Anyone reading this from the UK: don't lose hope. You can change things. The recent uptick in fascism in the UK is really disheartening but your voice needs to be heard.
For example, they tried to bring in censorship in Australia and failed. Change is possible. Don't be a pushover. You must fight.
This is really bad. Using a vpn or other kind of service to hide that data from them will now make you even more of an outlier to even more eyes/people. You will stand out from being hidden, you will stand out for having a minimal "internet history", and you will stand out to those who can really fsck your life.
Unfortunately privacy is not being taught and propagated to the general public in order to prevent this from harming you either you want it or not.
http2 as a transport, some metadata like url or header as a signal for a load-balancer to route the stream somewhere else (to a vpn endpoint in this case).
Alternative product idea: An open wifi hotspot that replaces the User-Agent and other client-identifying headers for each session with consistent values, regardless of who is connected. Anybody looking can still see what "your connection" did, but there's no longer any way to prove that any person in your household was the one who made it.
Surely the best thing to do is to install software that constantly randomly browses the internet, and properly clogs up any attempt at total logging and/or extracting anything of value out of it. If you're the only one doing it, it will look suspicious, but if you reach any kind of critical mass, I would imagine that it could be quite disruptive.
My plan is to split my network in half, a lot of the traffic I send I really don't care about been monitored (steam/netflix/even work related stuff about programming) but other stuff I do.
That way I'll have a "plane jane" traffic log and some VPN data which is a profile that anyone who works for a large company from home would have.
Unless you put criminal sites in the filter, I can't see how this will help? And if you do...you it will trigger an alert and then they can hax you...legally.
Might be a flippant comment, but that's the first thing that went through my mind. I've never gone deep into caring much about government overreach, but that was a terrifying subconscious reaction.
This may just be a reflection of the fact that signing petitions (especially online ones) achieves very little. Sure you might get a debate in parliament about it but that debate could involve a handful of MPs and take a few minutes, concluding that everything is fine.
This has already been debated extensively in parliament, and got voted through.
AIUI, he is now only allowed to oppose them in private (or leave the cabinet):
"All ministers, whether senior and in the cabinet or junior ministers, must publicly support the policy of the government, regardless of any private reservations."
There is no restriction on where you must live to stand for parliament- I encourage you to stand against him!
Although, I would concentrate on Theresa May herself (I considered doing this at the last election when all this was mooted but blocked by the lib dems, but I stood where I live instead.)
Assuming you are in support of his former public position, I think you'd be shooting yourself in the foot by doing that.
We don't know his private position any more, and it may have changed. But I think it's quite likely that his opinion hasn't changed; he just isn't allowed to state it publicly any more. In this case, it would be better for supporters of this position to keep him in the cabinet, where he can at least have a private influence. Consider this: if we could get everyone in the cabinet to share his opinion, we wouldn't have a problem any more. We need more David Davises in cabinet, not fewer.
The MPs to vote out are all the ones who are publicly in favour of the Snoopers' Charter. We can be far more confident in having an influence in our favour this way.
Depends on how you look at it. Remember that in UK, there's no concept of separation of powers - the Parliament is sovereign, and the executive (monarch excepted) derives all power from it, inasmuch as the Parliament chooses to grant it. And one of those powers is to set policy for the entire cabinet.
In a sense, UK actually has too much democracy, and too few [formal] checks and balances on the power of the elected legislature.
Because there is rarely anyone arguing against the state being more involved in peoples lives, against making activities of the state harder by safeguarding systems against abuse.
But why is that? I mean in Hungary (where I live) there were demonstrations against Internet Tax which is a much smaller concern. This is a country where a lot of people live in apathy and there is no true democracy. UK is a much mature democracy where people care. Or not? I don't understand this.
Petition
Repeal the new Surveillance laws (Investigatory Powers Act)
A bill allowing UK intelligence agencies and police unprecedented levels of power regarding the surveillance of UK citizens has recently passed and is awaiting royal assent, making it law.
The one I always come back to is the National Road Pricing Proposal a few years ago - a big petition (nearly 2 million) completely killed it. It does require a lot of people to get noticed though.
Signed but I suspect this will be treated with as much contempt as other petitions have.
I think the best way of handling this is to have a private code of ethics in the IT industry in the UK. If you are involved in any collection infrastructure, do like a government IT project, and make a complete fucking mess of it I.e. make it cost a fortune and bring bad publicity for any sponsors. Use O(n!) algorithms, use IO heavy storage patterns, piss all over cache lines, spend the entire budget having meetings in Wagamamas, write yourself a new minivan, overestimate everything and play solitaire.
> I do not believe that it is reasonable to allow terrorists, paedophiles and criminals to be able to use these same services out of sight to perpetrate criminal acts which harm UK citizens.
Stick the reply on pastebin with a note explaining how it doesn't stop pedophiles and terrorists, explain how it protects incumbent pedophiles in the political class as per pizzagate, then post it on reddit, 4chan and to the opposition (actually forget the latter as they're just as bad).
I do wonder (perhaps naively) whether this is a genuine misunderstanding of the argument for privacy/encryption or something more malicious. Is it that politicians haven't spent enough time thinking about this or are they willfully ignorant of the wrongness of their argument?
That distinction doesn't really matter. Willful ignorance by anyone in power should definitely be classified as malice. Remember that as your representative, they should be able to explain their actions to you.
It's an interesting point. If they are ignorant (perhaps without the wilful), then perhaps when you present them with facts and information, they might change their mind. If they are malicious, they won't change their mind in the face of any facts or information, because their motivations are underhand and cannot be reasoned with.
I suspect in cases like this it's probably a bit of both (and perhaps in the case of this particular MP, she might just be toeing the party line).
They already are communicating, on huge services like Twitter, that are constantly monitored. ISIS & JaN Surrogate accounts, as well as Assad Regime Loyalists (Which for some, count as Terrorists) freely use online services under the radar.
The time to stop encryption is gone. TOR & Signal have seen to that.
Oh god that must be so much fun. Working on projects with the intent to deliver the worst in every aspect. I'd like to add terrible UI and UX, deliberately throttling any connection to anything and the prerequisite for users to learn obfuscated regex for any simple old search query. Make a ton on teaching absolutely useless knowledge in the process.
In any other circumstances this would be fraud and unethical, sure. But is it when you're preventing digital fascism?
Which droplet would be best for between one to three people?
From what I gather, the ISP has to record the sites you visit—but not the specific pages. Does VPN stop my ISP from seeing the loaded sites? Or do I need Tor for that? I’m not too concerned about complete privacy, I just don’t want every website I just don’t want my browsing history to be leaked.
If you route traffic and DNS to a DO droplet outside the UK, all the ISP sees is a connection to that droplet and how much data was sent, not anything about what it was that was sent.
It neatly circumvents this bullshit, some suspect doing so will put you on a list for a closer look but if your traffic is innocuous who cares, I'm more worried about my useless ISP leaking/losing such data than I am about state intelligence.
Just the existence of these databases held by ISP's built under lowest cost bids will make them a massive target.
Possibly but I'd quite like to exit in another country sinces another layer of bureaucracy for them to deal with and not all countries have equal policies in terms of privacy.
How is your opsec - i.e. do you vary your purchasing pattern, using random numbers to pick intervals between purchases and a variety of vendors?
I only ask, because routing everything over a VPN provides the illusion of privacy while flipping contracts every month provides some element of real privacy. It is easy enough to check on the activity of people pretending to hide their activity (assuming GCHQ has access to the same access that the NSA do), but real resources have to be spent tracking down people who actually hide their activity.
I have no idea how they allocate their budget for tracking potential threats, but somebody flipping prepaid sims would warrant a closer look if I was analysing the logs.
Indeed, that's a good point and I'm aware of that. They can absolutely track me given enough effort; they probably do it anyway since I'm a developer, I just try to make it a bit costlier for them I guess. For now, I don't bother much rotating vendors but it should be something I do indeed!
Until the UK adopts rules regarding SIM card registration which are effective in some other European countries (I know of Germany and Poland): every pre-paid card must be associated with a specific person and vendors won't issue/activate you one until you present them with your ID card.
VPN is your friend. I hope people comes more aware of this government spying. Sad thing is that you needto select carefully services that you use also. Google, Facebook and Twitter you have to avoid. Freedom of speech is a joke these days really. I don't think petitions help anything.
The privacy concerns nonwithstanding, I'm puzzled how ISPs are supposed to actually implement that load of bollocks.
We're talking DPI here, applied as a dragnet on each and every connection. The bill explicitly states that every connection is to be tracked, which means it disallows the stochastic methods that normally are used for traffic instrumentation.
And even storing "just" the metadata, over the course of a year, that's quite a significant amount of data. Where the hell are ISPs supposed to store that? And store it securely in a way, that only "lawfull" access is possible.
That bill is stupid and ludicrous and the people who came up with it should be institutionalized, IMHO. Not just because of the privacy concerns.
Create 291 days ago | parent | on: UC Berkeley profs lambast new “black box” network ...
Transparent monitoring for your protection
In keeping with this spirit, here is a reminder of how we monitor (your) CERN activities. We monitor all network Traffic coming into and going out of CERN.
Our new analysis infrastructure will be able to cope with the automatic live analysis of about one terabyte of data every day. All this data is stored for one year.
That's traffic analysis, not traffic metadata retention. The problem is not the computational load, but the storage capacity and bandwidth requirements.
And what is stored at CERN is the analysis results of the data, not the data history itself. Also it's one TiB/day in total for the whole of CERN.
Which refers to the result of the analysis. If CERN would retain all the data that crosses their network, or just the metadata they'd have to roll in truckloads of HDDs each day.
The problem I see is not the computational power required for implementing the DPI, but the storage capacity and bandwidth required to implement retention for upo to a year. Lets assume that ISPs were applying a data cap of, let's say 200GiB/month. MTU for Ethernet is 1500 octets, with PPPoE it's 1480. IP Headers are at least 17 octets, so around 1% overhead for a optimally utilized connection. In that situation this gives about 2GiB/month of IP header data. Even if you strip that down to just the source/destination address that would still leave you with 800MiB/(customer·month) of data. That's the bottom baseline you have to provision for.
Of course your typical TCP stream is highly redundant and even simple RLE compression will cut that. But ISPs have to provision for the worst case. Currently there are about 60M internet users in the UK.
That would amount to about 536PiB/year of retention data to be provisioned for (worst case). And even if due to redundancies you can compress that down in practice that's still a lot of harddisks to keep around just to store the bare minimum (who with whom, but without context) of a whole country's internet traffic metadata (about 100k HDDs).
That's a significant investment that's expected from ISPs to be implemented in a very short timespan.
Disclaimer: I won't claim to have read the law or even caring about what happens in the UK.
From reading related articles, I get the idea its requirements can be implemented in terms of a browsing history, which could point to a date in the internet archive for all the legislator cares. Hint: that's how you compress browsing habits for > quadrillions of requests.
I don't see why one would need complete packet traces of the whole thing.
> From reading related articles, I get the idea its requirements can be implemented in terms of a browsing history, which could point to a date in the internet archive for all the legislator cares.
Good luck doing that with a TLS secured connection. All you see is the TCP stream between the two peers. And thanks to PFS enforced on the server side you can't even go around and force people to escrow their keys.
> I don't see why one would need complete packet traces of the whole thing.
Because that's the only thing an ISP is able to see of a properly encrypted connection.
But it's useless to save the encrypted bytes so nobody will do it. It doesn't matter the connection is encrypted - you still get the following information:
Source IP, mapped to customer. Timestamp. Target domain (from SNI or the certificate). Passive system identification (os, browser).
The only thing they're additionally interested in is the link and that's the only thing that encryption hides. I'm not sure they even care about cookies and headers in ICR
Also a few years ago DJB proposed to make a systems hostname the nonce of a key/signature and use secured DNS (DNSSEC or DNSCurve) as a means for establishing a web of trust; a CNAME would be used to for translating www.example.com into ${NONCE}.example.com.
Since DNSSEC (and DNSCurve) allow for signature verfication against a small number of root keys (ATM a single digit number) it'd be trivial to ensure an unbroken chain of trust for name resolution, which essentially completely mitigates a state level MitM attack on DNS.
So by combination of securing DNS and nonceing the hostname into TLS certificates you can throw quite a log into state level crypto circumvention. Of course the critical problem is rolling out all the necessary protocol changes and implementation. And of course DNSSEC is used only homeopathically ATM (and yes, I'm guilty of not having implemented for my stuff as well).
So ISPs can now be coerced, by law, to allow for MITM in TLS connections. Another reasonable expectation from buyers of DPI products.
Like I said, nothing technically absurd about this law. It is its profound disregard for privacy that we should be discussing, instead of spending our time on technical issues which are solved.
The domain (hostname) you request is inside the encrypted communications between you and the remote server. Only the TCP information is visible (IP, source port, destination IP, and destination port.)
It's the DNS request which reveals the domain you requested.
Have a look at https communication in Wireshark for example. What you wrote is incorrect. Https reveals the domain at least one time these days. First, ssl extension SNI (https://en.m.wikipedia.org/wiki/Server_Name_Indication) is sent, which reveals the domain you're requesting. This happens before the keys are exchanged.
Then, the matching certificate is sent (again in plaintext) from the server so that you can verify it and extract the keys. It will contain the domain again, although it may be a partial one like *.example.com
So no, the domain is public. The full URL path is encrypted though.
This whole business has got me wondering if it's even theoretically possible to prevent the site identity being visible to middlemen. Like you said below, even without SNI the cert is sent in the clear, and I can't think of a way around that. You'd need to somehow set up a secure channel before communicating site identity, but encryption without authentication is insecure in the face of MITM, and you need to establish site identity before you can authenticate the server.
I suppose, with IPv6, we could do away with shared-IP virtual hosting, and hence SNI at least; and perhaps we could even devise a system whereby the domain is omitted from the cleartext-transmitted handshake, say by using the IPv6 address as the cert's DN instead... but then that numeric address would serve as a surveillable site identifier, and you can still be tracked.
Is there any active research in this area? Is it provably impossible? Anyone know?
But it's more than that. If it's illegal to spy, that means you can't disseminate the fruits of that spying far and wide. You need to resort to parallel construction and carefully safeguarding your sources.
This allows a massive expansion in the scope of capture and use of that information to more agencies in a "legitimate" manner. At least when it was illegal they had to contain the "conspiracy" lest it get out.
Indeed one way to devalue this information would be to swamp ISP servers with 'fake' data; hide our real activities in the noise. What we need is someone to release a modified versions of Chrome/IE/Firefox that spends all your browsing downtime accessing 'dodgy' sites. If everyone starting using it this information would soon become either impossible to store and pointless as everyone is a criminal according to the data.
Now is an excellent time to set up a custom home router (I'm thinking pfsense to send all traffic through a VPN).
The excuse of "if you have nothing to hide, you have nothing to fear" is not only intellectually feeble; it permits a gradual erosion of civil liberties that can easily find the average citizen on the wrong side of the law should any agency casually find it convenient for them to be so. It is a snowball.
On that note. What VPN services are recommended and has anyone got some good guides to this?
I suggest AirVPN (no affiliation). I’ve been using it for more than a year, and it’s reliable, with plenty of servers and good speeds. If I am not mistaken, it’s operated from Italy.
Another option is to rent a VPS/dedicated server somewhere outside the UK, with decent bandwidth and data cap, and configure your own VPN between your systems, using the rented server as the internet gateway.
> Those ICRs effectively serve as a full list of every website that people have visited, not collecting which specific pages are visited or what's done on them but serving as a full list of every site that someone has visited and when.
So running search engine crawlers like yacy or using browser link prefetchers, could cause sites to appear on this list, you haven't even visited?
Even if you don't use that, you have to investigate every link and external site resource, if it points to a domain/site that also hosts illegal stuff? And how do I do that? Using VPN?
Also content and owner of sites change. I can't imagine such "prove" holding up against a good lawyer in a fair court.
What exactly are they logging? IP addresses, reverse domain names, dns lookups?
They just should provide a white list of sites the lawful citizens are allowed to visit. That would make things much easier and safer for everyone. And the government exists to keep the citizen safe, isn't it?
"The first duty of any government is to keep our country and our people safe." - David Cameron
That will be the ultimate end game: whitelist of sites, all of them large companies controlled by the government. Either do what we require or be eliminated from the list. Even VPNs only work if the connection to the VPN is permitted.
UK citizens, help me out: Is there a way you can appeal against laws like this? In Germany, something like that would be thrown out by the Bundesverfassungsgericht, the federal constitutional court. Is there nothing similar in the UK?
Slightly more complex than that, as the ECHR isn't an EU institution, so Brexit won't result in any significant change to the relationship with the ECHR (it's a little more complex than I've made sound, as there are some relatively minor links with the EU).
However, May has stated her desire to also leave the European convention on human rights (and replace it with a UK owned Bill of Rights). This is not something that's happening as part of Brexit, and no bills have been presented before Parliament with this as a component or purpose.
I would assume that the government would take the pragmatic approach that it's better to focus on Brexit for now, and deal with the ECHR once Brexit is over with. However, I have no inside knowledge of this, and that's just my wild and unsubstantiated assumption.
There is one other relevant complexity. ECHR membership is a condition of being a member of the EU. Brexit has to happen for the UK to depart from the ECHR.
So voting for Remain was also a vote to keep the UK locked in to the ECHR. Voting for Leave was also a vote to release that lock.
The European Court of Human Rights is separate from the EU and the UK will will still be part of it after Brexit. But the political climate might be such that leaving ECHR could follow on from Brexit
It'd be great if the UK had a written constitution. But let's also be realistic here. The US also has a written constitution and the NSA has a database exactly like this one anyway, and such databases are also available to a mishmash of random law enforcement bodies. The constitution didn't help.
Also, the UK is signed up to the ECHR which theoretically guarantees a right to privacy. It's sort of like the US Bill of Rights except useless, because it was drafted by Europeans so every right has a giant get-out clause. In this case the so-called "right" to privacy exists only as long as it doesn't conflict with the "needs of a democratic society". That sort of thing crops up all the time in this document.
It's not sufficient to have a constitution. It must have teeth as well.
Germany has a proper constitution which makes it easy to judge if something is unlawful. In the UK, the constitution is just a collection of ways of doing things. That makes it harder to throw a law like this out.
casual user doesn't see a reason to care about its privacy anyway.
if it changes its mind, google already has a lot of guides on the first page of like "protect privacy internet".
I would urge everyone who can to sign the petition against it.
This, in my mind is a problem, not because of the obvious costs (ISPs storing _literally all_ metadata for a year), and the insidous privacy concerns, but how bad Govts are at keeping information secure. Below are 3 recent and well known examples of Government Mass Data leaks- this information will be compromised at some point, for profit or espionage.
IMHO, trotting out "If you've got nothing to hide, you've got nothing to fear" BS doesn't mean that at some point, that data will be misused, even if the UK (My) Government doesn't suddenly turn dictatorial.
I have lots to hide, and I have plenty to fear from the current government. I sincerely doubt that there's anybody out there who doesn't. I'm not going to worry too much about GCHQ and other Security Services, because I seriously doubt they'll be making any requests - I have no doubt that they have a far more comprehensive database in place already, and they're only included in the proposal to lend an air of legitimacy to the proceedings.
What concerns me is the sheer number of groups that are being given access from the start, not because of who is on it, but because somebody has compiled that list in the first place. It suggests that there is already a longer term plan in place for the use of this data, and these are the entities who will need access to achieve that end. Otherwise, surely the approach would be a lot more cautious - "We'll limit it to GCHQ and the Secretary of State for now, and all requestss can go through the SoS. That will give us an idea of who actually needs this data on a case by case basis, and we can tweak the legislation as necessary based on that."
Then you look a little closer at some of the entries. Why would the Fire Service need access? Nothing in their job involves anything to do with individuals, at least not to the degree that they have any requirement for access to any data about them. Well, it doesn't say Fire Service. It says "Fire and Rescue Authorities under the Fire and Rescue Services Act 2004". Take a look at that act. Unless you're in Greater London, your fire and rescue authority is your local council. Why did they feel the need to slip your council in through the back door like that? Granted, access is limited to "Watch Manager (Control)", which sort of sounds like a Fire Service position, but it's vague enough that you could legitimately assign that job title to a Traffic Warden's supervisor without anybody batting an eye.
Why do the Food Standards Agency need access? Access for them is restricted to Grade 6, which doesn't seem to have any job title definitions, only a pay range - as of August 2015 it was £54,000 to £69,500. So any person who commands that salary, regardless of whether they need it for that job, will have this access? That doesn't seem a particularly clever way to manage data access.
> Granted, access is limited to "Watch Manager (Control)"
FFS, are they deliberately choosing the creepiest sounding job titles to give access to?! Sure, it sounds fine when it's linked to the Fire Service, but it sounds dodgy as hell when applied to the Internet Snooper Service.
I don't have anything to hide- but a malicious attacker could easily cause me to.
Step One: Maliciously cause the target to click on a link or open a url (Phishing, Exploit, RFE, XSS etc)
Step Two: With JS, one can easy introduce HTTP connections to any number of websites, such as maybe the Taliban's official website (They have one!), Google Searches for (to think of a few) "Gaziantep Places to Stay", "Turkey Flights", "Opposition to the Kuffar at home", "Dabiq Magazine", "how to join the Khalifah" etc
This could easily be done in a realisic appearing manner, especially to ISP/GCHQ filters and alerts.
Step Three: If any of this tallies with any physical activity (Let's say the target wanted to go Clay Pigeon Shooting, or Visited a Gun Club because he has in interest in .22 target shooting), then they have a case.
Sure, it's defendable, and this is a really simplistic example. But it's basically ruined the target's life.
Remember, it's probably not the "Government" doing this, as this info will be leaked.
EDIT: heck, I'll be stuffed- I tend to actively visit /r/combatfootage...
Here's a nasty example of where this is going. Agencies will be able to compile "watches" on searches across the UK.
The Food Standards Agency will have a trigger for anyone that searches for "Salmonella" for example. They then cross reference the source IP address to any restaurants. Then they march in there and close it down.
Sounds like it is both intrusive and useless at the same time.
If you're not going to see what people did on a site, what's the point? Presumably nefarious stuff like pedo rings and dark markets will not stay in the same place very long.
At the same time, people can see what kind of politics you're into. Or porn. Or dating. Which is not terribly useful for the public interest, but you can see a cop abusing this for personal gain. I think Snowden mentioned his colleagues used to stalk their exes.
Also, anyone who's accidentally left WireShark open will know how much data you're sucking up. It's not actually a small amount, and it compounds if you're an ISP. And it sure isn't easy to filter huge pcap files, which you'll have to do if you want to find something specific. And then you have to glue the clues together, totally non trivial.
Last, how will this be used in court? Knowing what sites someone visited is not evidence they did something. Some guy visits an ISIS homepage, is that because he's curious or he's getting bomb manuals? At best you can use it to suggest some guy is a sympathiser, when he might well not be.
> If you're not going to see what people did on a site, what's the point?
Because you are not a unique and special snowflake. If you regularly go to /r/The_Donald, it says something specific about your politics (probably). Same for /r/LateStageCapitalism or /r/trees. It might not say much, but it adds up to a profile of who you are and what you think about.
If you are emailing certain people, or tweeting them or whatever, GCHQ can build a social graph of people you know, who they know, etc. If you are the friend (or friend of a friend) of a person of interest, you're more likely to be of interest yourself. There are not many criminals like the una-bomber working entirely on their own - most of us need encouragement and/or provocation, and nowadays much of that happens online.
If your search phrases include things like "how to make a bomb", you're probably going to be on a database somewhere. There have been numerous serious court cases (e.g. murder trials) where the prosecution have presented evidence that the accused's search history included phrases like "how to dispose of a body" or "how to poison someone". In other cases, jurors have been dismissed for using Google to research the background to the case they are serving on. I wonder where the information about these searches came from?
Metadata is important for identifying "interesting" people. When you have found them, you "zoom in" and start hoovering up all the information you can find, not just the metadata. It's the greatest spying tool ever, and a way to implement highly repressive government too - just start monitoring people with different lifestyles or "way out" opinions.
This illustrates how slippery the distinction between communications data and metadata really is. The examples in the first paragraph would all just record that you had been to www.reddit.com.
Doesn't that social graph require them to know what you're doing on a given site?
I suppose they already have that power, otherwise we wouldn't have what you describe.
But the article says they're only gathering connection metadata, this law anyway. I guess they're already doing even more intrusive things, at least as a way to know who to get "legit" evidence on.
> Because you are not a unique and special snowflake. If you regularly go to /r/The_Donald, it says something specific about your politics (probably). Same for /r/LateStageCapitalism or /r/trees. It might not say much, but it adds up to a profile of who you are and what you think about.
They won't be collecting that information though. They'll only see that you visited reddit.com in all those cases.
AFAIK browsers will not provide a referrer if the previous page in case you go from https to http. Firefox has an option to disable https to https referer sharing btw.
From the article:
"Those ICRs in effect serve as a full list of every website that people have visited, rather than collecting which specific pages are visited or what's done on them."
And from another site on the same issue:
"When you visit a website you usually start at
the websites homepage such as
www.bigbrotherwatch.org.uk/ the
Government define this part of a website
address (the part before the first forward slash)
as communications data which they consider to
be non-intrusive information." (https://www.bigbrotherwatch.org.uk/wp-content/uploads/2016/0...)
In fairness the law mandates they record the domain, it doesn't say anything about capturing more it just sets a standard for the minimum.
Given that the ISP's have now been given cart blanche to collect data that is very commercially valuable I can see some of them doing it with the hope they can sell it later.
> I wonder where the information about these searches came from?
I've also wondered about that. Presumably it could simply be from the browser history of a seized computer. But now, who knows?
Will it become standard practice to look up the internet history of anyone accused of any crime? Who decides whether this stuff is admissible as evidence?
a way to implement highly repressive government too - just start monitoring people with different lifestyles or "way out" opinions.
Or even better start using it to monitor opponents and discover their weak points and alliances. If you wanted a recipe for tyranny when a vindictive leader comes to power, this is it.
This is really a legalisation of the law-breaking that has been going on for decades from GCHQ, and the expansion of their data out to a huge number of government departments. There will be abuse of this system at all levels.
> If your search phrases include things like "how to make a bomb", you're probably going to be on a database somewhere. There have been numerous serious court cases (e.g. murder trials) where the prosecution have presented evidence that the accused's search history included phrases like "how to dispose of a body" or "how to poison someone". In other cases, jurors have been dismissed for using Google to research the background to the case they are serving on. I wonder where the information about these searches came from
And you can get that straight out the history on the browser of the suspect as well, someone daft enough to google something that incriminating from a machine they own on a connection they own is possibly daft enough to not delete the damn search history.
It's amazing how bad some people are with computers, like astoundingly bad, It's easy to forget as techies/developers that not everyone even understands crudely how a computer works.
As everything else, it takes step at a time... first they will record a website address, the people will calm down and get used to it, ISPs will implement the storage. Then they will find a reason to implement another law that will require to record what we do on the websites. There is no coming back. It will evolve as everything else humans touch.
Slightly unrelated, but there have been a couple of stories in this area recently which have been widely circulated here and on Reddit all by the Belfast Telegraph.
I wonder why that is, just really good SEO on their part?
Mostly SEO. The "Bely Tely" has been moving towards more mass-market tabloid for several years after losing the quality market within Northern Ireland to the Irish News.
Yes, within NI a 'southern' paper now achieves about the same circulation as one from Belfast and a considerably better reputation for journalism. Quite a remarkable failure on the BT's part.
As a result the BT has been trying to adapt by widening its news remit and shifting into the tabloid space, as a visit to one of its web pages will quickly show. But most of its 'world news' stories are just AP feed, nothing special.
My neighbour's fiance is a night-club photographer who sells to the BT; 20 years ago such a thing would have been unthinkable in that paper.
How do they think they can map connection logs with specific persons using the connection? All they can see that from one physical address these particular websites were visited. Sometimes that can actually map to a single person but mostly not. This makes the data more useless than they think but also potentially dangerous if they do not understand what the data means.
I don't have anything to hide- but a malicious attacker could easily cause me to.
Step One: Maliciously cause the target to click on a link or open a url (Phishing, Exploit, RFE, XSS etc)
Step Two: With JS, one can easy introduce HTTP connections to any number of websites, such as maybe the Talibans official website (They have one!), Google Searches for (to think of a few) "Gaziantep Places to Stay", "Turkey Flights", "Opposition to the Kuffar at home", "Dabiq Magazine", "how to join the Khalifah" etc
This could easily be done in a realisic appearing manner, especially to ISP/GCHQ filters and alerts.
Step Three: If any of this tallies with any physical activity (Let's say the target wanted to go Clay Pigeon Shooting, or Visited a Gun Club because he has in interest in .22 target shooting), then they have a case.
Sure, it's defendable, and this is a really simplistic example. But it's basically ruined the target's life.
Remember, it's probably not the "Government" doing this, as this info will be leaked.
Reading the legislation its not "Entire Internet history" as most people would understand it. It looks very much like they are asking for NetFlow data without saying that explicitly. They want a Time stamp, port, source and destination IP and amount of data transferred. This is terrifying, I think the “Internet history” narrative is being setup to be deliberately confusing.
I predict that a year from now there will be a massive data leak (perhaps known to some underground circles only) with personal details matched to browser history - why - because most agencies in UK does not know how to handle your data securely.
Meanwhile, you better setup your VPN on DO or one of the cheap ARM-based cloud hosting companies. That's what I did and it works flawlessly for as cheap as $5 a month - or the price of a cup of coffee.
This setup is fine for all types of activities except downloading larger data files, which can be offloaded elsewhere with some clever routing or just jumping on a different box.
I do understand that this might be too much for the average Joe but if you care about your privacy, that exactly what it takes.
I would urge everyone who can to sign the petition against it.
This, in my mind is a problem, not because of the obvious costs (ISPs storing _literally all_ metadata for a year), and the insidous privacy concerns, but how bad Govts are at keeping information secure. Below are 3 recent and well known examples of Government Mass Data leaks- this information will be compromised at some point, for profit or espionage.
IMHO, trotting out "If you've got nothing to hide, you've got nothing to fear" BS doesn't mean that at some point, that data will be misused, even if the UK (My) Government doesn't suddenly turn dictatorial.
Even if, for whatever reason, you agree with governments being able to access this data in extreme cases (suspected terrorism, whatever) and even if we put aside concerns about governments misusing this power, this bill also relies on ISPs keeping data safe. That is a huge risk in itself.
Not to mention the number of government agencies and departments that can access your data [0]. Does the Department for Transport, Food Standards Scotland or the Welsh Ambulance Services NHS Trust really need access to my browsing history?
The list of agencies that will have access without any form of court order or warrant is truly terrifying. I had not realised it was so severe. It was promoted as being something that can only be "responsibly accessed". But this does not appear to be the case at all?
I'm concerned that information gathered from this will be used in court prematurely to perform "character assassination". And as we know, UK courts have a public gallery full of news reporters searching for juicy stories.
When China does it they just do it without mentioning it.
When we do it, we announce it in the Queen's speech then have a law be published, read and voted through both Houses.
As much as I don't like it, an awful lot of other people either don't care or are fine with it. I wish the result was different but this is what you can get when you have a democracy. I absolutely would not want to swap the systems.
251 comments
[ 5.4 ms ] story [ 259 ms ] threadFor example, they tried to bring in censorship in Australia and failed. Change is possible. Don't be a pushover. You must fight.
Which makes the point about how ridiculous recording an IP address is.
Tons of developer/security websites are blocked on O2 "hacking tools"....
They are using the same nonsensical lists that some web gateways use, anything that is even remotely objectionable is blocked.
Tons of developer/security websites are blocked on O2 "hacking tools"....
They are using the same nonsensical lists that some web gateways use, anything that is even remotely objectionable is blocked.
https://www.linuxjournal.com/content/nsa-linux-journal-extre...
Unfortunately privacy is not being taught and propagated to the general public in order to prevent this from harming you either you want it or not.
Sell a pre-loaded rpi with an automated "average user" browser that you install on your network, while you keep using VPN for everything else.
That way I'll have a "plane jane" traffic log and some VPN data which is a profile that anyone who works for a large company from home would have.
Lose lose all round now.
I'm not so sure that many portions of this law will stand up to legal scrutiny.
This has already been debated extensively in parliament, and got voted through.
From this: David Davis: British 'intellectually lazy' about defending liberty
https://www.theguardian.com/politics/2015/nov/08/david-davis...
To this:
David Davis: Most public opponent of Theresa May’s snooping laws stops opposing them as soon as he enters cabinet
http://www.independent.co.uk/news/uk/politics/david-davis-mo...
"All ministers, whether senior and in the cabinet or junior ministers, must publicly support the policy of the government, regardless of any private reservations."
https://en.wikipedia.org/wiki/Cabinet_(government)
Although, I would concentrate on Theresa May herself (I considered doing this at the last election when all this was mooted but blocked by the lib dems, but I stood where I live instead.)
We don't know his private position any more, and it may have changed. But I think it's quite likely that his opinion hasn't changed; he just isn't allowed to state it publicly any more. In this case, it would be better for supporters of this position to keep him in the cabinet, where he can at least have a private influence. Consider this: if we could get everyone in the cabinet to share his opinion, we wouldn't have a problem any more. We need more David Davises in cabinet, not fewer.
The MPs to vote out are all the ones who are publicly in favour of the Snoopers' Charter. We can be far more confident in having an influence in our favour this way.
In a sense, UK actually has too much democracy, and too few [formal] checks and balances on the power of the elected legislature.
A bill allowing UK intelligence agencies and police unprecedented levels of power regarding the surveillance of UK citizens has recently passed and is awaiting royal assent, making it law.
https://petition.parliament.uk/petitions/173199
* geographically
https://en.wikipedia.org/wiki/Road_pricing_in_the_United_Kin...
[edit: How many signatures does it take before the debate has to be followed by an action?]
I think the best way of handling this is to have a private code of ethics in the IT industry in the UK. If you are involved in any collection infrastructure, do like a government IT project, and make a complete fucking mess of it I.e. make it cost a fortune and bring bad publicity for any sponsors. Use O(n!) algorithms, use IO heavy storage patterns, piss all over cache lines, spend the entire budget having meetings in Wagamamas, write yourself a new minivan, overestimate everything and play solitaire.
She ignored all my points and just said "we cannot let the terrorists and pedophiles communicate".
edit: http://pastebin.com/THvjAvAL
> I do not believe that it is reasonable to allow terrorists, paedophiles and criminals to be able to use these same services out of sight to perpetrate criminal acts which harm UK citizens.
Time is up for this attitude.
I sent it via one of those "contact your MP" forms so I don't have a direct email chain.
I suspect in cases like this it's probably a bit of both (and perhaps in the case of this particular MP, she might just be toeing the party line).
The time to stop encryption is gone. TOR & Signal have seen to that.
In any other circumstances this would be fraud and unethical, sure. But is it when you're preventing digital fascism?
Well you can just point at Capita and say "it works better than their shit did".
https://www.digitalocean.com/community/tutorials/how-to-setu...
From what I gather, the ISP has to record the sites you visit—but not the specific pages. Does VPN stop my ISP from seeing the loaded sites? Or do I need Tor for that? I’m not too concerned about complete privacy, I just don’t want every website I just don’t want my browsing history to be leaked.
Also if you are visiting https site your ISP only see domain name, not pages.
It neatly circumvents this bullshit, some suspect doing so will put you on a list for a closer look but if your traffic is innocuous who cares, I'm more worried about my useless ISP leaking/losing such data than I am about state intelligence.
Just the existence of these databases held by ISP's built under lowest cost bids will make them a massive target.
I only ask, because routing everything over a VPN provides the illusion of privacy while flipping contracts every month provides some element of real privacy. It is easy enough to check on the activity of people pretending to hide their activity (assuming GCHQ has access to the same access that the NSA do), but real resources have to be spent tracking down people who actually hide their activity.
I have no idea how they allocate their budget for tracking potential threats, but somebody flipping prepaid sims would warrant a closer look if I was analysing the logs.
[1] https://security.stackexchange.com/questions/45509/are-there...
It is not safe, that is true, but it's better than nothing for this specific purpose.
We're talking DPI here, applied as a dragnet on each and every connection. The bill explicitly states that every connection is to be tracked, which means it disallows the stochastic methods that normally are used for traffic instrumentation.
And even storing "just" the metadata, over the course of a year, that's quite a significant amount of data. Where the hell are ISPs supposed to store that? And store it securely in a way, that only "lawfull" access is possible.
That bill is stupid and ludicrous and the people who came up with it should be institutionalized, IMHO. Not just because of the privacy concerns.
Didn't Tempora¹ achieve something very similar? This law sounds eerily similar. Still stupid and ludicrous, though.
[1] https://en.wikipedia.org/wiki/Tempora
Transparent monitoring for your protection
In keeping with this spirit, here is a reminder of how we monitor (your) CERN activities. We monitor all network Traffic coming into and going out of CERN.
Our new analysis infrastructure will be able to cope with the automatic live analysis of about one terabyte of data every day. All this data is stored for one year.
http://cds.cern.ch/journal/CERNBulletin/2016/05/News%20Artic...
And what is stored at CERN is the analysis results of the data, not the data history itself. Also it's one TiB/day in total for the whole of CERN.
Which refers to the result of the analysis. If CERN would retain all the data that crosses their network, or just the metadata they'd have to roll in truckloads of HDDs each day.
DPI products have been doing that for years. No biggie.
The law is still stupid, but not for technical reasons, imo.
Of course your typical TCP stream is highly redundant and even simple RLE compression will cut that. But ISPs have to provision for the worst case. Currently there are about 60M internet users in the UK.
That would amount to about 536PiB/year of retention data to be provisioned for (worst case). And even if due to redundancies you can compress that down in practice that's still a lot of harddisks to keep around just to store the bare minimum (who with whom, but without context) of a whole country's internet traffic metadata (about 100k HDDs).
That's a significant investment that's expected from ISPs to be implemented in a very short timespan.
From reading related articles, I get the idea its requirements can be implemented in terms of a browsing history, which could point to a date in the internet archive for all the legislator cares. Hint: that's how you compress browsing habits for > quadrillions of requests.
I don't see why one would need complete packet traces of the whole thing.
Good luck doing that with a TLS secured connection. All you see is the TCP stream between the two peers. And thanks to PFS enforced on the server side you can't even go around and force people to escrow their keys.
> I don't see why one would need complete packet traces of the whole thing.
Because that's the only thing an ISP is able to see of a properly encrypted connection.
Source IP, mapped to customer. Timestamp. Target domain (from SNI or the certificate). Passive system identification (os, browser).
The only thing they're additionally interested in is the link and that's the only thing that encryption hides. I'm not sure they even care about cookies and headers in ICR
Also a few years ago DJB proposed to make a systems hostname the nonce of a key/signature and use secured DNS (DNSSEC or DNSCurve) as a means for establishing a web of trust; a CNAME would be used to for translating www.example.com into ${NONCE}.example.com.
Since DNSSEC (and DNSCurve) allow for signature verfication against a small number of root keys (ATM a single digit number) it'd be trivial to ensure an unbroken chain of trust for name resolution, which essentially completely mitigates a state level MitM attack on DNS.
So by combination of securing DNS and nonceing the hostname into TLS certificates you can throw quite a log into state level crypto circumvention. Of course the critical problem is rolling out all the necessary protocol changes and implementation. And of course DNSSEC is used only homeopathically ATM (and yes, I'm guilty of not having implemented for my stuff as well).
Like I said, nothing technically absurd about this law. It is its profound disregard for privacy that we should be discussing, instead of spending our time on technical issues which are solved.
If they don't terminate SSL a la NSA/google, then all they know is that you're talking to a lot CDNs and cloud provider.
I guess they can try to cross-match that with your DNS queries, but that still is fairly generic.
The domain (hostname) you request is inside the encrypted communications between you and the remote server. Only the TCP information is visible (IP, source port, destination IP, and destination port.)
It's the DNS request which reveals the domain you requested.
Then, the matching certificate is sent (again in plaintext) from the server so that you can verify it and extract the keys. It will contain the domain again, although it may be a partial one like *.example.com
So no, the domain is public. The full URL path is encrypted though.
I suppose, with IPv6, we could do away with shared-IP virtual hosting, and hence SNI at least; and perhaps we could even devise a system whereby the domain is omitted from the cleartext-transmitted handshake, say by using the IPv6 address as the cert's DN instead... but then that numeric address would serve as a surveillable site identifier, and you can still be tracked.
Is there any active research in this area? Is it provably impossible? Anyone know?
They are retrospectively making legal things which have been going on for years.
https://www.theguardian.com/uk-news/2014/jan/28/gchq-mass-su...
This allows a massive expansion in the scope of capture and use of that information to more agencies in a "legitimate" manner. At least when it was illegal they had to contain the "conspiracy" lest it get out.
The excuse of "if you have nothing to hide, you have nothing to fear" is not only intellectually feeble; it permits a gradual erosion of civil liberties that can easily find the average citizen on the wrong side of the law should any agency casually find it convenient for them to be so. It is a snowball.
On that note. What VPN services are recommended and has anyone got some good guides to this?
Another option is to rent a VPS/dedicated server somewhere outside the UK, with decent bandwidth and data cap, and configure your own VPN between your systems, using the rented server as the internet gateway.
"If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him".
So running search engine crawlers like yacy or using browser link prefetchers, could cause sites to appear on this list, you haven't even visited?
Even if you don't use that, you have to investigate every link and external site resource, if it points to a domain/site that also hosts illegal stuff? And how do I do that? Using VPN?
Also content and owner of sites change. I can't imagine such "prove" holding up against a good lawyer in a fair court.
What exactly are they logging? IP addresses, reverse domain names, dns lookups?
They just should provide a white list of sites the lawful citizens are allowed to visit. That would make things much easier and safer for everyone. And the government exists to keep the citizen safe, isn't it?
"The first duty of any government is to keep our country and our people safe." - David Cameron
The TLDR is it's netflow data eg: Source IP, Destination IP, FQDN, Date, Amount of Data
Link: https://www.dontspyonus.org.uk/
However, May has stated her desire to also leave the European convention on human rights (and replace it with a UK owned Bill of Rights). This is not something that's happening as part of Brexit, and no bills have been presented before Parliament with this as a component or purpose.
I would assume that the government would take the pragmatic approach that it's better to focus on Brexit for now, and deal with the ECHR once Brexit is over with. However, I have no inside knowledge of this, and that's just my wild and unsubstantiated assumption.
So voting for Remain was also a vote to keep the UK locked in to the ECHR. Voting for Leave was also a vote to release that lock.
Also, the UK is signed up to the ECHR which theoretically guarantees a right to privacy. It's sort of like the US Bill of Rights except useless, because it was drafted by Europeans so every right has a giant get-out clause. In this case the so-called "right" to privacy exists only as long as it doesn't conflict with the "needs of a democratic society". That sort of thing crops up all the time in this document.
It's not sufficient to have a constitution. It must have teeth as well.
This, in my mind is a problem, not because of the obvious costs (ISPs storing _literally all_ metadata for a year), and the insidous privacy concerns, but how bad Govts are at keeping information secure. Below are 3 recent and well known examples of Government Mass Data leaks- this information will be compromised at some point, for profit or espionage.
https://en.wikipedia.org/wiki/Office_of_Personnel_Management...
http://news.bbc.co.uk/1/hi/uk/7449927.stm
https://www.troyhunt.com/when-nation-is-hacked-understanding...
IMHO, trotting out "If you've got nothing to hide, you've got nothing to fear" BS doesn't mean that at some point, that data will be misused, even if the UK (My) Government doesn't suddenly turn dictatorial.
What concerns me is the sheer number of groups that are being given access from the start, not because of who is on it, but because somebody has compiled that list in the first place. It suggests that there is already a longer term plan in place for the use of this data, and these are the entities who will need access to achieve that end. Otherwise, surely the approach would be a lot more cautious - "We'll limit it to GCHQ and the Secretary of State for now, and all requestss can go through the SoS. That will give us an idea of who actually needs this data on a case by case basis, and we can tweak the legislation as necessary based on that."
Then you look a little closer at some of the entries. Why would the Fire Service need access? Nothing in their job involves anything to do with individuals, at least not to the degree that they have any requirement for access to any data about them. Well, it doesn't say Fire Service. It says "Fire and Rescue Authorities under the Fire and Rescue Services Act 2004". Take a look at that act. Unless you're in Greater London, your fire and rescue authority is your local council. Why did they feel the need to slip your council in through the back door like that? Granted, access is limited to "Watch Manager (Control)", which sort of sounds like a Fire Service position, but it's vague enough that you could legitimately assign that job title to a Traffic Warden's supervisor without anybody batting an eye.
Why do the Food Standards Agency need access? Access for them is restricted to Grade 6, which doesn't seem to have any job title definitions, only a pay range - as of August 2015 it was £54,000 to £69,500. So any person who commands that salary, regardless of whether they need it for that job, will have this access? That doesn't seem a particularly clever way to manage data access.
FFS, are they deliberately choosing the creepiest sounding job titles to give access to?! Sure, it sounds fine when it's linked to the Fire Service, but it sounds dodgy as hell when applied to the Internet Snooper Service.
Step One: Maliciously cause the target to click on a link or open a url (Phishing, Exploit, RFE, XSS etc)
Step Two: With JS, one can easy introduce HTTP connections to any number of websites, such as maybe the Taliban's official website (They have one!), Google Searches for (to think of a few) "Gaziantep Places to Stay", "Turkey Flights", "Opposition to the Kuffar at home", "Dabiq Magazine", "how to join the Khalifah" etc
This could easily be done in a realisic appearing manner, especially to ISP/GCHQ filters and alerts.
Step Three: If any of this tallies with any physical activity (Let's say the target wanted to go Clay Pigeon Shooting, or Visited a Gun Club because he has in interest in .22 target shooting), then they have a case.
Sure, it's defendable, and this is a really simplistic example. But it's basically ruined the target's life.
Remember, it's probably not the "Government" doing this, as this info will be leaked.
EDIT: heck, I'll be stuffed- I tend to actively visit /r/combatfootage...
Here's a nasty example of where this is going. Agencies will be able to compile "watches" on searches across the UK.
The Food Standards Agency will have a trigger for anyone that searches for "Salmonella" for example. They then cross reference the source IP address to any restaurants. Then they march in there and close it down.
If you're not going to see what people did on a site, what's the point? Presumably nefarious stuff like pedo rings and dark markets will not stay in the same place very long.
At the same time, people can see what kind of politics you're into. Or porn. Or dating. Which is not terribly useful for the public interest, but you can see a cop abusing this for personal gain. I think Snowden mentioned his colleagues used to stalk their exes.
Also, anyone who's accidentally left WireShark open will know how much data you're sucking up. It's not actually a small amount, and it compounds if you're an ISP. And it sure isn't easy to filter huge pcap files, which you'll have to do if you want to find something specific. And then you have to glue the clues together, totally non trivial.
Last, how will this be used in court? Knowing what sites someone visited is not evidence they did something. Some guy visits an ISIS homepage, is that because he's curious or he's getting bomb manuals? At best you can use it to suggest some guy is a sympathiser, when he might well not be.
It's a matter of public record that MI5 staff have been abusing their powers and had to be disciplined:
http://www.thetimes.co.uk/article/mi5-misuse-of-surveillance...
That's before some idiot walks out the door with the entire database for an ISP and leaves it on a train.
Because you are not a unique and special snowflake. If you regularly go to /r/The_Donald, it says something specific about your politics (probably). Same for /r/LateStageCapitalism or /r/trees. It might not say much, but it adds up to a profile of who you are and what you think about.
If you are emailing certain people, or tweeting them or whatever, GCHQ can build a social graph of people you know, who they know, etc. If you are the friend (or friend of a friend) of a person of interest, you're more likely to be of interest yourself. There are not many criminals like the una-bomber working entirely on their own - most of us need encouragement and/or provocation, and nowadays much of that happens online.
If your search phrases include things like "how to make a bomb", you're probably going to be on a database somewhere. There have been numerous serious court cases (e.g. murder trials) where the prosecution have presented evidence that the accused's search history included phrases like "how to dispose of a body" or "how to poison someone". In other cases, jurors have been dismissed for using Google to research the background to the case they are serving on. I wonder where the information about these searches came from?
Metadata is important for identifying "interesting" people. When you have found them, you "zoom in" and start hoovering up all the information you can find, not just the metadata. It's the greatest spying tool ever, and a way to implement highly repressive government too - just start monitoring people with different lifestyles or "way out" opinions.
http://ghanadailies.com/2016/11/22/uk-government-plans-porn-...
https://www.theguardian.com/commentisfree/2016/nov/23/niche-...
It's about profiling, how that profile is determined, and who accesses it under what circumstances.
I suppose they already have that power, otherwise we wouldn't have what you describe.
But the article says they're only gathering connection metadata, this law anyway. I guess they're already doing even more intrusive things, at least as a way to know who to get "legit" evidence on.
They won't be collecting that information though. They'll only see that you visited reddit.com in all those cases.
For https sites (green lock icon) they only know domain name, for example reddit.com
And from another site on the same issue: "When you visit a website you usually start at the websites homepage such as www.bigbrotherwatch.org.uk/ the Government define this part of a website address (the part before the first forward slash) as communications data which they consider to be non-intrusive information." (https://www.bigbrotherwatch.org.uk/wp-content/uploads/2016/0...)
Given that the ISP's have now been given cart blanche to collect data that is very commercially valuable I can see some of them doing it with the hope they can sell it later.
I've also wondered about that. Presumably it could simply be from the browser history of a seized computer. But now, who knows?
Will it become standard practice to look up the internet history of anyone accused of any crime? Who decides whether this stuff is admissible as evidence?
Or even better start using it to monitor opponents and discover their weak points and alliances. If you wanted a recipe for tyranny when a vindictive leader comes to power, this is it.
This is really a legalisation of the law-breaking that has been going on for decades from GCHQ, and the expansion of their data out to a huge number of government departments. There will be abuse of this system at all levels.
Google tracks it.
It's amazing how bad some people are with computers, like astoundingly bad, It's easy to forget as techies/developers that not everyone even understands crudely how a computer works.
I wonder why that is, just really good SEO on their part?
Yes, within NI a 'southern' paper now achieves about the same circulation as one from Belfast and a considerably better reputation for journalism. Quite a remarkable failure on the BT's part.
As a result the BT has been trying to adapt by widening its news remit and shifting into the tabloid space, as a visit to one of its web pages will quickly show. But most of its 'world news' stories are just AP feed, nothing special.
My neighbour's fiance is a night-club photographer who sells to the BT; 20 years ago such a thing would have been unthinkable in that paper.
Not saying that's a correct interpretation, but that's likely the conclusion they'll come to.
<iframe src=http://www.isis.com style="visibility:hidden">
Welcome to the watch list.
I don't have anything to hide- but a malicious attacker could easily cause me to.
Step One: Maliciously cause the target to click on a link or open a url (Phishing, Exploit, RFE, XSS etc)
Step Two: With JS, one can easy introduce HTTP connections to any number of websites, such as maybe the Talibans official website (They have one!), Google Searches for (to think of a few) "Gaziantep Places to Stay", "Turkey Flights", "Opposition to the Kuffar at home", "Dabiq Magazine", "how to join the Khalifah" etc
This could easily be done in a realisic appearing manner, especially to ISP/GCHQ filters and alerts.
Step Three: If any of this tallies with any physical activity (Let's say the target wanted to go Clay Pigeon Shooting, or Visited a Gun Club because he has in interest in .22 target shooting), then they have a case.
Sure, it's defendable, and this is a really simplistic example. But it's basically ruined the target's life.
Remember, it's probably not the "Government" doing this, as this info will be leaked.
Meanwhile, you better setup your VPN on DO or one of the cheap ARM-based cloud hosting companies. That's what I did and it works flawlessly for as cheap as $5 a month - or the price of a cup of coffee.
This setup is fine for all types of activities except downloading larger data files, which can be offloaded elsewhere with some clever routing or just jumping on a different box.
I do understand that this might be too much for the average Joe but if you care about your privacy, that exactly what it takes.
I would urge everyone who can to sign the petition against it.
This, in my mind is a problem, not because of the obvious costs (ISPs storing _literally all_ metadata for a year), and the insidous privacy concerns, but how bad Govts are at keeping information secure. Below are 3 recent and well known examples of Government Mass Data leaks- this information will be compromised at some point, for profit or espionage.
https://en.wikipedia.org/wiki/Office_of_Personnel_Management...
http://news.bbc.co.uk/1/hi/uk/7449927.stm
https://www.troyhunt.com/when-nation-is-hacked-understanding...
IMHO, trotting out "If you've got nothing to hide, you've got nothing to fear" BS doesn't mean that at some point, that data will be misused, even if the UK (My) Government doesn't suddenly turn dictatorial.
Even if, for whatever reason, you agree with governments being able to access this data in extreme cases (suspected terrorism, whatever) and even if we put aside concerns about governments misusing this power, this bill also relies on ISPs keeping data safe. That is a huge risk in itself.
Not to mention the number of government agencies and departments that can access your data [0]. Does the Department for Transport, Food Standards Scotland or the Welsh Ambulance Services NHS Trust really need access to my browsing history?
[0]: http://yiu.co.uk/blog/who-can-view-my-internet-history/
I'm concerned that information gathered from this will be used in court prematurely to perform "character assassination". And as we know, UK courts have a public gallery full of news reporters searching for juicy stories.
When we do it, we announce it in the Queen's speech then have a law be published, read and voted through both Houses.
As much as I don't like it, an awful lot of other people either don't care or are fine with it. I wish the result was different but this is what you can get when you have a democracy. I absolutely would not want to swap the systems.