Slashdot Mirror


The UK Is About to Legalize Mass Surveillance [Update] (vice.com)

From a report on Motherboard: On Tuesday, the UK is due to pass its controversial new surveillance law, the Investigatory Powers Act, according to the Home Office. The Act, which has received overwhelming support in both the House of Commons and Lords, formally legalizes a number of mass surveillance programs revealed by Edward Snowden in 2013. It also introduces a new power which will force internet service providers to store browsing data on all customers for 12 months. Civil liberties campaigners have described the Act as one of the most extreme surveillance laws in any democracy, while law enforcement agencies believe that the collection of browsing data is vital in an age of ubiquitous internet communications. "The Investigatory Powers Act 2016 will ensure that law enforcement and the security and intelligence agencies have the powers they need in a digital age to disrupt terrorist attacks, subject to strict safeguards and world-leading oversight," a statement from the Home Office reads. Much of the Act gives stronger legal footing to the UK's various bulk powers, including "bulk interception," which is, in general terms, the collection of internet and phone communications en masse. In June 2013, using documents provided by Edward Snowden, The Guardian revealed that the GCHQ taps fibre-optic undersea cables in order to intercept emails, internet histories, calls, and a wealth of other data.

Update: "Snooper's charter" bill has become the law. The home secretary said: "The Investigatory Powers Act is world-leading legislation, that provides unprecedented transparency and substantial privacy protection.

"The government is clear that, at a time of heightened security threat, it is essential our law enforcement and security and intelligence services have the power they need to keep people safe. The internet presents new opportunities for terrorists and we must ensure we have the capabilities to confront this challenge. But it is also right that these powers are subject to strict safeguards and rigorous oversight."

4 of 394 comments

  1. As a UK Citizen by richardkettle4 · Score: 5, Informative

    Look, I know my browsing will be in a huge database that nobody will look at... for now. But if this year has taught all of us anything, it is that things change. If you take these powers, whoever is in power in the future can abuse them. Everyone, no matter how good intentioned, should think about how those powers might be abused in the future.

  2. Re:Not just law by Desler · Score: 5, Informative

    The BBC has multiple stories on this. Maybe you should dislodge your head from your ass?

    From here:

    Blogger Chris Yiu compiled a list of the 48 organisations and departments that will be able to access the browsing records of individuals without a warrant.
    They include various police, military, government and NHS departments as well as the Food Standards Agency, the Gambling Commission, the Financial Conduct Authority and the Health and Safety Executive.

    I found this article in about 20 seconds.

  3. Re:Encrypt! by TheRaven64 · Score: 5, Informative

    The absolute irony is that visiting a site with a self-signed certificate shows the user a warning error (I understand why, don't worry) yet the resulting HTTPS exchange is actually immune to any and all eavesdropping. When visiting a site with a cert authority signed certificate, no error is displayed, yet this connection is vulnerable to anyone who has broken/intercepted the chain of trust.

    Not quite. Both connections are entirely safe from passive eavesdropping. Even if I've compromised a root cert that you're using, that doesn't let me decrypt TLS traffic. It does mean that if I am actively performing a man in the middle attack on you, then you won't notice, because during the initial key exchange you'll connect to me and establish a secure connection and I'll connect to the remote server and establish a secure connection. You'll trust me because I'll use a cert signed by one that I trust. The difference between this and a self-signed cert is that when the server uses a self-signed cert, there's no need for me to compromise a root cert that you trust: I can still perform the MITM attack and you won't know the difference.

    Certificate pinning protects you from this to a degree: If you connect to a server twice and the certificate changes, then there may be a problem. On the other hand, there might not be, and with a self-signed cert, you can't revoke it if it's compromised and you can't easily advertise the fact that this is a replacement cert from the same person (unless you properly self-sign, rather than simply not signing, and people pin your signing cert).

    Certificate transparency protects in both cases, by providing a public log of all of the certificates that have been seen by people connecting to the server. If the server operator sees a cert that they didn't issue, or if you see a cert that's not the same one that other people are seeing, then something is wrong.

    --
    I am TheRaven on Soylent News
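
The pinning trade-off described in the comment above, as an added Python example that is not part of the original comment: the same three connections are replayed against a trust-on-first-use pin on the leaf certificate and against a pin on the operator's signing certificate. `PinStore`, `compare_pin_targets`, the host name and the byte strings are hypothetical and constructed for illustration; the sketch assumes the TLS layer has already verified the signatures linking the chain.

```python
import hashlib

def fingerprint(der: bytes) -> str:
    """SHA-256 over the certificate bytes (DER in a real client)."""
    return hashlib.sha256(der).hexdigest()

class PinStore:
    """Trust-on-first-use store: host -> fingerprint of one pinned certificate."""

    def __init__(self):
        self._pins = {}

    def check(self, host, chain, pin_index=0):
        """chain is leaf-first. Assumption: the TLS layer has already verified
        that each certificate in it is signed by the next one; without that
        check, presenting the pinned cert alongside a rogue leaf would pass.
        pin_index picks what to pin on first use (0 = leaf, -1 = signing cert)."""
        pinned = self._pins.get(host)
        if pinned is None:
            # First contact cannot be checked against anything.
            self._pins[host] = fingerprint(chain[pin_index])
            return "first-use"
        seen = {fingerprint(cert) for cert in chain}
        return "match" if pinned in seen else "changed"

# Constructed stand-ins for certificate bytes (not real certificates).
SIGNER = b"constructed signing cert, example.test operator"
LEAF_V1 = b"constructed leaf cert v1, example.test"
LEAF_V2 = b"constructed leaf cert v2, example.test (routine renewal)"
OTHER_SIGNER = b"constructed signing cert, different issuer"
OTHER_LEAF = b"constructed leaf cert, example.test, different issuer"

def compare_pin_targets(host="example.test"):
    """Replay the same three connections under a leaf pin and a signer pin."""
    connections = [
        [LEAF_V1, SIGNER],           # first visit
        [LEAF_V2, SIGNER],           # operator renewed the leaf
        [OTHER_LEAF, OTHER_SIGNER],  # chain from someone else entirely
    ]
    results = {}
    for label, index in (("leaf", 0), ("signer", -1)):
        store = PinStore()
        results[label] = [store.check(host, chain, index) for chain in connections]
    return results

if __name__ == "__main__":
    print(compare_pin_targets())
```

With the leaf pinned, a routine renewal and a foreign chain both come back as "changed" and cannot be told apart; with the signing certificate pinned, only the foreign chain does.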
  4. Re:Attorney-client privilege abrogated in UK by richardkettle4 · Score: 3, Informative

    'becomes aware of a crime committed by a client': that was your post. If you become aware of a crime, you have to report it. I am not sure what your point was; it is the same in the USA.