Slashdot Mirror


Controversial New UK Internet Powers Bill Makes No Mention of VPNs (thestack.com)

An anonymous reader writes: The Draft Investigatory Powers Bill presented by the UK Home Secretary Theresa May to Parliament today has caused controversy because it proposes new legislation to force UK ISPs to retain an abbreviated version of a user's internet history for a year, and would also oblige vendors such as Apple not to provide consumer-level encryption that the vendor cannot access itself in accordance with a court order. But perhaps the most surprising aspect of DIPA is that Virtual Private Networks are mentioned nowhere in its 299 pages, even though VPNs are a subject of great interest to Europe, Russia, Iran, China and the United States.

9 of 115 comments

  1. The controversial parts in brief. by SuricouRaven · · Score: 5, Insightful

    Demands to ISP:
    1. Log every website any of your customers visits and store it for a year.
    2. We're not going to tell you how. That's your problem, but if you can't figure out a way we'll probably fine you. No, we're not excluding SSL.
    3. You are paying for it too. Just pass the costs on to your customers or something.

    1. Re:The controversial parts in brief. by Xest · · Score: 4, Insightful

      Yep, it's the web tracking that makes this bill awful. If it weren't for that section the bill wouldn't actually be that bad as security bills go because it's largely an improvement on the status quo - i.e. bringing the judiciary into the issuing of warrants for digital searches and interception is a good thing and an acceptable measure IMO. We already allow judges to issue warrants to smash people's doors down and that's typically seen as acceptable, so I have few qualms with a digital equivalent. Our judiciary are typically good on this front and I have far more trust in them than I do the Home Secretary. The other stuff about banning VPNs and encryption was, as I suspected, bullshit, and the bill says nothing about these things contrary to claims in the summary.

      But the web tracking needs to be stopped, Theresa May has completely understated the implications of what she's proposing claiming it's just like an itemised phone bill. It's not. An itemised phone bill at best tells people who you've called. A list of domains you've visited can tell people everything from your sexuality, to where you shop, to where you bank, to where you plan to go on holiday, to where you work, to who your service providers are, whether you're having or seeking to have an affair (e.g. Ashley Madison), where you get your news from, and so on. As I understand it, the security services weren't too bothered about this power (presumably because they're already intercepting way more than this), and it was actually the police that pushed for this particular measure and yet it's the police I trust with access to this data the least because the police have the lowest barriers to entry, the largest staff count, and the greatest interaction with the public that they can now spy on and so are the most likely to abuse it.

      It's this argument I'll be making to my MP but I don't hold up much hope for this being blocked given that unsurprisingly Labour backs it in part because one of the biggest slimeballs in parliament, Andy Burnham, backs it, and Corbyn still seems to be unable to find anything even slightly representing a spine when he now needs it the most since he's, you know, supposed to be some kind of leader now. Mass use of VPNs by the public will be the only realistic option to fight this.

    2. Re:The controversial parts in brief. by andrewbaldwin · · Score: 4, Insightful

      I've been following this issue and have not yet heard the following question/argument raised.

      Leaving aside all the usual privacy arguments and the slippery slope case of a reasonable regime now going bad in the future, there's still a practical question which would have less impact on privacy and costs.

      "Why are you tracking all the users and generating a huge 'haystack' of noisy data when you could track the 'needle' instead?"

      In other words, why track every member of the public to see if any of them view moneylaunderingterroristpaedophiles.com instead of just looking at subscribers to that site?

      Focusing on a small range of IP addresses and then looking at address headers should be relatively easy.

      Even the effort of maintaining a 'naughty list' of 'bad' sites must be easier than sifting through petabytes of ISP logs.

    3. Re:The controversial parts in brief. by locofungus · · Score: 4, Insightful

      "In other words, why track every member of the public to see if any of them view moneylaunderingterroristpaedophiles.com instead of just looking at subscribers to that site?"

      You've completely missed the point of why they want to do this.

      They don't care at all about this data. What they care about is that GCHQ, MI6 etc. can continue to capture everything in a dragnet (something that they claim was already allowed but was kept so secret that even most of the people in the organizations that were doing it didn't know it was happening).

      They need a way to use that dragnet without admitting to actually capturing everything and possibly decrypting some of it. They'll use the records collected by the ISP to build a case against someone.

      Once they get good at building cases that judges like they can use those skills to take the data from the ISPs to build a case against anyone they don't like for any reason.

      Given the dozens of different domains that data is fetched from for any given page I suspect there's an almost unique fingerprint of connections for many webpages.

      If this bill passes you will also no longer be able to trust things like the raspberry pi - in fact, any hardware made or assembled in the UK will be suspect.

      --
      God said, "div D = rho, div B = 0, curl E = -∂B/∂t, curl H = J + ∂D/∂t," and there was light.

    4. Re:The controversial parts in brief. by Xest · · Score: 4, Interesting

      Yes, this has always been my concern with most internet monitoring laws, and Theresa May even said it herself once without quite grasping what she'd actually said, saying one thing and thinking it meant another. She once said "We need to build a bigger haystack". No we don't Theresa, we need to get better at finding the fucking needle, not make it harder to find.

      Perhaps the biggest argument I've often made for this is the fact that every single time there is a fucking terrorist attack in the West, it turns out that the perpetrator was known to security services. Lee Rigby's murderers were held by Kenyan security services and MI5 tried to recruit them. The 7/7 and Glasgow airport attackers had all previously been on MI5's radar. The Charlie Hebdo attackers were known to French security services, as was Canada's parliament attacker. The US security services had been alerted to the Boston bombers by the Russian security services. It's the same story time and time again, these attackers don't turn up out of the blue, consistently they're people who have long been on the radar and have reached a point of radicalisation where they decide to cross the line. If we can't even stop people that we know think this sort of terrorist attack is okay, then what the fuck will logging everyone's data achieve? Already security services can't properly vet the risks of people they know about, so even if they get good at pulling additional people out of this data, then what use is that if they still can't properly vet them anyway?

      Given that this is something that's being pushed for by the police, my suspicion is that they're basically asking the UK to give up privacy simply so that the police can catch the low hanging fruit - people who visit known paedophile sites without any kind of obscuring of that fact (for example, by using Tor). They want to be able, once a year, to grab the list of data, compare it against a list of known paedophile websites, and then go out and do a massive publicity gandering raid where they bust down the doors of the hundreds of people they find on this list and then claim yeah, we smashed a massive paedophile ring, not giving a toss about the innocents caught in the crossfire because their PC had been hacked and used as a proxy for the actual perpetrator, just like last time they did this sort of thing after the authorities in America sent them a massive list of credit cards used on such a website.

      You'll have to excuse me therefore if I'm not convinced that this justifies the death of privacy.

      I think you're right to cast aside the slippery slope argument FWIW, I don't put much weight in that view. Frankly if government goes bad, then it'll do that anyway regardless of what the law says - I've not seen the US constitution have any effect on flagrant violations by successive governments in the US since 9/11 for example. I don't think it's worth worrying about slippery slope stuff because if government goes bad you're already fucked regardless of what the law at that point pretends your rights are.

      I think it's far better to concentrate on the actual problems here and now, rather than worrying too much, speculating or screaming about slides towards police states and so on - that type of argument never gets us anywhere, because most people in the general public scoff at it and see it as nonsense. It's far better to simply focus on making it clear to people that this move won't have any impact in preventing terrorism, and will mean the police will know everything about their lives.
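
    The two technical claims in this sub-thread, locofungus's point that the dozens of third-party domains a page pulls in form an almost unique fingerprint, and andrewbaldwin's and Xest's point that a "naughty list" match is the cheap needle-style query the police would actually run over the retained records, can both be shown on a toy dataset. The block below is an added example written for this mirror, not code from any of the commenters, the bill, or an ISP. It assumes a hypothetical record format of (client, timestamp, destination domain), which the page does not specify, and all domains, page profiles, the watchlist and the records are constructed for illustration.

```python
"""Inferring visited pages from per-domain connection records (constructed example).

Assumption: the ISP retains one record per outbound connection as
(client_id, ISO timestamp, destination domain). Every domain and record
below is made up for illustration; nothing is real traffic.
"""
from collections import defaultdict
from datetime import datetime

# Hypothetical page profiles: the set of domains a browser contacts when
# rendering each page (first party plus CDN, ad network, analytics, ...).
PAGE_PROFILES = {
    "news.example": {"news.example", "cdn.news.example",
                     "ads.adnet.example", "analytics.example"},
    "bank.example": {"bank.example", "static.bank.example",
                     "fraud-check.example"},
    "shop.example": {"shop.example", "img.shop.example", "ads.adnet.example",
                     "pay.example", "analytics.example"},
}

# Hypothetical "naughty list" for the needle-style query.
WATCHLIST = {"pay.example"}

# Constructed retention records: (client_id, timestamp, domain).
RECORDS = [
    ("c1", "2015-11-04T10:00:00", "news.example"),
    ("c1", "2015-11-04T10:00:01", "cdn.news.example"),
    ("c1", "2015-11-04T10:00:01", "ads.adnet.example"),
    ("c1", "2015-11-04T10:00:02", "analytics.example"),
    ("c1", "2015-11-04T10:30:00", "bank.example"),
    ("c1", "2015-11-04T10:30:01", "static.bank.example"),
    ("c1", "2015-11-04T10:30:01", "fraud-check.example"),
    ("c2", "2015-11-04T11:00:00", "shop.example"),
    ("c2", "2015-11-04T11:00:01", "img.shop.example"),
    ("c2", "2015-11-04T11:00:01", "ads.adnet.example"),
    ("c2", "2015-11-04T11:00:02", "pay.example"),
]


def parse(records):
    """Return (client, datetime, domain) tuples sorted by client, then time."""
    return sorted((c, datetime.fromisoformat(ts), d) for c, ts, d in records)


def sessionise(records, gap_seconds=5):
    """Group each client's records into bursts of closely spaced connections.

    A single page load fans out to several domains within a second or two,
    so consecutive records no more than gap_seconds apart are treated as one
    burst. Returns {client: [set_of_domains, ...]} in time order.
    """
    bursts = defaultdict(list)
    last_seen = {}
    for client, when, domain in parse(records):
        prev = last_seen.get(client)
        if prev is None or (when - prev).total_seconds() > gap_seconds:
            bursts[client].append(set())
        bursts[client][-1].add(domain)
        last_seen[client] = when
    return dict(bursts)


def jaccard(a, b):
    """Set similarity in [0, 1]; 1.0 means the burst matches the profile exactly."""
    return len(a & b) / len(a | b) if (a or b) else 0.0


def infer_pages(records, profiles, threshold=0.6):
    """The haystack approach: score every burst against every page profile.

    Returns {client: [(page, score), ...]} for bursts whose best match clears
    the threshold. Shared domains (ad network, analytics) lower the score of
    wrong pages without making them win, which is the fingerprint effect.
    """
    result = defaultdict(list)
    for client, bursts in sessionise(records).items():
        for burst in bursts:
            page, score = max(((p, jaccard(burst, doms))
                               for p, doms in profiles.items()),
                              key=lambda ps: ps[1])
            if score >= threshold:
                result[client].append((page, score))
    return dict(result)


def watchlist_hits(records, watchlist):
    """The needle approach: flag only records whose domain is on the list."""
    return {(c, d) for c, _, d in records if d in watchlist}


if __name__ == "__main__":
    for client, pages in infer_pages(RECORDS, PAGE_PROFILES).items():
        print(client, [(p, round(s, 2)) for p, s in pages])
    print("watchlist:", sorted(watchlist_hits(RECORDS, WATCHLIST)))
```

    With the constructed records, c1's two bursts match the news and bank profiles exactly, and c2's burst scores 0.8 against the shop profile even though one of its domains (analytics.example) is missing from the log, while the watchlist query needs no profiles at all and returns only the one client that contacted a listed domain. The gap-based sessionising is the weak point a practitioner should note: two pages loaded within the gap window merge into one burst, and a client behind a shared NAT mixes bursts from several users.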

    5. Re:The controversial parts in brief. by andrewbaldwin · · Score: 4, Interesting

      "You've completely missed the point of why they want to do this."

      EXACTLY

      And, being an old cynic, that is probably why this question has never been aired on the news, TV, radio... etc (newspapers are a lost cause in the UK).

  2. Brilliant - This means... by jaseuk · · Score: 4, Interesting

    That the Gov cannot gain access to modern Apple and Microsoft devices. This legislation wouldn't be necessary otherwise. Microsoft and Apple have genuinely closed the encryption / key loopholes that would allow the authorities to force them to unlock these devices.

    This is excellent news, now just to get this bill junked.

    Jason.

    1. Re:Brilliant - This means... by AmiMoJo · · Score: 3, Interesting

      It's been suggested that if manufacturers are forced to remove encryption from their devices they should simply leave the UK market. I'd support that. Voters are pretty apathetic but take away their iPhones and there will be a revolution.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC

  3. Re:And another thing by AmiMoJo · · Score: 4, Interesting

    The problem is that such evidence is usually secret, so it is impossible to argue against in court. The security services get to show it to the judge, and it's up to him to question if it would allow evidence to be planted. The defendant and their legal team don't even get to see it, or know the nature of it.

    There is also parallel construction, which would mean that evidence of hacking could be hidden entirely from the court.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC