117 comments

[ 3.3 ms ] story [ 199 ms ] thread
Having attempted to read the legislation passed, I actually have no idea in a lot of ways what this bill does and what this bill doesn't cover. (The main thread of what it covers seems terrible).

I consider myself a quite intelligent and logical person, but I get lost halfway through reading it. It seems full of contradictions and half vague statements that could or couldn't cover something.

Are these bills purposefully confusing by design? It seems like you can interpret it in a lot of ways. Why is it not clear, concise and understandable?

Here is the response from the Government to the petition posted:

https://petition.parliament.uk/petitions/173199

"The Government is clear that, at a time of heightened security threat, it is essential our law enforcement, security and intelligence services have the powers they need to keep people safe.

The Investigatory Powers Act transforms the law relating to the use and oversight of Investigatory powers. It strengthens safeguards and introduces world-leading oversight arrangements.

The Act does three key things. First, it brings together powers already available to law enforcement and the security and intelligence agencies to obtain communications and data about communications. It makes these powers – and the safeguards that apply to them – clear and understandable.

Second, it radically overhauls the way these powers are authorised and overseen. It introduces a ‘double-lock’ for the most intrusive powers, including interception and all of the bulk capabilities, so warrants require the approval of a Judicial Commissioner. And it creates a powerful new Investigatory Powers Commissioner to oversee how these powers are used.

Third, it ensures powers are fit for the digital age. The Act makes a single new provision for the retention of internet connection records in order for law enforcement to identify the communications service to which a device has connected. This will restore capabilities that have been lost as a result of changes in the way people communicate.

Public scrutiny

The Bill was subject to unprecedented scrutiny prior to and during its passage. The Bill responded to three independent reports: by David Anderson QC, the Independent Reviewer of Terrorism Legislation; by the Royal United Services Institute’s Independent Surveillance Review Panel; and by the Intelligence and Security Committee of Parliament. All three of those authoritative independent reports agreed a new law was needed.

The Government responded to the recommendations of those reports in the form of a draft Bill, published in November 2015. That draft Bill was submitted for pre-legislative scrutiny by a Joint Committee of both Houses of Parliament. The Intelligence and Security Committee and the House of Commons Science and Technology Committee conducted parallel scrutiny. Between them, those Committees received over 1,500 pages of written submissions and heard oral evidence from the Government, industry, civil liberties groups and many others. The recommendations made by those Committees informed changes to the Bill and the publication of further supporting material.

A revised Bill was introduced in the House of Commons on 1 March, and completed its passage on 16 November, meeting the timetable for legislation set by Parliament during the passage of the Data Retention and Investigatory Powers Act 2014. Over 1,700 amendments to the Bill were tabled and debated during this time.

The Government has adopted an open and consultative approach throughout the passage of this legislation, tabling or accepting a significant number of amendments in both Houses of Parliament in order to improve transparency and strengthen privacy protections. These included enhanced protections for trade unions and journalistic and legally privileged material, and the introduction of a threshold to ensure internet connection records cannot be used to investigate minor crimes.

Privacy and Oversight

The Government has placed privacy at the heart of the Investigatory Powers Act. The Act makes clear the extent to which investigatory powers may be used and the strict safeguards that apply in order to maintain privacy.

A new overarching ‘privacy clause’ was added to make absolutely clear that the protection of privacy is at the heart of this legislation. This privacy clause ensures that in each and every case a public authority must consider whether less intrusive means could be used, and must have regard to human ...

And this is why people in the UK are apathetic. Civilized protest is greeted by official jargon that basically says 'we do what we want'. Just like when we objected to the original RIPA.

The agencies and authorities that pressurise and cajole Governments into these actions are unelected and play the long-game. They can wait and ride-out any Paliament that is insufficiently malleable.

Which reminds me to update my collection of encryption program source code whilst I still can.

It's creepy as hell how reasonable it sounds, and yet, it says nothing. I mean, if I didn't really care about it, like most people, I'd probably think something in the lines of "Well, that's sensible", and forget about it.
I live in the UK and the thing that's disturbed me most about all this is how little coverage there's been and how little outrage there is about the consequences of this law. I genuinely think as a country we've given up. There's no enthusiasm for any cause and no one has any will left to stand up for the things they ought to care about. It's a weird atmosphere here now.
Yes, the lack of outrage is worrying to say the least.

What I find very disturbing is the response I've got from some people in regards to signing the petition against the legislation.

"I don't want to sign that, I will probably end up on some watchlist".

This is incredible, to admit this you are basically admitting that we no longer live in a free democracy. If you cannot sign a petition regarding basic civil liberties without ending up on a watchlist then you do not live in a free democracy. Upon me telling them this, I am usually then greeted with a shrug.

Good point. Whenever I post about the snoopers charter, I even have friends jumping in arguing that it's a good idea and that it's necessary in order to protect us from terrorists and pedophiles. As hypocritical and intellectually lazy as it sounds, I delete their comments.
If your friends are reasonably bright/open to discussion, but are making the "I have nothing to hide, so why should I worry" argument, and their genuine fear is terrorists blowing up their kids - I've had a little success with the "You might not have anything to hide, but others may." Then remind them that some people may be hiding things for good reason (fear of ostracisation/violence/death) as a result of social or religious reasons, and that if a list like this become public it could seriously affect _other people's_ lives, has sometimes made people take note. Obviously you have to choose your argument carefully.
In The Netherlands nobody had anything to hide, like the Jews around WW2. It was all neatly recorded who was a Jew and made things a whole lot easier for the Germans once they got their hands on the records after they invaded.

People might not have anything to hide now, but things can change... fast.

Yeah. My point exactly.
Even if you believe it's a necessary evil in principle, the implementation is bad enough to want to be against this particular law. The list of agencies who could gain access is laughable and there's nothing that fills me with confidence about ISPs storing people's browsing history with proper security. Three and TalkTalk have both had massive data breaches recently, and I have precisely zero confidence that there won't be a huge data breach/leak in the next few years.
Hopefully the knee-jerk reaction to the inevitable massive leak will put this law where it belongs.
that's because it's meaningless. they're doing all this and more already and this is just to make it official. signing a petition wont change a single thing. you can safely assume that legal or not all your traffic is monitored and stored forever and that's not going to change ever.
I'm vehemently against this legislation - but I also did not sign the official petition. One reason was that, yes I might end up on some list. I believe that risk is very small but the reward potential of signing the petition is effectively zero so why bother taking the risk? The bill had no real opposition so what use is a debate going to be, especially when all it now requires is royal assent (Edit: Just saw that happened yesterday, fuck). A debate would have been useful 12 months ago.

At this stage the important thing is to have it go through the courts and have them stop it. Hopefully, as long as we're still in the EU, the ECJ can do something to at least water this bill down. At the very least I would like to see the requirement for Internet Connection Records to be held for everyone to be removed. I don't like the ability for 12 months of data to be collected with a warrant but at least there is some process there and some oversight.

I couldn't understand that either. The thought of getting on a watchlist didn't even cross my mind, which might be naive although I'm cynical enough to at least entertain the possibility now it's been brought up. Ultimately though I'll keep acting like we're a free democracy, signing petitions against laws I don't agree with etc., until proven otherwise.
I have a feeling that UK people have decided not to care about hypotheticals, and that includes laws that technically exist but aren't inconveniencing them right now. People basically assume that the law lets the government do as it damn well pleases, or lets it off for doing so with a totally ineffectual slap on the wrist. Therefore the content of the law is irrelevant.

If the government uses the law to do bad things, people might start to raise a ruckus.

> If the government uses the law to do bad things, people might start to raise a ruckus.

Perhaps it even needs to be 'do bad things to them' before ruckus-raising ensues.

The problem is when the laws inevitably start including clauses that make it illegal to talk about the bad things that are done.

Because... terrorism?

What frighten me most is that Labour, supposedly the official opposition to the government, refused to try to stop or improve this bill. Instead they waved it through, abstaining on key votes, and not bothering to table amendments.

All of this is despite Labour being run by figures who have a long history of opposing government authoritarianism. For example, Jeremy Corbyn didn't vote against it. Shami Chakrabarti, who spent years running Liberty, an organisation dedicated to protecting individual liberties, abstained.

What the hell is going on behind the scenes when people like that have been successfully silenced?

When a law this far-reaching and repressive is passed with a conspiracy of silence and acquiescence from both the media and the political establishment, you have to conclude that UK democracy is basically non-functional. It's over.

> when people like that have been successfully silenced

Corbyn's a fucking clown. I wouldn't expect him to do anything effective about... well, anything.

His competence isn't really the issue though. Even his biggest opponents admit that he's principled to a fault. He's spent his whole career rebelling against his own side on points of principle, attending anti-government protests and rallies, etc.

I wouldn't necessarily expect Corbyn to organise an effective opposition to this bill, but I would expect him to offer some opposition. For him not to do so is not just disappointing, it's unbelievably weird. It's the kind of unexplained weirdness that means you have to start asking what is going on, and what kind of pressures are being applied, in order to prevent him doing so.

The pressure is being Labour party leader. Labour PMs don't want him to take any more unpopular positions, and he himself must know now that he has to lead the party first and be principled rebel second.

I like him as a politician, but Labour needs a leader that can unite both sides of the party that the leadership contest and the referendum exposed. Even if Corbyn wants to do this, the view now from the outside is that he can't.

But is this something he actually cares about? My impression is that while there are certainly some left/liberal principles he cares strongly about, there are also some that he doesn't seem to care about at all.
Labour are currently scared to be an opposition in case they get on the wrong side of public opinion and increase their political losses further.

Anything that can be spun as anti-British (i this case making it harder for security services and the military to "do their job") in the current climate is not a battle they want to fight unfortunately.

I have been wondering the same - where the fuck is Labour?

Where in UK politics is the voice of social progress and individual freedom?

It seems to be too busy tearing itself to pieces over idealogical minutiae to be any sort of useful opposition.

Even the SNP seem to be avoiding addressing this issue in any meaningful way, when asked a few years back whether things would be better in an independent Scotland they said:

"The primary function of government is to ensure the security of its citizens and to protect them, their property and way of life against threats. An independent Scotland will have security arrangements that are proportionate, fit for purpose and reflect a full strategic assessment of Scotland's needs and the threats we may face."

Which is great non-answer answer!

https://www.theguardian.com/commentisfree/2013/nov/03/nsa-su...

They're still there, that's the problem.

I think it's time for the Labour party to go out to pasture. There needs to be a split, take some Conservatives, some UKIP (maybe, if there's any more moderate ones left) but enough to lose the baggage of any one party, lose the extremes and head for the middle ground.

Unless that happens (and it seems at this point it won't) I don't see there being an effective opposition anytime soon.

If there's one thing that Brexit, Trump and the rise of UKIP has proven it's that the public has lost its appetite for "moderation".

Labour needs to focus on deselecting the Blairites who were in favor of 'moderately' invading Iraq and are 'moderately' in favor of making the snooper's charter even worse (e.g. like Yvette Cooper).

I didn't know Shami Chakrabarti abstained. That's totally mad. If there's one thing I would have thought we could rely on her for it was to vote against things like this.

The Labour party have been completely neutered. The membership and the unions clearly want them to take a much more radical left wing approach but the party establishment still want them to be the party Blair built and it's caused this weird stalemate. I think Blair would have backed this bill.

An interesting point is that the bill has exceptions for journalists. I suspect that has encouraged the media to keep pretty quiet about it.

What's weird is that she (and Corbyn) were vehemently against it for a while and then suddenly she went quiet and abstained.
I think Blair almost certainly would have backed this. The other day I rediscovered this article from 2008 about councils using RIPA to catch people littering and flytipping:

http://www.telegraph.co.uk/news/uknews/3333366/Half-of-counc...

> The Tories condemned the latest figures as further evidence that the law had become a "snooper's charter". "Under Labour, the rights and liberties of law-abiding citizens are being eroded through plans for ID cards, sinister microchip spies in bins and abuse of anti-terror laws by councils," said Eric Pickles, the party's communities spokesman.

Strange reading nowadays. I wonder what Eric Pickles makes of it all.

Between government mouthpieces and DA-Notices I can understand how the media silence could come about. But the lack of opposition, by people whose entire careers have been built around opposing the government, is quite concerning.

If there is a reason this policy has such broad cross-party support then why isn't anyone allowed to explain what that reason is?

I was completely shocked that Shami Chakrabart, once the head of Liberty[1] abstained, I thought she was the one ally we definitely had in the bag. I wonder what caused the turnaround; same for Jeremy Corbyn, complete U-turn in position in a really short space of time.

I mean, I'm trying to resist looking for my tinfoil hat but does anyone know of any agencies that have a decade's worth of everybody's communications history and Meta data that may or may not be used against somebody to sway their opinion on a particular subject? No? Didn't think so.

I still feel mad and a bit wrong typing that second paragraph as five years ago it would have just been complete conspiracy theory, but now it's just been passed into law. My country is a disturbing place right now.

[1]: https://www.liberty-human-rights.org.uk/

No need for any tinfoil hats:

https://www.theguardian.com/uk-news/undercover-with-paul-lew...

" A whistleblower, Peter Francis, has revealed that police compiled secret files on the political activities of Corbyn and nine other MPs, even after they had been elected to the House of Commons.

Francis disclosed that he had read the files on the 10 MPs while he worked for the Metropolitan Police’s special branch.

He added that he had personally collected information on Corbyn, and two other MPs, while he was working undercover infiltrating anti-racist groups in the 1990s. Read this and this for more details of his revelations that were made in March this year."

I don't doubt that the same people who ordered the monitoring of "subversive" anti-racist groups are the same people who are calling him an anti-semite.

Those motherfunsters. But surely this increases my need for a tinfoil hat, no?
Chakrabarti's turnaround is a result of her peerage (which in turn was a thankyou for her support in her impartial review into anti-semitism in the Labour party^).

She'll obviously tow the Corbyn line, and it's most likely that this line was set by the PLP. There's been talk about Andy Burnham (who's running for Mayor of Manchester) having raised concerns, but ultimately bowed out after being told about safeguards being put in - he never actually checked the safeguards and was apparently somewhat surprised when he found that they didn't actually exist.

^Before anyone says otherwise bear in mind Corbyn refused to nominate people to the Lords based on his opposition to the Lords, and she's the only nominated peer he's put forward, immediately after the review concluded but before the internal election.

> What the hell is going on behind the scenes when people like that have been successfully silenced?

Just think: who has the most to gain? And don't stay limited to the UK.

Everyone is just assuming that Corbyn and Chakrabarti had their arms twisted. But, one, if they were vulnerable to that, don't you think it would have been done before in the many other times they've been nuisances to the state? And two, I don't believe that an arm-twist exists that would get them both to shut up and smile, rather than sing out and damn the consequences. Nor is it plausible to stifle such a public disclosure these days.

So perhaps they were persuaded by actual persuasion, rather than a gun to the head?

Such as for example, somebody had a quiet word with them about The Aliens.

Labour gave us RIPA in the first place. They want surveillance as much as the Tories.

The problem is, there are no major parties which are opposed to it. There is no choice.

If you think Labour is in favour of individual rights over the rights of the state, you haven't been paying attention.
As a fellow Brit, I agree and it also feels like the timing of this was conveniently done while Brexit was going on and the US election. I think we're all fatigued right now which isn't fair.
I've posted this on my facebook and I immediately got 3 people telling me that they don't have anything to hide and I'm being paranoid. They are all British.

I really think that UK suffers because it hasn't gone through a restrictive communist government that had extended surveillance and censorship - so that now, in 2016, people don't know how to recognize signs of what's coming.

I had that exact conversation with my wife yesterday. It's infuriating. Luckily, I live outside the UK and have done for nearly 5 years now. I don't see me returning for any length of time.
I always find it kind of ironic when things like this get shared on Facebook. If you don't want the UK government to know everything about you, why would you be happy for a private, tax-dodging corporation to?
If everyone uses Facebook to consume their news then what better way is there to spread information?
Airstrip One? If they think they have nothing to hide, you could ask them whether they'd be happy with a telescreen in every room of their house or flat.
There has been more outrage about animal product (tallow) used in the new £5 notes...
That's why people don't trust the mainstream media anymore. They've become to close to power, and they only report on things that they know aren't offensive to those on power. So they avoid talking about protests or power-grabbing laws.
All the attention being put on Brexit provided the perfect cover for this, similar to the crap stuffed into the unPatriotic Act
Hypernormalization? Living in an Unreal World: https://www.youtube.com/watch?v=PtjfoEvsR9w

Or are we at stage three of Dmitri Orlov's Five Stages of Collapse (http://cleaves.zapto.org/news/attachments/nov2009/5stagescol...)?

Stage 3: Political collapse. Faith that "the government will take care of you" is lost. As official attempts to mitigate widespread loss of access to commercial sources of survival necessities fail to make a difference, the political establishment loses legitimacy and relevance.

Imo people need to attack the hard problem of changing the political landscape, limiting the power of the government and making it accountable. Fighting each and every overreach is way harder than limiting them in the first place. It is completely logical that the government is grabbing for more power as long as it is not incentivized to actually serve the people.
(comment deleted)
That is the old petition, they have already responded. We need a new petition.
Not been considered for debate yet. The response was triggered by 10,000 votes.
(Is it not 100,000?)

Genuine question - has anything ever happened as a result of these petitions? When it has been debated, has there been a meaningful change afterwards?

No, nothing has happened. 100,000 signatures means it's considered for debate, not guaranteed. The response is inevitably:

"We have considered debating this and decided actually we don't fancy it. Keep signing the petitions though, they definitely make a difference and don't think about taking direct action of any form."

In some cases ("pasty tax" and stuff like that), popular petitions added pressure to the pile that eventually forced policy U-turns. On their own they are pretty useless.
> "There may be not much point using a VPN to conceal your web activities if it can be blown open by a technical capability notice."

If my computer makes a VPN connection with a machine outside of the UK, is the above claim still valid?

From the article:

> "The UK government can certainly insist that a company not based in the UK carry out its orders – that situation is specifically included in the new law – but as to whether it can realistically impose such a requirement, well, that will come down to how far those companies are willing to push back and how much they are willing to walk away from the UK market."

Missed that. Thanks.

But I cannot see why someone would comply with that. For example getting an AWS machine in Ireland, is that within the "UK market"? Does amazon have to comply just because many customers are in the UK? And will we ever know if they do comply? What a mess.

Exactly. And think about private keys for SSL certificates. I'm not even sure if those are covered by the legal wording, but I wouldn't be surprised if they were.
Still, I'm not sure how that will work. Say I spawn a VPS, and I start my VPN server in there. Can Amazon just go in there and snoop somehow? My keys are encrypted, even if they can see the disk they are on, and the traffic also. All it can do is see the network traffic that originates from that machine, and log that.
They can easily look at the RAM of the VM and get the plain-text encryption keys for SSL or VPN or whatever.

I'm absolutely sure by now someone has written a program to automate this, and to be honest I expect some governments already force some companies to do this.

Assume that if someone has physical access, the machine is compromised.
The answers to your questions will come down to which a particular company values more -- their UK revenue or the privacy and safety of their UK customers.
I would like the crypto-experts of HN to help understand what consequences this has. For example, I have whatsapp with E2E encryption. Can the government read my texts now?
"Can the government read my texts now?"

It is impossible to read properly encrypted data. However, this law enables government to require tech firms to deliberately break cryptography in their products.

@grandparent: In other words, no, they can't read the texts you've sent up to this point. But they may be able to a month or year from now. Your texts up to the point the law passed are safe, but you can't be sure about the messages you send from now on.

(well, as safe as they were prior to the Snooper's Charter).

So the question will come down to how much leverage the UK government has over which companies?
Essentially, yes -- it will be down to whether the company is willing to risk having to withdraw from UK market. And if a company does choose to cave in into UK government's demands for backdoors, you can't be sure whether or not they would inform you of this in a timely manner.
You didn't answer my question, you just avoided it.
They key part in my answer is "properly encrypted data". I don't anything about your op sec or crypto tools you are using, so I can't answer if your texts are read by the government. The problem is that soon "properly encrypted data" might be outlawed in UK.
I do find such a law quite strange though. The intention (at least for public consumption) was to help "prevent" terrorism. Not sure how the NHS or health services seeing your browser history will do that.

France already has a similar law in place so I wonder how that worked out for them by preventing the Bataclan massacre. (it didn't)

This law will probably not help in any shape or form to prevent terrorism but was merely implemented to provide some form of leverage over people.

"Do as we say or this lovely data becomes public, or you are denied healthcare because of a site you visited but never visited because it was a hidden iframe"

The truth is that authorities the world over have finally caught up with the internet. Look at it this way: they already had pretty extensive powers to monitor telephone calls and correspondence; then the internet came about, and slowly made them blind.

Until a few years ago, they compensated by treating the internet as a free-for-all where they could spy at will; as people fought back and started to demand accountability and limits, they responded with a legislative backlash that is slowly making gains everywhere. The most authoritarian-inclined states (UK, France, Italy) have passed the worst laws, but others are busy following suit.

It's an ideological battle, and they are winning it. One day we will look back at the Chinese firewall as a pioneering effort.

I've been wondering, do we have any idea on what type of data they'll be recording now?

- Is it domain names, or subdomain names?

- How do they get the domain names? Do they look at IP addresses I'm connected to and do a lookup?

- If I use a VPN, will all my traffic come up as that VPN?

- How will they link an internet connection to a person? Will it be done on the name they used when they signed up, their house address, or their billing details?

When using a VPN (IPsec, OpenVPN, etc - something secure) then all the ISP will see is that you connected to your VPN IP and how much data volume was transferred.

Since the traffic exits at the VPN only the VPN endpoint would be able to read this meta data if they did such a thing which is not impossible but not normal. The worst case scenario is that your encrypted traffic is recorded for a while then they come knocking on the door for the encryption key. Alternatively if the international VPN provider is of the cooperating kind then they can log this data on behalf of your government. So use a foreign VPN provider that stands up for rights or use a dedicated server in a foreign country.

I have always wondered if this could be avoided though by using some form of rotating keys that you throw away or perfect-forward-secrecy if this works.

Do you have a suggestion for a paid VPN service?
This article [1] is so stupid I want my seconds back.

The matter in question is: who do you trust more? Your ISP or the VPN provider? The default should be that you don't trust your ISP, especially if you are in the UK. Hence, trusting a VPN provider is the lesser of two evils.

Will that protect your child-pornography-viewing? If you use Qubes OS, where you have a VPN on the host, then you use Whonix in a VM, where you use tor, then you are probably safe.

Are you a terrorist planning to destroy America? You are probably our of luck, but for the truly paranoid it could be achieved.

My advice: it is better to trust VPN providers in other countries than your own, just select decently (aka, not Hide my Ass). NEVER trust your ISP!

[1] https://gist.github.com/joepie91/5a9909939e6ce7d09e29

Could you please elaborate why Italy has one of the worst laws? Never read about it.
The public-wifi law recently amended, the anti-blogging laws, the leeway given to authorities to run riot over a datacentre if even just one account comes under suspicion, the cozy relationship with Hacking Team... all datapoints confirming an overall view of the internet as something to be curtailed and intercepted.
> The truth is that authorities the world over have finally caught up with the internet.

This isn't true they misunderstand it. They're trying to force it into their centralised, controllable world-view. They haven't yet figured out that this doesn't work with a decentralised system where its trivial for people to hop on and off the network irrespective of geography and borders.

This is hardly a battle they can win, the outcome is just that the average citizen is watched and those with knowledge of the internet circumvent the snooping. This will slowly chug along until someone leaks or gains a copy of the data, shares it online, ruins a bunch of lives, prompts public outcry and then they inevitably scrap it.

I completely agree with your sentiments.

But just to play devil's advocate, it is possible the authorities could have prevented the Bataclan massacre but chose not to "for the greater good". There's a similar conspiracy theory around the Coventry blitz[0].

It might very well be false, I'm just suggesting there may be an alternate explanation (i.e. the French surveillance is actually working very well).

[0] http://www.bbc.co.uk/news/uk-11486219

So the UK just killed their ISP and hosting industry. Welcome in Germany
I don't think Germany is much better...
I do not know of any German law which is comparable. Do you have a citation?

I agree with the sentiment, but at least legality of snooping has not been settled yet.

According to the German BSD scandal they still observe the 10% rule. Don't dragnet more than 10% - for their American friends. Whilst most others just take all.
I don't see how people living in the UK can just decide not use a UK ISP, unless they choose to forgo having an internet connection completely.
This is basically national security letters with oversight. Which is part of the problem. When any of the major democracies introduces a law like this, it normalises it for the rest. Which then gives encouragement to the more oppressive countries. The whole world seems to be in a race to the bottom.
What technical solutions can be used to prevent this? As I understand, this mainly entails internet access logs? Would a secure, off-shore VPN defeat this?
yeah. They're just tracing what pages the ISP serves you. So if you encrypt and proxy your requests via something else they'll only know you're accessing some random server somewhere.
No they will see the VPN service endpoint - the next step of course would be to disallow those connections since you must be hiding something. Only VPN providers (like Corporate ones) that are verified by the state will be permitted. Since the external VPN providers could keep changing the endpoint they will respond with whitelists of acceptable domains. Eventually you will succumb and learn to love big brother.
We'll just compromise a whitelisted end point. The whitelisting would have to be pretty liberal because of corporate and many of us are corporate. This bill only empowers those with technological skills.
That's fine, then they need new laws. And they'll have to extend the non-verified ban to any server or VPN service that I can run my own VPN on.
Couldn't you chain that to another VPN provider in a non-fascist country? It would only be fully decrypted at your PC.

Of course they could make that illegal as well...

It is curious to note that if you very slowly and gradually reduce the size of the sheep pen, as long as the sheep are still fed, they won't notice until they are driven down the tunnel to the slaughter house.

It is not until they hear the captive bolt being shot through the skull of the sheep in front of them, that they finally start to panic.

"Curious" is not the first word that I would think of to describe that situation.

Terrifying? Horrific? Insidious?

OK, time to stop using any security software created by company under UK jurisdiction. Anyone want to help make a list?
I would like to put some time into this, but I wouldn't even know how to go about it. What would the list contain? The names of companies HQed in the UK which produce privacy software?
I would like to attain some decent level of privacy, but my searches on how to go about it yield a large amount of conflicting information (which I suspect is there on purpose.) Is there a sensible guide out there that some of the experts at HN would recommend?
It depends on your threat model: what do you want to hide and from who? If you simply want to avoid someone reading your messages (payload), using https everywhere, end-to-end encrypted chat clients (ie. Signal), encrypted mail (ie. PGP), maybe disk encryption (ie. VeraCrypt) should be enough to defend against non-targeted attacks and government dragnets. If you want to hide your "meta-data" from non-targeted government snooping (browsing history and who do you contact with) it gets more complicated -- in this case you also need VPN and/or Tor. Defending against targeted attacks is next to impossible, but you should not be worried about these anyway, unless you are on FBI's top list or smth. Using open-source tools and avoiding highly centralized services (Google, Facebook etc.) is generally a good idea for a privacy minded individual as well.
Simply using VPNs and Tor provided a signal, and is (per previously released documents) a great way to get on a short list of people to pay more attention to.

I almost think we'd be better off going the other direction and hiding our signal in a bunch of noise, or just grab everything and review it on an uncompromised network (such as "spider every top link from HN and store it locally, then browse only that local copy").

If enough people use secure communications, then it becomes noise. Take an old, boring door lock analogy: everyone locks their home door, but nobody thinks that they have something to hide or illegal in their home just because of that. Making privacy and encryption tools easily accessible and easy to use is our best best imho.
Given the breadth and intent of these laws, I'd expect a different response - requiring ISPs to block VPN traffic that isn't hitting a whitelisted (i.e. corporate) endpoint.

VPN traffic has a distinctive signature, and ISPs are already using deep packet inspection hardware already, so blocking VPN traffic seems like a natural evolution in this particular arms race.

UK is going to get hacked into oblivion once the key gets leaked, and it will get leaked. "Hey lets cripple national security under a single point of failure in the name of security".