Irish GSM Providers Asked to Track Users' Web Use

With the disclaimer "I'm both Irish and work for the EU Commission," reader VShael writes "The head of the Irish police force has requested that Irish cell phone providers (Vodafone, 02, Meteor, 3) retain detailed information on the web pages that people view over their handheld devices. This information would be held over for 'possible future criminal investigations', but would be gathered without a warrant, probable cause, or without the citizen being suspected of a crime. This request goes way beyond the European Union's data retention directive, which never included retention of web-based email. Representatives of Vodafone, O2 and 3 discussed the letter at a meeting with Mr Davis (6th November 2008) and questioned the legal basis under which they could retain this data. It is their understanding that the content of calls or e-mails, or details on webpages browsed, are excluded from the EU directive. As such, any retention or disclosure of that information would be a violation of existing EU data protection legislation."

Re:Encryption

[theapeman]

It would be very easy for an ISP to perform man-in-the-middle attacks on supposedly secure sites which use self-signed certificates. Self-signed certificates provide some security against eavedropping by third parties, but almost none against a malicious network. They can only be useful if you have some independent method of verifying them, and very few people would know how to do that. (Of course, that also applies to certificates signed by many certifying agencies - it is probably quite easy to get a fake certificate that will be silently accepted by browsers)