improvement over the case today where the NSA just watches the links and not even MS knows what is being caught.
Of course, MS should have done this years ago. And it should do much more (the announcement, for example, does not say they will fight gagging orders for individual customers, only for business customers). And the NSA still has massively over-reaching legal powers available to it. But at least this announcement closes down one important part of the NSA toolset.
I agree completely that the right thing is for MS to stop having the keys to anyone's data. This makes providing some of their higher value outsourced services hard (how does an outsourced office system send an out-of-office response if it cannot look at the message without the user being online?). But they have some really good R&D people and they should redirect them to work on these challenges on being able to do (limited) processing on encrypted data without decrypting it.
Time for some damping
I am no economist, but I don't see that the article's conclusion follows from the premise. I am willing to accept that the (pseudo-scientific) consensus is that a complete market, with shorting and speculation, is required for the EMH to work and even that the housing market might work better if that was possible. However, I do not see any consensus that high-frequency trading is required (or even a good idea), nor that a small amount of friction introduced by a tax would seriously damage the EMH. A lot more work would be required to demonstrate either of those propositions.
My gut feel is that modern markets (particularly stock markets and currency markets) are suffering from far too much incentive for both market manipulation and for magnifying small oscillations into larger swings. My control theory course from 30 years ago would suggest to me that a little damping might be a good idea.
How is anonymisation done?
The important point here is that this is more or less intrusive depending on how well the anonymisation is done. For example, if the Dept only receives the analysed trafic numbers (73 cars entered the motorway at J3 and exited at J8 between 8 and 9 AM) that would be very unintrusive. On the other hand, they almost certainly receive much more itemised data. Then we have to ask: how often is the "pseudonymous id" (used to correlate different position reports to identify the various points on someone's journey) changed? Every hour? Every day? Never?
The principle is that every time personal data is used to create "anonymous" data sets, the details of how the anonymisation is done must be published so that people affected can check.
Ideally, experts in anonymisation should be involved to create the algorithm, tailored to the particular need and carefully designed to leak the minimum of information. This is a difficult task, that requires considerable experience in privacy, that is almost certainly just being left to programmers today.
Bottom line: anyone who passes on personal data should be required to describe the anonymisation in detail. And public bodies (at least) should be required to do an expert privacy analysis of data they either acquire or release.
Re: And from our
If the police believe that an individual is in possession of highly sensitive stolen information that would embarass the government, then they should act and the law provides them with a fig-leaf to harass and intimidate whistle-blowers. Those who support this sort of action need to think about what they are condoning.
Re: "Legally and procedurally sound"
But what makes you think they give a flying fuck about public disapproval?
What they do care about is the risk that their supporters will turn to 3rd parties (LibDems or UKIP). The last thing they want is to have to share power in a coalition. That is about the only weapon we (the people) have against them. We saw that with the U-turns on immigration to appease UKIP sympathisers.
Now we need to convince the politicians (and their friends in the newspapers) that both Labour and Conservative supporters are in danger of switching to the LibDems over this issue of authoritarianism.
Re: "Legally and procedurally sound"
Then it seems that we need to change the laws and procedures. I guess that's where our MPs come in.
I have written to my MP (who happens to be Dave) demanding that the law be changed and asking him to pass on my requests to both the Home Secretary and Foreign Secretary to resign over the disgraceful actions of their departments in abusing the existing laws.
I'm not holding my breath but if others feel the same then a few letters may help them understand the level of disapproval of actions which belong in a tin-pot police state.
He didn't cross the border -- he was in international transit.
Itmight be reasonable to investigate him if he was suspected of terrorist crimes as there would be an airport safety issue. That is why the law is there. It was abused.
and why does opposing council not label it a clear case of 'excrementum bovum'?
Because there is often no opposing counsel in these cases.
Might be better to join an existing project
Keep an eye on the PRISM Break site for suggestions for alternatives. Bitmessage is working on an approach that is a similar to what you describe. I am sure there are others as well.
Re: I know what *would* be nice
What would be really nice, would be a machine-readable indication of whether what is being broadcast was editorial content or advertising
Now that would be actually be the government doing something useful for us for a change. It might actually win votes!
People tend to consider connected TVs to be a TV-like experience and expect to be more protected than they are from content accessed through PCs and laptops.
No they don't. If they have bought a connected TV they have bought it to access the Internet. People understand the difference and don't need the nanny state to warn them.
Re: Selective pricing quotes?
The point is Google don't have the Ashes at any price, they have cat videos
I am no fan of the Google device (just how much info will Google be collecting about me?) but I will point out that although they may not have the Ashes, they certainly have a lot of content I am interested in. For example they have the America's Cup, and the Extreme Sailing Series. At the moment I have to download those using get_flash_videos so that I can play them on my TV streamer -- direct YouTube access (at a low price) is a major selling point.
mainstream hardware like game consoles or smart TVs
Games consoles are mainstream hardware? I think not -- gaming is a limited market. I suspect that this device (with Google's name attached and its cheap price) will outsell any games console once it is available. Smart TV's are more mainstream but are expensive (and bring a big concern over whether the software can/will be upgraded over their full lifetime).
It is just a shame it is Google doing it, with their hidden price of tracking everything you do. I would rather pay double for the same features without the tracking.
Re: One small problem
Interesting comment. But I assume this is not necessarily focused on the US. Plenty of other countries with spent fuel rods.
In many serious cases, it becomes important to know where the subject of interest went before he was known to be "of interest"...
If this is true (which I doubt -- "useful", yes, "important" no) then it will have dramatically reduced the costs of investigations of these serious cases -- no need to go around looking for witnesses to the movements, or tailing the suspects. So, I propose that the budgets for these cases be cut by 50% and the funds transferred to CEOPS.
Let's make this offer to some senior CID officers and see what they say... if ANPR is so important to them they will happily take the offer. My bet is that they would choose to give up the ANPR and keep the budget.
The police can't have it both ways: if surveillance, ANPR, snooper's charter, etc are what they want then they have to give up the people budget. The government should be using the funding to make sure the police are asking for what they really need.
Re: No, no, no, no and no - this is NOT a technical problem
One way or another a government is GOING to get their hands on your data.
I would put this a little differently... you cannot stop a government from getting their hands on your data if the REALLY want to. However, I believe you can make it harder and more expensive. Possibly so expensive that if you are not a major target they will choose to spend their resources elsewhere instead. And, of course, that also helps with protecion against more run-of-the-mill thieves who do not have the resources of governments behind them.
But that is a small disagreement really. I agree with your point that "We're entering an era of unprecedented interaction with companies sovereign to powers we have no rights with". The only way Microsoft or Google or Amazon are going to get international cloud service business from now on is if they successfully get their government to provide their users (even when not US citizens) with significant rights.
It will take a while, but I think it will happen eventually -- the campaign contributions from US high-tech companies will dwarf even those of Hollywood. And we all know how many laws they bought!
Re: @Frances Banana
But is the percentage of CEOs dumb enough to think that European governments don't do the same, also growing?
That isn't the issue. If you live and work in country X and are CEO of a company based in country X you have no choice but to trust (to some extent) the government of country X. You may campaign for more openness or regulation of your own government or to change your own government but ultimately you have no choice to either abide by the laws of your country or leave.
That doesn't mean you also have to trust the US government! A government over which you have absolutely zero influence, which may dislike you more than your own government do, which may choose to favour your competitors, or (like in the UK) be a tool for your own government to get around restrictions on its actions.
Any CEO of a company based outside the US can readonably expect to be fired by his shareholders as soon as they discover that he has decided to expose them not just to the vagaries of their own government but to the US as well.
Re: Damage Limitation
Not a bad idea. I noted that one of the reports last week said that although the government had collected all that phone data, they had only searched it about 300 times last year. That is perfectly manageable with warrants. So, your idea of requiring a warrant to access the data scales perfectly well.
Although I am still keen on my suggestion for limiting the damage: dramatically CUT both police and spy budgets. As technology now means they can "tail" people while sitting at a desk (and even after the fact) all that money previously spent on people to follow and watch suspects should be returned to the public purse. Seriously cutting budgets would force senior management to make some hard decisions about what they REALLY need -- not just collecting everything in case it might be useful one day. And it would be appropriate in these times of austerity.
Re: Seems unlikely they would be used for cut-off...
The cut-off capability is my most serious concern. I raised all these points in my response to the government consultation.
1) My electricity supply is unreliable enough as it is. ANY switch (even if there are no deliberate attempts to use it) will decrease that reliability even further -- some proportion will malfunction. I asked for the government to require that overall power reliability (measured at the consumer's side of the meter) should have to IMPROVE as part of the programme. But there is no such requirement -- does anyone know how much it will actually decrease?
2) Reducing the costs to the energy companies of cutting people off is extremely bad social policy. It will encourage the companies to cut people off in cases which are marginal today. Cutting someone off should be an absolute last resort -- and the cost to the companies of doing it must be kept very high for that reason. If their promises that disconnections will decrease because of smart meters are right then it doesn't matter how expensive disconnection is -- no need to reduce the costs!
3) I have, in the past, had a problem with my energy company collecting their bill payment -- they messed up the direct debit but didn't notice. The first I heard about the problem was receiving a call from a debt collector. Of course, I got this resolved (after some weeks) and a suitable compensation payment and apology made to me. But with a smart meter, might the first thing I heard about this be a "load limitation" or even a disconnection?
4) And then there is the hacker/security problem. How long before it will be possible to remotely disconnect someone for kicks or as part of a harassment campaign or protection racket?
For all these reasons, I asked that the government require that there be a physical by-pass for the remotely operable switch which can be installed by the householder and can only be removed by the electricity company if they have a court order (and physical access). The company could even be allowed to put you on a punishingly expensive tariff if you use the local override (so you would only use it if you knew you were in the right and they we wrong), but it should be there. It hasn't happened of course.
Why it matters
Many people don't seem to realise why this matters. Here is an example which seems to be real in the UK today...
You drive somewhere to join a rally or demonstration about something (anything: Iraq war, abortion, anti-abortion, immigration, anti-facsism, animal rights, ...). You are picked up on ANPR as being in the general area. Do that 2 or 3 more times and the analytics can easily spot you as a trouble-maker, particularly combined with the make of the car (BMW and Mercedes drivers are obviously not militants), and your postcode (protestors don't live in Conservative-voting streets). You then find yourself stopped for "random checks" much more often than other people, particularly when in the areas of future demos, or trying to cross the "ring of steel" in central London.
This seems to be real. Even 15 years ago, police were parked in all the lay-bys near Witney recording the number plates of cars around the times of the cat farm protests. They were also stopping anyone in old cars, or VW campers, or who looked young for 5 miles around (I live around there and was never stopped -- but then I drove an expensive car).
Earlier this year judges forced police to delete surveillance records it had kept on 88-year-old John Catt. The judges said "Mr Tudway states, in general terms, that it is valuable to have information about Mr Catt's attendance at protests because he associates with those who have a propensity to violence and crime, but he does not explain why that is so, given that Mr Catt has been attending similar protests for many years without it being suggested that he indulges in criminal activity or actively encourages those that do."
Obviously, now that police can record all the people who turn up at demonstrations they have decided they should do so.
Re: Don't blame Microsoft but...
Don't blame Microsoft, BUT: Blame the big brother government of the United States instead.
Blaming MS, and costing them some international business, might actually cause some change -- their campaign contributions count for a lot more than votes!
Re: Not just Microsoft
As I said on slashdot the other day...
My email is very dull and boring. But there are people I respect who's email is NOT dull and boring. Campaigners, activists, journalists, even lawyers and policiticans. Unless I protest nosily, and adopt privacy tools myself, the government can get away with recording the correspondence of people for whom it does matter. In fact, they can even spot the ones to watch because they are the ones using encryption and privacy tools.
Remind yourself of https://en.wikipedia.org/wiki/First_they_came
It may be that this access to monitor us non-US people is a legal requirement and that Yahoo, Microsoft, etc had no choice. However, fortunately for us, using Yahoo, Microsoft, etc is not a legal requirement. We can take our business to companies which are not US-based and do not have to follow US law.
There may not be many of them so far, but this will encourage a lot of non-US competitors to spring up.
Every CIO I know already understood the risks of storing data in the cloud, outside their control and even outside their legal remit, but was under pressure from their CEO and CFO to do it for cost reasons. This whole scandal will give them ammunition to fight, or at least to use a local competitor (who may be more expensive but at least is in the same legal jurisdiction).
The impact to the campaign contributions from major US companies seeing loss of international business may well be an interesting factor.
Different from PRISM
This French news is very different from PRISM: PRISM was about the co-operation of commercial companies, allowing NSA to look at the unencrypted services being provided. The French, on the other hand, seem to be limited to watching the traffic on the wires.
If people use encryption to access their Google/Microsoft/Facebook/... services then watching the traffic on the wire tells them nothing. That is why PRISM exists: to be able to see the actual service being provided.
Of course, almost all email is still unencrypted so, if the DGSE can catch the email in transit, they can capture it.
What are you doing to protect us against the US?
The Council of Europe's commissioner for human rights has just said, "European states are obliged to protect individuals from unlawful surveillance carried out by any other state". How much of the money designated for "further investment in the protection of UK interests in cyberspace, making it harder for hostile states and criminals to target the UK" will be spent on protecting people and businesses in the UK from the US government and companies?
@Tom 13 Re: hints that the Commission will look at claimants being an actual tech company,
In your scenario, Mr. Smythe couldn't complain to the ITC but he can still sue in the US courts.
That seems reasonable: the ITC process should be about stopping unfair impact on the US home markets by imports which will be later declared illegal. Personally I don't think it should extend to patents at all, but I have no problem with it being restricted to use by US companies selling real products in the US market. And I am a Brit!
Re: @sisk It's not illegal, but it is uncool
They can make it "legal" (if it isn't already) and they can fool the (supine) American voters with the usual Four Horsemen but they can't undo the damage internationally.
Of course anyone who thought about it knew the NSA were tracking everything entering and leaving the US but we didn't think about it. Nor did we realise that they were looking at corporate data from the inside.
But now we are thinking about it. The backlash has begun: companies and individuals are switching from US IT and cloud providers to ones in their own country, or personal clouds, or third countries with less sophisticated spying capabilities. The EU will be forced to terminate the discussions on companies being allowed to store personal data in the US without telling their customers. Encryption is becoming more routine (and less suspicious) -- how many downloads of Https-Everywhere have happened since Snowden?
People are thinking and caring more about what data is stored and transferred, by whom, and where.
Re: immigration/visa check
My understanding is that having made a reasonable attempt to check is a valid defence, and that the law (or the courts) recognise that we are not experts in validating passports. Although it is wise to have a written policy and to keep a record that you can produce if asked. Of course, IANAL.
This does lead me into a concern about this app, though. If an app like this is available, many people might decide they need to use the app, and record the details, to protect themselves. For employers keeping records of right to work it might be reasonable, but how long before a local pub or club decides that you have to produce and scan your passport in order to get in? And then come under presure to turn over the records to the police when they discover that a terrorist suspect had been in the pub??
In other words, with apps like this around, a passport could become a de-facto national ID card, by the back door. I, for one, will not be producing my passport for any UK business that wants to do business with me.
Follow the money
One of the most worrying aspects here is the apparently tiny amount of cost involved. Of course the NSA can turn their hand to snooping anything -- the protection that society needs is to make sure it is expensive!
The difference between a democratic society and a police state is not so much about the legal powers of the police as the resources they have to use those powers. As long as it is expensive to track people, to record their conversations, to read their email, to monitor their cars, we have reasonable protection from a police state. But the point of the Communications Data Bill and, apparently, of PRISM, is to make it easier for the police and the spooks. That is why it needs to be resisted.
Those capabilities need to be very expensive to use. That way they cannot be used routinely or widely but will be kept in reserve for limited use.
Re: Google, the law, and morality
Morals (as opposed to laws) are purely personal. What I consider immoral and what you do are completely separate. It may be grandstanding from the PAC but I think it is very valuable to have the actions of these big corporations exposed. Then we can each make our own decisions on the morality and on whether that changes my willingness to do business with them.
Some people require the companies they do business with to follow moral standards which are different from those enshrined in law. That is their right: they can do business with whomever they choose.
I think that this publicity is likely to cause some of these big companies to be less aggresive in their tax avoidance as they will see a public relations benefit (i.e. increased sales) in being perceived by people to be "not doing evil".
Re: 5G WHY at All ?
For things like (future better versions of) Google Glass -- full video feeds of everything you look at stored in the cloud for you (or the spooks) to go back to later, overlaid with full augmented reality overlays and head-up displays, etc. Specialised video and data feeds (two way) for various jobs (emergency services, doctors, ...). Automatic monitoring and control of high speed machines (driverless cars, drones, etc).
And a whole lot of other things we haven't thought of yet which can be enabled by having cloud-based (i.e. network based) services with access to a personal or mobile environment at speeds which are currently only available for local storage and processors - saving power, weight, cost, etc.
Sure, wired connections will always be faster/cheaper but they are neither personal nor mobile.
Re: They have the authority
The issue isn't really about whether they should have that authority -- it is about what controls are on using that authoriy and who takes responsibility and feels consequences for using the authority.
It is very similar to the case here in the UK where the tax authority have admitted abusing their similar powers (designed to root out major criminal tax fraud conspiracies) to track down the whistle-blower who reported to a parliamentary committee that the head of the inland revenue had agreed a deal to let a major financial firm off their unpaid tax, after a nice lunch.
Should they have these powers? Probably. Should they be required to get a judge to approve? Absolutely (exceptions for urgent cases need to be genuine exceptions, not the rule). Should the senior manager who approves the request be fired if it is later determined the powers were abused (for example the judge was mislead)? Certainly. Should they be subject to civil or criminal penalties? In some cases, yes.
Check out ORG blog
Unfortunately there is also nothing in there which says they can't. And they would claim that if it is "anonymised" then it isn't personal data any more. And where can we (or the data protection authorities) check up on how well it is "anonymised"?
That is why the latest Open Rights Group blog calls for: "Ask for users’ permission before offering their anonymised data. Make this legally required in data protection, helpfully being debated right now."
Privacy, not fraud
I am less worried about fraud than I am about privacy. I don't worry too much about fraud. Travelling for work, I use cards all the time, all over the world, in some quite dodgy places: I have rarely been a fraud victim and when I have been it has been sorted out.
But I do worry about the privacy & safety implications. I don't want shops to be able to track my coming and going, particularly in a way which they could relate to my card number (and hence my purchases). More seriously, I don't want a criminal to watch for people leaving a train station carrying Gold AmEx cards (or something) because they are likely to also be carrying more cash. Worse still, I don't want it to be easy for the terrorist to set up their IED to explode when someone carrying a Western credit card walks past.
In other words, my credit card information is mine, and private to me. I don't want some device broadcasting it to anyone nearby who asks. NFC could, and should, have required that the user press a physical button to enable the read-out. As they didn't, it is dangerous.
Re: Do they realize what they just said?
No, that isn't the point of EME at all. The entire point of EME is to provide a W3C-approved veneer of a standards-based tag to invoke those same proprietary plugins. Microsoft's Silverlight will still be the most widely used EME.
As far as I know, no one is working on, let alone proposing to W3C, "non-proprietary components for content rights management".
EME is not Open DRM
Unfortunately, batfastad, EME us not what you are looking for: it is not, in any way, "an open and cross platform DRM system". All it is is a set of new tags for invoking proprietary, service-specific, closed, browser plugins -- it is just a new "object" tag, but one which can claim that DRM is now endorsed by W3C. That is it. No change to the current "horrible proprietary browser plugins".
Silverlight will still be one of the (most popular) choices for the EME (although Microsoft might give it a new name). There certainly won't be any discussion "sensibly in an open environment, by adults, with a technical background, ending up with me being able to play back media on any device/platform I choose".
That is why the FSF and others are complaining about the proposal.
Re: AC dribble
I realise you were trying to simplify, for the purpose of this discussion, but actually BT gets two separate pieces of information about the originator when the call is handed over from another UK operator: the calling party number and the CLI are separate (and may be different, for several legitimate reasons). All BT is permitted to tell the user is the CLI. It can't change that (there used to be an exception that if it didn't trust that the originator was following the CLI rules it could replace the CLI with UNAVAILABLE, but that was all, and I am not sure if that still exists).
Even if BT was allowed to use it, the calling party number may not be useful to the called party. It might not be a valid, callable, number -- it might not even be a sequence of digits. It's main use is for reconciliation in case of inter-carrier billing queries or fault handling.
Re: AC dribble
No, the point is that BT are one of hundreds of licensed operators nowadays, most of whom are in the international call business and many of whom are focused on business users.
Most businesses who make a lot of calls find that other operators are a lot cheaper than BT. That applies both to UK callers and to international callers. So, most of these calls originate outside the BT network. If you don't have a BT line the call won't touch the BT network at all. Even if you do have a BT line, the regulations require BT to accept the call and to believe what the other licensed operator tells it. BT can only impose its own rules when the call originates on BT or when they are the international carrier. Both are unlikely to be the case for these sorts of spammers.
That said, I think actual forgery of UK CLIs is quite rare in the UK. It is illegal and it is much, much easier to (legally) withhold CLI or provide a presentation number (a different number but which is required to be dialable, not premium rate, and get back to the calling company). Most spam I receive with UK numbers is using 08-series numbers, which will be legally compliant presentation numbers.
Re: So just like Opera Mini then?
Yes. And I don't like it there either.
But at least Opera Mini is optional and is open about its approach. It's FAQ page explans how it works and that for end-to-end ecyption you should use Opera Mobile instead. It even says "If you do not trust Opera Software, make sure you do not use Opera Mini to enter any kind of sensitive information."
Nokia is being considerably less open about what is going on but I don't believe they are actually using an Opera Mini approach (with a rendering engine in the proxy). I think the phone is more powerful than the "featurephone with MIDP" targetted by Opera Mini and I suspect Nokia are just doing things like compression. In that case I don't see how they justify the intrusion into SSL. In any case, they need to be open about what is going on and make sure that there is a way for people to turn it off (or download an alternative browser). Where is Nokia's equivalent of http://www.opera.com/mobile/help/faq/?
Re: Boffin needed...
This is a cheap phone with a slow processor, not much memory and on a slow network. Modern web sites take a lot of processing power, memory and bandwidth. So Nokia are pushing the problem off to their server, which accesses the site and simplifies/optimises it to make it easier for the phone browser to display. It is a bit like they are splitting the browser between the phone handset and their servers.
The idea, of course, is that it keeps the phone cost down while making it more attractive to punters than the phones from cheap chinese knock-off manufacturers.
Normal proxy servers (as deployed in most offices), only proxy unencrypted (http:) traffic. Encrypted (https:) traffic is normally passed straight through the proxy. This is the way SSL (http encyption) was designed to work: it is end-to-end, between the browser and the server, and nothing in the middle can see the traffic (unless they have GCHQ-style equipment to do codebreaking).
Man-in-the-middle attacks in proxy servers are becoming more common and are quite easy (play with mitmproxy if you want to see how easy it is). However, the browser can, in principle, detect that it is happening: the certificate it receives is from the proxy, not from the server. But the browser won't complain to the user if the browser has been told to trust those spurious certificates. Some (but not many yet) businesses now configure corporate PCs to trust certificates from their own proxies, so that they can do MITM monitoring of HTTPS in their proxy. It is rumoured that some governments have forced either browser vendors or major certificate authorities to co-operate so that they can do MITM monitoring for law enforcement. This article alleges that Nokia have pre-configured the browser on this phone model to accept certificates from their proxy so they can do MITM "optimisation".
So, this is very different from the way a normal proxy works. And it is a really bad idea. Although many device vendors and network operators impose a proxy on their users, I am not aware of anyone else who has been accused of using a MITM attack on encrypted traffic.
I don't think anyone thinks Nokia is doing this to steal passwords or break into bank accounts. It is a misguided attempt to improve the browsing experience for their users. But it is still an incredibly bad idea to look into traffic the user has asked to be secure. Far better to let https: sites be "unoptimised" even if it means they work less well on the phone.
The cat is out of the bag
Fortunately this debacle has at least had some lasting benefit: the next time some government wants to sign up to a treaty that restricts a future government from reducing copyright terms we can point out that "even the US Republican party is having a robust debate on reducing copyright terms -- clearly no one should be removing the ability for a future parliament to change the existing terms in any way they wish". The RSC has done us all a massive favour just by raising this as a valid isue for serious debate.
I look forward to using this in my next letter to my MP/MEP about the next ACTA-style stich-up attempt.
Re: 'the verb "medal" (from the Olympics)'
It seems like a perfectly reasonable usage to me. English has a long and glorious history of verbing nouns ("to google" being the most obvious recent example). Of course, "to medal" could have been adopted to mean "to hit the gold medallist over the head with your silver medal in frustration" but "to win a medal" is probably more useful.
Re: I quite literally now have something (to do) for the weekend...
I had a bunch of old, small giveaway USB keys that my customers would be insulted if I gave to them nowadays, so I posted them on freegle/freecycle. Several people were interested. The guy who came to collect them said something about a model train group... I didn't bother to find out more!
And kettle leads and figure-of-eight leads are things I seem to use every couple of months. Figure-of-eight cables are useful for iPad chargers, particularly if they have a foreign plug -- I find they are less weight to carry on a short trip than a plug adapter, if I only need to be able to charge my phone and my iPad.