back to article What the Investigatory Powers Bill will mean for your internet use

Through pressure from Google, Facebook, and other major providers such as Yahoo and Apple, the world wide web is slowing becoming more secure, with web services using HTTPS to encrypt web traffic by default. However, the arrival of the draft Investigatory Powers Bill raises questions about who can potentially get access to what …

  1. Wupspups
    Big Brother

    Surely the only way Google knows what you have searched for only if you log in to Google? (and why would you want to do that)

    1. Anonymous Coward
      Anonymous Coward

      Big tech create virtual profiles even for non-users. G+ and Facebook like bugs, Recaptcha, Google analytics. Since ADSL IPs tend to be pseudo-static these days this can be pretty accurate.

      Google is a bit of a bastard when it comes to cross-domain cookies. I'll log in to Chrome dev forums, but forget to logout, then visit youtube. Bam, still logged in. More data added to that profile.

      1. Roland6 Silver badge

        >"Since ADSL IPs tend to be pseudo-static these days this can be pretty accurate."

        Don't forget what the Google Streetview rumpus, back in circa 2010, was all about, namely the collection of wireless data such as router MAC address, SSID's etc. Given all this information is also readily available to your browser, these could be used to further refine data and identify individual devices and their user(s).

    2. veti Silver badge

      Quite. I just clicked on the Google link, to "Visit my Web & App Activity Page", and it asked me to log in. So I'm thinking it doesn't know who I am.

      I'm under no illusions that Google could work that out, if they wanted to, and very likely they already do that in a number of systems. But there's still, as yet, no single joined-up system that actually links and tracks all that information.

    3. Permidion

      people search using google

      people use google DNS

      people are tracked by adv. cookies and most of these are handled by google

      that cover already most of anyone internet usage

  2. Dan 55 Silver badge

    Google doesn't know what I've accessed

    No Google account, don't use Chrome, I use another search engine unless I have to, and a dynamic IP.

    Also the HTTPS question doesn't take account of client-based encryption and PFS.

    The mail answer doesn't take into account a MITM fiddling with strings to stop STARTTLS from working.

    The password answer talks about data in transit but doesn't say that data at rest can be stored without encryption (Talk Talk).

    Probably others. Someone else will comment.

    And the obligatory question - when is El Reg going to switch to HTTPS?

    1. druck Silver badge
      FAIL

      Re: Google doesn't know what I've accessed

      PlusNet doesn't support any encryption for POP3 or IMAP either.

      1. choleric

        Re: Google doesn't know what I've accessed

        >PlusNet doesn't support any encryption for POP3 or IMAP either.

        Good job it's only 1997 then. Oh, hang on...

    2. Roland6 Silver badge

      Re: Google doesn't know what I've accessed

      Do you clean your site visit history and cookie cache before accessing Google on whichever non-Chrome browser(s) you do use?

    3. Doctor_Wibble
      Headmaster

      Re: Google doesn't know what I've accessed

      But don't forget google-analytics, doubleclick, and any other google-pwned or related thing out there, unless you blocked them of course... So - true, google doesn't have everything but don't mistake that for meaning 'nothing' and there are plenty of others who get rather more than we might expect.

      e.g. the various 'share button bar' services which pull in data without needing a click, and watch out for that 'mouseover' thing that I'd swear people put in to places just to piss me off (though some have the manners to at least have a delay) but which activates all manner of evilness.

    4. phuzz Silver badge
      Big Brother

      Re: Google doesn't know what I've accessed

      "No Google account, don't use Chrome, I use another search engine unless I have to, and a dynamic IP."

      So when the IPB comes into force, GCHQ can find you just by looking for the only connection in the UK that isn't sending packets to google.

  3. Anonymous Coward
    Big Brother

    How long will it be before Parking Eye is allowed to access your web data for £2.50 ?

    No way Gov !

  4. CAPS LOCK Silver badge

    If I was upto-no-good...

    ... I'd assume all computer activity could be observed and not use one. But I'm not - Hurrah!

    1. Anonymous Coward
      Anonymous Coward

      Re:If I was upto-no-good

      "If I was upto-no-good..." define "upto-no-good*"...

      why should I have to be upto-no-good before I care about my privacy

      once I was innocent until I did something wrong, now I'm guilty unitl someone (anyone) can check I'm not 'upto-no-good' when did this become acceptable?

      *e.g. I would define everything George Osbourne does as 'upto-no-good' but I imagine he may disagree.

  5. damian fell

    you've forgotten about something

    In your paragraph about https you've stated that :

    "Only the IP address of the destination (and the port used, usually 443) can be determined"

    Actually the domain name is also visible to the ISP as it's needed to request the correct certificate as part of the initial handshake (to accommodate servers hosing multiple domain names), so even if everything you use is HTTPS and you use DNSCrypt or local DNS resolution, your ISP will still be able to see the domain name of the server you contacted.

    https://en.wikipedia.org/wiki/Server_Name_Indication

    1. Anonymous Coward
      Anonymous Coward

      Re: you've forgotten about something

      Actually the domain name is also visible to the ISP as it's needed to request the correct certificate as part of the initial handshake (to accommodate servers hosing multiple domain names),

      When you're doing HTTPS you negotiate the certificate before you say what website you want to access. HTTPS servers that need to host multiple website either need to use certs that cover multiple website (which doesn't work with older browsers) or they need to use multiple IP addresses.

      1. damian fell

        Re: you've forgotten about something

        That's not my understanding of how the TLS handshake works in most modern browsers.

        The very first "client hello" packet will normally contain the server name, so that the "server hello" packet can respond using the correct certificate for the domain name.

        I'll admit that whenever I've used this for performance tuning, I've seen it on the same client device as the browser, but I'm pretty sure that it would also be visible on the wire, as wireshark is only viewing the transport layer.

      2. Ben Tasker Silver badge

        Re: you've forgotten about something

        When you're doing HTTPS you negotiate the certificate before you say what website you want to access. HTTPS servers that need to host multiple website either need to use certs that cover multiple website (which doesn't work with older browsers) or they need to use multiple IP addresses.

        Christ, when did you last touch a HTTPS server? RFC 3456 was back in 2003, what you've said above hasn't been true since shortly after then

    2. chelonautical

      Re: you've forgotten about something

      Yes, Server Name Indication is visible on the wire in plaintext as part of the initial TLS Client Hello. I've seen it myself in Wireshark traces of HTTPS connections. Use of SNI is common nowadays since many web servers host multiple sites and need that information to present the correct server certificate.

      Don't forget that the domain name of a web site could potentially reveal a great deal of personal information about the person accessing it, even if the individual pages and requests are hidden. Visiting a website for a divorce lawyer likely indicates a relationship in trouble, visiting certain adult sites may reveal sexual orientation or fetishes, visiting a payday loan company could reveal financial troubles etc etc. For this reason we should still be concerned about government plans to keep lists of visited domains. Also, whilst "use HTTPS" is good advice as far as it goes, there's a danger that the manta becomes a substitute for deeper understanding of the risks involved.

      Having said that, thanks for doing an article about internet security in simple language. I've been looking for something I can show friends and family about the topic in words they can grasp. I'm not ready to show it to them in its current form: many commenters have pointed out various flaws in the text as written. With a bit of redrafting, it could become a really nice starter article for those who want to improve their awareness.

    3. Doctor_Wibble

      Re: you've forgotten about something

      On a similar note I've definitely seen SMTP server certificates on the wire when fixing email problems, these were definitely in the clear complete with the admin contact details etc.

  6. John Robson Silver badge

    And which machine is in use behind NAT can be inferred from UA headers etc. Which can easily be enough to ID a user...

    1. frank ly Silver badge

      Isn't the UA header only seen by the web server you're accessing (after decryption at that end)?

      1. This post has been deleted by its author

      2. John Robson Silver badge

        Assuming HTTPS - then yes. But since they can just issue a warrant for those logs anyway (assuming a UK server)

        My only point was that NAT isn't a perfect anonymisation tool as implied in the article. There is alot of information leakage...

    2. GrumpenKraut Silver badge

      You beat me to it. At least after changing "which of us at home is accessing" to "which computer at home is accessing" then it seems the answer more of a 'yes', at least with some extra effort by the interested party.

      Admittedly I am not sure about this, comments appreciated.

  7. Alister Silver badge

    Will investigators have powers to examine web server logs?

    Yes, for those based in Britain.

    So, as someone who currently hosts a load of websites for friends, when am I going to be instructed as to how long I need to hold web log data from my servers?

    And. as a Sys Admin for a company that hosts thousands of web sites in the UK (but is not an ISP by current definition) when are we going to be formally informed as to our obligations regarding log data? At present there doesn't seem to be a clearly defined period for which we have to hold logs, nor is there much information about when we should destroy log data.

    1. Anonymous Coward
      Anonymous Coward

      Re: Will investigators have powers to examine web server logs?

      Well I'm not logging anything I don't feel like. Fuck the PO-LICE. When hosting contract ends I'm moving the last few servers out.

    2. Gordon 10 Silver badge
      Thumb Up

      Re: Will investigators have powers to examine web server logs?

      @Alister - you have a good amount of time yet. The bill is only just up for discussion. Nothing has been passed as yet.

    3. SImon Hobson Silver badge

      Re: Will investigators have powers to examine web server logs?

      > ... when are we going to be formally informed as to our obligations ...

      Oh you naive fool !

      They don't inform you, you have to know - that's the basis that laws work under. They may well inform some larger operators simply because there'll be a certain amount of "negotiation" involved over technical specs to allow automated access, but in general it is your responsibility to know the law.

      In a completely unrelated business field I have a hat for, there are some laws recently come into effect, and others coming into effect soon. The government have made little (if any) attempt to inform anyone, and it's being left to trade groups and the like to get the message across. For those that aren't members of one of the trade bodies, they may be in for some uncomfortable shocks.

      But that's not uncommon.

      1. Anonymous Coward
        Anonymous Coward

        Re: Will investigators have powers to examine web server logs?

        That's the consequence of any law.

        'Ignorance is no excuse'

    4. Roland6 Silver badge

      Re: Will investigators have powers to examine web server logs?

      "So, as someone who currently hosts a load of websites for friends, when am I going to be instructed as to how long I need to hold web log data from my servers?"

      Well firstly, congratulations you've just qualified as a "Communication Service Provider", so this Bill will apply to you, unless in the actual bill they qualify a CSP to be a 'major' whatever. So take it that you've just been notified that you will need to be looking to store 13 months worth of log data.

      "At present there doesn't seem to be a clearly defined period for which we have to hold logs, nor is there much information about when we should destroy log data."

      Well currently you aren't a telco or ISP so there seems to be no official obligation for you to retain logs. As for the destruction of log data, that is up to you and given the example of Enron (taken to court for failing to destroy records in a timely manner), I would look up "Records Management" and write up a policy asap.

      Plus you may wish to check to see whether you should be on the ICO - Data Protection Register with respect to your friends hosting...

  8. Anonymous Coward
    Anonymous Coward

    So, who really knows what I access? Google

    This is incorrect, isn't it? Or, strictly speaking, for the user-accessible search history it is correct ONLY if you have a google account. Naturally, one can assume, that such web search is also stored for non-google-account users, but google offers no way for the minions to retrieve that. Perhaps it'd be useful if you clarifien if google is allowed, legally, to hand over this data to our intelligence services. Or do they not bother, as they can get the same in other ways?

  9. Anonymous Coward
    Anonymous Coward

    tor browser

    is this correct, i.e. even the main page you open (e.g. I-love-spooks.org.uk) is hidden from the spooks while using tor browser?

    1. Yet Another Anonymous coward Silver badge

      Re: tor browser

      If you are using tor then everything that goes over Tor, dns requests, web pages, email is secure.

      Unless all the Tor nodes are being run by the spooks or you are sufficiently of interest that they are monitoring a majority o the network and can do timing attacks.

      But against general data gathering it's pretty secure.

  10. tabman
    Meh

    VPNs

    I presumed that if I used a VPN to access web sites the IP address provided by the VPN would be logged not mine. For example, VPN turns on as soon as I connect to the internet. It gives me a IP address from London or Manchester even though I am in the Highlands. If I then do a google search, with the VPN turned on, doesn't google record that search as coming from the VPNs IP address (and therefore location)?

    1. Steve Evans

      Re: VPNs

      The search engines and other sites aren't just building a profile of you based on IP. They leave ID cookies on your machine which are passed as part of the HTTP(S) request.

      It doesn't matter how the data gets to Google/facebook etc, if the ID cookie is there, it knows who you are, and anything you then do over that connection will be added to the profile.

      If you want to be completely unrecognisable you'd need to block or delete the cookie so the target website won't recognise you from the last time you visited, and use a VPN, and home HM Gov haven't got a warrant for the VPN company's logs.

      If you only ever access the 'net via VPN, the only info the search engines etc will be missing will be your location... Although your search history, maps use and site visit history will probably give a good indication...

      Scare yet?

      1. Ben Tasker Silver badge

        Re: VPNs

        You'll also need to make sure your VPN Fails closed.

        It's something a lot of people seem to miss, VPN drops for a few seconds and a bunch of their requests go out from their source IP

  11. Anonymous Coward
    FAIL

    if you see HTTP...

    Dear professor, please return to your lessons, and this time, please pay more attention. By default, Firefox and Chrome both hide 'http://' in the address bar, so I'm not going to bother reading the rest of your statements.

    1. GrumpenKraut Silver badge
      Boffin

      Re: if you see HTTP...

      One can switch that (IMO annoying) behavior off. In about:config set browser.urlbar.trimURLs to false.

  12. Vince Lewis 1

    I was wondering when the Reg would start reporting on this

    I read about this on the BBC News. From what I read there, the IPB will require ISP's to log all DNS look-ups.

    Which to me seems like the absolute maximum an ISP could do with out serious impact on cost or speed.

    It also will have zero effect on any criminal with 1/4 ounce of IT knowledge.

    I'm setting up my own DNS server anyway to increase our own security and web safety.

    1. alain williams Silver badge

      Re: I was wondering when the Reg would start reporting on this

      It also will have zero effect on any criminal with 1/4 ounce of IT knowledge.

      Exactly: so it could help to catch small time crims/paedos/terrists - but not the clever, well organised ones - ie this is designed to not catch the people who it is supposedly aimed at.

      1. Vince Lewis 1

        Re: I was wondering when the Reg would start reporting on this

        But it could also bring a lot of false positives.

        If included as general back ground check for unrelated offences (such as speeding, shop lifting) it could throw up DNS results from an disreputable Advert or malware.

        1. Ben Tasker Silver badge

          Re: I was wondering when the Reg would start reporting on this

          > If included as general back ground check for unrelated offences (such as speeding, shop lifting) it could throw up DNS results from an disreputable Advert or malware.

          Given that both Chrome and Firefox use pre-fetching, there's also no real guarantee that you actually visited a page/domain either - certainly not from the DNS logs or even just a list of FQDN's that TLS handshakes or port 80 GET's have been seen for

      2. Yet Another Anonymous coward Silver badge

        Re: I was wondering when the Reg would start reporting on this

        >ie this is designed to not catch the people who it is supposedly aimed at.

        It's designed to make ordinary people think twice before looking at "dodgy" sites, like Al Jazera, CND, Greenpeace, Medicine Sans Frontiers or the Labour party - if they think these are being logged and will be made available to an employer, local council or the policeman that stops you for speeding

    2. Your alien overlord - fear me

      Re: I was wondering when the Reg would start reporting on this

      Want to flood the DNS server logs? Download AOSP, 10-20 Gig depending on which version you download. The Git/Repo command downloads gazillions of small packets, each one requiring a DNS resolve.

      Google actually tells you to set static IP addresses for the download servers to stop DNS overload !!!

      1. alain williams Silver badge

        Re: I was wondering when the Reg would start reporting on this

        The Git/Repo command downloads gazillions of small packets, each one requiring a DNS resolve.

        Any sensible system setup will have a local DNS cache, so only the first one would be logged.

  13. Anonymous Coward
    Anonymous Coward

    Ha-ha

    Quote

    No. Typically, home broadband connections share a single, traceable public internet IP address between many computers and smartphones using what’s called Network Address Translation (NAT). Your ISP will log only the single public IP address assigned to your home router, not which individual device in the home was using it at the time.

    Until IPv6 that is. Isn't NATting V6 supposed to be verboten?

    I think I'll be keeping a V4 lan for a while yet (double natted from the internet).

    1. Arthur the cat Silver badge
      Big Brother

      Re: Ha-ha

      "Until IPv6 that is."

      And coincidentally, BT have announced that IPv6 will be deployed across their entire network by December 2016, with 50% roll out by April.

      1. Yes Me Silver badge

        Re: Ha-ha

        This isn't a problem with IPv6 if your computer does what it's supposed to do: randomise your interface identifier ('Privacy Extensions for Stateless Address Autoconfiguration in IPv6', RFC3041 from 2001, updated by RFC 4941). Any reasonably modern IPv6 stack supports this as the default.

        1. Roland6 Silver badge

          Re: Ha-ha

          >This isn't a problem with IPv6 if your computer does what it's supposed to do: randomise your interface identifier

          The IP address of your router is defined and provided by your ISP... So all you are doing is to make it difficult (or impossible?) to backtrack your external communications through Internet Connection Records to a specific machine/device behind your router.

          In fact, it is probably less secure than using IPv4 and NAT!

          This is because with NAT the IP address of the end system never gets beyond your in-house router, ie. all systems within your network share the same IP address, namely the one provided by the ISP.

          With IPv6 SLAAC, the router address is simply the forwarding address to the given address. Hence the IPv6 SLAAC address gets beyond your router, which means that it can be collected, and there is probably sufficient data in the clear for different sessions to be narrowed down to say a Windows 10 workstation with a reasonable level of confidence. In a large organisation, your system will be hiding in a crowd, in many home's it is probably the only such system...

          1. Yes Me Silver badge

            Re: Ha-ha

            All of that applies to a NATted IPv4 session: the apps metadata is the same. Anybody who thinks that NAT protects them from pervasive surveillance is dreaming. With both NAT and IPv6 they'd have to come to your home to tie the traffic to a specific person using a specific computer.

  14. Anonymous Coward
    Anonymous Coward

    It seems to me...

    That the lying bastards (aka HMG), will only be able to access the browsing history of the innocent and the stupid criminals/terrorists.

    Anyone else (i.e those of "interest") will be using VPNs, Proxy Servers, TOR etc. Not to mention, that there's no way to identify an individual from an IP address - especially if it's publicly accessable.

    More public funds being wasted on a pointless excercise. The real criminals and the real danger to the public comes from muppets like Teresa May and Iain Duncan Smith.

    It's definitely about time we brought out the pitchforks and burning brands...

  15. Dazed and Confused Silver badge

    Can my ISP determine which of us at home is accessing a certain site?

    You say NO,

    But this could be "perhaps"

    I've got Internet connections from A&A and from BT. The A&A connection uses a mix of static and NAT based addresses, the static ones are obviously easily traceable whois will do it for you, but the NAT based ones on this link would be hidden from the ISP since the DHCP and the NAT is being done by my local Linux boxes.

    For the BT the BT supplied router knows which devices are been allocated which internal IP addresses and could be logging the translations, so I don't know whether they could map the sites visited back to the individual gadgets used within the house. I have also seen my phone connected the generic BT WiFi at home rather than the local WiFi, so they could be logging things that way.

    For my Linux managed NAT I can it I have to map the NAT'd connections back to the local device, so there is no reason to believe that BT Internet can't do that too, if the guys in the black helicopters ask nicely.

    1. Velv Silver badge

      Re: Can my ISP determine which of us at home is accessing a certain site?

      Far simpler than that. A simple profiling of the websites visited is likely to indicate which users are online from a single IP, as most of us multitask in a repetitive fashion. Who visited Peppa Pig website and who visited the Bullingdon Club website are likely to be two different members of the family...

      1. Mike Richards Silver badge

        Re: Can my ISP determine which of us at home is accessing a certain site?

        'Who visited Peppa Pig website and who visited the Bullingdon Club website are likely to be two different members of the family...'

        Lord Ashcroft's book suggests they could be the same person.

        1. Lyndon Hills 1
          Pint

          Re: Can my ISP determine which of us at home is accessing a certain site?

          Comment of the day.

    2. Roland6 Silver badge

      Re: Can my ISP determine which of us at home is accessing a certain site?

      >"But this could be "perhaps""

      Agree particularly if, like most residential broadband, the use of the ISP supplied router is mandated.

      From a tech call with EE, I know they have full access to the admin console on my Brightbox 2. So they have full visibility of all my attached devices.

  16. Anonymous Coward
    Anonymous Coward

    Indeed, Google does not know what I am up to because I very rarely use it. Duckduckgo or similar is a good alternative.

    I also have a linux VM that has a VPN to the Netherlands. I made a gmail account on that and I use that when i really want to see something on youtube.

    However, some times when I think I have done enough I end up getting scuppered by someone close to me. So I have a facebook account, but it has a sound like name not my actual name and my family and non work friends all know its me. However some plonker in work looked over my shoulder (I was trying hard to keep a distance between work and home life) and he saw the name and invited me to be his friend and now EVERY FUCKER AT WORK is trying to do it. What a shithead.

    1. 2460 Something
      Joke

      Easy fix for you. Set up a new Facebook account and whenever you need to access it at work jut get a big box that covers your head and the monitor, that way nobody can see your screen.

      1. phil dude
        Coat

        that was worthy...

        of "Top Tips" in Viz.

        P.

    2. Tim99 Silver badge
      Black Helicopters

      If you use DuckDuckGo you can precede your search with !g to return an encrypted Google search. If you want to do a Wikipedia search use !w - Other "bang" searches are !a for Amazon and !yt for YouTube.

      1. DropBear Silver badge
        Trollface

        "If you want to do a Wikipedia search use !w"

        Wait, wait, I'm confused. If I want a Yahoo! result, do I use !y, y! or !y! ?

        1. VinceH Silver badge
          Coat

          None - for Yahoo! it's clearly got to be !y!

  17. Chris Miller

    Can anyone* see my web requests if I use HTTPS?

    They can if you don't have complete control over which certificates are (pre-)installed on your system. So work machines (and maybe Lenovo computers) may be vulnerable to MITM.

    * Slightly ambiguous - I'm taking it to imply "no-one can see my web requests if I use HTTPS", but it might mean "not just anyone".

    1. AdamT

      Re: Can anyone* see my web requests if I use HTTPS?

      Absolutely true. Where I work this is specifically mentioned in our employment contracts (or at least in a policy doc that is deemed part of our contract). Effectively they MITM every HTTPS because they can set whatever root certificates they like on our workstations. They have legitimate reasons to do this but as a consequence get to sweep up all such data. I'm also presuming that any legislation will at least attempt to be sufficiently broad that they can get such logs from employers too.

      If you don't like this then you should only browse personal stuff at home. I nearly added "or on your smartphone" then I laughed at myself.

      1. DropBear Silver badge

        Re: Can anyone* see my web requests if I use HTTPS?

        " I nearly added "or on your smartphone" then I laughed at myself."

        Why? After all, there is an off switch for WiFi on most of them... and if they can legally get your 3G browsing history, they can also get your home one...

    2. Fitz_

      Re: Can anyone* see my web requests if I use HTTPS?

      "They can if you don't have complete control over which certificates are (pre-)installed on your system"

      Hands up anyone who doesn't think that the UK and US security services don't have copies of major root CA private keys.

      1. koolholio

        Re: Can anyone* see my web requests if I use HTTPS?

        "copies of major root CA private keys"

        Why bother with that? Just go for implementation flaws and protocol vulnerabilities... SSL 2 is obsolete, SSL 3 is vulnerable ... and SSL in itself is potentially flawed... TLS isn't so perfect either...

  18. Cynical Shopper
    Facepalm

    Any properly designed website login system uses HTTPS

    Nice to hear the Reg publicly accept that its site is not properly designed.

  19. Thomas Steven 1

    I'm already subject to a MiTM attack at work

    My workplace already has a MiTM attack vs HTTPS installed. Blue Coat https://bto.bluecoat.com/webguides/proxysg/65/acceleration/Content/01Concepts/ssl_proxy_co.htm.

    'One of the functions of the SSL proxy is to emulate server certificates; that is, present a certificate that appears to come from the origin content server (OCS). '. Oh dear.

    Ironically these clowns call themselves a security company and my employer appears to have lapped it up. I guess whatever passes through this can be 'requested' by the security services and they don't have to do any work at all.

  20. Anonymous Coward
    Anonymous Coward

    Apparently this is also in the bill.

    http://news.slashdot.org/story/15/11/10/0154242/uk-govt-can-demand-backdoors-give-prison-sentences-for-disclosing-them

  21. Panicnow

    Politician signing their own death warrant

    It is only politicians that are worth snooping on. Look at how Gordon Brown got pilloried for buying Champagne a few ears ago, when his credit card account was hacked.

    Apple, Google FaceBook can make dangerous associations between politicians (E.g. two mobiles in the same hotel room overnight) and then have power over them! I'm sure the current management of these august companies wouldn't stoop so low, but an unscrupulous policeman using these powers?

    Us hoi poloi have little to worry about, apart from this type of abuse of our politicians!

  22. VinceH Silver badge

    "So, who really knows what I access?

    Google. You can even download your complete history of every search you’ve ever made."

    ORLY?

    "Archive for [me]

    Nov 10, 2015 5:25:17 AM PST

    Google Takeout

    1 Google product

    0.0 bytes total

    Learn more about Google archives.

    Searches

    Searches

    No data found

    Searches

    No data found"

    All it takes is a little care when you use the intertubes.

  23. Anonymous Coward
    Anonymous Coward

    So, I have BT Internet at home but I force all the devices to use OPenDNS server via DHCP.

    In theory then, BT DNS has no record of any of our devices doing DNS lookups.

    Is OPenDNS subject to the proposed ISP laws in this bill, ie ist it an ISP in the defined sense?

    1. damian fell

      That really depends how they capture and log this stuff...

      Remember that unless you're using DNSCrypt, all your queries to OpenDNS are in plain text, traversing your ISP's network, so even if you don't use their servers they can still see it.

      The actual legislation proposed wisely doesn't seem to dictate any specific technical mechanism, so they've got two options:

      1. Log your DNS queries to their servers, along with anything other DNS traffic traversing them (easy cheap but not very comprehensive, as many devices and browsers will use a local DNS cache).

      2. Inspect the packets exiting your network and process them to capture more accurate destination information (more processor intensive and complex, resulting in a larger data storage volume).

      My guess is the smaller or less competent ISPs (hello TalkTalk!) will go for option one, but that the larger ones will be leaned on to go for option 2 (and let's face it ,BT has some history of using deep packet inspection technology).

      1. koolholio

        webcaching --- theres the simple answer, oh wait they implemented that on most ISPs about 5 years ago...

        if any request frame passes through port 80 or port 443 then cache... log data of what IP, time and URL requested (in the frame)

        Similar to how a proxy works... its just mandated at the router...

  24. koolholio
    Headmaster

    DNSSEC / EDNS0

    You forgot to mention the TCP port 53 fallback and DNSSEC / EDNS0...

    You also forgot the technical detail that a DNS request can be "edns-udp-size 4096 ;" yes 4096 bytes of data...

  25. dntopping

    Carrier Grade CGNAT / LSN

    Has any thought been given to how the SnoopersCharter will work when Carrier Grade NAT (CGN/LSN) is used (RFC7021 s3.4, RFC6269 s13.1 )?

  26. femanon666
    Trollface

    I'll just leave a couple of things here...

    1. Tor hostspot using a raspberry pi

    https://learn.adafruit.com/onion-pi/overview

    2. Coming to the register via an exit node... password compromised for lack of https, throwaway account.

    3. Use tor for all browsing (I have "nothing to hid" but fuck off with your spying)

    4. Python script running on said pi to generate a shit load of random web browsing meta data (enjoy storing it ISPs!)

    5. (cheap) VPS in foreign lands tunnel shit load of data over ssl

    I'm not a criminal, nor are any of these measures difficult to implement. I'm sure if I really wanted to I could create an even more obscure and secure route to the sewage pipes that is the internet.

    Actually now considering becoming a private contractor for people interested in not having their cat videos snooped on.

  27. a53

    I use DuckDuckGo. Who apparently don't keep records.

  28. Panopticon

    What it means...

    Can anyone see all my web requests?

    Yes - Should be No not if you use opportunistic TCP encryption such as TCP/Crypt.

    Can anyone see my web requests if I use HTTPS?

    No - Should be Yes if they've inserted there own Root CA.

    If I use HTTPS, will anyone be able to access my details from the remote web server logs?

    Yes - Should be No - Not if you've fudged there Geo-location and forged your Headers.

    Can my DNS requests be logged?

    Yes - Should be No, not if your using DNSMasq and an OpenDNS uses unencrypted UDP on port 53 so obviously you should encrypt your UDP as well as your TCP.

    Can my ISP determine which of us at home is accessing a certain site?

    No - Should read yes, if they're using immortal cookie technique!

    If I connect to a website using a VPN, will my requests be logged?

    Perhaps should read as Depends on who owns the VPN.

    If I use a Tor browser, will my ISP be able to log my web requests?

    No - Should again read Yes because of all of the above.

    How can ISPs trace me?

    A session cookie is used for each user’s web browsing session which can not always be harvested if you disable JavaScript and use a browser that refuses 'Cookies'

    Will investigators have powers to examine web server logs?

    Yes - Should read No, not every country is going to kiss your ass!

    Could there be a “man in the middle”?

    Perhaps - Should read Yes there can be which is why you need to take steps.

    Will an investigator see my passwords?

    No - Yes, they'll see them being typed in if you use Android or X11

    So, who really knows what I access?

    Good question!

  29. Anonymous Coward
    Anonymous Coward

    Well, as a result of this, I wrote a script in mIRC that'll connect to a random website via sockets from a list every five minutes. (Unless it only logs if connecting to a website via a web browser.)

    Some I do legitimately use, some I don't. So, if worst ever comes to worst, the authorities can have fun trying to figure out which are real, and which aren't.

    What I didn't know about was that all my DNS request would be logged.

    Guess I'll have to write another script to cycle through and DNS every IP.

    1. Panopticon

      What I didn't know about was that all my DNS request would be logged!

      Of course that's because Google wants to own all your DNS requests as well as your CA on your phone and thieve Java so they can spy on your Droid hence why privacy advocates use "X-Privacy" which completely screw's up the Geo-Location features and disables all there advertising, the back-door is widely published as being the "Talkback" service programmed into the device.

      In point of fact there are plenty of solutions to these carefully crafted problems that Google has deliberately created to dominate it's marketing position on the web as a search giant. You only have to look at how they fly off the handle at rouge "CA certificates" to see there's something clearly very wrong with the security of all Certificate Authorities, such as TurkTrust ie: we spied on Turkey!

      "Guess I'll have to write another script to cycle through and DNS every IP"

      That's not a bad idea, nor is the idea of using "Peer Guardian" to banish all IP addresses belonging to advertising firms like there's along with all IP addresses belonging to the US Government.

      ie: IP addresses in the ranges of: 6 - 7 - 11 - 21 - 22 - 24 - 25 - 26 - 29 - 30 - 49 - 50 - 55 - 62 - 64 - 128 - 129 - 130 - 131 - 132 - 134 - 136 - 137 - 138 - 139 - 140 - 143 - 144 - 146 - 147 - 150 - 152 - 153 - 155 - 156 - 157 - 158 - 159 - 160 - 161 - 162 - 163 - 164 - 167 - 168 - 169 - 194 - 195 - 199 - 203 - 204 - 205 - 207 - 208 - 209 - 212 - 213 - 216.

      Erm, nearly half of the internet would appear to be there military IP Ranges and they claim, they're not "out of control" and don't "have a problem?!"

      TCP/Crypt - SSHNet - OpenBSD - Bitrig - Oberon - Bell-Labs Plan9 & LibreSwan with your own CA's pre-programmed inside Key Manager and exported from Firefox for the Win. Time to banish all those rouge CA certificates that you didn't write or place into your Open Source OS in the first place, hence why there secret secure OS doesn't use CA's except the ones you've written yourself!

      They have indeed annexed the internet - Thank "Ken" & Bell-Labs - Who have a long history of always giving the US Military what they want, whilst at the same time they've developed quite a "cult" following hence "hackin9"

      1. Panopticon

        Re: What I didn't know about was that all my DNS request would be logged!

        When I say a "Cult" I mean a "Cult" they're known as the Masters and they follow the 9 Keys of Enoch - Council of Nine

        Amongst it's collective and most prominent members are - where:

        Gene Roddenberry was part of that inner circle in 1974 and 1975 (Deep Space 9) (7of9) - Andrija Puharich, James Hurtak and Richard Hoagland have all lectured at the United Nations in New York. And individuals all connected with "Nine" are also known to have had influence over Vice-President Al Gore - President Bush Sr - President Bush Jr - President Clinton - President Obama - President Ronald Reagan etc, etc..

        Known simply as 'The Nine', its disciples include cutting edge scientists, multi-millionaire industrialists and leading politicians.

        "I am the beginning. I am the end. I am the emissary. But the original time I was on the Planet Earth was 34,000 of your years ago. I am the balance. And when I say "I" - I mean because I am an emissary for The Nine. It is not I , but it is the group - We are nine principles of the Universe, yet together we are one."

        Perhaps the most disturbing aspect of the history of the Nine is its relationship to the career of Andrija Puharich. Recent research has revealed Puharich to have a distinctly sinister side. As an Army doctor in the 1950s, he was deeply involved with the CIA's notorious MKULTRA mind control project. He together with the infamous Dr Sidney Gottlieb experimented with a variety of techniques to change or induce actual thought processes even to creating the impression of voices in the head.

        As president Putin has already said a CIA Mind Control experiment & Zionism (they're all Jewish!) pure and simple!

    2. Panopticon

      SSL

      It has everything to do with what Robert Morris a Cryptographer who worked at the NSA & Bell-Labs actually did to the SSL layer, you see you believe that SSL is Secure Sockets Layer that is in point of fact incorrect it's Secure Sockets Record!

      Why reveal the 9 - Because I would think of myself as "Horus", being of two world's "stealing the all seeing eye!"

  30. boatsman

    all of this assumes you can trust verisign, thawte etc. DO YOU ? REALLY ??

    if you dont understand it, then start educating yourself :-)

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019