Slashdot Mirror


Controversial New UK Internet Powers Bill Makes No Mention of VPNs (thestack.com)

An anonymous reader writes: The Draft Investigatory Powers Bill presented by the UK Home Secretary Theresa May to Parliament today has caused controversy because it proposes new legislation to force UK ISPs to retain an abbreviated version of a user's internet history for a year, and would also oblige vendors such as Apple not to provide consumer-level encryption that the vendor cannot access itself in accordance with a court order. But perhaps the most surprising aspect of DIPA is that Virtual Private Networks are mentioned nowhere in its 299 pages, even though VPNs are a subject of great interest to Europe, Russia, Iran, China and the United States.

5 of 115 comments

  1. The controversial parts in brief. by SuricouRaven · Score: 5, Insightful

    Demands to ISP:
    1. Log every website any of your customers visits and store it for a year.
    2. We're not going to tell you how. That's your problem, but if you can't figure out a way we'll probably fine you. No, we're not excluding SSL.
    3. You are paying for it too. Just pass the costs on to your customers or something.

    1. Re:The controversial parts in brief. by Xest · Score: 4, Insightful

      Yep, it's the web tracking that makes this bill awful. If it weren't for that section the bill wouldn't actually be that bad as security bills go because it's largely an improvement on the status quo - i.e. bringing the judiciary into the issuing of warrants for digital searches and interception is a good thing and an acceptable measure IMO. We already allow judges to issue warrants to smash people's doors down and that's typically seen as acceptable, so I have few qualms with a digital equivalent. Our judiciary are typically good on this front and I have far more trust in them than I do the Home Secretary. The other stuff about banning VPNs and encryption was, as I suspected, bullshit, and the bill says nothing about these things contrary to claims in the summary.

      But the web tracking needs to be stopped. Theresa May has completely understated the implications of what she's proposing, claiming it's just like an itemised phone bill. It's not. An itemised phone bill at best tells people who you've called. A list of domains you've visited can tell people everything from your sexuality, to where you shop, to where you bank, to where you plan to go on holiday, to where you work, to who your service providers are, whether you're having or seeking to have an affair (e.g. Ashley Madison), where you get your news from, and so on. As I understand it, the security services weren't too bothered about this power (presumably because they're already intercepting way more than this), and it was actually the police that pushed for this particular measure, and yet it's the police I trust with access to this data the least because the police have the lowest barriers to entry, the largest staff count, and the greatest interaction with the public that they can now spy on, and so are the most likely to abuse it.

      It's this argument I'll be making to my MP, but I don't hold up much hope for this being blocked given that, unsurprisingly, Labour backs it, in part because one of the biggest slimeballs in parliament, Andy Burnham, backs it, and Corbyn still seems to be unable to find anything even slightly representing a spine when he now needs it the most since he's, you know, supposed to be some kind of leader now. Mass use of VPNs by the public will be the only realistic option to fight this.

    2. Re:The controversial parts in brief. by andrewbaldwin · Score: 4, Insightful

      I've been following this issue and have not yet heard the following question/argument raised.

      Leaving aside all the usual privacy arguments and the slippery slope case of a reasonable regime now going bad in the future, there's still a practical question which would have less impact on privacy and costs.

      "Why are you tracking all the users and generating a huge 'haystack' of noisy data when you could track the 'needle' instead?"

      In other words, why track every member of the public to see if any of them view moneylaunderingterroristpaedophiles.com instead of just looking at subscribers to that site?

      Focusing on a small range of IP addresses and then looking at address headers should be relatively easy.

      Even the effort of maintaining a 'naughty list' of 'bad' sites must be easier than sifting through petabytes of ISP logs.

    3. Re:The controversial parts in brief. by Anonymous Coward · Score: 2, Insightful

      Both too many needles and too much hay. Looking at relationships, though: if you and I both go to MadMidnightBomber.com then we may know each other, at least tangentially, and if we also go to a few other obscure forums then it becomes more likely. It's a Big Data approach that ... might work.

      And in the meantime, it lays a wonderful volume of data for scope creep and data leaks (see TalkTalk - yay kid, all your porn habits are public in the brave new world). The fact that the ISP is supposed to secure that data is a fig leaf: they're supposed to secure everything already under the DPA and basic good practice.

    4. Re:The controversial parts in brief. by locofungus · Score: 4, Insightful

      In other words, why track every member of the public to see if any of them view moneylaunderingterroristpaedophiles.com instead of just looking at subscribers to that site?

      You've completely missed the point of why they want to do this.

      They don't care at all about this data. What they care about is that GCHQ, MI6 etc. can continue to capture everything in a dragnet (something that they claim was already allowed but was kept so secret that even most of the people in the organizations that were doing it didn't know it was happening).

      They need a way to use that dragnet without admitting to actually capturing everything and possibly decrypting some of it. They'll use the records collected by the ISP to build a case against someone.

      Once they get good at building cases that judges like, they can use those skills to take the data from the ISPs to build a case against anyone they don't like for any reason.

      Given the dozens of different domains that data is fetched from for any given page, I suspect there's an almost unique fingerprint of connections for many webpages.

      If this bill passes you will also no longer be able to trust things like the Raspberry Pi - in fact, any hardware made or assembled in the UK will be suspect.

      --
      God said, "div D = rho, div B = 0, curl E = -@B/@t, curl H = J + @D/@t," and there was light.