Slashdot Mirror


Controversial New UK Internet Powers Bill Makes No Mention of VPNs (thestack.com)

An anonymous reader writes: The Draft Investigatory Powers Bill presented by the UK Home Secretary Theresa May to Parliament today has caused controversy because it proposes new legislation to force UK ISPs to retain an abbreviated version of a user's internet history for a year, and would also oblige vendors such as Apple not to provide consumer-level encryption that the vendor cannot access itself in accordance with a court order. But perhaps the most surprising aspect of DIPA is that Virtual Private Networks are mentioned nowhere in its 299 pages, even though VPNs are a subject of great interest to Europe, Russia, Iran, China and the United States.

21 of 115 comments

  1. The controversial parts in brief. by SuricouRaven · · Score: 5, Insightful

    Demands to ISP:
    1. Log every website any of your customers visits and store it for a year.
    2. We're not going to tell you how. That's your problem, but if you can't figure out a way we'll probably fine you. No, we're not excluding SSL.
    3. You are paying for it too. Just pass the costs on to your customers or something.

    1. Re:The controversial parts in brief. by Xest · · Score: 4, Insightful

      Yep, it's the web tracking that makes this bill awful. If it weren't for that section the bill wouldn't actually be that bad as security bills go because it's largely an improvement on the status quo - i.e. bringing the judiciary into the issuing of warrants for digital searches and interception is a good thing and an acceptable measure IMO. We already allow judges to issue warrants to smash people's doors down and that's typically seen as acceptable, so I have few qualms with a digital equivalent. Our judiciary are typically good on this front and I have far more trust in them than I do the Home Secretary. The other stuff about banning VPNs and encryption was, as I suspected, bullshit, and the bill says nothing about these things contrary to claims in the summary.

      But the web tracking needs to be stopped, Theresa May has completely understated the implications of what she's proposing claiming it's just like an itemised phone bill. It's not. An itemised phone bill at best tells people who you've called. A list of domains you've visited can tell people everything from your sexuality, to where you shop, to where you bank, to where you plan to go on holiday, to where you work, to who your service providers are, whether you're having or seeking to have an affair (e.g. Ashley Madison), where you get your news from, and so on. As I understand it, the security services weren't too bothered about this power (presumably because they're already intercepting way more than this), and it was actually the police that pushed for this particular measure and yet it's the police I trust with access to this data the least because the police have the lowest barriers to entry, the largest staff count, and the greatest interaction with the public that they can now spy on and so are the most likely to abuse it.

      It's this argument I'll be making to my MP but I don't hold up much hope for this being blocked given that unsurprisingly Labour backs it in part because one of the biggest slimeballs in parliament, Andy Burnham backs it, and Corbyn still seems to be unable to find anything even slightly representing a spine when he now needs it the most since he's, you know, supposed to be some kind of leader now. Mass use of VPNs by the public will be the only realistic option to fight this.

    2. Re:The controversial parts in brief. by andrewbaldwin · · Score: 4, Insightful

      I've been following this issue and have not yet heard the following question/argument raised.

      Leaving aside all the usual privacy arguments and the slippery slope case of a reasonable regime now going bad in the future, there's still a practical question which would have less impact on privacy and costs.

      "Why are you tracking all the users and generating a huge 'haystack' of noisy data when you could track the 'needle' instead?"

      In other words, why track every member of the public to see if any of them view moneylaunderingterroristpaedophiles.com instead of just looking at subscribers to that site?

      Focusing on a small range of IP addresses and then looking at address headers should be relatively easy.

      Even the effort of maintaining a 'naughty list' of 'bad' sites must be easier than sifting through petabytes of ISP logs.

    3. Re:The controversial parts in brief. by Anonymous Coward · · Score: 2, Insightful

      Both too many needles and too much hay. Looking at relationships, though: if you and I both go to MadMidnightBomber.com then we may know each other, at least tangentially, and if we also go to a few other obscure forums then it becomes more likely. It's a Big Data approach that ... might work.

      And in the meantime, it lays a wonderful volume of data for scope creep and data leaks (see Talk Talk - yay kid, all your porn habits are public in the brave new world). The fact that the ISP is supposed to secure that data is a figleaf: they're supposed to secure everything already under the DPA and basic good practice.

    4. Re:The controversial parts in brief. by locofungus · · Score: 4, Insightful

      In other words, why track every member of the public to see if any of them view moneylaunderingterroristpaedophiles.com instead of just looking at subscribers to that site?

      You've completely missed the point of why they want to do this.

      They don't care at all about this data. What they care about is that GCHQ, MI6 etc can continue to capture everything in a dragnet (something that they claim was already allowed but was kept so secret that even most of the people in the organizations that were doing it didn't know it was happening).

      They need a way to use that dragnet without admitting to actually capturing everything and possibly decrypting some of it. They'll use the records collected by the ISP to build a case against someone.

      Once they get good at building cases that judges like they can use those skills to take the data from the ISPs to build a case against anyone they don't like for any reason.

      Given the dozens of different domains that data is fetched from for any given page I suspect there's an almost unique fingerprint of connections for many webpages.

      If this bill passes you will also no longer be able to trust things like the raspberry pi - in fact, any hardware made or assembled in the UK will be suspect.

      --
      God said, "div D = rho, div B = 0, curl E = -@B/@t, curl H = J + @D/@t," and there was light.

    5. Re:The controversial parts in brief. by Xest · · Score: 4, Interesting

      Yes, this has always been my concern with most internet monitoring laws, and Theresa May even said it herself once without quite grasping what she'd actually said, saying one thing and thinking it meant another. She once said "We need to build a bigger haystack". No we don't Theresa, we need to get better at finding the fucking needle, not make it harder to find.

      Perhaps the biggest argument I've often made for this is the fact that every single time there is a fucking terrorist attack in the West, it turns out that the perpetrator was known to security services. Lee Rigby's murderers were held by Kenyan security services and MI5 tried to recruit them. The 7/7 and Glasgow airport attackers had all previously been on MI5's radar. The Charlie Hebdo attackers were known to French security services, as was Canada's parliament attacker. The US security services had been alerted to the Boston bombers by the Russian security services. It's the same story time and time again, these attackers don't turn up out of the blue, consistently they're people who have long been on the radar and have reached a point of radicalisation where they decide to cross the line. If we can't even stop people that we know think this sort of terrorist attack is okay, then what the fuck will logging everyone's data achieve? Already security services can't properly vet the risks of people they know about, so even if they get good at pulling additional people out of this data, then what use is that if they still can't properly vet them anyway?

      Given that this is something that's being pushed for by the police, my suspicion is that they're basically asking the UK to give up privacy simply so that the police can catch the low hanging fruit - people who visit known paedophile sites without any kind of obscuring of that fact (for example, by using Tor). They want to be able, once a year, to grab the list of data, compare it against a list of known paedophile websites, and then go out and do a massive publicity garnering raid where they bust down the doors of the hundreds of people they find on this list and then claim yeah, we smashed a massive paedophile ring, not giving a toss about the innocents caught in the crossfire because their PC had been hacked and used as a proxy for the actual perpetrator, just like last time they did this sort of thing after the authorities in America sent them a massive list of credit cards used on such a website.

      You'll have to excuse me therefore if I'm not convinced that this justifies the death of privacy.

      I think you're right to cast aside the slippery slope argument FWIW, I don't put much weight in that view. Frankly if government goes bad, then it'll do that anyway regardless of what the law says - I've not seen the US constitution have any effect on flagrant violations by successive governments in the US since 9/11 for example. I don't think it's worth worrying about slippery slope stuff because if government goes bad you're already fucked regardless of what the law at that point pretends your rights are.

      I think it's far better to concentrate on the actual problems here and now, rather than worrying too much speculating or screaming about slides towards police states and so on - that type of argument never gets us anywhere, because most people in the general public scoff at it and see it as nonsense. It's far better to simply focus on making it clear to people that this move won't have any impact in preventing terrorism, and will mean the police will know everything about their lives.

    6. Re:The controversial parts in brief. by andrewbaldwin · · Score: 4, Interesting

      "You've completely missed the point of why they want to do this."

      EXACTLY

      And, being an old cynic, that is probably why this question has never been aired on the news, TV, radio... etc (newspapers are a lost cause in the UK).

    7. Re:The controversial parts in brief. by IamTheRealMike · · Score: 2

      And the government knows that, and in fact May has said repeatedly that the data stored wouldn't include the specific pages you visit but only the name of the website.

      The Tories, of course, are painting this as a nuanced compromise with civil libertarians rather than what it is - a pragmatic acceptance that SSL isn't going anywhere so the SNI field (and IP addresses) is all the ISPs can actually see.

      Interestingly, there are proposals to encrypt the SNI. That would lessen the data ISPs can log yet again, probably down to the level of IP address only. Given the prevalence of hosting on CDNs like CloudFront and CloudFlare, this would at a stroke make browsing to sites behind such services largely anonymous.

    8. Re:The controversial parts in brief. by AmiMoJo · · Score: 2

      Two reasons. Firstly they want the ability to retroactively spy on people. If they have a suspect they don't want to wait to see what they do in the future, they want to fit into their past behaviour. There may be evidence of crimes in there, they argue.

      Secondly, any kind of targeted monitoring will attract additional oversight. They don't want that. The current proposal is that a police officer would ask his colleagues for "permission" to view someone's browsing history, with minimal paperwork and scrutiny. Even under the current rules where they have to make a request for data, they did this over 700,000 times in the last year we have data for. So they basically want to access browsing history millions of times a year with minimal hassle and checks, because democracy and accountability are too much effort.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC

    9. Re:The controversial parts in brief. by Mendy · · Score: 2

      "Why are you tracking all the users and generating a huge 'haystack' of noisy data when you could track the 'needle' instead?"

      A possible scenario is that Joe Bloggs is arrested for say drug dealing. They find that Joe Bloggs has 3 mobile phones and 1 ADSL connection. They contact those providers for a list of domains/times/IPs which messaging services were accessed. They use those details to make a request to the messaging providers for access to their messages to see who he contacted.

      I imagine this would be cheaper/quicker than trying to forensically examine the devices. It won't catch any savvy criminals but that also wouldn't have been the case with phone records if they used pay phones or "burners".

      The other, less positive explanation for why they think this useful is that they really are interested in monitoring the haystack to see how many people are visiting the sites of certain campaigns or political parties.

    10. Re:The controversial parts in brief. by moonlandingchap · · Score: 2

      Let's not also forget that this is not the full detail of the bill and Ms May said that there will be other power added to it after it has passed. Meaning this is the thin end of a large wedge into personal liberties. Having to have encryption that they can crack means sub 2048 key strength. Basically if they want encryption that is possible to crack then every motherlover on the internet is going to crack everything. Online banking, online shopping of any kind, secure websites for work, VPNs and even your phone encryption will all be illegal as they can't crack any encryption that works. So if we all only use 256bit keys then anyone with a calculator and some time could crack anything they wanted. It's technically unworkable, any business with any sense would leave the UK and run for cover as it would just be a hack-fest-free-for-all, in the name of security from the government, an entity well known for not knowing what security is or even understanding the basics of how it works, let alone digital security. If this passes I'll quit my job and move to another country. Can't wait for IS to hack every bank in the UK for funding, see if that wipes the smile off Theresa May's face. She doesn't have a clue.

    11. Re:The controversial parts in brief. by Oxygen99 · · Score: 2

      Perhaps the biggest argument I've often made for this is the fact that every single time there is a fucking terrorist attack in the West, it turns out that the perpetrator was known to security services.

      While I agree with your sentiment, the corollary to that is just how many people are known to the security services? How many people do they try and recruit? We're turning into East Germany in the 1970s except that we have better technology and we're actually voting the fuckers in.

      --
      I had a dream, bright and carefree, but now there's doubt and gravity

    12. Re:The controversial parts in brief. by AmiMoJo · · Score: 2

      We really need to keep pushing hard to encrypt everything that it is possible to encrypt. Progress is already being made on having most sites use HTTPS by default, and SNI looks like a good target for an RFC because once adopted by a relatively small number of CDNs it will do a huge amount of good.

      DNS requests and email headers are the other two big issues that need to be addressed. I'm surprised there is no standard for encrypted DNS yet, can someone explain why it isn't a thing? Even email looks doable, maybe not perfectly but enough to be of great benefit.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC

  2. Encrypt everything by samantha · · Score: 2

    Encrypt everything and take no prisoners. Bring the control freaks down. The future will not be stopped.

  3. And another thing by andrewbaldwin · · Score: 2

    I know replying to yourself is bad form but...

    The second question that's never asked is

    "If you can remotely 'hack' phones and computers to eavesdrop, surely you can also place evidence and forge records"

    In other words, how on earth can this 'evidence' be considered reliable and trustworthy?

    1. Re:And another thing by AmiMoJo · · Score: 4, Interesting

      The problem is that such evidence is usually secret, so it is impossible to argue against in court. The security services get to show it to the judge, and it's up to him to question if it would allow evidence to be planted. The defendant and their legal team doesn't even get to see it, or know the nature of it.

      There is also parallel construction, which would mean that evidence of hacking could be hidden entirely from the court.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC

  4. Re:They say you get the government you deserve... by pr0nbot · · Score: 2

    Only 24 out of every 100 adults voted for the asshats. It's the electoral system that screws us, but the only people who can fix that are the very asshats themselves... well, until the revolution! Now if you'll excuse me, it's Nov 5, I must... attend to other matters.

  5. Brilliant - This means... by jaseuk · · Score: 4, Interesting

    That the Gov cannot gain access to modern Apple and Microsoft devices. This legislation wouldn't be necessary otherwise. Microsoft and Apple have genuinely closed the encryption / key loopholes that would allow the authorities to force them to unlock these devices.

    This is excellent news, now just to get this bill junked.

    Jason.

    1. Re:Brilliant - This means... by AmiMoJo · · Score: 3, Interesting

      It's been suggested that if manufacturers are forced to remove encryption from their devices they should simply leave the UK market. I'd support that. Voters are pretty apathetic but take away their iPhones and there will be a revolution.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC

  6. Re:Reciprocal Round Trip VPN by Skapare · · Score: 2

    GeoIP is overrated. VPNs help make it meaningless. I picked my VPN in a country with a language I cannot read, so, now, many ads look like jumbled text to my eyes, as I scan the page.

    --
    now we need to go OSS in diesel cars

  7. Just a power grab by sjbe · · Score: 2

    If we can't even stop people that we know think this sort of terrorist attack is okay, then what the fuck will logging everyone's data achieve?

    Power. Influence. Fear. Control.

    This has nothing to do with terrorism and never did. "Stopping terrorism" is just a means to an end, not the end itself. Like you point out, I'm not aware of a single instance where the criminals were not already known to the authorities for reasons that had nothing to do with their facebook status. This is the police and intelligence services doing a power grab under the fig leaf of "combating terrorism". Much like the TSA in the US it won't result in any actual terrorists being caught but it will give these services vast new capabilities they can use to stay in power.