Slashdot Mirror

← Back to Stories (view on slashdot.org)

Controversial New UK Internet Powers Bill Makes No Mention of VPNs (thestack.com)

Posted by samzenpus on from the left-out dept.

An anonymous reader writes: The Draft Investigatory Powers Bill presented by the UK Home Secretary Theresa May to Parliament today has caused controversy because it proposes new legislation to force UK ISPs to retain an abbreviated version of a user's internet history for a year, and would also oblige vendors such as Apple not to provide consumer-level encryption that the vendor cannot access itself in accordance with a court order. But perhaps the most surprising aspect of DIPA is that Virtual Private Networks are mentioned nowhere in its 299 pages, even though VPNs are a subject of great interest to Europe, Russia, Iran, China and the United States.

76 of 115 comments (clear)

  1. The contriversial parts in brief. by SuricouRaven · · Score: 5, Insightful

    Demands to ISP:
    1. Log every website any of your customers visits and store it for a year.
    2. We're not going to tell you how. That's your problem, but if you can't figure out a way we'll probably fine you. No, we're not excluding SSL.
    3. You are paying for it too. Just pass the costs on to your customers or something.

    1. Re:The contriversial parts in brief. by Xest · · Score: 4, Insightful

      Yep, it's the web tracking that makes this bill awful. If it weren't for that section the bill wouldn't actually be that bad as security bills go because it's largely an improvement on the status quo - i.e. bringing the judiciary into the issuing of warrants for digital searches and interception is a good thing and an acceptable measure IMO. We already allow judges to issue warrants to smash people's doors down and that's typically seen as acceptable, so I have few qualms with a digital equivalent. Our judiciary are typically good on this front and I have far more trust in them than I do the Home Secretary. The other stuff about banning VPNs and encryption was, as I suspected, bullshit, and the bill says nothing about these things contrary to claims in the summary.

      But the web tracking needs to be stopped, Theresa May has completely understated the implications of what she's proposing claiming it's just like an itemised phone bill. It's not. An itemised phone bill at best tells people who you've called. A list of domains you've visited can tell people everything from your sexuality, to where you shop, to where you bank, to where you plan to go on holiday, to where you work, to who your service providers are, whether you're having or seeking to have an affair (e.g. Ashley Madison), where you get your news from, and so on. As I understand it, the security services weren't too bothered about this power (presumably because they're already intercepting way more than this), and it was actually the police that pushed for this particular measure and yet it's the police I trust with access to this data the least because the police have the lowest barriers to entry, the largest staff count, and the greatest interaction with the public that they can now spy on and so are the most likely to abuse it.

      It's this argument I'll be making to my MP but I don't hold up much hope for this being blocked given that unsurprisingly Labour backs it in part because one of the biggest slimeballs in partliament, Andy Burnham backs it, and Corbyn still seems to be unable to find anything even slightly representing a spine when he now needs it the most since he's, you know, supposed to be some kind of leader now. Mass use of VPNs by the public will be the only realistic option to fight this.

    2. Re:The contriversial parts in brief. by AmiMoJo · · Score: 1

      It's not true to say that they can't tell which individual pages you have visited either. If you visit a page that pulls an image from random-cdn-732420.com, and it doesn't appear on any other page...

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    3. Re:The contriversial parts in brief. by andrewbaldwin · · Score: 4, Insightful

      I've been following this issue and have not yet heard the following question/argument raised.

      Leaving aside all the usual privacy arguments and the slippery slope case of a reasonable regime now going bad in the future, there's still a practical question which would have less impact on privacy and costs.

      "Why are you tracking all the users and generating a huge 'haystack' of noisy data when you could track the 'needle' instead?"

      In other words, why track every member of the public to see if any of them view moneylaunderingterroristpaedophiles.com instead of just looking at subscribers to that site?

      Focusing on a small range of IP addresses and then looking at address headers should be relatively easy.

      Even the effort of maintaining a 'naughty list' of 'bad' sites must be easier than sifting through petabytes of ISP logs.

    4. Re:The contriversial parts in brief. by Anonymous Coward · · Score: 1

      Reading the draft bill it's not just web tracking - all IP connecttions would be covered...

      Quote:
      INTERNET CONNECTION RECORDS
      What are they?

      44. A kind of communications data, an ICR is a record of the internet services a specific device has connected to, such as a website or instant messaging application. It is captured by the company providing access to the internet. Where available, this data may be acquired from CSPs by law enforcement and the security and intelligence agencies.

      45. An ICR is not a person’s full internet browsing history. It is a record of the services that they have connected to, which can provide vital investigative leads. It would not reveal every web page that they visit or anything that they do on that web page.
      End Quote

      45 is a nice example of misleading the reader. The first sentence should be ignored - it says what and ICR is not, it communicates nothing about what it is. The second sentence says (as I read it) every IP address / Port pair connected to will be logged. Where you are at the time could be in that definition too.

      So every time a smartphone checks for email on a POP3 server, there is a record of what device (i.e. proxy for who), where. when.

      I can see why any potential blackmailer might like that.

    5. Re:The contriversial parts in brief. by Anonymous Coward · · Score: 2, Insightful

      Both too many needles and too much hay. Looking at relationships, though: if you and I both go to MadMidnightBomber.com then we may know wach other, at least tangentially, and if we also go to a few other obscure forums then it becomes more likely. It's a Big Data approach that ... might work.

      And in the meantime, it lays a wonderful volume of data for scope creep and data leaks (see Talk Talk - yay kid, all your porn habits are public in the brave new world). The fact that the ISP is supposed to secure that data is a figleaf: they're supposed to secure everything already under the DPA and basic good practice.

    6. Re:The contriversial parts in brief. by locofungus · · Score: 4, Insightful

      In other words, why track every member of the public to see if any of them view moneylaunderingterroristpaedophiles.com instead of just looking at subscribers to that site?

      You've completely missed the point of why they want to do this.

      They don't care at all about this data. What they care about is that GCHQ, MI6 etc can continue to capture everything in a dragnet (something that they claim was already allowed but was kept so secret that even most of the people in the organizations that were doing it didn't know it was happening.

      They need a way to use that dragnet without admitting to actually capturing everything and possibly decrypting some of it. They'll use the records collected by the ISP to build a case against someone.

      Once they get good at bulding cases that judges like they can use those skills to take the data from the ISPs to build a case against anyone they don't like for any reason.

      Given the dozens of different domains that data is fetched from for any given page I suspect there's an almost unique fingerprint of connections for many webpages.

      If this bill passes you will also no longer be able to trust things like the raspberry pi - in fact, any hardware made or assembled in the UK will be suspect.

      --
      God said, "div D = rho, div B = 0, curl E = -@B/@t, curl H = J + @D/@t," and there was light.
    7. Re:The contriversial parts in brief. by Anonymous Coward · · Score: 1

      I do not read this as a blanket demand that all ISPs log everything, it is a lot more targeted than that, there are very definite limits on what kind of data can be held and retention notices must be issued and justified.

      Clause 71: The Secretary of State may order an ISP or group of ISPs to log specific data for a max of 12 months (type of data defined and restricted elsewhere)
      Clause 72: They cant just order it willy nilly, it has to be appropriate and feasible
      Clause 73: Any such ISP can appeal, the board and commissioner will review if its feasibly and appropriate
      Clause 77: you cannot tell anyone you've been given a retention notice

      The powers this grants are a bit disturbing in what they would permit/legitimise, but it is nowhere near the scare stories that were circulating.

    8. Re:The contriversial parts in brief. by Xest · · Score: 4, Interesting

      Yes, this has always been my concern with most internet monitoring laws, and Theresa May even said it herself once without quite grasping what she'd actually said, saying one thing and thinking it meant another. She once said "We need to build a bigger haystack". No we don't Theresa, we need to get better at finding the fucking needle, not make it harder to find.

      Perhaps the biggest argument I've often made for this is the fact that every single time there is a fucking terrorist attack in the West, it turns out that the perpetrator was known to security services. Lee Rigby's murderers were held by Kenyan security services and MI5 tried to recruit them. The 7/7 and Glasgow airport attackers had all previously been on MI5's radar. The Charlie Hebdo attackers were known to French security services, as was Canada's parliament attacker. The US security services had been alerted to the Boston bombers by the Russian security services. It's the same story time and time again, these attackers don't turn up out of the blue, consistently they're people who have long been on the radar and have reached a point of radicalisation where they decide to cross the line. If we can't even stop people that we know think this sort of terrorist attack is okay, then what the fuck will logging everyone's data achieve? Already security services can't properly vet the risks of people they know about, so even if they get good at pulling additional people out of this data, then what use is that if they still can't properly vet them anyway?

      Given that this is something that's being pushed for by the police, my suspicion is that they're basically asking the UK to give up privacy simply so that the police can catch the low hanging fruit - people who visit known paedophile sites without any kind of obscuring of that fact (for example, by using Tor). They want to be able, once a year, to grab the list of data, compare it against a list of known paedophile websites, and then go out and do a massive publicity gandering raid where they bust down the doors of the hundreds of people they find on this list and then claim yeah, we smashed a massive paedophile ring, not giving a toss about the innocents caught in the crossfire because their PC had been hacked and used as a proxy for the actual perpetrator, just like last time they did this sort of thing after the authorities in America sent them a massive list of credit cards used on such a website.

      You'll have to excuse me therefore if I'm not convinced that this justifies the death of privacy.

      I think you're right to cast aside the slippery slope argument FWIW, I don't put much weight in that view. Frankly if government goes bad, then it'll do that anyway regardless of what the law says - I've not seen the US constitution have any effect on flagrant violations by successive governments in the US since 9/11 for example. I don't think it's worth worrying about slippery slope stuff because if government goes bad you're already fucked regardless of what the law at that point pretends your rights are.

      I think it's far better to concentrate on the actual problems here and now, rather than worrying too much speculating or screaming about slides towards police states and so on- that type of argument never gets us anywhere, because most people in the general public scoff at it and see it as nonsense. It's far better to simply focus on making it clear to people that this move wont have any impact in preventing terrorism, and will mean the police will know everything about their lives.

    9. Re:The contriversial parts in brief. by andrewbaldwin · · Score: 4, Interesting

      "You've completely missed the point of why they want to do this."

      EXACTLY

      And, being an old cynic, that is probably why this question has never been aired on the news, TV, radio... etc (newspapers are a lost cause in the UK).

    10. Re:The contriversial parts in brief. by grahamm · · Score: 1

      Reading the draft bill it's not just web tracking - all IP connecttions would be covered...

      Quote:
      INTERNET CONNECTION RECORDS
      What are they?

      44. A kind of communications data, an ICR is a record of the internet services a specific device has connected to, such as a website or instant messaging application. It is captured by the company providing access to the internet. Where available, this data may be acquired from CSPs by law enforcement and the security and intelligence agencies.

      How are they intending to which Specific Device on a LAN behind a router using DHCP is making the connection? If there are connections, at different times, to a number of services from a particular IP address, how can they tell if it is same device connecting to those services?

    11. Re:The contriversial parts in brief. by Anonymous Coward · · Score: 1

      Yes it does. It doesn't hide the *domain* you visit. Excepting multiple CN / wildcard certificates (where you still know approximately the site they visited) and certificates where the common name doesn't match the domain you entered.

    12. Re:The contriversial parts in brief. by IamTheRealMike · · Score: 2

      And the government knows that, and in fact May has said repeatedly that the data stored wouldn't include the specific pages you visit but only the name of the website.

      The Tories, of course, are painting this as a nuanced compromise with civil libertarians rather than what it is - a pragmatic acceptance that SSL isn't going anywhere so the SNI field (and IP addresses) is all the ISPs can actually see.

      Interestingly, there are proposals to encrypt the SNI. That would lessen the data ISPs can log yet again, probably down to the level of IP address only. Given the prevalence of hosting on CDNs like CloudFront and CloudFlare, this would at a stroke make browsing to sites behind such services largely anonymous.

    13. Re:The contriversial parts in brief. by AmiMoJo · · Score: 2

      Two reasons. Firstly they want the ability to retroactively spy on people. If they have a suspect they don't want to wait to see what they do in the future, they want to fit into their past behaviour. There may be evidence of crimes in there, they argue.

      Secondly, any kind of targeted monitoring will attract additional oversight. They don't want that. The current proposal is that a police officer would ask his colleagues for "permission" to view someone's browsing history, with minimal paperwork and scrutiny. Even under the current rules where they have to make a request for data, they did this over 700,000 times in the last year we have data for. So they basically want to access browsing history millions of times a year with minimal hassle and checks, because democracy and accountability are too much effort.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    14. Re:The contriversial parts in brief. by Mendy · · Score: 2

      "Why are you tracking all the users and generating a huge 'haystack' of noisy data when you could track the 'needle' instead?"

      A possible scenario is that Joe Bloggs is arrested for say drug dealing. They find that Joe Bloggs has 3 mobile phones and 1 ADSL connection. They contact those providers for a list of domains/times/IPs which messaging services were accessed. They use those details to make a request to the messaging providers for access to their messages to see who he contacted.

      I imagine this would be cheaper/quicker than trying to forensically examine the devices. It won't catch any savvy criminals but that also wouldn't have been the case with phone records if they used pay phones or "burners".

      The other, less positive explanation for why they think this useful is that they really are interested in monitoring the haystack to see how many people are visiting the sites of certain campaigns or political parties.

    15. Re:The contriversial parts in brief. by oobayly · · Score: 1

      ...web tracking that makes this bill awful.

      That and the fact that the authorities won't need a warrant to access this data. fishing trips are going to get very popular.

    16. Re:The contriversial parts in brief. by moonlandingchap · · Score: 2

      Lets not also forget that this is not the full detail of the bill and Ms May said that there will be other power added to it after it has passed. Meaning this is the thin end of a large wedge into personal libertie. Having to have encryption that they can crack means sub 2048 key strengeth. basicly if they want encryption that is possible to crack then every motherlover on the internet is going to crack everything. Online banking, online shopping of any kind, secure websites for work, vpns and even you phone encryption will all be illegal as they can't crack any encryption that works. so if we all only use 256bit keys then anyone with a calculator and some time could crack anything they wanted. It's technically unworkable, any business with any sense would leave the UK and run for cover as it would just a hack-fest-free-for-all, in the name of security from the government, an entitie well known for not knowing what security is or even understanding the basics of how it works, let alone digital security. If this passes I'll quit my job and move to another country. Can't wait for IS to hack every bank in the UK for funding, see if that wipes the smile off Theresa May's face. She doesn't have a clue.

    17. Re:The contriversial parts in brief. by Big+Hairy+Ian · · Score: 1

      Not sure I trust ISP's to secure my browsing history against hackers. Ahh well I think my browsing history is going to become very simple lots of entries that all read Opened TOR circuit!

      --

      Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

    18. Re:The contriversial parts in brief. by Oxygen99 · · Score: 2

      Perhaps the biggest argument I've often made for this is the fact that every single time there is a fucking terrorist attack in the West, it turns out that the perpetrator was known to security services.

      While I agree with your sentiment, the corollary to that is just how many people are known to the security services? How many people do they try and recruit? We're turning into East Germany in the 1970s except that we have better technology and we're actually voting the fuckers in.

      --
      I had a dream, bright and carefree, but now there's doubt and gravity
    19. Re:The contriversial parts in brief. by Bert64 · · Score: 1

      A list of domains is also fairly useless, for instance advertising banners often reside on different domains to the site displaying the ads so the logs will show that you visited the domain on which the banner is hosted.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    20. Re:The contriversial parts in brief. by AmiMoJo · · Score: 2

      We really need to keep pushing hard to encrypt everything that it is possible to encrypt. Progress is already being made on having most sites use HTTPS by default, and SNI looks like a good target for an RFC because once adopted by a relatively small number of CDNs it will do an huge amount of good.

      DNS requests and email headers are the other two big issues that needs to be addressed. I'm surprised there is no standard for encrypted DNS yet, can someone explain why it isn't a thing? Even email looks doable, maybe not perfectly but enough to be of great benefit.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    21. Re:The contriversial parts in brief. by LiENUS · · Score: 1

      I'm surprised there is no standard for encrypted DNS yet, can someone explain why it isn't a thing?

      Isn't that what DNSCurve (http://dnscurve.org/) is about?

    22. Re:The contriversial parts in brief. by AmiMoJo · · Score: 1

      Great. So why hasn't it been adopted? Wikipedia seems to imply that it works and Google liked it.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    23. Re:The contriversial parts in brief. by GNious · · Score: 1

      Demands to ISP:
      3. You are paying for it too. Just pass the costs on to your customers or something.

      Wouldn't that be the saving grace? If every ISP in the UK add a 5 GBP/Month surcharge to cover expenses, people will notice and react.

    24. Re: The contriversial parts in brief. by ZeroWaiteState · · Score: 1

      It's a shame they shuttered News of the World so soon. Their time to shine has just about come.

    25. Re:The contriversial parts in brief. by Solandri · · Score: 1

      1. Log every website any of your customers visits and store it for a year.
      2. We're not going to tell you how. That's your problem, but if you can't figure out a way we'll probably fine you. No, we're not excluding SSL.
      3. You are paying for it too. Just pass the costs on to your customers or something.

      All you need to prevent this type of idiocy is a law that requires:

      4. The politicians who pass this law will be the first ones monitored as the law requires, and the results of said monitoring will be freely available for the public to examine.

    26. Re:The contriversial parts in brief. by SuricouRaven · · Score: 1

      Technical issues like that are for the ISPs to figure out. The government only demands they do so somehow.

    27. Re:The contriversial parts in brief. by SuricouRaven · · Score: 1

      The bill explicitly excludes them from monitoring by making it clear that the Wilson Doctrine also applies to internet traffic.

      The commoners get to be monitored by the government, but MPs still value their own privacy.

    28. Re:The contriversial parts in brief. by SuricouRaven · · Score: 1

      It's enough to know that you visit squidporn.jp every week or so, which is quite enough to be useful if you threaten the powers that be.

    29. Re:The contriversial parts in brief. by Blue+Stone · · Score: 1

      >bringing the judiciary into the issuing of warrants for digital searches and interception is a good thing

      It doesn't do that though.

      The warrant is issued by the politician, the judge merely assesses whether it's all been done according to the offical proceedures in place; the judge doesn't determine whether it's a legit target or is proportionate or anything.

      The politicians and their corporate sponsors are still fully in charge.

      --
      Corporation, n. An ingenious device for obtaining individual profit without individual responsibility. - Ambrose Bierce
    30. Re:The contriversial parts in brief. by Bert64 · · Score: 1

      Not really, it's enough to know that a user from your line retrieved at least one file from squidporn.jp, but you cant tell if they actually visited the site or visited another site which had an advertising banner or included script.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    31. Re:The contriversial parts in brief. by SuricouRaven · · Score: 1

      It would give approximate frequency of access too. There has to be a time limit for considering multiple connections part of one session.

  2. The previous article was speculation by 91degrees · · Score: 1

    would also oblige vendors such as Apple not to provide consumer-level encryption that the vendor cannot access itself

    The draft bill says nothing of the sort.

    It does say something that suggests existing law (RIPA) already made this the case, but if that was the case, vendors would not be providing unbreakable encryption.

    1. Re: The previous article was speculation by 91degrees · · Score: 1

      Which part of the bill says that? I mean there's 300 pages so I will admit I just skimmed it.

  3. Encrypt everything by samantha · · Score: 2

    Encrypt everything and take no prisoners. Bring the control freaks down. The future will not be stopped.

  4. Reciprocal Round Trip VPN by Anonymous Coward · · Score: 1

    I could see ISP's automatically pass all client connections through dedicated VPN services of reciprocal ISPs who are out of juristication and just wipe their hands of the whole mess as all their clients are only visiting the same website in country XYZ.

    So UK ISP sends all client traffic to FR ISP's VPN and the FR ISP round trips that traffic back through the UK ISP's VPN. So when the UK government ask the ISP's where their citizens are websurfing they can just say France. Of course latency will suck but it is a small price for your privacy.

    1. Re:Reciprocal Round Trip VPN by Vitus+Wagner · · Score: 1

      It doesn't work this way. Novadays e-commerce websites love to use GeoIP to locate their customers.

      So, when I connect Moscow, Russia online shops via VPN endpoint on Germany, I typically see just "This item doesn't ship to Germany". So, I have to maintain sophisticated proxy configuration, to distinguish between local online services, which I have to go directly and informational web sites, which I can access via proxy to bypass Russian internet censorship.

      Of course, it makes my ISP able to tell police which online shops I've visited recently.

    2. Re:Reciprocal Round Trip VPN by Skapare · · Score: 2

      GeoIP is overrated. VPNs help make it meaningless. I picked my VPN in a country with a language I cannot read, so, now, many ads look like jumbled text to my eyes, as I scan the page.

      --
      now we need to go OSS in diesel cars
    3. Re:Reciprocal Round Trip VPN by Anonymous Coward · · Score: 1

      GeoIP is overrated. VPNs help make it meaningless.

      I believe that, but you need to convince the CEOs of all the online stores, content providers, etc. They don't care about losing the 1 or 2 out of 100 customers who actually know what a VPN is and bother to use one. They're OK with GeoIP being "eh, close enough" as long as it prevents some fraud/content being viewed in a different country/etc. It's one thing if you're just reading text-based sites over your VPN, but if you try to conduct any business at all, you soon realize how many companies are sold on the idea of GeoIP.

    4. Re:Reciprocal Round Trip VPN by jabuzz · · Score: 1

      BBC iPlayer is probably more of an issue that e-commerce ever will be.

  5. Re:Isn't a VPN provider an ISP? by Electricity+Likes+Me · · Score: 1

    Good luck with that? My VPN endpoint is in another country as is the company. They're going to have to do a ridiculous amount of enforcement and blocking, much of which would wind up contravening WTO treaties, to actually limit it.

    Of course the fact you need this service is still ridiculous.

  6. Re:what more can you expect from genocidal UK by Maritz · · Score: 1

    Although you're right, you're an idiot. Punny. ;)

    --
    I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
  7. They say you get the government you deserve... by Wakko+Warner · · Score: 1

    Great job electing a bunch of right-wing assholes yet again, England.

    --
    "Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
    1. Re:They say you get the government you deserve... by pr0nbot · · Score: 2

      Only 24 out of every 100 adults voted for the asshats. It's the electoral system that screws us, but the only people who can fix that are the very asshats themselves... well, until the revolution! Now if you'll excuse me, it's Nov 5, I must... attend to other matters.

    2. Re:They say you get the government you deserve... by Xest · · Score: 1

      The problem is that the UK elects almost entirely based on economic competence. I believe that not one election in the last 100 years has been won by anything other than the party that was polling highest in public perception of economic competence at the time.

      The fact is, that this election, the Tories were the only ones that put forward a compelling argument that they were the most economically competent. Labour was still fumbling over what it's economic policy even was frequently contradicting past claims of policy until a week before the election.

      The Tories didn't win this election so much as Labour lost it. It was Labour's for the taking and they absolutely fucked it. Whilst I voted against the Conservatives, I can fully well understand why they were elected - the opposition just offered no compelling case as to why they would be a better party to run the country other than "We're not those guys!".

      But let's be clear here, Labour also supports this bill and has put forward this bill in the past. Even under Jeremy Corbyn, the most hard left leader Labour has seen in decades, Labour is allowing Andy Burnham to jump forth and declare that Labour fully supports this bill and will not seek to amend this provision or block the bill on the basis of it. This is perhaps unsurprising as even when Labour dropped Blair and subsequently lurched to the centre left under Brown proposals for this sort of law (in fact, with even worse provisions than this one) were common place.

      So I don't think right-wing assholes has much to do with it as apparently the left-wing assholes want it just as much. I think the real problem here is simply the assholes regardless of political leaning.

    3. Re:They say you get the government you deserve... by 91degrees · · Score: 1

      This bill is supported by both Labour and Conservative. So that means at least 44% of voters voted for the "asshats". And a further 33.9% didn't care either way so I don't see why their opinion matters.

      If we switched to proportional representation, then we'd have a Conservative/UKIP coalition. Is that what you'd prefer?

    4. Re:They say you get the government you deserve... by AmiMoJo · · Score: 1

      I don't think we can lay all the blame on the asshats. The British people were given a choice to reform or stick with what we have. The Alternative Vote might not have been perfect, but it was a lot better than what we have. The main objections people seemed to have were "I don't understand it" and "the loser can win", which both boil down to basically the same argument: "hurrr duhhh I'm a fucking moron who is too apathetic to understand a concept easily graspable by the average 8 year old".

      I fear that even given the opportunity to improve our system we would reject it due to the unrelenting stupidity of the British electorate.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    5. Re:They say you get the government you deserve... by JesseMcDonald · · Score: 1

      And a further 33.9% didn't care either way...

      As they say on Wikipedia: [citation needed].

      Those 33.9% weren't asked how they felt about this particular issue. Maybe they really didn't care which representative got elected, when none of the available (and viable) candidates actually represented their views. Maybe they did care, but voting for a candidate whom they agree with on this issue would mean compromising on some other issue that matters to them at least as much; it's not uncommon or unreasonable to have more than one issue that matters to you. Or maybe they're just opposed to the whole system.

      Statistics about the recurring popularity contest between candidates or political parties provide very little useful data regarding specific political views or preferences.

      --
      "The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
    6. Re:They say you get the government you deserve... by UpnAtom · · Score: 1

      This bill is supported by both Labour and Conservative. So that means at least 44% of voters voted for the "asshats". And a further 33.9% didn't care either way so I don't see why their opinion matters.

      Alan Johnson didn't even know what it says. Watch from 11 mins: http://www.bbc.co.uk/iplayer/e...

      If we switched to proportional representation, then we'd have a Conservative/UKIP coalition. Is that what you'd prefer?

      Only if people voted exactly the same way (which they wouldn't) and we didn't use an electoral system that asks the voters about their opinions on all the candidates eg STV.

  8. To paraphrase a music industry executive ... by Laxator2 · · Score: 1

    âoeMost people, I think, don't even know what a rootkit is, so why should they care about it?â
    âThomas Hesse

    âoeMost politicians, I think, don't even know what a VPN is, so why should they care about it?â

  9. "Communications website" by UberVegeta · · Score: 1

    From BBC news: the Home Secretary said, "They would only be able to make a request for the purpose of determining whether someone had for example accessed a communications website, an illegal website or to resolve an IP [internet protocol] address where it is necessary and proportionate to do so in the course of a specific investigation."

    Tell me minister, what's a non-communications website? Last I heard, communications meant literally any situation where information is transferred, from checking rugby scores on Ceefax to weather forecasts in the newspaper to double glazing adverts via snail mail. Call me old-fashioned, but I specifically go on the web to discover information.

    --
    I knew I needed to stop reading Slashdot and finish my PhD when I started to miss articles by Bennett Haselton.
  10. And another thing by andrewbaldwin · · Score: 2

    I know replying to yourself is bad form but...

    The second question that's never asked is

    "If you can remotely 'hack' phones and computers to eavesdrop, surely you can also place evidence and forge records"

    In other words, how on earth can this 'evidence' be considered reliable and trustworthy?

    1. Re:And another thing by AmiMoJo · · Score: 4, Interesting

      The problem is that such evidence is usually secret, so it is impossible to argue against in court. The security services get to show it to the judge, and it's up to him to question if it would allow evidence to be planted. The defendant and their legal team doesn't even get to see it, or know the nature of it.

      There is also parallel construction, which would mean that evidence of hacking could be hidden entirely from the court.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re:And another thing by myowntrueself · · Score: 1

      "Parallel construction" is also known as legalized perjury.



      Theres already a precedent for that in the USA; plea bargaining "I know I'm innocent but I agree to lie under oath to get a reduced sentence since you are going to find me guilty anyway".

      I don't think they allow quite this level of judicial corruption in the UK *yet*.
      --
      In the free world the media isn't government run; the government is media run.
  11. Excludes VPNs? I am not sure this is true. by JPMH · · Score: 1

    The bill contains sweeping powers to allow warrants to be served on "communication service providers in the UK and overseas." (CSPs) An operator of a VPN is surely a CSP, as would be the operator of a server farm. So yes, you can use a secure tunnel. But whatever server that tunnel goes to, the UK wants to be able to compel people to install whatever software and logging onto that they wish -- or else be hit with massive civil lawsuits in the UK courts, and/or have their operatives face arrest if they touch UK soil (rather like the U.S. does for overseas operators of U.S.-facing gambling sites, or indeed Kim Dotcom).

  12. Peaceful Protest by squoozer · · Score: 1

    I would like to suggest a peaceful protest:

    On Monday the 9th November, the day after we remember the men and women that fought for our freedom, don't throw your poppy away instead mail it to your MP at the House of Commons in protest against the Investigatory Powers Bill. Perhaps if they get enough poppies they will remember.

    House of Commons
    London
    SW1A 0AA

    --
    I used to have a better sig but it broke.
  13. Brilliant - This means... by jaseuk · · Score: 4, Interesting

    That the Gov cannot gain access to modern Apple and Microsoft devices. This legislation wouldn't be necessary otherwise. Microsoft and Apple have genuinely closed the encryption / key loopholes that would allow the authorities to force them to unlock these devices.

    This is excellent news, now just to get this bill junked.

    Jason.

    1. Re:Brilliant - This means... by jabuzz · · Score: 1

      No they can just demand you hand over the password, and if you don't throw you in jail for up to three years. Now of course is the evidence on the device might put you in jail for more than three years it would make sense to refuse to hand over the password, especially as almost all sentences in the U.K. run concurrently.

    2. Re:Brilliant - This means... by Fudoka · · Score: 1

      Yes, be nice to see this junked but it just won't happen. Should Labour take over at the next election, whatever moral stance Corbyn takes, he'll be forced top keep it by the "security services", full backed by the power brokers in his own party. The Tories will definitely keep it because it's just part of their on-going Big-Brother state act.

    3. Re:Brilliant - This means... by AmiMoJo · · Score: 3, Interesting

      It's been suggested that if manufacturers are forced to remove encryption from their devices they should simply leave the UK market. I'd support that. Voters are pretty apathetic but take away their iPhones and there will be a revolution.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    4. Re:Brilliant - This means... by Anonymous Coward · · Score: 1

      The U.K. government.
      It actually says nothing of the U.S.A.

    5. Re:Brilliant - This means... by Ash-Fox · · Score: 1

      It's been suggested that if manufacturers are forced to remove encryption from their devices they should simply leave the UK market.

      All that will do is make Chinese brands stronger (they'll evolve due to investment and needs) and become competition for existing handset makers.

      Voters are pretty apathetic but take away their iPhones and there will be a revolution.

      There is a difference between taking away and preventing new sales. Pretty certain a mostly viable replacement would be ready through Chinese makers soon after.

      --
      Change is certain; progress is not obligatory.
  14. why to use a VPN by Skapare · · Score: 1

    Too many ISPs monitor, sniff, any spy on their customers. If that were outlawed, there would not have been so much pressure to make it easy to use things like encryption. Governments that allowed providers to do that made their own bed of nails. Now they get to sleep on it.

    --
    now we need to go OSS in diesel cars
  15. Politics will always run behind state-of-the-art by tommeke100 · · Score: 1

    News at 11.

  16. We do not know what we are doing. by devslash0 · · Score: 1

    Once again it is obvious that the law is written by people who have no experience in the field.

    If I want a job in IT, I need to learn it, understand it, get experience, pass an interview and, most importantly, know what I am doing. Whereas politicians just need to be elected and have a network of connections. I wish one day politicians would have to take mandatory 'entry exams' related to the department they are applying to. A degree in the field wouldn't be bad either. Perhaps then we would have the right and competent leaders in the right places.

  17. VPNs will come later by Maritz · · Score: 1

    I doubt they're so stupid as to completely forget about VPNs, TOR etc. They'll just pretend to suddenly become aware of these things after this passes and then hastily pass a bill making VPN services illegal. Because terrorists/paedos/Nazi Zombies want to eat us.

    --
    I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
    1. Re:VPNs will come later by Xest · · Score: 1

      No, they have a weak majority in the commons and no majority in the lords. They've actually scaled back a lot of controversial parts of the bill for this reason - they want it to pass, that's why apart from web tracking this is a relatively tame bill.

      Things like VPN blocking were axed because they couldn't face yet another rebellion in the commons, or another defeat in the Lords. 75% of the governments bills in the 6 months they've been in power have been defeated in the Lords so far.

      VPN blocking wont be coming back, they it's not a politically viable option for them and they know it. Other things that were scaled back on in the same way were allowing the Home Secretary to be the sole authoriser or the hacking warrants and so forth. A judge is now involved in this process.

      I'm still not 100% confident that web tracking will make it through the commons and Lords for what it's worth. It's far and away the most controversial aspect of the bill still and an easy target for anyone wishing to make life hard for the government, which is basically everyone right now. The only reason it will go through is if Labour forgets they're an independent party capable of standing up to the Tories, something they have forgotten so far on this bill. When their own MPs start asking questions, and people like Tom Watson (now deputy to the leader of the opposition) who you may remember stood almost alone in opposing the awful Digital Economy Act which is own party was putting forward at the time there may be a chance the Labour position will change, if it does I suspect enough Tory MPs will rebel, and the Lords will certainly block.

      Put simply, whether this bill becomes law is more up to Labour now than it is the Conservatives due to the Labour/Lib majority in the Lords and the weak majority in the commons forcing the requirement of Labour support on many votes to see off Conservative rebels.

    2. Re:VPNs will come later by pbhj · · Score: 1

      If you look at the draft it doesn't mention ISPs either - VPN providers are just "telecommunication operators" providing a "telecommunications service", see Section 193-195 for the definitions used:

      >"Communication”, in relation to a telecommunications operator,
      telecommunications service or telecommunication system, includes—
      (a) anything comprising speech, music, sounds, visual images or data of any description
      (b) ..." //

      Also the definition of data made be chuckle, it means anything that's data and any information that's not data too! Presumably that's to counter suggestions that encrypted data isn't data and to encompass types of information transfer that might not have been foreseen.

    3. Re: VPNs will come later by ZeroWaiteState · · Score: 1

      The reason VPNs are not included in the legislation is to keep the wording vague, so that its interpretation can be molded as necessary when they require new authorities.

    4. Re:VPNs will come later by AHuxley · · Score: 1

      It seems the NSA and GCHQ are not really finding any issues with VPN's as they are sold, installed, offered, coded, or the OS they run on.
      The lack of new laws or gov demands that VPN's in the UK are transparent to or responsive to UK law enforcement requests is telling.
      A weakness in the code use, OS or networks would seem to allow gov's to track back the original ip.

      --
      Domestic spying is now "Benign Information Gathering"
  18. Just a power grab by sjbe · · Score: 2

    If we can't even stop people that we know think this sort of terrorist attack is okay, then what the fuck will logging everyone's data achieve?

    Power. Influence. Fear. Control.

    This has nothing to do with terrorism and never did. "Stopping terrorism" is just a means to an end, not the end itself. Like you point out, I'm not aware of a single instance where the criminals were not already known to the authorities for reasons that had nothing to do with their facebook status. This is the police and intelligence services doing a power grab under the fig leaf of "combating terrorism". Much like the TSA in the US it won't result in any actual terrorists being caught but it will give these services vast new capabilities they can use to stay in power.

  19. Use a proxy by CanadianMacFan · · Score: 1

    The bill says that ISPs are to store the domain name that you visit and not the page or anything you pass to it. So they could tell that you would have gone to Google or Bing but not what you searched for. But if you sent everything to a proxy server beyond your ISP then all they see is a bunch of connections to the proxy.

    1. Re:Use a proxy by ledow · · Score: 1

      There's a reason for that that has nothing to do with government intentions.

      Google and others have enabled full encryption for even search terms. Without SSL man-in-the-middle attacks that are plainly obvious on systems affected by them (depending on the root certificates chosen to be trusted), you can't even get that information.

      And going through Google "officially" was something they always could have done. They have no interest in actually obtaining warrants etc. to do this. They want to just sniff traffic. But that's not giving them the information they want, and companies are fighting back, so they have to dial-down their ambitions.

      Using a proxy is no different from that point of view - it's still just an encrypted connection they can't sniff. Whereas if they asked Google to provide data, there would be warrants required and records kept and accountability.

      VPN's are the same. They can't legislate against them without making it impossible to comply with Data Protection legislation for ordinary companies, and they can't sniff them, and they don't want to provide warrants for them. That leaves them with a bill to do exactly what they can currently do - and no more - which is pointless.

    2. Re:Use a proxy by CanadianMacFan · · Score: 1

      I just used Google and Bing as an example. I know that the when using SSL they can only see the host. But my point was if you are on a site that doesn't support it and you visit abc.co/page1.html then the bill says the ISP only has to store abc.co.

      But if you set up something so that all of your browsing looked like
      redirect.me/abc.co/page1.html
      redirect.me/abc.co/image1.png

      then all the ISP would ever save is the redirect.me for all of the sites that you ever visit.

    3. Re:Use a proxy by AHuxley · · Score: 1

      re 'so they have to dial-down their ambitions."
      The GCHQ has a few options to get past the average VPN use. Credit card use would point to a user buying the service. A change in a users logs from varied every day domains to a wall of VPN use.
      The very act of buying into a VPN is removing anonymity detectable on any UK providers logs.
      The question then becomes who is the user, why are they not trusting in their own nations data safeguards and risking their UK data with other random nations staff for ~$5~$10+ a month?
      Once tracked the privacy part of the VPN can be reduced. Are they using a consumer grade router with its own brand of code or is it open sourced flashed for VPN? Did they invest in a fancy one with lots for ram and more cpu?
      What weakness exist in the router? If the "free" US developed consumer OS is been used to run the VPN app its another very easy way in.
      A computer with Linux just to do VPN? Time for some gov backed "Equipment Interference" ie unique, bespoke, one of one crafted malware.
      The VPN protects from random provider log searches from UK gov groups, NGO's looking for domains, keywords, ip's over the years.
      ie a domain (ip) gets flagged by a charity, police, gov, mil, contractors and then the 'fishing expeditions" starts to see who in the UK visited the site over the last year.
      Re 'they can't sniff them, and they don't want to provide warrants for them". The UK will just track every user created VPN and build a profile of the user just from the provider logs. No need to break the codes at first, all in the info on the user or location will build up a nice database.

      --
      Domestic spying is now "Benign Information Gathering"
  20. Rise of the Corporations? by twykr · · Score: 1

    It would certainly provide a simple & effective (if costly/expensive) solution to the issue for the big Orgs (eg Apple, Google, etc).

    If Apple & Google were to stop selling all of their tech products in the UK, and add a disclaimer to anyone buying their equipment that it is not legal to purchase it in the UK, then I suspect the outcry would be heard on Pluto :P

    If ALL of the tech companies that support encryption did this, the UK would quickly find itself sliding into tech oblivion, if it didn't change it's stance. They can't force companies to do business within their territory. This would be an interesting move by the tech companies as well, in forcing a first world power to alter it's legal position, simply by refusing to do business with them. Reminds me of ... just a few movies :P

    twykr.

    --
    -- Never argue with an idiot, because people watching lose track of which is which.