Irish GSM Providers Asked to Track Users' Web Use
With the disclaimer "I'm both Irish and work for the EU Commission," reader VShael writes "The head of the Irish police force has requested that Irish cell phone providers (Vodafone, O2, Meteor, 3) retain detailed information on the web pages that people view over their handheld devices. This information would be held over for 'possible future criminal investigations', but would be gathered without a warrant, probable cause, or without the citizen being suspected of a crime. This request goes way beyond the European Union's data retention directive, which never included retention of web-based email. Representatives of Vodafone, O2 and 3 discussed the letter at a meeting with Mr Davis (6th November 2008) and questioned the legal basis under which they could retain this data. It is their understanding that the content of calls or e-mails, or details on webpages browsed, are excluded from the EU directive. As such, any retention or disclosure of that information would be a violation of existing EU data protection legislation."
Did this guy not get legal advice pointing out that what he's asking for is almost definitely illegal/unconstitutional?
Better luck to the next generations
Because, you know...criminals browse the web on their phone to plan/commit crime. Brilliant!
Orwell's Estate should sue this guy for copyright infringement. That'd teach him!
This can't be legal, can it?
Time for I2P and Tor on a cellphone?
Yet another reason why Firefox's stupid warnings on self-signed certificates are wrong.
Another reason why HTTPS is a stupid standard.
We need viable encryption of all traffic, now.
Rich.
libguestfs - tools for accessing and modifying virtual machine disk images
"This information would be held over for 'possible future criminal investigations', but would be gathered without a warrant, probable cause, or without the citizen being suspected of a crime. "
Remember people the "world" isn't "the US". Warrants, probable cause, and presumption of innocence aren't universal.
Shai Schticks:"You don't make peace with friends, you make peace with enemies"
... just view your illegal web pages in lynx over SSH?
Nothing new here... almost all ISPs retain data regarding your traffic which includes what sites you visit and what e-mails you send. This informal policy is now being extended to mobile platforms. Governments do this, not to prevent crime, but just because they are paranoid. There should probably be some sort of international body to monitor abuses of this power.
What about all the good folk who "broadband" through the GS network?.. I've checked the date, and it's not 1st April in any known time zone that I can find, but this has to be a joke??
If they use Opera Mini the only thing being logged will be the Opera proxy servers.
F**k that, I'm on 3.
The second they do start tracking me I'm never gonna own a phone again.
This is getting ridiculous and it's only a matter of time before this creeps over into the UK.
It's 'way past time the service providers grew a set and sent a resounding "Fuck you!" to these fascist pricks. And it's also 'way past time those of us who live in alleged democracies to start demanding some privacy protection. I'm a lot more frightened of Big Brother than some whack-job terrorist. The terrorist might manage to kill a few of us. Big Brother will sit down hard on ALL of us and never get off.
The best I ever heard it put was by an English commentator. He said we need to recall that the freedom we're so thoughtlessly flushing down the toilet isn't even ours to give away. It was bought and paid for with the blood of our parents and grandparents and great-grandparents.
I've calculated my velocity with such exquisite precision that I have no idea where I am.
Simply put, they can't retain a copy of every file transferred; it's simply impossible from a storage perspective. All they'll be able to retain is the IP address of the server you're connecting to. Solution? Use a proxy.
The only thing that might be new here is the storage of emails, and that can be overcome easily enough using PGP.
It would be very easy for an ISP to perform man-in-the-middle attacks on supposedly secure sites which use self-signed certificates.
Not necessarily. There's a Firefox plugin called Perspectives that prevents MITM attacks that are confined to a limited IP block, such as one initiated by an ISP.
It works by getting several remote servers to query the site and send the certificate back to the browser. If the certificate the remote sites see is the same as the certificate your browser sees, then you can be certain your ISP isn't performing a MITM attack.
"Encryption without trust is bunk"
;) )?
Ever see all the CA certs preinstalled in your browser? Count them.
1) Do you trust all of those CAs? Do you even really know who they are?
2) Have you bothered to remove the certs of CAs you have no good reason to trust?
3) For instance can you really trust Verisign/NS? They issue Microsoft certs to the wrong parties, hijack domains, lock domains just because you search for them.
Now, tell me how much worse is accepting a self signed cert compared to accepting a cert issued by those CAs.
I would prefer it if a browser gave me a warning if a cert changed, even if it's valid. After all it could be a "valid" CA issued cert to someone _claiming_ to be the FBI/CIA/NSA. Then later they go whoops sorry (but only if you ever notice).
A site having its cert changed from one CA to another to me is not so different in security terms from suddenly having a new self signed cert compared to an old self-signed cert.
Certs expiring after X years are just a good way for CAs to make money. If someone had enough access to a site's private key they already can do so much more, why bother with just tampering with your connections to that site. Yes in theory they might be able to crack your cert without cracking your server, but let's talk "real world".
If you really want security, browsers would be treating certs a bit differently. As it is, all a CA cert does is prevent one extra "annoying box" from appearing. There's no real added security.
Nobody cares who the CA is, how much verification they do, or what the browser people do before deciding to add a CA's certs in. Have they ever audited any of the CAs? How could they? Why would they?
Have the browser people already defined a certain level of badness for CAs, so that if they reach that level they get removed?
Believe me, most of the people involved in making browsers don't really care about security. They just talk about it. They have other higher priorities.
And most of the people using browsers don't care either. Nor do the CA bunch.
I personally regard self signed certs (and CA issued certs too) as usually safe - it's when they change for no good verifiable reason that you should worry. And it's in this very same scenario where you want your browser to also protect you from "strange" and "valid" CA signed certs. But AFAIK the browsers don't do that. Their "cert stuff" is not designed to protect you from that.
But they do help CAs make money and make people feel safe.
Fact is their https connections are actually quite safe. Their banks are probably more likely to go under, or screw up their transactions, or have some SQL injection/web app security problem than their https connections to their banks being subverted by some 3rd party. Why attack one user's https session when it's easier to do the whole bank, or mass install malware to get thousands of users bank usernames and passwords (and then use valid https sessions to transfer money
The world is a safer and at the same time more dangerous place than most people realize - most people have a distorted view of things. Same goes for me, but I think I've got a slightly less distorted view in this particular field than average. If you do have a clearer/better view, I'd be happy to know of it - but do provide good reasoning or evidence.
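An added illustration, not part of the thread and not the Perspectives plugin's code: the two ideas raised in the comments above, comparing the certificate you receive with what remote vantage points receive, and warning whenever a remembered certificate changes regardless of who signed it. The names `PinStore` and `notaries_agree`, the verdict strings, the host `bank.example` and the byte strings standing in for DER certificates are all constructed for this sketch.

```python
import hashlib

def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a certificate's DER encoding."""
    return hashlib.sha256(cert_der).hexdigest()

def notaries_agree(local_fp, notary_fps, quorum=2):
    """Multi-vantage check: do enough remote observers see the same cert we do?"""
    return sum(1 for fp in notary_fps if fp == local_fp) >= quorum

class PinStore:
    """Remembers the first certificate seen per host (trust on first use)."""
    def __init__(self):
        self.pins = {}

    def check(self, host, cert_der, notary_fps, quorum=2):
        fp = fingerprint(cert_der)
        seen_remotely = notaries_agree(fp, notary_fps, quorum)
        pinned = self.pins.get(host)
        if pinned is None:
            # First contact: only remember the cert if others see it too.
            if not seen_remotely:
                return "first-use-unconfirmed"
            self.pins[host] = fp
            return "pinned"
        if pinned == fp:
            return "unchanged"
        # The cert changed. Whether a CA signed it is irrelevant to this check;
        # what matters is whether the change is visible only on our network path.
        return "changed-everywhere" if seen_remotely else "changed-only-for-us"

# Constructed placeholders standing in for real DER-encoded certificates.
OLD_CERT = b"constructed-cert-A"
NEW_CERT = b"constructed-cert-B"
ROGUE_CERT = b"constructed-cert-C"

def demo():
    store = PinStore()
    old, new = fingerprint(OLD_CERT), fingerprint(NEW_CERT)
    return [
        store.check("bank.example", OLD_CERT, [old, old, old]),    # first visit
        store.check("bank.example", OLD_CERT, [old, old, old]),    # same cert
        store.check("bank.example", ROGUE_CERT, [old, old, old]),  # local-path swap
        store.check("bank.example", NEW_CERT, [new, new, old]),    # site rotated cert
    ]

if __name__ == "__main__":
    print(demo())
```

A "changed-everywhere" verdict still deserves a prompt to the user, since a rotation and a compromise at the server end look the same from outside.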
Well, I'm Irish and I work for the Irish Government (Civil Servant, minor role).
To my mind, it looks like that Garda Commissioner has tried to be very smart, but ended up looking very stupid. People on Slashdot probably don't know, but the Irish government decided recently to 'merge' the Data Protection Commissioner (DPC) - the independent body that made sure no one, including the government and police, misused people's private data or were overly invasive - with a whole host of other, barely related organisations.
Thankfully, they were made climb down and back away from their original plans which looked - from an outsider's point of view - like they were using the 'merger' to scrap some of the more thorny Agencies that regularly complain about government policy and the police altogether. (When the Secretary General of the UN called to make 'observations' on the plan, I think they realised they had overstretched themselves a bit!)
However, they are still in a position where they can't lose too much face, and a 'merger' is still on the cards - except this time, it probably is a merger along the lines of sharing buildings and stationery orders. What the guard probably saw was that the DPC was still on the cards for a merger without realising that it wasn't screwed over as badly as was initially intended. Or else he realised that he couldn't now just wait a year and then be able to force through his agenda without a State Agency that could effectively oppose him. Whatever the reason, he decided to rush in there to stick his oar into the operators.
He probably wasn't expecting the operators to go public, nor did he realise that the DPC is still operating effectively.
He deserves it, though. The Irish police (the 'guards') are notoriously weak on a technical level. They are so technophobic, they even call their computer people 'gits'! (Garda Information Technology section.)
As an example, many guards use Google or Yahoo email addresses as their official email addresses. Despite having set aside time and money for it years ago, most guards and, indeed, some police stations do not have email addresses. These free email addresses are used to communicate information about serious crimes, crime-scene photos etc. How's that for 'web-based email security'??? (For god's sake, nobody tell them about 'Flicker'!!!)
I also have occasion to know that many case records still exist only in the little black notebooks of individual guards. No such thing as entering a current investigation on a secure system or even having a typed version of ongoing case notes. This is after investing millions in a police system called 'PULSE'. This was supposed to be a secure system for recording all aspects of a case. You can't even upload a picture to the system, logs people out after five minutes of inactivity - even though it takes more than two minutes to log in and so on. It cost millions, yet the police still sometimes have to fall back to typewriters!
Even extends to basic tech like radios. A lot of them have to bring their own mobile phones to work. Either their radio system doesn't work in some areas or was never installed properly or their handsets have been broken and out of commission for a long time. And so on.
This, despite all our brilliant legislation about electronic signatures, eCommerce and so on.
(I'll also add the disclaimer that this is not the area of the Service that I work in).
Concrete analysis...
You work for the EU commission?
Technically, the EU Data Retention Directive requires retention of comms data pertaining to 'Internet E-mail' - it doesn't make a distinction between SMTP/POP3 e-mail and web-based e-mail.
If an ISP is running a mail system for its customers, then it should have comms data from use of its own mail system. For webmail, it should be the organisation running the webmail system which retains this data & provides it to the police on request - as the ISP obviously knows nothing about this without digging into all the traffic its customers pass over the network. Of course, many webmail systems are outside the jurisdiction of the EU - which causes a bit of a problem!
Whether this is a good thing or bad thing is an interesting debate & I think less obvious than the case made by privacy advocates tends to state. The police have relied on such comms data from telephone systems for decades to help catch the bad guys ...
"Warrants, probable cause, and presumption of innocence aren't universal."
I thought U.S. was an Orwellian state where a cop can throw you into jail on his say so, and then it turns out it's actually the EU that does it, and furthermore, the people who criticize the U.S. for this exact same thing rationalize this away.
Funny how that works...
Their next step will be to have the libraries and book stores not only maintain the lists of books you take out but also the lists of books you take off the shelves to browse through.
Undetectable Steganography? Yep, there's an app fo
Please stop calling all Eastern Europeans "Russians". Russia is not in the EU and Russians cannot easily move to Ireland (certainly not in large numbers). Poles and other Western/Southern Slavs have similar languages to Russian, but they are not Russians (in the same way as Dutch/Danish aren't Germans and French aren't English).
Coding etudes
Industry sources indicated that Vodafone has met Garda representatives to discuss the letter...
Right Answer: "No."
Wrong Answer: Anything other than "No.", although "Go f*ck yourselves!" would be acceptable.
[End Of Line]
So, I'm all tired with the craziness here in the U.S., but now my two main options Ireland and Australia are getting crazy with their Internet blocking and monitoring. Where the hell am I supposed to go to get some freedom?
How the heck is this off topic?