EU Moves Forward with Data Retention

KokoBonobo writes " euobserver.com reports on controversial proposals to require EU service operators to retain data about telephone calls and e-mails as part of an overall fight against crime and terrorism. The retained data would not only consist of logs, but of entire conversations and contents of the e-mails and SMS messages. This document from the European Commission's Information Society goes into further detail."

Tools

[Apathetic1]

Well, if anything is going to drive people to personal encryption, this type of brain-damaged legislation will be it.

Re:Tools

[casuist99]

Judging by your username (Apathetic), I would think you'd realize the one fundamental fact about the public (in general): We're apathetic about things we SHOULD care about.

We can shout at people that the government can read our email and chat logs, but very few people will make the move to encryption. People are apathetic and lazy - unless encrypted email and chat is enabled BY DEFAULT in the next version of email and chat programs, people won't do it.

Re:Tools

[Apathetic1]

I've showed half a dozen people how easy it was to use GPG with the Thunderbird Enigmail extension and they've never looked back. Many people are ignorant of the alternatives rather than simply being lazy.

Re:Tools

[TheRealSync]

Actually, I only think the ones doing any encryption will be the ones that the government/police would actually be interested in tracking.

The majority of people don't care about this. All too often have I raised the question of whether society is getting too "big brother"'ish - most responses I get indicate that the average Joe is ready to give up personal freedom in order to feel just a little bit safer.
That's just the way people see it.

Re:Tools

[Apathetic1]

If the only people using encryption are the people with something to hide I'm not seeing any advantage to a law like this. It's frightening to think that legislators might be that out of touch with reality.

I have no problem giving up a little bit of personal freedom for a genuine increase in safety (e.g. drunk driving laws, fire regulations) but trading freedom for the illusion of safety provided by airport spot checks and the like just doesn't fly with me (so to speak).

Re:Tools

[krymsin01]

Actually, I only think the ones doing any encryption will be the ones that the government/police would actually be interested in tracking.

What about the companies that encrypt their data so that their competitors don't get the edge on them? Or online bank transactions?

Re:Tools

[Library+Spoff]

so how do i go about encrypting my sms messages?

Re:Tools

[drgonzo59]

I think most people would agree that they would like to keep their conversations private, even if they talk about the weather. But most people will not go through complicated motions of setting up complicated security options. I for example, am guilty, I don't want Uncle Sam, or Papa Putin to read my emails, and I did generate public and private keys, I've tried using them, but I just don't bother anymore, it's too much of a hassle.
If the tools were simpler to use and if a couple of law suits about how people were interogated and their property searched based on the content of snooped emails would hit the media, then more people would start using encryption/authentication regularly. Right now if the govt. sees you using it, immediatly they assume some terrorist or illegal activity. Encryption should be the norm not the exception, maybe some day it will be.

Re:Tools

[HoneyBunchesOfGoats]

But how many more people simply can't bring themselves to change? There are tons of people who, after having Firefox installed to them and shown how to use it, search through the start menu for Internet Explorer instead of using the Firefox shortcut on the desktop. People like what they're comfortable with. Even if there are other concerns, they'll just make themselves forget, so that they can stay in their comfort zone. Willful ignorance is an unfortunate fact of modern society.

Re:Tools

[NumbThumb]

Have you tried the enigmal extension? It doesn't get much simplet than that. Setting it up is not completely seemless, but easy enough. Using it is just a matter of klicking the "encrypt" button.

Re:Tools

[plague3106]

have no problem giving up a little bit of personal freedom for a genuine increase in safety (e.g. drunk driving laws, fire regulations) but trading freedom for the illusion of safety provided by airport spot checks and the like just doesn't fly with me (so to speak).

I'm always curious about this. You say that 'drunk driving' laws are a necessary encroachment on freedom. What specific laws are you talking about? The checkpoints, taking away licenses?

If you support checkpoints, I have to ask you..why do we even need a seperate law for drunk driving? Should someone be killed by a drunk driver, couldn't we keep that under existing laws? Murder 2 perhaps?

Same with laws stating that its illegal to shout fire if there's really no fire. Why are we restricting speech, when there are other alternatives, such as making the one who shouted fire pay for the expense of bringing emergency officals out, liable to be sued by someone who lost their house from a real fire b/c the fire trucks were at the wrong place, and something like muder 2 to cover anyone that died?

Those seem much more reasonable to me then taking away freedoms. I have a serious problem with the notion of punishing someone b/c something bad MIGHT have happened due to their behavior. Seems like you can say just about anything MIGHT hurt someone, then ban it.

Re:Tools

[Lamieur]

Here in Poland there was a proposal similar to the one described above. It contained a clause that all the information logged by providers have to be available to the police in unencrypted form, which basically means: if one of my clients uses SSH to connect to some foreign host in Iraq or Afghanistan, it's my responsibility to decrypt it and present raw transmission data to the authorities.

Not mentioning the amount of storage needed to keep everything transmitted over a relatively slow network (a megabit per second link can give you 3754 terabytes a year), imagine the processing power needed to decrypt few SSH sessions. Then imagine a price of link to an IAP having 100 clients, each of which have to pay for 1/100 of IAP-s supercomputer ;)

I haven't RTFA, but I hope the EU won't try to push a project similar to the one which didn't work in Poland (for now, I'm sure there's new version in the works).

Re:Tools

[ThaReetLad]

Well take drink driving for example. Driving while drunk is equivalent to playing russian roulette with someone elses head (never mind your own). I think it is probably I good idea to punish people who recklessly or willfully endanger other peoples welfare or other human rights. Where your "right" to be stupid starts to interfere with my "right" to be safe there has to be laws to safeguard the rights of the passive party to the conflict of interest.

Sure, these things are always a balancing act, and often kneejerk legislation goes way too far, but in my experience people who are moaning about their freedoms being eroded are often playing the "rights" card in order that they can selfishly indulge in ignoring other people's rights and freedoms.

Re:Tools

[ThaReetLad]

I've just noticed who I'm arguing with (again). One of these days we're gonna have a serious disagreement. ;)

Re:Tools

[bdcrazy]

Making it simpler to set up, and just allowing people to click send and it could happen. Asking people to do anymore than they are already doing and people won't do it.

Re:Tools

[Apathetic1]

Supply and demand. If people want encrypted SMS badly enough somebody will start offering it (unless or until it's declared illegal, of course).

Re:Tools

[tomjen]

Yes but if you are afraid to get cought, it might stop a few people. The geeks on the other hand will use http://ciphersaber.gurus.com

Re:Tools

[aminorex]

the purpose of multiplying laws without end is to insure that everyone is guilty, and lives or dies at the whim of the state. the legislators who "represented" you to institute this system are the ones who turned your children and grandchildren into slaves. the slaves won't revolt as long as their lives are full of comfort and pleasure, so total slavery will continue at least long enough to insure that the slaveowners have a place to hide while the surface of the earth is cleansed of the human infestation.

Re:Tools

[cayenne8]

"If you support checkpoints, I have to ask you..why do we even need a seperate law for drunk driving? Should someone be killed by a drunk driver, couldn't we keep that under existing laws? Murder 2 perhaps?"

Well, I can see your point in a way. For instance, why do we have/need "Hate Crime" laws...a murder is a murder, no matter the reason. A murder because someone hates you (race, sex, etc)...is no worse than any other murder.

However, laws against driving drunk, have nothing to do with possible consequences that might arise from it. You can be arrested from DWI, even if you have done nothing wrong. Say you are driving fine, no weaving, going speed limit, in other words, your driving while intoxicated has caused you to infringe on no laws. But, say you have a tail light out. You get pulled over for that...and the officer smells liquor on you. You can get busted for DWI, but, no other laws were broken. Now if you are drunk, and kill someone...you'll get slammed for two laws....drunk driving, AND probably something like negligent homicide....

Just to point that DWI and homicide are two different things....hence two separate laws. But, a premeditated hate crime murder is the same as any other premeditated murder. Why two laws?

Re:Tools

[plague3106]

Where your "right" to be stupid starts to interfere with my "right" to be safe

I'm not so sure about a right to be safe...life is after all dangerous, and any illusion that its not is, well, an illusion.

But lets examine your statement a bit. Your 'right' to be safe may be interefered with if you're on the sidewalk and there's a drunk driver within 200 feet. I can buy that.

What if he's now 5 blocks away? Is it now ok for him to be drunk and driving? He's not interfering with your 'right' to be safe is he? What if you're on the 2nd floor of a building? Across town? What if he's the only one within 1/4 mile of any other living human? The only one he could possibly harm is himself, so it should be perfectly legal then.

So it seems that if other people are adequitly protected (by being indoors) or far enough way is a big factor in interfering with your 'right' to safety, so shouldn't that also be captured within drunk driving laws?

Also consider the example where you are on the side walk and within 200 ft...he's drunk, you feel threated, but he doesn't hit you and continues on..what harm have you suffered? You got scared? It seems to me that people pay to scare themselves (movies, amusement parks, etc)...but if you are scared against your will, should that be a crime too?

There are all kinds of things that COULD harm you, but do we start banning everything? Even following the rules its possible for you to be struck and killed by a driver. I'd really like to see the # of people killed by a non-drunk driver compared with a drunk one. Is the difference so astronomical? Even if it is, we have methods to deal with 'reckless endangerment and disregard' as these can help determine Murder 1 from manslaughter.

Re:Tools

[plague3106]

Heh..didn't reconize your name, but apparently we butted heads on a censorship article a few days ago.

Well nothing wrong w/a healthy debate is there?

Re:Tools

[plague3106]

Just to point that DWI and homicide are two different things....hence two separate laws.

I understand that, I'm arguing against having checkpoints / DWI laws at all.

Say you are driving fine, no weaving, going speed limit, in other words, your driving while intoxicated has caused you to infringe on no laws. But, say you have a tail light out. You get pulled over for that...and the officer smells liquor on you. You can get busted for DWI, but, no other laws were broken.

Exactly my point. You now have broken a law that crimializes something that may NOT have harmed anyone else. What is the justification for penalizing someone that hasn't actually caused harm to anyone else? When they do, fine, charge them with something, probably adding various reckless charges.

But, a premeditated hate crime murder is the same as any other premeditated murder. Why two laws?

I agree; in both cases, the person is still just as dead. Hate crime laws seem to say 'its not as bad to kill someone for money as it is b/c they are black, white, whatever.'

Sentencing is best left up to judges and juries, not legislators.

Re:Tools

[plague3106]

Letting police have the power to search anyone's home at anytime may stop alot of crimes too, but do you think we should really be doing that?

You can argue that just about any action MIGHT harm someone else and now, according to your logic, that thing should be banned. Where do you draw the line?

People die, whether from drunk drivers or heart attacks. Someone that kills another from drunk driving won't be on the street again anytime soon if convicted of a murder charge.

Re:Tools

[Trejkaz]

Even if it's enabled by default, users still have to learn how to use keys. Otherwise the company might as well issue every user "secure" keys and just not tell everyone that they can decrypt anything encrypted to those keys.

Re:Tools

[ThaReetLad]

The point is that the drink driver has no way of knowing when he may or may not be putting someone else at risk, and no-one else know whether or not the driver of the next vehicle is drunk or not. It not the interference per say that is the issue, but the reckless disregard for the safety of other people, and the potential for harm that your action caused. Notice the word potential, which means that you have to take into account those things that were unknown or unknowable to the actor at the time of his dangerous actions. In the case of a drunk that include the possible presence of other people, not the actual presence of other people.

The problem with what you propose is that someone would have to be killed before a habitual drink driver was taken of the streets, which has got to be a crazy way to run a country.

Also consider the example where you are on the side walk and within 200 ft...he's drunk, you feel threated, but he doesn't hit you and continues on..what harm have you suffered? You got scared? It seems to me that people pay to scare themselves (movies, amusement parks, etc)...but if you are scared against your will, should that be a crime too?

what if you suffered a heart attack, or were put so on edge that you walked in front of another car while crossing the road? I think actual damage inflicted should be counted for damages, but society cannot allow people to endanger other people without a very good reason.

I think it is right and proper for a government to outlaw actions that have a good chance of hurting innocent bystanders

Actually deliberately being scared against your will can be against the law. Threatening behavior and making threats are both illegal.

There are all kinds of things that COULD harm you, but do we start banning everything?

depends upon the relative risks and benefits. Speeding, knives, guns, smoking in a public place. All these things are up for discussion here.

I'd really like to see the # of people killed by a non-drunk driver compared with a drunk one.

Probably a bad statistic to use but 15% of all road deaths in the UK, alcohol was a factor. Now the question is, are more or less than 15% of all road miles driven, driven by drunk drivers? If 1% of all road miles are driven by drunk drivers (which is probably massively too high) then drink drivers are 15 times more likely to cause an accident than sober drivers. I suspect it's actually much less that 0.1% which makes the ratio more than 150 times more likely to die in an accident if you've been drinking than not.

According to dutch figures, if you have a blood alcohol concentration of more that 0.15% you are 200 times more likely to die in a road accident than a sober driver.

If someone dies, that is too late.

Re:Tools

[ThaReetLad]

it was the religion thing

Re:Tools

[NumbThumb]

Hail spelling nazi!

Seriously: I'm not a native speaker, and my spelling is bad enough in german, too. Also, i often don't proof read my contributions to messages boards. Sue me.

Re:Tools

[plague3106]

Yes, which stemmed from a censorship article :-)

Rules are made to be broken... VOIP loophole?

[buro9]

It seems that with the rapid pace of new technology and the slow pace of legislation, that this will be largely ineffective.

Already it's easy to see how existing technologies could be used to effortlessly circumvent the proposals.

"Telephone calls", does this cover Skype? Does it cover VOIP in general which is just data passing over the network and could always be wrappered, encrypted, or routed via several points (to ensure no single intermediary could capture the whole conversation).

It's great that our politicians can find ever increasing ways to enforce a climate of fear whilst wasting the monies that could help alleviate problems fced by the citizens that they represent.

Damn! Now I've posted what do I do with these mod points!?

Re:Rules are made to be broken... VOIP loophole?

[nayigeta]

Already it's easy to see how existing technologies could be used to effortlessly circumvent the proposals.

The tricky thing is.. while such legislation is targeted at big crimelords and terrorists, it is more likely that the data will instead be used against the civilians with petty crimes. I am not saying that the petty criminals don't deserve it though.

Re:Rules are made to be broken... VOIP loophole?

[nayigeta]

Yucks! Click submit instead of preview. *yawn*

Anyway, my key point to the quote is - circumvention is an act of having something to hide. And if one has something to hide, chances are, whatever one is hiding is likely to be more valuable information.

You see, there are people that lives thinking they have nothing to hide, so they do not see any need to circumvent. And these are the group of people that will be unfortunate target of this legislation if they unwittedly performed petty criminal act.

So, the tricky thing is.. while such legislation is targeted at big crimelords and terrorists, it is more likely that the data will instead be used against those who commit petty crimes. I am not saying that these petty criminals don't deserve it though.

I rather have my privacy respected, than encrypted.

Re:Rules are made to be broken... VOIP loophole?

[DigiShaman]

Skype communications are encrypted by default for both file transfer, chat, and VIOP in real-time. Question is, how long before Skype is outlawed from the EU?

Re:Rules are made to be broken... VOIP loophole?

[oolon]

The thing about voip to voip is the servers tend to hand over the routing to the internet in general, the packets go from the sender to the reciever and not via the "phone company". Only when terminating with a PSTN or vocal mail do the calls normally go to the phone service. The phone only gives status information to the "server". To intercept a voip call, you have to decide to tap it before its being made and the call will be routined to your service first. Of course this means you can tell by the packet destination if you could be being tapped.

James

I Farted!!!!!

HAHA

Now you have to retain this comment in this thread in order to combat terrorism or something.

Re:I Farted!!!!!

[ThaReetLad]

surely that depends upon whether or not your farts can be classified as WMDs. That would make your anus an illegal delivery platform, and lunch would be a WMD program. Lock him up I say.

So much for European data privacy

[IO+ERROR]

From the article:

This decision, which passed quickly through Council, was prompted by the recent case of the serial killer Michel Fourniret who was able to carry out his crimes for years by exploiting the poor communication between French and Belgian authorities.

Now I know the Belgians can speak French. If they can't communicate properly, this data retention law isn't going to help at all. What would help is for the various member states to get their act together and start working together more closely on international crimes.

Re:So much for European data privacy

[andr0meda]

It's not a matter of language, it's very simple. Every nation has it's own recherche and police force, and on top of that is Interpol. All of them have serious ego problems. And there is your answer.

I live in Belgium and I am as equally appaled by the fact that this data was not already shared between nations. On the other hand, I think this data retention proposal is even more scary. I hate the idea that the people in Italy can track down my adress and phone number and harass me at night.

Pro-actively harvesting these large amounts of data provides not one but 2 opportunities. It can serve law enforcement in EU memberstates, but it can also fall into the wrong hands and wreak havoc on people's personal privacy. And nobody asked *ME* personally about giving up MY privacy. If people want to sacrifice *their* privacy because it makes them feel safer, sure, but just like you're on my private property: "get the hell off!"

Same thing for the US's requirement to get all personal data from people flying into the US. I'm simply not flying into the US anymore.

Re:So much for European data privacy

[avdp]

Some of them speak french. Others speak dutch or German. But that's beyond the point, we're not talking about language barriers. We're talking about territorial pissing contests.

Why don't they just use Echelon?

[tpgp]

Just ask friendly ol' uncle Sam for the Echelon logs?

No need to duplicate!

Re:Why don't they just use Echelon?

[FrYGuY101]

Why would they bother with Uncle Sam?

The United Kingdom is a member of echelon with fill rights to the data gathered. Seeing as they're a member of the European Union, one'd think they'd be the ones being asked...

On a clear disk you can see forever...

[beerygaz]

Now's the time ti sign up with EMC and get your sales boots on! Think of the disk required to store all of that drivel!

Re:On a clear disk you can see forever...

[KlaymenDK]

...k.

It's "On a clear disk you can seek forever".

I don't even know why I bother with this. Well, here's another comment for /. to log for all eternity.

Re:Encrypt your data/files

[tektek]

I like the name. :P Pretty good, but not quite good enough? Sounds like a name that someone could get into if they really wanted to~ (the govt.)

Even Encryption won't help in the UK

[amigoro]

Since 1998, the police have the right to demand your encryption keys. Here's an old article about that.

Moderate this comment
Negative: Offtopic Flamebait Troll Redundant
Positive: Insightful Interesting Informative Funny

Re:Even Encryption won't help in the UK

[malsbert]

well it may be law but it will never work in practical terms. people forget there passwds (i would like to help but i can not). friends use there computers (with the normal user acct any file could be something they did). most computers are not up2date (an evil hacker did it). 1 or 2 cases where "normal" (read: do not know the first thing about computers) people gets in a jam and this thing will
fall.

Re:Even Encryption won't help in the UK

[TheRealSync]

Since 1998, the police have the right to demand your encryption keys.

"I'm sorry officer, but I just don't recall..."

Re:Even Encryption won't help in the UK

[Eudial]

>Since 1998, the police have the right to demand your encryption keys

You can still "forget" that 35 letter password of yours.

Re:Even Encryption won't help in the UK

[Darren+Winsper]

One of the big problems with the RIP act is that it assumes guilt until proven innocent. You have to *prove* you don't know the password. The government can lock you away without trial until you do cough up the password, even if you can't.

Re:Even Encryption won't help in the UK

[SenseiLeNoir]

This may be a "law", but in all practical terms, it will never work.

as said, people forget passwords, etc.

All it takes is one high court case, observed by our sensationalistic media, and that law will be consigned to the gutter.

Re:Even Encryption won't help in the UK

[julesh]

Yeah, and according to the law, unless you can _prove_ you've forgotten it when there's _reasonable evidence to suggest_ that you know it, you're still going to go to prison.

Re:Even Encryption won't help in the UK

[malsbert]

did not know that and it scares me.
what will stop me from sending an encrypted e-mail to an english citizen and calling the police?
the recipient will not have the passwd and as long
i use the word "pedophile" in the anonymouse (sp?)
call made i can be sure this will be acted on.

Re:Even Encryption won't help in the UK

[Darren+Winsper]

That's pretty much it. When law students study the RIP act, the smart ones will often e-mail an encrypted message to their lecturer and ask them to keep hold of it for a presentation. When the presentation comes about, the law student then points out that the lecturer can't prove he is unable to decrypt it and thus could be locked away indefinitely for even having it.

Re:Even Encryption won't help in the UK

[Alioth]

That would be all well and good - but the RIP act makes forgetting a password a criminal offence. If you can't remember your passphrase, and your private key is demanded, you can be prosecuted for that instead.

Fortunately, although I live in the British Isles, I don't live in the UK - and the RIP act was never passed here.

Re:Even Encryption won't help in the UK

[91degrees]

There are techniques. Diffie Hellman key exchange will provide a disposable key that is - by design - secure against eavesdropping, and there is absolutely no need to keep a record of the key after the session, which should be adequate proof that you no longer have the key.

Re:Even Encryption won't help in the UK

[16K+Ram+Pack]

I think you should read that article again. IIRC the legislation did not end up being as the article says .

Re:Even Encryption won't help in the UK

[julesh]

All it takes is one high court case, observed by our sensationalistic media, and that law will be consigned to the gutter.

The law includes secrecy provisions. Anyone charged under it will have their hearing in a closed session, and are strictly prohibited (penalty of 5 years imprisonment) from informing anyone other than their lawyer, so media coverage seems unlikely.

(4) A person who makes a disclosure to any other person of anything that he is required by a section 49 notice to keep secret shall be guilty of an offence and liable-

(a) on conviction on indictment, to imprisonment for a term not exceeding five years or to a fine, or to both;

(b) on summary conviction, to imprisonment for a term not exceeding six months or to a fine not exceeding the statutory maximum, or to both.

Re:Even Encryption won't help in the UK

[malsbert]

maybe a similar "demonstration" of the problem could be made by sending such e-mails to all members of you parliament. well maybe you would just be arrested for disturbing the peace :(

Re:Even Encryption won't help in the UK

[Eudial]

Doesen't the law go with innocent until proven guilty in the UK?

It should be up to them to prove you havn't forgotten it.

Re:Even Encryption won't help in the UK

[Richard_at_work]

Unfortunately, with several recent laws that presumption of innocence is being deminished. Hell, Labour is even trying to take away our right to a trial by jury, and so far its made it possible to jail foreign terrorist suspects without trial, allow the prosecution to present evidence to the Judge without making that evidence available to the defence or defendant. These are jsut a few of the really bad laws recently passed.

Re:Even Encryption won't help in the UK

[MadMoses]

Would it help if you'd store your decryption key on a USB stick and lose/destroy it?

Re:Even Encryption won't help in the UK

[julesh]

If you could prove you'd done so, yes.

Re:Even Encryption won't help in the UK

[Anonymous+Brave+Guy]

The law includes secrecy provisions.

Convenient, that, isn't it?

Anyone charged under it will have their hearing in a closed session, and are strictly prohibited (penalty of 5 years imprisonment) from informing anyone other than their lawyer, so media coverage seems unlikely.

You must be new here. :-)

Do you really think the media will care about a privacy restriction like that if they've got a solid story to run backed by solid evidence? The media getting hold of things like this brings down governments, and their oppressive laws with them. Such is the benefit of having a free press.

Re:Even Encryption won't help in the UK

[avdp]

How do you prove you've forgotten something?

Re:Even Encryption won't help in the UK

[Joules+Burn]

Don't they just exclude themselves from from any laws they pass that might be personally annoying?

Re:Even Encryption won't help in the UK

[ultranova]

What problem ? The purpose of these kinds of laws is to make sure that everyone is guilty of something. Combined with selective enforcement, this allows the government to lock anyone up anytime they wish, in practice changing the rule of law into the rule of absolute monarch.

So, for the rulers, there is no problem - the law is doing exactly what it was designed to do: making everyone into a criminal.

"It's so convenient to have a system where everyone is a criminal" - A. Hitler

But who knows, maybe the germans will act as liberators this time around ?-)

Re:Even Encryption won't help in the UK

[bluGill]

And how long will that law stand once the media finds a juicy story? It won't be long when every politician is getting quoted on editorial pages on "why it is a good thing that the media can't example this case against an innocent man". The facts won't even matter. What will matter is that it is a slow news week and the media is looking for a big evil government story to sell. I'm sure there are a number of reporters and editors who are holding this story up for a time to release it when they can do maximun damage.

Re:Even Encryption won't help in the UK

[Anonymous+Brave+Guy]

You're talking about the US, home of Fox News. I'm talking about the UK, home of the BBC. Take a look at the coverage of the Iraq war on both sides.

BTW, the whistleblowers are alive and well in the UK, as MI5/6 are well aware after several very high profile cases recently. There's also been a lot of pressure about things like holding foreign suspects withot charge or trial at Belmarsh (our Gitmo), which in fact was ruled illegal by our highest judicial authority just this week. It will be interesting to see how our new Home Secretary deals with that one; having made a big thing about continuity of his predecessor's policies as he was appointed, that probably wasn't the best news he could have had on his first morning in the job...

Re:Even Encryption won't help in the UK

[julesh]

Exactly. See, for instance, this project (google cache as the original server seems to be down at the moment) which provides an implementation of this idea as a Linux filesystem.

my own direct experience on this topic

[tuxette]

I participated in an open hearing (in Norwegian only, sorry) on this very topic last year in Oslo. Participants included representatives from telecom companies, top IT companies, government agencies, interest groups, etc. While there was sympathy for the need to fight terrorism, nobody was in favor of long-term storage of traffic data. The reasons varied, all from privacy concerns to costs to contractual expectations. Nobody was able to see how this long-term data storage would be useful for fighting terrorism. Yes, they understood the alleged theories, but were able to slam these theories with real world examples.

The one representative who was supposed to speak in favor of it never showed up (remember Inger Marie Sunde?), nor did she send a replacement. Now what kind of message does that send? It gives the impression of "the majority doesn't care for long-term storage of traffic data, but we don't care what the majority thinks. We're going to impose our way on you whether you like it or not."

Re:my own direct experience on this topic

[mpe]

I participated in an open hearing (in Norwegian only, sorry) on this very topic last year in Oslo. Participants included representatives from telecom companies, top IT companies, government agencies, interest groups, etc. While there was sympathy for the need to fight terrorism, nobody was in favor of long-term storage of traffic data. The reasons varied, all from privacy concerns to costs to contractual expectations. Nobody was able to see how this long-term data storage would be useful for fighting terrorism. Yes, they understood the alleged theories, but were able to slam these theories with real world examples.

Even if such an approach could be demonstrated to have potential benefits these need to be weighed against the risks relating to the data being available to any entity with the resources to get hold of it. Which includes organised crime, terrorists and foreign governments.
If police forces can't keep criminals out of their databases it's unlikely that telecoms companies will be able to do so.

Re:my own direct experience on this topic

[16K+Ram+Pack]

It gives the impression of "the majority doesn't care for long-term storage of traffic data, but we don't care what the majority thinks. We're going to impose our way on you whether you like it or not."

You are not "the majority", nor are the majority of people on /. "The Majority" are shit scared of all sorts of things that governments and media have whipped up stories about. A lot of them aren't on the internet and couldn't care less about your rights, as long as they can still sit in front of the football with a beer and aren't going to get bombed by evil terrorists.

Re:my own direct experience on this topic

[Dionysus]

In Norway, the media doesn't spend the majority of the time trying to scare people shitless. We still have reasonable debate programs and interviews (favorite is actually a Swedish program called Global Axxess).

And the country isn't as polarized as the US currently is (which makes debate possible).

Re:my own direct experience on this topic

[16K+Ram+Pack]

One problem in the UK and US is that we have electoral systems that impose polarity - it doesn't matter if you come 2nd in the presidential election by 1%, you lose - in the UK, you can get 5% in all 600+ seats and get nothing. It makes more sense to have systems where electoral share is proportioned.

I find it all quite amusing really....

[B747SP]

IIRC, this isn't the first time someone senior and clueless got it in their heads that it would be a great idea to just store everything that ever passes across a given network. They tend to go really quiet right after someone sits them down in a quiet room and spells out a few of the 'practical' details of what they think they're going to do...

"You mean we're gonna need how much disk space exactly?". "We're gonna have to invade which small nation just to get enough physical space to store all this stuff?".

Worry not, it will blow over soon enough :-)

Re:I find it all quite amusing really....

[decoy-nameless]

well the nice thing about this is that not the governement is going to pay for this but they force ISP's to arrange storage space aswell how to get all this data copied somehwere somehow. you see that it wont affect the governements money pocket but it will be charged upon the users by just raising the contract fee's. but i have to agree on how much diskspace this is going to take aswell how much diskspace this will take in the future its going to be tremendous

Re:I find it all quite amusing really....

[IO+ERROR]

"We're gonna have to invade which small nation just to get enough physical space to store all this stuff?".

It should all fit in Liechtenstein. If not there's Luxembourg.

Re:I find it all quite amusing really....

Wouldn't France be easier to invade?

Re:I find it all quite amusing really....

[16K+Ram+Pack]

Actually Liechtenstein is not a bad choice for hosting. It's outside the EU and the USA. Maybe Switzerland will become the hosting capital of the world.

Laws like this are a pretty good way of destroying your web hosting industries and getting them to move elsewhere.

Re:I find it all quite amusing really....

[Ben+Hutchings]

The thing is, this isn't the intent. The summary is wrong. The proposal is about storing "traffic data" which means things like From and To addresses, request URLs, and so on. Now even URLs can reveal quite a lot of information, but not so much as the whole session.

Re:Encrypt your data/files

[jargonCCNA]

I think you missed the point. Encryption of your local files is a moot point if the data being transmitted is what's being retained.

That's not to say that encrypting your files isn't a good idea, just irrelevant in this case. Use of PGP/GPG for email, however.. in this case, is a bloody well fantastic idea. If everyone you communicate with has a key pair, you just have to remember to encrypt (and, if you aren't completely braindead, sign) everything you send and you'll have one less things to worry about. Keeping your web traffic under wraps might be a little more difficult.

I just need to find a cheapass CA (or track down the requisite software to do it myself) and I'd be happy as a clam. Of course, the challenge would be convincing everyone I know to start using it, as well. Although, at least that way I could make a certificate for my own servers so that, when I eventually do get my own server up and running, I can keep all traffic using https.

not that bad

[retards]

First, this is an invitation to discussion.

Second, it states that data should be kept only as long as needed for billing and such, unless there is a specific request from the authorities to keep other data (and only data from the date of the request onwards). The text lists valid reasons for retention as investigations and prosecutions, so a lot hangs on the fairness of the legal process.

This is not necessarily a bad thing, the authorities should be allowed to look for evidence in a criminal case. However, they should have to get a warrant to do it.

Encrypt if you are paranoid. Scratch that, always encrypt so it becomes commonplace before some moron calls for its criminalization.

Re:This is new....

Hrmf. WTF are you even talking about? Something like this tried in the USA would result in a ton of out-of-work Congress folks. The EU, on the other hand, has already proven that it will vote however it wants, regardless of how the actual people in the member countries feel about things (the patent issue). That's what you get for being represented in the EU by appointees. That's also what you get for believing in the compete-with-the-US propaganda that got you the EU in the first place.

Instead of storing all that data, the EU should just ask the CIA for the data nicely. :P

you've missed something...

[tuxette]

Second, it states that data should be kept only as long as needed for billing and such, unless there is a specific request from the authorities to keep other data (and only data from the date of the request onwards).

This is the way things are now. The proposal is to keep all traffic data for at least a year, if not longer. I've read in some places that they want to keep data for up to seven (!!) years!

Re:you've missed something...

[jawtheshark]

Seven years? Do these people know what kind of storage one would need for that? I don't think so... Plus, it has to be easily searchable to have any kind of value.

I have worked for banks: they are required to store all important paper from the last X years (could be 7 or so). I've seen these storages, not very practical. Many banks are now digitizing this stuff, but thats a lot of work. Here we're not talking about paper, but about Audio...

Re:you've missed something...

[kesuki]

Seven years worth of 100% internet data archive would require 6.1299821634635554334333881086012e+223 bytes of data storage. that's
1.4272476927059598810582859694494e+212 400 GB HDs
This is assuming growth rate trends etc..
Okay I admit it I pulled the number outa my ass,
I started with the number of pages indexed by google, 8,000,000,000 then assumed for each page linked to google 100 pages weren't directly linked to google I then assumed that each page took an average of 100k (some taking more some taking less) I then assumed that the internet doubled in size every year for 7 years. I also for good measure assumed that e-mail/im/irc/p2p traffic made up at least as much traffic data as the entire world wide web by itself. I then devided my first number by the number of bytes in a 400GB HDD (since that is the largest individual data storage unit I'm aware of) to come to the insanely impossible size of storing the entire internet for 7 years.
Yes i'm bored.

Re:EU 1984?

[WIAKywbfatw]

I love it when people set up new accounts so that they can troll without prejudice.

See what small-print does...

[Ev0lution]

Article 19 of the Universal Declaration of Human Rights:

Everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers.

Can't really argue with that, but in in the European Convention on Human Rights it becomes

Article 8:

1. Everyone has the right to freedom of expression. This right shall include freedom to hold opinions and to receive and impart information and ideas without interference by public authority and regardless of frontiers.

2. The exercise of these freedoms, since it carries with it duties and responsibilities, may be subject to such formalities, conditions, restrictions or penalties as are prescribed by law and are necessary in a democratic society, in the interests of national security, territorial integrity or public safety, for the prevention of disorder or crime, for the protection of health or morals, for the protection of the reputation or rights of others, for preventing the disclosure of information received in confidence, or for maintaining the authority and impartiality of the judiciary.

Just cry "crime and terrorism" and that small-print in 8(2) takes it away again...

Re:See what small-print does...

[CrimsonAvenger]

Article 29 (2) of the Universal Declaration of Human Rights:

In the exercise of his rights and freedoms, everyone shall be subject only to such limitations as are determined by law solely for the purpose of securing due recognition and respect for the rights and freedoms of others and of meeting the just requirements of morality, public order and the general welfare in a democratic society.

is enough of a qualifier that you could get away with most anything, if you were to make a serious effort.

Including this. I think any lawmaker worth his salt could make this an issue of "public order and the general welfare" without too much trouble.

That's the trouble with Rights with qualifiers attached - it's so easy to stretch those qualifiers, an inch at a time, till they cover the whole elephant.

Re:Storage for all those conversations

[tuxette]

And...um...who is the party providing or paying for all the storage and backups-handling to retain all these conversations?

This is one of the main reasons why telecom companies are opposed to long-term storage of data. They're the ones who are going to have to foot the bill, as politicians would never raise taxes to pay for this. The burden of costs will end up on the consumer, which in the long run is bad for business, profits, etc.

If you're not a terrorist, go ahead and encrypt...

[QuietRiot]

If you value your privacy (and that of others you communicate with - which can be more important than your own!) be sure to exercise your rights.

Encourage the use of the OpenPGP standard by supplying others with your public key and encouraging them to use it.

Using encryption does not often complicate traffic analysis, but it can keep them from reading your private communications. Be sure to remind people that email subject lines are not encrypted and should be condidered carefully. I often use something like

Subject: This space intentionally left ______________

Here's some boilerplate: [there's breakage on the 5th link - be sure to correct]

:: E M A I L ::

Do consider Thunderbird

http://www.mozilla.com/products/thunderbird/
http://www.mozilla.com/products/thunderbird/why/

for both yourself and your clients. It's really a wonderful product
and has spam handling built right in. Unlike Outlook(TM) it is open
about where it keeps your email (not hidden and difficult to export)
and is not so susceptible to worms and email nastiness such as scripts
that run without hindrance. Many a spyware app has been installed
further contributing to the spam problem due to people running just
that piece of software. Don't help the spammers. Reclaim your inbox.

It supports Enigmail: ( email envelopes you don't have to lick! )
http://enigmail.mozdev.org/
http://www.moztips.com/index.php?id=87
http://dudu.dyn.2-h.org/nist/gpg-enigmail-howto.ph p

I've attached my public key [ 0xYOUR_FINGERPRINT ]. I prefer to receive
secure mail. I've got nothing to hide, but I don't like using
postcards for all my USPS/post correspondence either. Regular email is
like using postcards on the internet. Any postal worker along the way
can take a look ( have a look at email "headers" sometime; every hop
you see is a place where your email is stored on a hard drive. )
Please use an envelope when communicating with me. It won't even cost
you a stamp. I value your privacy as much as I hope you value mine.

How to Get Encryption Going on Windows

There's no need to keep my public key a secret. Feel free to give
it away or put it on a telephone pole; write it in the sky if you'd
like. It's available on the web. The more people that have it the
better. Use it to seal your envelopes when sending me mail. I've got
the only other matching key (my private key, opposite the public key
I've given to you) that allows me to unlock the envelope. You can
even lock an envelope so that multiple people can unlock it on their
own, but nobody else can read what you've sent them.

You can also find keys for me here:

http://www.biglumber.com

Please try it out. Be glad to help you get started.

Just flood it

[KiloByte]

So... what about writing a P2P app over SMTP, just to clog down the bastards?

Re:Just flood it

[paulhar]

SMTP is designed with delays in mind; it may take minutes or hours for a message to get to someone (or - even - days).

Tunneling via https would be more sensible and would allow us all to use P2P through firewalls, corporate blockages etc (assuming it was designed cleverly enough to hide the fact it's p2p traffic)

It won't work

[bogaboga]

My view is that this will not work! Consider this: Terrorists have been known to communicate using wierd and unconventional means. A case can be made this way: -

They might communicate by using say plain English mentioning good harvests or talking about recent events, yet the meaning could be that material was delivered or that "their latest mission" was successful or otherwise.

A terrorist's message could be..."Did you hear about thet flood that made people's lives in country X very miserable..."? The hidden message to this would be that "next month will be a crucial one."

They could even send out bogus messages so that the Europeans and the CIA can "waste time" on them. After all, it's known fact that the Americans have tens of thousands of text and audio they just do not know how to handle. They are simply overwhelmed! I know, and the CIA does, that much of this is just bogus!

Guys, this just won't work. The best way to fight terrorism is to be "FAIR" to the world or be seen to be fair. This way terrorists will find very few sympathizers.

Re:It won't work

A terrorist's message could be..."Did you hear about thet flood that made people's lives in country X very miserable..."? The hidden message to this would be that "next month will be a crucial one."

You underestimate the intelligence agencies, and the resources they have access to (I'm talking brain-power, not CPU-power). I suggest you read The Code Book by Simon Singh. If you think that using simple word substitition would make your communication secure then you've got a lot to learn. Once you've read about Charles Babbage you'll never think of word substition ciphers in the same way again..

Sure, word substitution in one message may be somewhat secure, but if you start sending more messages using the same system, then you can be pretty confident that someone will break your "cipher" system.

It's all about the priorities...

[ShatteredDream]

Europe is so concerned about for-profit corporations keeping personal information, but not national governments. Isn't it ironic, the worst the corporations can do to you is annoy you at dinner time and be intrusive with their advertising. The worst the state can do in Europe is put you behind bars for life. Now, which is the lesser of the two evils to have keeping personal information about you?

Personally, I'd take the corporations any day over the U.S. Government. But what do I know? I'm just an American capitalist...

Re:It's all about the priorities...

[NormalVisual]

Practically, does it make a difference? Most (not all) companies will turn over whatever information they have about you to the government if they have even so much as a pen pointed in their direction. About the only time you'll see a company refuse a government request for a customer's data is if they feel it will somehow be financially beneficial to do so.

Don't forget eBay's statement from last year: "If you are a law-enforcement officer, all you have to do is send us a fax with a request for information, and ask about the person behind the seller's identity number, and we will provide you with his name, address, sales history and other details--all without having to produce a court order."

Re:It's all about the priorities...

Some governments are just a group of corporations.
Hollywood shouldn't be able to do its bidding in
Finland.

Tips on running a successful Freenet node

[QuietRiot]

If you're not a terrorist, find help on getting setup with Freenet here: http://slashdot.org/comments.pl?sid=127703&cid=106 69904

Info on FreeMail as well. Totally anonymous and encrypted mail system: http://slashdot.org/comments.pl?sid=127703&cid=106 81546

countries looking?

That is so cute. I can picture a nice little country peering at charts over a nice pair of granny glasses.

Seriously, get with it. The political leaders of countries wanting to join are all sold the to idea, who in those countries gets to say otherwise?

The case of the Ukraine is a great example.
The democratic movement there is about as convincing as the weapons of mass desctuction lies.

Re:EU 1984?

[AndreySeven]

The EU is getting to be a huge economic power, and one of the appeals is having a common single market. The EU has the largest economy in the world right now, so not joining may hurt a country.

UBI?

[maxgilead]

Each time I hear such proposals I think about how easy it would be to bomb it, at least in cases of smaller and medium-sized ISPs -- what if I start sending 100MB /dev/urandom dumps to my other remote mail accounts? With high enough bandwidth and persistent users I doubt anyone would be able to keep up with it. So what then? They'll limit amount of traffic we can generate just so we could be spied upon conveniently?

(yeah, and after two days of sending those dumps UBI (Union Bureau of Investigation?) will knock on your door ;-) )

Re:UBI?

[maxgilead]

Similar. Currently limitations are set by ISPs and in most cases you can buy better service to get higher limits or no limits at all. What I had in mind were limitations set by law and enforced by law.

Re:If you're not a terrorist, go ahead and encrypt

[Xenna]

Don't forget that Thunderbird suppports s/Mime encryption and signatures out of the box. So do Outlook (Express), Netscape & Mozilla.

So if you want to keep compatibility with friends using 'that other product' that doesn't have a PGP plugin, s/Mime might not be a bad idea. AFAIK it's as secure as SSL.

You need a signed certificate that can be obtained free of charge from Thawte:

http://www.thawte.com/email/index.html

X.

It affects more than just the EU

[Antony-Kyre]

It affects anyone sending data over there as it would log the incoming stuff too. I hope that makes sense.

Tell me, Mr. EU,

[Darren+Winsper]

what good is data retention, when you are unable to decrypt it?

Re:Tell me, Mr. EU,

[Anne+Thwacks]

I cant speak for the rest of the EU, but here in the UK, it is illegal to encrypt personal communications over radio links or the telephone, except using devices that the government can crak (and that needs a licnece so they know they can crack it).

And that includes messages encrypted using codes like "Mission completed" means "I have sold my old Ford and bought a BMW instead".

Most laws are unenforceable. Its about 200 years since Dickens said "The Law is an Ass", and it definitely has NOT got better.

Re:Tell me, Mr. EU,

[Darren+Winsper]

Yup, and I'll hate Jack Straw for the RIP Act until my dying day, where I'll be too concerned that I'm about to die to hate him specifically.

Re:Tell me, Mr. EU,

[maxwell+demon]

I cant speak for the rest of the EU, but here in the UK, it is illegal to encrypt personal communications over radio links or the telephone, except using devices that the government can crak (and that needs a licnece so they know they can crack it).

And that includes messages encrypted using codes like "Mission completed" means "I have sold my old Ford and bought a BMW instead".

Does it also include using codes like "Sorry, I'd really like to come to your party, but I don't have the time." for "Your parties are that boring that I'm using every excuse to not go there."?

Re:This is new....

[__aaclcg7560]

Something like this tried in the USA would result in a ton of out-of-work Congress folks.

It would probably result in more lawsuits against corporate management.

One company I worked for had a mailing list for the Counter-Strike gamers that often became a bitch session between lower management and the workers. Whenever one of these lower management folks gave me a hard time, I always pull out an email that they written to the list and reminded them how HR would feel about the email. Upper management shut down the list when they realized that lower management painted itself into a corner that paralyzed them. Turns out HR didn't like those emails after all. :)

There's a lot of dirty laundry to be had in corporate emails. Especially if a company is require to hang on to it indefinitely.

What's next?

[littleRedFriend]

The government will install a high resolution 24/7 webcam in your bedroom, feed all the footage over the internet and store it for ever? Just to make sure that nothing is said there that could be connected to criminal or terrosist activity. Anyway if your a good, well behaved, citizen you have nothing to worry about because you have nothing to hide, right? In my opinion we're all being held hostage by criminals and terrorist.

As well, history has repeatedly shown that it is just a very small step from storing personal information to abusing it to repress the masses. Maybe good intentions, but very dumb dumb people.

Those that are willing to trade freedom for security, will get none and deserve neither !

Re:What's next?

[SW6]

The government will install a high resolution 24/7 webcam in your bedroom, feed all the footage over the internet and store it for ever?

Oh no, the gummint will realise I Don't Get Any. Like this is any sort of secret...

Re:Tools - But Even Then...

[ControlFreal]

In The Netherlands (and also the UK), a person can be forced to assist the authorities to decrypt information (i.e. supplying them with the key). If you refuse to cooperate, you could face a hefty fine, or be put in prison (depending on whether the police, or the intelligence services give the order).

The only alternative seems to be anonymous multi-hop networks that use onion routing; in those cases, you cannot cooperate (when it's not your own communication), since you don't have the key. And on top: purely from network traffic, eavesdroppers cannot determine whether a given packet is yours or (more likely) someone elses. These networks exist, but are still in their infancy; they don't support a full /. crowd yet. So I won't mention the name here; if you're savvy enough, you'll find its name on Google (maybe) or Freenet (certainly).

The whole terrorism witchhunt has seen 1984 approach rapidly. This must be fought. If it happens anyway, at least I can sleep with a clear conscience, since I fought in the war...

smells of 80's eastern europe

[dresseduptoday]

When I grew up, in the 70s and 80's, the eastern European countries were scorned for their obvious distrust in its own people, since copies were kept of phone conversations and letters. Still we're horrified by the vast archives of Stasi, Securitate and similar organisations. Yet, what we're about to introduce goes so much further. Is it only because it's so easy to do with electronic information that it feels OK to do so? I have a feeling that it would not be appreciated to suggest a legislation to make copies of all snail mail and store for use in fight against crime and terrorism. _ /Bjorn.

Re:smells of 80's eastern europe

[liangzai]

Is it only because it's so easy to do with electronic information that it feels OK to do so?

No, it is OK to do so because we, the government, are your benevolent servant. We know what is best for you, and you can trust us. After all, we are democratic institutions with a long history of serving our subjetcs. Since we are democratic, we can turn to measures previosuly abused in Communist countries, without any risk whatsoever that integrity will be compromised. This is social engineering at its best!

Furthermore, we, the democratic governments of the European union, naturally subscribe to the human rights declarations and all, just that we need to modify it a bit to make it work in a European framework. After all, we are not freedom of expression fundamentalists like the Americans, and we don't really need a constitution for anything than else but to use as parliament toilet paper, or to quote at fashionable political international gatherings (for instance to cram it up Hu Jintaos ass when we need to press China for better investment deals).

And for your information: Communism is DEAD! You have no alternatives any longer, so we don't really need to put up a good side to contrast with the evil, since there is no evil. We are all good, we all want your best, we all know what is best for you. You can trust us.

Re:smells of 80's eastern europe

[crummynz]

So... two options, then?

The EU where you have "freedom of speech, as long as its what we want you to talk about."
And the US where you have "freedom of speech, as long as its in a freedom of speech zone."

Free S/MIME certs

[QuietRiot]

Very good indeed. I'd suggest trying OpenPGP on people (I like _distributed_ over _centralized_) and if they don't bite you can try to get them to use S/MIME. The no-extra-work factor will help in many cases indeed.

Free certs can be had at CAcert.org as well. Not only will they give you a free email cert, they'll give you a SSL cert for your web site, sign your PGP/GPG keys with their signature and they even allow you to login to the site with a certificate (no password needed to update your info or login to renew cert, etc.)

More resources?? - Reply with links please!

Probable Cause?

[Apathetic1]

Is it not necessary to have probable cause and a warrant in order to demand that information be decrypted? Arbitrary e-mail monitoring seems intrusive and counter-productive since the problem such legislation seems to be trying to solve is lack of information, where one of the main issues facing police and intelligence agencies is the inability to sift through the massive quantities of information already available to find what's relevant.

Re:Probable Cause?

[DrSkwid]

in the UK they wanted to give civil servants arbitrary access, that means the guy in the social security office could just tap your name in and browse your emails, sans warrant, sans anything, just if he felt like it

luckily it was quashed but not without quite an effort

Re:Probable Cause?

[tolan-b]

Only some of it was quashed wasn't it? IIRC pretty low level people, outside the police and intelligence agencies, investigating fairly minor crimes can still request the information.

Also there's the fact that MI5 got their bulk monitoring thing introduced in an amendment a few months after RIPA passed, after dropping it because the bill was going to be defeated because of it...

Re:This is new....

[TheRealSync]

That's also what you get for believing in the compete-with-the-US propaganda that got you the EU in the first place.

Well now, there are quite a lot of other reasons for getting the EU - actually the main reason for starting this in the first place, is to prevent future wars.

European countries have been fighting each other for as long as anyone can recall - making the countries depend on each other for sales purposes is a stroke of genius; most wars are about money/power, but nobody as lobbying for war agains a country which is a big customer of whatever product you might be selling.

It has been said a million times before....

[tc3driver]

and I am going to say it again!

They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.

Benjamin Franklin To the world governments:

Please Leave us ALONE. Your forms of protection, infringe on our freedoms, maybe there wouldn't be a terrorist issue if you weren't so controling. Maybe if you didn't try to impose your morals on the rest of the world, there would be no reason to "rise up against $nation".

Where, at what point, did things go wrong?

I really don't know, but as long as there are more than 2 beings in exsistance, one will try to dominate.

Re:It has been said a million times before....

[16K+Ram+Pack]

I think it went wrong when people stopped accepting death and risk as the stuff of life, and that they should have a risk-free existence and everything is the government's fault.

Re:EU 1984?

The EU has the largest economy in the world right now, so not joining may hurt a country.

There are other markets, and for the time being, you can still trade with the EU, even if you're not a member, can't you? Or are they to the point where they try to blackmail countries into joining?

The danger of the EU isn't in it becoming a great economic power, it's in it turning into a political organization, which it will do, if left unchecked. If the EU decides that it's for the best if Country X shuts down all its farmland and converts to manufacturing, then farmers will lose their land under eminent domain and be forced to either move somewhere else or become factory workers. With enough economic power and a little bit of political power, it's a Socialist organization in everything but name. If that's what the people want, then it's none of my business to say otherwise, because I'm not in any danger of ever falling under the EU, but the people won't have a say in it whether they want it or not.

Government gets me thinking.

[hell_for_leather]

I have to thank the people who are bringing out this legislation. This is exactly the type of thing that motivates me into learning new topics like encryption and so forth. I haven't thought much about encryting my communications or data up until right now.
As soon as they put obstacles in our way we must find ways around them.

Where has this data been used before?

[goneutt]

I'm thinking about the past record of using telephone records and e-mail records have been usefull before. As far as all the encryption, I think the idea is to keep track of the TO: and FROM: lines, as well as maybe the subject lines, so only encrypt as far as your paranoia takes you.
I think most of this data has been used after the fact, when they have a starting point and want to find out who a person has been communicating with. I don't think this will make anyone safer, but it might be handy after the fact to help string up scape goats.

I feel sorry for you Brits. That law about having to assist police in accessing encrypted data sucks. Over here we have the 5th ammendment, something most people didn't know about till the OJ Simpson trial.

Re:Where has this data been used before?

[SenseiLeNoir]

That sucky law has not been enforceable, and in practice, noone gives two monkeys, police included.

Probable Cause

[Apathetic1]

From the article you posted it looks like the legislation is intended to give the police the right to decrypt communications they've already intercepted as part of an investigation. Can they do this without a warrant? If they can't, what's the problem?

Re:Probable Cause

[julesh]

From the article you posted it looks like the legislation is intended to give the police the right to decrypt communications they've already intercepted as part of an investigation. Can they do this without a warrant? If they can't, what's the problem?

They're allowed to issue their own orders. There is no judicial oversight of the process. The requirement for evidence that you actually can comply with the order is that they show reasonable grounds to believe it, not that they prove it beyond reasonable doubt.

Nobody cares...

[tcdk]

I try not to rant and rave about this, to my non-nerd friends, but sometimes I just can't help my self... but it seems nobody really cares. They will just mumble something like "but think about the children" and surrender their freedom. Damn.

Anyway, I've all but given up, except I digitally sign (s/mime) all my mails and I've a pgp key that I'll use when requested.

Now digitally signing my mails may not seem like much, but I don't know a single other person (Nerds/Geeks or not) that has a digital signature, so I can't encrypt (I've one work colleage with a pgp key). But sometimes somebody asks me what that strange symbol by my mail is about and I have an opening to talk a bit about security (I often add something about spam), but I still haven't managed to get a single other person to get a digital signature.

Not that I've anything sinister to mail about, but I just want to keep those NSA servers busy. Trying to break a 2048bit key, just to get to a message about soup.

Re:Nobody cares...

[Phil+Karn]

It's now easier than ever before to routinely encrypt the bulk of your own IP traffic. These steps can make passive eavesdropping of your broadband connection a lot less interesting:

Select the SSL/TLS options on your SMTP, IMAP and POP sessions to your mailserver. Mozilla/Thunderbird has full support for SSL/TLS, and I think most other modern email clients do as well.

If your mailservers don't support SSL/TLS, ask the admins to enable it. If they refuse, switch to ISPs that do. (Speakeasy supports SSL/TLS for IMAP and SMTP.)

Run your own personal SMTP server and enable the STARTTLS option. Most SMTP senders -- even many spammers! -- will automatically invoke the STARTTLS option if the server advertises it. This finally turns spam into something useful -- a constant background stream of encrypted fill traffic from all over the planet. What better way to thwart traffic analysis?

Configure your own webservers to support https. Make it available for all your webpages, not just the "sensitive" ones.

Use SSH for all remote login/file transfer between machines on which you have accounts.

Web surf over a SSH tunnel into a shared proxy cache with logging turned off.

Set up IPSEC in opportunistic mode.

If you have a flat-rate broadband connection, run background scripts to ship big random files to your friends with various P2P applications. Set up a traffic-shaping router and configure it to give low priority to P2P traffic so it won't bother your foreground activities.

Sure, it would be a lot better if you could convince everybody you exchange email with to encrypt everything on an end-to-end basis with S/MIME or GPG/PGP, but this stuff is quite doable and it's a lot better than just giving up on your privacy and security.

Re:Nobody cares...

[Insanity]

It's not that no one cares, it's that no one cares enough to make sense of the mess that is encryption.

Here's a scenario: I communicate via email a bit. Most of what I say isn't really sensitive, but I still wouldn't like the whole world to know about it. I know that in theory anyone can read my email, but I also know that no one cares about me; I'm lost in a sea of faceless unimportant people. De facto anonymous, if you will.

Good enough, but being somewhat politically conscious as a result of spending all this time on slashdot, I decide to look at encryption. I have a basic understanding of public and private key cryptography. Yet, what I encounter is byzantine in its complexity.

I need a certificate? What? Why? What does verifying my identity have to do with scrambling my messages? Fingerprints, signatures, expiry dates, revocation, degrees of trust... what is all this shit?

Given that I'm the sort who's looking into encryption, I'm a little bit technically inclined. Just enough that I don't really want to use something that I don't understand. Since this isn't really an issue of life-or-death importance, I give up on encryption and go back to de-facto anonymity, which was good enough anyway.

I just described my experience with PGP. Until someone actually puts together something that explains how this whole mess works, I'm staying well away from encryption.

It seems to me that encryption is mixed with identity verification in an incomprehensible mess, when all I want is something that transparently scrambles messages on my end and unscrambles them on the other. That's not too much to ask, I think.

As a counterexample, consider SecureIM, as implemented in Miranda. I downloaded a plugin and told a friend to do the same. In a matter of seconds, we were passing encrypted messages between each other. No passwords, no certificates... totally painless. Is it secure? I don't know... It's based on tested and studied algorithms, and I trust the author's implementation implicitly. I'd imagine that if the NSA wanted to read about my day-to-day life, they could, but with some effort. That's not really the point anyway; it's better than plaintext, and almost certainly not practical to decrypt and analyze in an automated system like Echelon. It's good enough.

If secureIM came with miranda, rather than being installed as a plugin, I might use it and never even know of its existence. If it were implemented by default in MSN and ICQ, all IM would be encrypted and the users would never have to know. That's the right way to do encryption.

Re:Nobody cares...

[tuxette]

I try not to rant and rave about this, to my non-nerd friends, but sometimes I just can't help my self... but it seems nobody really cares. They will just mumble something like "but think about the children" and surrender their freedom. Damn.

People will care if they knew about and fully understood what's at stake. Unfortunately, the people who "know and understand" do an extremely poor job at informing and appealing to the masses. Sorry, but the tin foil hat look has never been or ever will be in.

Re:Nobody cares...

[kesuki]

"but think about the children"
Anytime a non geek mutter that to you the rebuttal is. "is (insert politician name here) 'thinking' about the children when he supported allowing the national debt to soar to over 70% of the GDP of the united states of america?"
Think about the children my ass. This about power, and control. not 'the children' Unless they're good for a photo op the politians couldn't give a damn about the children. They do everything for their own selfish needs to wild power over the masses. the 'benefit' of the masses and the children is truly the last thing on the minds of any politician.
If they try to make the national debt's growth seem insignifigant, then just point to the osama bin laden tape where he 'enourages' terrorists 'to bankrupt the americans'
Let me tell you exactly what would happen if america defaulted on it's national debts, for anyone trying to say 'we can always default' first off, ever global stock market in the world will drop to 10% of it's previous day's value*. Every market in the world. a TOTAL GLOBAL ECONOMIC CRASH
we're not talking 'the great depression' big here, we're talking 'the great depression'^3. global starvation, global riots, global chaos. a world war. possible nuclear annhilation. Remember as part of a default every government employee gets a 'big fat 0' all federal govt retirement plans get dissolved too, and hey all those federal grants to the states? those all go away... many states would go default as a direct result of the federal goverment going belly up. you think it's tough to get a job now? imagine if uneployment was 75%...
in some areas it would be after a Us ferderal default... all those contractors would lay off everybody the day they heard. Of course a lot of this is assuming a federal default were to happen 'by surprize' because say, noone would lend america so much as another dollar. if a defalt were planned, the kind of chaos and catastrophy would not ensue, as the markets would have already had a 'black monday' when the rumours of the default proved to be a real valid plan.. and the unemployment would still happen, and hell people in LA would riot just to riot. But it's the kind of thing that would cause at a minimum a recession, if not a full blown depression--No matter how well planned out it was.

You do not want to go back on your word about 8 trillion dollars. plain and simple. Whole nations get slaughtered over a fraction of that...

*= which is because once the collapse starts, everone who isn't stupid pulls thier money, and that causes a dominoe effect, and unlike the 'bubble' finacial anylists trying to sucker you into keeping your money in the market, won't be doing any holding of thier own, they'll be getting out of the markets themselves! Afterall the markets will recover a bit after the crash, if you pull out soon enough, and buy the right stocks at the right time you could double or triple your money easily with a 10x factor of fortune making not impossible under those scenarios...

A few numbers

[Spad]

For the sake of argument, ignoring phone records, etc and just focusing on the internet.

There are over 100 million broadband users in the EU - plus countless milllions of dialup users - but we'll ignore the dialuppers too for the moment.

Now I download about 300Gb/year and upload about half that. So we'll say about 400Gb/year of traffic. Now I know that they only have to log the traffic and not store everything I download/upload (although that would make for a more amusing example) so let's make it 1/10th of that actually required to log all my data (40Gb).

That's 3.7 Exabytes of data per year for all the broadband users in the EU alone. Assuming they haven't changed the proposal too much since I last read it, they required storage of data for 7 years, that's ~26 Exabytes of storage required to hold all this stuff.

How the hell do you find anything of use in 26 exabytes of data?

Re:A few numbers

[La+Camiseta]

Simple, with several 10 exabyte indexes. After all, the size is more than cut in half, so it should be exponentially quicker.

Re:A few numbers

[cybertears]

google desktop search, obviously.

Re:A few numbers

[pe1chl]

You miss the fact that there is no requirement to keep the actual data.
You need to keep traffic logs. That is not the 300GB/year that you download, but the list of files that you download. Assuming that the average file is larger than its name, this is substantially less data.

Re:A few numbers

[Spad]

And you miss the half-paragraph that I devoted to this fact

Now I know that they only have to log the traffic and not store everything I download/upload (although that would make for a more amusing example) so let's make it 1/10th of that actually required to log all my data (40Gb).

Now even assuming that each user only generates 40Mb of data a year in logs - which is rubbish as my firewall logs alone are 200Mb+ a day - you're still looking at 26 Petabytes of data, which just as impractical to sift through.

Re:EU 1984?

[mrjb]

> It seems the EU is becoming less and less appealing... Yups, the EU is becoming more and more like the United States. They're really taking a good look and copying all the bad things.

Re:Encrypt your data/files

[Dr_Barnowl]

The US government were originally so afraid of PGP that they imprisoned its author for "trafficing arms". It's probably the most peer-reviewed encryption software in the world.

I'd rather trust PGP than any government-recommended scheme any day. Take Clipper ; the inbuilt key escrow killed it from day one - even PHBs were not going to bend over for that one, given the record of gov.us in the matter of taking foreign trade secrets by surveillance and using them to benefit domestic companies.

will this be enough?

[appleLaserWriter]

will this be enough to boost seagate's stock price?

A Subject

95% of the terrorism I read about lately are the paranoid laws by the (uber)governments of the world on it's own citizens.

Re:EU 1984?

[Alioth]

The EU is about as democratic as the former Soviet Union. The European Parliament is almost powerless, and the national governments are almost powerless against new European legislation. Those in the US who are thinking Europe's getting it right are sadly wrong.

Re:EU 1984?

[Ulven]

You second paragraph makes me laugh. You sound as if the royalty and 'nobles' are a ruling elite. All the countries I can think of in the EU that have a monarchy have a constitutional monarchy. The monarch is purely a ceremonial figurehead. As for the nobles, it's just a title. Our landlord is a 'Sir Charles' and it means nothing.

I happen to think this is a better system than that in the US where the head of state is also the head of government. This way we can revile the government without being called unpatriotic and having mobs burn our cds and send us hate mail.

Re:If you're not a terrorist, go ahead and encrypt

[Alioth]

How to avoid breakage on links on Slashdot:

Just enclose them in a <URL:....> tag. It's quick. It's easy. It gives a working link without spurious spaces. Look at the example in "URLs" below the text box when you next post a Slashdot message.

Re:EU 1984?

[16K+Ram+Pack]

I sometimes wonder if there's a new land of opportunity. The US and Europe are both getting more and more knackered.

India maybe?

backup

finally, a real backup solution for my personal data

Re:backup

[kraut]

You laugh, but under the UK Data Protection Act an organisation that stores personal data on you must tell you what it is so you can check it. So in theory, you could use that to get your data back....

Re:EU 1984?

[AndreySeven]

Its a good thing they have a country like the US to shift the attention away from them, otherwise the citizens would not be so happy.

This is totaly unrelated to what I just said, but check out this old story(sorry if already covered):

http://www.foxnews.com/story/0,2933,97538,00.html

Wrong numbers

[AndreySeven]

I think some posters are overestimating the numbers. Here is what the post says:

...require EU service operators to retain data about telephone calls and e-mails as part of an overall fight against crime and terrorism. The retained data would not only consist of logs, but of entire conversations and contents of the e-mails and SMS messages.

So the are talking about SMS messages, emails and phone data. calculating the entire badwidth usage is extreme, since they will not store everything. This makes it more feasible, and thus- a bigger reason to worry...

Re:Wrong numbers

[Spad]

In the UK alone, over 20 billion SMS messages are sent each year. Which means over the whole of the EU you're looking at at least 10 times that number.

That's 200 Billion SMS messages, times 7 years. Even at only 1kb per message, that's 1.3 Petabytes just for SMS messages - and that's a conservative estimate.

Re:Wrong numbers

[IWannaBeAnAC]

Your numbers imply you are using the british definition of billion, ie. 10^12. But 2 x 10^13 sounds way too high for the number of SMS messages sent in Britain per year, it corresponds to an average of over 30 SMS messages for every man, woman and child in the country per day. Did you mean 2x10^10 messages instead?

Copyright?

[rsilvergun]

If I transmitt my copyrighted works over my ISP's network, do they have a right to keep that data on file if it just went through their server's cache? I know, it's a moot point. They'll be exceptions for this sort of thing and it doesn't have any practical meaning (aside from the occasional sys admin skimming data), but it's fun to annoy bueracrats with this kinda question :).

Re:Tools - But Even Then...

[andrewscraig]

Presumably, it is possible to have an encryption algorithm such that :

encrypt(x,y,k1,k2) = z;
decrypt(z,k1) = x;
decrypt(z,k2) = y;

Then when the government asks you for the key, you can provide k2, and provide them with only the 'y' part of the conversation? This could be any old document. It is up to the government to prove that k1 even exists?

Just a thought...

Re:Sure. Great.

[pe1rxq]

You are forgetting that there is a big difference between logging everything and actually showing up at your house. They might have power but they usually need a reason to actually take action.

Jeroen

Re:Encrypt your data/files

[gtoomey]

No, you missed the point.

Transmitting emails using PGP is one way to keep your information private. Encrypting disks just adds to your privacy by making personal information private as well.

With all the litigation thats going on, including raids on Kazza & IndyMedia servers, keeping information private is a serious concern.

Hmmm

[tarunthegreat2]

What good is anal retention, when you are unable to decrypt it?

Re:Encrypt your data/files

[jargonCCNA]

Ahh yes, but your original message gave the impression that you were referring solely to the abilities of PGPDisk.

Furthermore, regarding the raids on KaZaA and IndyMedia servers, the fact that the physical locations of these servers was made available could not possibly be the fault of the operators of the servers; it's that the ISPs were pressured/subpoenad (sp?) into revealing said information.

Re:Tools - But Even Then...

[Ibix]

Presumably, it is possible to have an encryption algorithm such that :

encrypt(x,y,k1,k2) = z;
decrypt(z,k1) = x;
decrypt(z,k2) = y;

Then when the government asks you for the key, you can provide k2, and provide them with only the 'y' part of the conversation? This could be any old document. It is up to the government to prove that k1 even exists?

I have no idea if this is possible, but it's irrelevant, sadly. If I understand the Regulation of Investigatory Powers Act correctly, then no, it's encumbent on you to prove that k1 does not exist and (even if it did) that you don't have it.

I always thought it should be easy to get the RIP Act changed - find out who wouldn't vote it down, plant some encrypted child porn on their computers and arrest them for not giving up the key when the police come knocking. Unfortunately it would require someone with the will to change the RIP act in power to order the cops, but I like the poetic justice of the thought.

I

France and encryption

[Uukrul]

Before 1999:
As in the United States, France has long classified encryption as a military or dual-use technology, and accordingly restricted its export. It received special treatment in a small flourish appended to the 20-page telecommunications law of December 29, 1990. Article 28 of this law required government permission for any use of encryption.
No immediate action was taken on what the French refer to as "the December 29 law," but six years later a more comprehensive bill was passed. This July 26, 1996 law specifies that users of secret keys must store them with organizations that will furnish them to government officials as needed for crime-fighting purposes, a plan commonly known as "trusted third parties" or (in the United States) as "key escrow," "key recovery," or "government access to keys."
Original article

At this moment France has changed his mind and has raised 40-bit level to 128 bits on civil encryption.

Re:Tools - But Even Then...

[jargonCCNA]

That's doable, though a logistical nightmare. I have a book (though I didn't bring it with me to school.. interesting) that outlines a very basic method of doing it and it really all depended on perfectly wording the ciphertext (which appeared as cleartext) such that one decryption yielded a false cleartext and another yielded the genuine cleartext. After the Christmas break, I'll bring the book back with me, assuming I can find it, and outline it in a journal entry.

Re:Tools - But Even Then...

[andrewscraig]

But that would be madness. That basically means that the UK government could take *any* file on your PC and demand that you decrypt it (even if it is already in cleartext), requiring you prove that it isn't just some fancy encryption algorithm that made the ciphertext look like a Word document, or a system library!

Some particularly malicious government official could potentially generate a keys that translated explorer.exe into child porn and use it as "evidence" against you!

Legislations of this type...

[kataflok]

are rarely intended to accomplish anything. They are intended simply to create precedent for legislation of this nature such that when the real alteration in law comes along (or the real use becomes apparent), no one will notice.

What they haven't even thought about

[Saiai+Hakutyoutani]

What they haven't even thought about is whose data gets stored by whom.

Say Mr. Jones uses his Albania Online connection to send an e-mail to Mr. Smith. Mr. Jones' e-mail server, however, is located on Mbwawanga Island in Mbwamwere, and Mr. Smith's e-mail server resides in his living room.

If we assume that Albania Online is obligated to store all e-mail and voice traffic that even passes through its network for an extended period of time, we can also assume that after said period, there will, of course, be no Albania Online.

I wonder how they're going to solve that?

Re:EU 1984?

[killbill!]

The EU is about as democratic as the former Soviet Union. The European Parliament is almost powerless, and the national governments are almost powerless against new European legislation.

I have a newsflash for you. You are a victim of the old trick that has been repeatedly used by national politicians to pass necessary, but painful reforms: "the EU made me do it". What they don't tell you is that they made the EU make them do it.

The so-called "democratic deficit" in the EU is a myth. The EU executive is currently shared between the European Commission and the European Council.
The Council is made of all of the elected national heads of government, or the appropriate ministers (depending on the issue).
As for the Commission, it is appointed by the heads of government, which is hardly less democratic than, for instance, the (directly elected) French President appointing a Prime Minister from the majority party in the Parliament. Moreover, just as a national government, the European Commission has to be approved by the Parliament. Remember how Mr Santer was forced to resign, or how Mr Barroso was forced to remove contested Commissioners because he'd have failed the confidence vote otherwise?

If you remember the EU software patent debacle, the non-democratic decision (i.e. not giving a flying f#ck about the EU Parliament) was made by the European Council, i.e. the government of the member states that the EU citizens themselves elected!

It is high time the disinformation stopped. While I would welcome a major increase in the Parliament's powers, the EU executive is definitely held accountable. The current situation is not a "democratic deficit", but rather excessive powers in the hand of national heads of state.

By the way, I'd trust the Commission much more than my own national government... Give me a Prodi over a Chirac or a Berlusconi any day.

Re:Encrypt your data/files

[jargonCCNA]

I suppose I'd need to get OpenSSL then. As an extension of that, I do believe I'd also need to have a webserver on this (Windows) machine that doesn't suck donkey dong... which could be hard to do, I have never--ever--had luck getting Apache running on this thing. I don't know why.

Re:Tools - But Even Then...

[jonwil]

The right way to treat encryption is the same way they treat safes and lockboxes.

If the police are searching your house (with a warrant) and they find a safe, there are rules about when they can and cant force you to open that safe.

The same rules should apply to any ecrypted information they find.
For example, if they have an encrypted email or file, the same rules should apply as apply to them finding a safe in your house.

As for this new data retention crap, are the cops going to pay for the huge servers and disks required to hold all this information? And the people to keep everything going?

Is anyone else tired of that Buzz word..

[dBLiSS]

Terrorism has lost all meaning to me now, it's unfortunate that such an awful thing has turned into nothing more then a Buzz word and an excuse for governments to spy on their own people. Everyday I hear about fighting terrorism, and people losing their privacy and rights, I feel like its getting closer and closer to 1984. If people weren't so misguidied in their fear of terrorism then the governments wouldn't have the excuses to enact these laws. Terror kills only a percentage of a percentage of what smoking does, or heart disease or AIDS. Why not take most of the money being spent on fighting terrorism and put it to use fight the REAL killers of the world population, because everyone knows, no matter how much money you through at it humans will still kill humans.

My 2 cent rant.

Re:Is anyone else tired of that Buzz word..

[t_allardyce]

Because only evil degenerates get AIDs! Wheres your sense of freedom?

1984 was about a constant war as an excuse to keep people in check, we've already arrived - the war on terror can never be declared over because terrorism is a noun, not something you can defeat, notice how it could have been called the war on Al-Qaeda? a slightly more realistic goal. This is Bush's pathetic little buzzword thats been adopted by every government around the world, its never going to go away and its defination is always going to become broader.

Re:Is anyone else tired of that Buzz word..

[t_allardyce]

Ho Ho Ho! Not a bad start eh?

Re:Tools - But Even Then...

[SquadBoy]

Something like this. http://www.mirrors.wiretapped.net/security/cryptog raphy/filesystems/rubberhose/rubberhose-README.txt
although the main site seems to have gone away.

Re:Or...

[symbolic]

the Patriot Act

Re:Tools - But Even Then...

[russint]

In The Netherlands (and also the UK), a person can be forced to assist the authorities to decrypt information (i.e. supplying them with the key). If you refuse to cooperate, you could face a hefty fine, or be put in prison (depending on whether the police, or the intelligence services give the order).

Heh, it still probably beats going to jail for whatever the police/intelligence services may have found on you harddrive.

Re:Tools - But Even Then...

[kraut]

Yes, in the UK, under the RIP act, you can be sentenced to moderate jail time for not giving up your key. This is supposed to stop terrorists, child molesters and drug smugglers from using encryption.

Of course, any drug-smuggling terrorists with a penchant for child-molesting will immediately surrender the keys to incriminating information. Why would he take up to three years vacation at her Majesty's pleasure for encryption, when he could easily get 18-25 or even life for his real offences?

It's because of well thought out, useful laws like this that crime is virtually unheard of on our sunny islands! Thank you New Labour!

Broad danish implementation

[Mekanix]

Denmark is way ahead of the rest of the EU and is implementing a legislation that affect not just ISP... it affect anyone who provide some sort of "tele services"...

So if you run a block, you need to track, register and store everyone who makes a comment on you page.

If you run a BulletinBoard... same applies.

Run a chat or mailinglist? Ditto for you.

Do you run *any* kind of server (apache, irc, cvs, ftp, mailinglist etc.). You're not excused.

In short: every citizen is obliged to keep records of friends, family etc. whereabouts.

Welcome to Stasi-land!

Re:Tools - But Even Then...

[arevos]

It is very stupid. However, it is something of a habit for the British to ignore laws that don't make sense. Whilst the RIP bill was passed in 2000, so far as I understand it, it has never actually been used.

Telephones and E-mails? Spams too?

[Parandor]

Wow, I wonder how many HOURS the system will hold... And this is to fight terrorism? I doubt terrorists could do as much damage to a contry economy as this law thing even if they tried for a hundred years.

Uh.

[warrax_666]

Which part of "and" don't you understand? He was referring to using both encrypted communications and partitions.

Indeed,

[warrax_666]

when you encrypt something with PGP you can just avoid self-encrypting it, ie. preventing yourself from decrypting it while still allowing the party you sent it to to decrypt it. (Not sure how this would interact with signing, though).

AFAIK there is no way to prove whether you did/didn't self-encrypted the message, effectively giving you plausible deniability.

Re:Tools - But Even Then...

[Ibix]

But that would be madness. That basically means that the UK government could take *any* file on your PC and demand that you decrypt it (even if it is already in cleartext), requiring you prove that it isn't just some fancy encryption algorithm that made the ciphertext look like a Word document, or a system library!

Yup. Probably wouldn't fly in open court, but if memory serves you aren't allowed to tell anyone that the government have requested the key, or else you get to spend twenty years in the clink. I left my tinfoil hat at home today, so I won't comment that this gives "Them" a nice mechanism to lock you up on an unfalsifiable pretext.

I

Re:Tools - But Even Then...

[BlueWonder]

In The Netherlands (and also the UK), a person can be forced to assist the authorities to decrypt information (i.e. supplying them with the key). If you refuse to cooperate, you could face a hefty fine, or be put in prison (depending on whether the police, or the intelligence services give the order).

What if you suddenly forget your passphrase? This can plausibly happen in extreme stress situations, such as being arrested, interrogated, and/or threatened to be put in prison.

DPA rights still apply yeah?

[t_allardyce]

Well on the plus side I can call my ISP and demand to see a list off all my web history and they can only charge me 10 quid still? Think im gona make a habbit of demanding all my data from everywhere, and if they keep CCTV for a year then they'll just have to go through the tapes looking for me..

Re:Tools - But Even Then...

[Tony+Hoyle]

Yes if you tell your employer that the government has requested the network passwords/keys etc. then you get sent to jail.

If you don't of course, you're likely to get the sack and may never work as an admin again (since who would want to employ an admin who has given away all the network keys).

Really sucks.

Re:Tools - But Even Then...

[Tony+Hoyle]

Terrorism has *always* existed. It's not any worse now than 10 years ago.... I used to have the odd afternoon off school due to bomb scares (99.9% of terrorism is the fear of it not the actual action. The closest I got was when the IRA decided to do a demolition job on the local city centre on a Saturday afternoon.. I was about half a mile away.. spent the afternoon quaffing beer on the exclusion perimiter and watching helicopters/police with guns surrounding the place).

There is a witchhunt - basically anyone who wants 'rights' risks being thrown in jail without and representation or right to a trial. This situation would never have been allowed a few years ago but under the 'terrorism' laws you can be arressted for anything they decide to dream up.

Re:Tools - But Even Then...

[Anonymous+Brave+Guy]

It's because of well thought out, useful laws like this that crime is virtually unheard of on our sunny islands! Thank you New Labour!

Heh. Big Blunkett is watching you! If you have nothing to hide, you have nothing to fear!

Oh, wait...

Re:If you're not a terrorist, go ahead and encrypt

[Tony+Hoyle]

The S/MIME on OE doesn't work - it just displays a blank page with an error message & you have to click to read the message.

This *really* confuses newbies - I tried it for a couple of weeks and gave up after getting loads of messages back from OE users complaining that they couldn't read my message.

Re:what if I don't?

[BlueWonder]

What if I just told the government "fuck you, it's too much of a pain in the ass for me, if you want it done then give me money otherwise shut the fuck up"?

Here in Germany, the situation will become similar to that described by the original poster on Jan 1, 2005.

ISPs are indeed telling the government what you suggest, albeit I believe they don't use your choice of words exactly. It won't help them, since the law explicitly states that the ISPs have to bear the costs of spying on their customers on the government's behalf. Even before they start spying, they have to prove to a government agency that they have government approved spying equipment in place. The fine for non-compliance is half a million Euros.

It is indeed estimated that this will cause a large number of ISPs (more than 50%, most likely) in Germany to go bankrupt within the next year.

Re:Tools - But Even Then...

[fossa]

As for this new data retention crap, are the cops going to pay for the huge servers and disks required to hold all this information? And the people to keep everything going?

No, your tax dollars will!

I agree with the rest of your post... At the very least, I should know what the gov't/police have and haven't read of my personal communications. (which I would if they needed a proper warrant to legally comel me to decrypt.)

Re:Sure. Great.

[Jarnis]

If everything is available in some huge data retention center, and it's readily accessible, it WILL be abused.

Power corrupts.

(Absolute power, on the other hand, is kinda neat :p )

stealth fascism

[Doc+Ruby]

4 years is too short a time to say "never". Wait until the UK government lets some asshole with a plane "slip through" their defenses, and blow up a 200 year old building in central London. RIP will see new life, and everyone will accept it, because it's not "some ancient, obscure law", or something "passed in the heat of the moment", or some new legislation that would have to overcome the newly mobilized opposition.

Re:Tools - But Even Then...

[hardpress]

The RIP bill has been used frequently and even by those who were not supposed to.

When the government sought to introduce RIP2 recently their investigation showed that ISPs were handing over information without court orders and that the law was being exercised by lowly council workers that were not intended to be provided access to users data.

More storage space

[dimss]

The only problem I see here is that I will need much more disk space for mail archives and their backup copies. Guess who will pay for it...

Even worse in Germany

[stiebing.ja]

"We can shout at people that the government can read our email and chat logs, but very few people will make the move to encryption. People are apathetic and lazy - unless encrypted email and chat is enabled BY DEFAULT in the next version of email and chat programs, people won't do it."

I can only agree with this. Living in Germany I followed the discussion about the data storage a bit.
This includes the knowledge that every offerer of telecommunications in Germany has to provide the hardware to monitor and store communication details - like email or your mobiles SMS - from January 2005 on, and that on their on costs.

As a result to this I describe the privacy problem in my signature of every email, including a link (http://home.arcor.de/ja.stiebing/gpg sorry - german only) to a page with further information (respectively links to information) about the german law and a brief usage of gpg. Although the people I communicate with all are aware of the dangers of the 'glassy human' (like they call it in Germany), NO ONE OF THEM has started to use encryption - well one friend of mine at least thought about doing it.

You are absolutely right to claim that encryption has to be enabled by default - and it has to be available in every kind of communication program for the net. I hope that eg. Opera will have at least the possibility to include GPG in its upcoming version (perhaps allowing the users to point to an online GPG key?).

Keep your data private - or would you also like everyone enquiring your underwear?

btw, my GPG key:
http://home.arcor.de/ja.stiebing/download/gpg-key

Re:Tools - But Even Then...

[plague3106]

Is it not the same in the UK as the US? I believe you CANNOT be legally fired for complying with law enforcement.

Re:EU 1984?

[Anonymous+Brave+Guy]

While I would welcome a major increase in the Parliament's powers, the EU executive is definitely held accountable. The current situation is not a "democratic deficit", but rather excessive powers in the hand of national heads of state.

It's not a wash-out, but it is a deficit. The indirectly-elected Council/Commission can walk all over the directly-elected Parliament. That's the wrong way around.

Re:This is new....

[Eastree]

>like this tried in the USA would result in a ton of out-of-work Congress folks.

Actually, you may be surprised how many Americans would support this if the media tells them to. People here tend to be very fickle on every issue. Besides fickleness, there's also the issue of people on the more extreme end of political philosophies who will believe this is a good idea. And as another response says, we are also mostly apathetic and no matter how much we complain to each other, we are likely to do nothing effective about it, much less try.

Encryption Problem

[nurb432]

The problem with that idea is that once most of the populous does start encrypting everything, the government will just put a stop to it.

How? Easy. By making it a felony to use *any* encryption mechanism that isn't approved ( i.e., backdoored ) by the government.

Then it wont matter that the email was from your wife telling you to get milk on the way home...They don't even have to bother to 'break' it, the simple fact that its not readable by the authorities will be enough cause for jail time.

Re:Tools - But Even Then...

[KatieL]

If you forget your passphrase, and cannot prove you haven't got it, you get locked up until you remember it.

You don't get a trial. You don't get a lawyer. And in fact it's an offence to tell ANYONE you've been served with a request for the key.

Nice, huh?

Re:Tools - But Even Then...

[plague3106]

I'd think stunts like that are rare though, since again, if caught, it will bring nothing be headaches to the employer.

Re:This is new....

[IWannaBeAnAC]

Hrmf. WTF are you even talking about? Something like this tried in the USA would result in a ton of out-of-work Congress folks.

Of course. Following on from the mass departures that followed the DMCA, CDA, PATRIOT, the broadcast flag, and no doubt will happen again after PATRIOT2.

"Limited Period of Time"

[Bob9113]

Be afraid. Be very afraid. The "Consultation Document on Data Retention" (the directive that will be used by the commission in establishing the rules) contains the requirement, "ensure that the data is only retained for a limited period of time." As we know from copyright law in the US, that currently means, "100 years plus automatic increases for the next 25 years then we'll decide how much further to extend it." And it has been argued by former congressman Sonny Bono that it really means, "forever minus a day."

Re:Tools - But Even Then...

[Jeppe+Salvesen]

Sure. Terrorism is real. But we are reacting in irrational ways. The ways we react do in fact only make the most sense if either we're ruled by incompetent asshats that are out of touch with reality, or the asshats that rule us have a different agenda they don't disclose.

Re:Tools - But Even Then...

[pjt33]

Was the "Oh, wait..." as you suddenly remembered that Blunkett resigned yesterday?

Re:Tools - But Even Then...

[pjt33]

That's not the real problem. What if you never knew the key in the first place? You can't prove that you never knew it, and the authorities don't need to prove that you did know it.

self-encrypting

[bagofbeans]

Good idea, but you would have to actually not self-encrypt the message. Once you have provided your password to the authorities it can be checked . They won't simply take your word for it.

Re:self-encrypting

[warrax_666]

you would have to actually not self-encrypt the message

... which is exactly what I said. "Avoid self-encrypting" is pretty much the same as "not self-encrypting". :)

You are, of course, right that you don't gain deniability (because you still have to give away the passphrase and "they" can check whether the given passphrase/key can decrypt it), but you have effectively obscured the message from the authorities even with these provisions in place -- which just goes to show how silly they are, I guess.

It might also be possible to modify the PGP system slightly to "invisibly" embed multiple keys (with different passphrases) in one "superkey". This might actually give you the ability to encrypt one innocuous message to yourself while encrypting an entirely different message to the party you were communicating with. (Disclaimer: I haven't really thought this through, but it seems like it should work).

Re:Tools - But Even Then...

[Yartrebo]

You can always generate a one time pad key that will convert any document into another of the same length. Just XOR all the bits of both documents together and that's your key. If you XOR the key with one of the 2 documents, you get the other document.

Before dialling, scramble the phone number

[Anders+Andersson]

Well, if anything is going to drive people to personal encryption, this type of brain-damaged legislation will be it.

Exactly how would you be able to encrypt data like recipient address, sender address, date and time of the connection was made, what phone number you dialled, how long your call lasted, and how much you are supposed to pay for it? You can encrypt the contents of your e-mail message if you like, but if you want your ISP to actually deliver it, you at least have to provide them with the recipient address in plaintext. That's traffic data stored by your ISP, which is what this proposal is about.

Here on Slashdot, KokoBonobo claimed:

The retained data would not only consist of logs, but of entire conversations and contents of the e-mails and SMS messages.

I see no support for this bold claim in either of the linked documents. They are appearantly talking about traffic data, not message contents. This data retention proposal was discussed on Slashdot months ago; we didn't find any evidence of planned bulk snooping back then either.

There is some mention of certain "other" pieces of traffic data, not yet specified. What could that be? Perhaps whether the phone call was made using hidden Caller ID, and any technical service logs associated with the subscriber line... That's a lot of data; let's just throw in an MP3 of the entire call (whether voice or fax) as well for simplicity, right? :-)

Now, it's quite possible that your average politician will be unable to tell an SMTP message envelope from a user's manually written signature, and would thus happily vote for any proposal either way, but I suggest you quote the specific parts of the proposal that mandate bulk snooping before you label it "brain-damaged". Have you seen the proposal?

Re:Before dialling, scramble the phone number

[cayenne8]

"Exactly how would you be able to encrypt data like recipient address, sender address, date and time of the connection was made, what phone number you dialled, how long your call lasted, and how much you are supposed to pay for it? You can encrypt the contents of your e-mail message if you like, but if you want your ISP to actually deliver it, you at least have to provide them with the recipient address in plaintext. That's traffic data stored by your ISP, which is what this proposal is about."

Not necessarily...you encrypt your message, and send it through multiple remailers, on each stage, it is decrypted to the next 'bounce'...no computer in the path knows the final destination of the email...so, very difficult if not next to impossible to trace.

Also, you can post and get your anonymous encrypted email from USENET, there are groups for nothing but this.....again, use remailers to hop the message around the world a few times...before it goes through a mail to news server...This is untraceable...

Re:Before dialling, scramble the phone number

[Anders+Andersson]

you encrypt your message, and send it through multiple remailers, on each stage, it is decrypted to the next 'bounce'...no computer in the path knows the final destination of the email...

When you use remailers, you are merely packing additional delivery instructions into the contents of a message. From the viewpoint of your ISP, your first remailer is the destination, and you can't hide the address of that remailer from the server to which you send your encrypted message. Neither can you prevent the owners of that server from learning when the message was sent. Those addresses and timestamps constitute the traffic data which we are discussing here, as certain authorities want it to be retained for potential uses beyond mere billing.

As long as the operators don't actually retain copies of message contents, encrypting said messages offers no additional privacy. To make a human analogy, you write a message for Alice, encrypt it using Alice's public key, add a note to Bob saying "please forward this to Alice", encrypt the whole thing again using Bob's public key, and send it off to Bob. As long as you use some operator's mail server (rather than your own custom channels) to deliver the message in each step, some operator will learn that you sent a message to Bob, and somebody else will learn that Bob sent a message to Alice. Thus, even the delivery instructions that you encrypted ("forward this to Alice") will eventually appear in plaintext as delivery is carried out, and thus be subject to the data retention policy. You might just as well have skipped the encryption step as neither ISP ever looked at the message contents!

so, very difficult if not next to impossible to trace.

The issue here isn't whether you can send untraceable messages, but whether the data retention policy being discussed would encourage people to encrypt their communications. As long as the policy only applies to traffic data, encrypting the message contents serves no purpose at all besides letting the users feel safe about it, no matter how many anonymous remailers you employ.

There may be several other good reasons for encrypting your communications, but traffic data retention isn't one of them.

Also, you can post and get your anonymous encrypted email from USENET, there are groups for nothing but this.....again, use remailers to hop the message around the world a few times...before it goes through a mail to news server...This is untraceable...

I wouldn't call it "untraceable" unless I can tell for sure how reliable each hop is, but I agree that adding a broadcast link (Usenet) to the chain makes a significant difference, in that you can't tell who the ultimate recipients are when the message is sent everywhere. This is much like those secret messages placed under "personal" in printed newspapers, available to anybody but understood by the intended recipient only.

Still, traffic data retention may mean that the authorities get access to log files from a substantial number of operators, allowing them to compare log entries and analyze traffic patterns in a way which the operators themselves have been unable or unwilling to do. It's almost as if everybody (including the remailers) would be hosted by the same ISP. If Alice is a known terrorist, Bob will be considered an accomplice, and soon you will be a suspect too merely by talking to Bob. Now, Bob may obtain multiple identities (accounts) to make things more interesting, but it's not like people will begin using anonymous remailers for their communications in general, or they would become regulated out of existance.

Now i remember this one!

[kesuki]

We need to send all our emails in the form of SPAM because noone in thier right mind would store spam for 7 years!
Hot Nude chicks!
We have to be seen to be believed!
Our chick spread thier pussies wide for you!

See if you only read the bold letters. it's says 'Hi what's up' of course, if you bold the letters it's pretty obvious, there are a lot of other things you can do that will remain in formatting that are less obvious...

Re:Sure. Great.

[aminorex]

And the usual reason is that you offended someone who had the power to order your arrest.

Re:Tools - But Even Then...

[badmammajamma]

Actually, in the US, your employment can be terminated for any reason (with the exception of discrimination) if you live in a "right to work" state.

Re:EU 1984?

[nerdonamotorcycle]

India is, as I understand it, not exactly encouraging immigration. Witness the myriad "ha ha only serious" postings on /. message boards from laid-off coders who would be happy to emigrate from the US to Bangalore if it meant that they could write code at a wage that kept a roof over their heads. But yes, I agree that from the standpoint of both economics and freedom the US and Europe are both getting pretty old-n-busted. I'd vote for the moon as envisioned by Robert A. Heinlein, myself.

Re:Tools - But Even Then...

[plague3106]

Right to work state or not, I believe its still illegal to can someone for cooperating with law enforcement.

More generally, even in right to work states there is still such a thing as wrongful termination (which covers more then just discrimination). Please post links to laws saying something to the contrary.

Re:Tools - But Even Then...

[Anonymous+Brave+Guy]

Yes. I "suddenly remembered". :-)

(Please note the ironic comment about having nothing to fear if you have nothing to hide, and my new sig as of this morning, which is also related to the UK's anti-terrorism policies as advocated by DB.)

Eu==facist bastards?

[theolein]

I live in Switzerland, where, as a matter of course, most EU policies are implemented even though Switzerland is not part of the EU.

Already now it is law that logs of all communications must be kept by ISP's, telcos etc for around 6 months. This new law will make it legal for these fucking bastards to listen in on my private conversations without any problems and tape it as well.

There goes my privacy. There goes business secrets, and above all...

There goes my ISP's bill spiralling upwards because someone has to pay for the fucking storage.

So much for Europe being a bastion of liberal values. The Europeans are only liberal as long as they can take the piss out of the US.

Re:Eu==facist bastards?

[fuzzybunny]

I'm in the same country; following some of the Swiss ISPs' discussions on related topics on the SwiNOG list brings up a few pretty scary issues.

Frankly, what can one do? The EU and its ilk have been soundly defeated in two major national referenda here, and yet successive governments bulldoze ahead with plans to join up at any cost. Nobody seems to give a flying shit about issues like these

Swiss ideas about data protection always relied on the premise that the government is trustworthy, which it usually was. Now we start seeing a prime example why "trust us, we'll never misuse the information/capability to gather information" is a load of bull.

As to what individuals can do, I can think of three easy things:

* Make your acquaintances, family and colleagues understand, as simply as possible, the consequences of unimpeded governmental authority to collect data, and of what can go wrong with it, using real-life examples.
* Vote against every single politician who makes noise about allowing this sort of crap
* Obfuscate, obfuscate, obfuscate. Use SSL. Use PGP. Use SSH. Store data on PGPDisk, GBDE, CFS, or some of the Linux methods mentioned here.
There's not a whole hell of a lot you can do about voice, until someone comes up with a simple, compatible, free/low cost VoIP or analog line encryption method. None of these things is impossible to break through or get around for a really determined eavesdropper, but you can sure do your tiny little bit to make it harder for "them".

Frankly, I think it's ironic that, in the last national vote about joining the EU, the most vocal voices against it from among my colleagues came from, you guessed it, expats from EU countries who moved here exactly because they hoped Switzerland would not follow the lead of the rest of this continent in issues like this.

Re:If you're not a terrorist, go ahead and encrypt

[badzilla]

Rememeber to check the "clear signing" option, regular opaque-signing can produce just the effect you describe in some recipients' mail clients.

Re:Tools - But Even Then...

[pjt33]

I have sig display disabled because most of the time they just take up bandwidth and time, so I didn't notice it.

Re:EU 1984?

[16K+Ram+Pack]

The moon's fine, except it's a bit lacking in atmosphere ;)

Recording of conversations is inevitable

[pmagsa]

I recommend you guys read my post at SmartMobs. My understanding is that, because of spreading of VoIP, especially with applications such as Skype, everybody will record their conversations, not only government agencies but ordinary people.

There is a Spanish version of my post available at my blog: Conversaciones enlatadas.

Regards,
Pablo Martinez-Almeida

Re:EU 1984?

[nerdonamotorcycle]

It's lacking in atmosphere, but the food more than makes up for it. :-) Seriously, Heinlein posits the moon having been settled, with domes and stuff.

This would be good

[Exter-C]

This would have massive benefits to the right people. however it mis used it would be terrible for most people.

any data retention = infinite retention

[whovian]

Seems to me that the authorities could just burn the data to optical media. There's no need for infinite hard drive storage. In that case the police wouldn't record everyone's data, but all the data of any "persons of interest".

Great News!

[Java+Ape]

As a DBA I have lots of big files to play with. On an average day I archive nearly a terabyte.

I think I'll fire up a cron to encrypt them and send them to our off-site archives as email attachments (after all, I have to send that data anyway). If everyone would contribute a terabyte or so every day, they'd have lots of fun storing it. I'm glad I don't on their disk farm!

PGP!

[aggieben]

PGP, PGP, PGP!!!!

Oh when will the web email services have integrated PGP support????

This is an opportunity for companies like Microsoft, who have a disproportionately large share of certain markets, to do some good. If the Outlook (and Outlook Express) setup wizard included 2-3 dialogs for setting up a PGP key and a dummy's intro on how to use it, it would go a long way to making privacy invasions much more difficult.

Re:Encrypt your data/files

[LuSiDe]

Look at it another way; who do your users trust more, verislime or you?

Or an alternative for Verislime which the GP is searching for in the first place?

Re:Tools - But Even Then...

[HermanAB]

What you need are double messages with two encryption keys, that will either decrypt to the real message, or to a fake message. For details, see Practical Cryptography by Bruce Schneier.

Re:Tools - But Even Then...

[ControlFreal]

The whole essence of onion-routing networks, is that you do not have the key for most of the communications you do. In fact, you do not even know the original source or final destination, or indeed anything at all about what you're transfering. (Except for what the next hop's IP address is)

Off-the-record messaging

[retepkaid]

This Slashdot article on "Off-the-record messaging" should be very relevant to this. This is the homepage.