Question
There's much hoopla over this but is it any different than the police and security forces having access to your telephone conversations and call history (as long as warrants are needed just like for phone calls)?
The Queen has detailed the government's upcoming programme of law-making on a grey day darkened by the gloom of a double-dip recession and plans to massively increase surveillance of the internet in the UK. Opening the new session of Parliament, Her Majesty confirmed on Wednesday that "draft clauses" would be introduced to …
That's the problem, we don't really know what it entails yet, and it likely won't contain any technical detail as that will be left to the ISPs to implement (and pass the cost on to us customers).
The real problem is that it is likely to be blanket monitoring in retrospect (that is your past year's worth of internet activity will be available, could be more), whether or not the requirement is a warrant, everyone is being watched and recorded.
The assurances that it won't contain message data, just comms data, is a lie. At some point in the system everything will be looked at. A packet may contain part of another protocol and the whole thing needs to be read and stored until enough data is available to reconstruct that 'communications data' but that may also include lots more besides. The rest may not get stored for long, but it is read at some point...
Yes there is a difference.
You might speak to perhaps a few tens of people by phone, but these days much more communication is done via email so maybe it would be fair enough that email addresses are captured with warrants required for their contents. I could just about live with that, although I'd prefer not to.
But this bill wants logs of every website address too, the equivalent of following someone about to see where they go. Query strings give away even more information. All without any warrant apparently. I guess website addresses will become more obfuscated.
What opening post delivered by Royal Mail? Why not if it's all for our own good?
Remember that this information will be logged and saved in advance.
So access to call records & call content via a court order means that they will gain access to your records for as far back as the phone company have them (5 years?). Also they could tap your phone to record your phone calls.
Now under this proposal they will log all the sites you visit, the content of all the emails you send and much more. They then have to get a court order to access that data but it would be already there on their equipment.
However it's not like there are 3rd parties involved (eg BT) so it would be trivial to lower the requirements. Putting this into the phone context everyone knows it's comparable to them recording all your phone calls (& text msgs) and then promising that they'll ask before listening to them.
Reproducing the answer (to "is it any different"): "From Lawful to Massive Interception: Aggregation of Sources", slide (c) Amesys 2008

Features                                              Lawful Interception   Massive Interception (CCDP)
-------------------------------------------------------------------------------------------------------
Recording target's communications                     OK                    OK
Social Network for targets                            OK                    OK
Search in the past for newly identified targets       -                     OK
Identification of new potential suspects              -                     OK
Discovery of new targets on:
  - Keywords                                          -                     OK
  - Key topics                                        -                     OK
  - Social Network                                    -                     OK
Information synthesizer & top-level intelligence      -                     OK
Creation of intelligence notes for the Authority      -                     OK
Full Country traffic monitoring                       -                     OK
Behavioural analysis of Data Flow                     -                     OK
(geo)Localisation                                     -                     OK
Multi-captor system                                   -                     OK
Privacy should be "on" by default, with an option to snoop only in exceptional circumstances*. The proposal is to set privacy to "off" by default.
* Granted, every government writes its own terms of meaning for "exceptional circumstances" but the right to privacy should be there first and foremost.
Or even just using webmail over https on servers located in some country which is less than friendly to the UK (Argentina, France, somewhere like that). And of course persuading all your <insert terrorist organisation of choice here> buddies to do the same.
Wait... they already do that :-(
Looks like a business opportunity to me. Start researching Swiss law now, for a service you can sell to respectable people who worry about journalists, PIs and spouses getting access to logs that are supposed to be for MI5 only.
Swiss, because they're a country that will cooperate with law enforcement agencies, but where they still believe in privacy. The really bad guys will find other more bribeable jurisdictions ... or possibly, put their servers afloat in the Pacific garbage patch or in orbit!
No market since around 1975.
Such a one time pad is only useful if you never reuse the pad. You've also got the problems of generating the CD contents, duplicating these and sending these around by trusted courier (That's similar to how the UK diplomatic service did it. I've seen their old paper punched tape OTP machinery in use up to the seventies now on display at Bletchley Park).
You are now doing much, much better having a new long enough key (128 bits or longer) randomly generated and exchanged using the Diffie Hellman protocol at the start of each session and securely disposed of at the end of a session. Secure disposal of the key after the session means that plod who calls around and obtains all known secrets after the session has ended (e.g. using RIPA or some other kind of rubber-hose cryptanalysis) has no way of decrypting his copy of the encrypted stream; this property is called 'perfect forward secrecy'. Diffie Hellman on its own doesn't protect against a man in the middle attack (e.g. Eve pretending to Alice she is Bob while also pretending to Bob that she is Alice), so you need to use DH key exchange in connection with RSA signature or similar to authenticate the other end.
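An added illustration of the comment above (not code from the thread or from any poster): an ephemeral Diffie-Hellman exchange in which Bob signs his per-session value, showing that an unsigned exchange lets Eve's substituted value through while the signature check makes Alice abort. The group, the textbook-RSA key and every function name are assumptions constructed for the demonstration; only the path from Bob to Alice is modelled.

```python
import hashlib
import secrets

# Demonstration parameters, constructed for this example (assumptions).
# P is the Mersenne prime 2**521 - 1; real systems take a vetted group or
# curve from a maintained crypto library.
P, G = 2**521 - 1, 3

# Constructed textbook-RSA identity key for Bob, built from two Mersenne
# primes: trivially factorable and unpadded, it only stands in for the
# "RSA signature" step. Never use it to protect anything.
_p, _q, E = 2**607 - 1, 2**1279 - 1, 65537
N = _p * _q
D = pow(E, -1, (_p - 1) * (_q - 1))          # long-term private exponent


def _digest(pub: int) -> int:
    return int.from_bytes(hashlib.sha256(pub.to_bytes(66, "big")).digest(), "big")


def sign(pub: int) -> int:
    return pow(_digest(pub), D, N)


def verify(pub: int, sig: int) -> bool:
    return pow(sig, E, N) == _digest(pub)


def ephemeral():
    x = secrets.randbelow(P - 3) + 2          # fresh secret for every session
    return x, pow(G, x, P)


def session_key(my_secret: int, their_pub: int) -> bytes:
    # Only ephemeral values feed the key; D authenticates but never encrypts,
    # so seizing D after the session does not reveal this key.
    return hashlib.sha256(pow(their_pub, my_secret, P).to_bytes(66, "big")).digest()


def handshake(eve_present: bool, check_signature: bool):
    """Return (alice_key, bob_key, eve_key); alice_key is None if Alice aborts."""
    a_sec, a_pub = ephemeral()
    b_sec, b_pub = ephemeral()
    b_sig = sign(b_pub)                        # Bob signs his ephemeral value
    e_sec, e_pub = ephemeral()
    seen = e_pub if eve_present else b_pub     # what actually reaches Alice
    ok = verify(seen, b_sig) if check_signature else True
    alice = session_key(a_sec, seen) if ok else None
    # Ephemeral secrets go out of scope here: nothing long-lived can rebuild the keys.
    return alice, session_key(b_sec, a_pub), session_key(e_sec, a_pub)
```

Deployed protocols sign the whole handshake transcript rather than a single value and use padded signatures from a maintained library.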
... I will also investigate investing in a VPN; though I can see a few years down the line that'll be the next area the government targets with legislation. It's an uncomfortable fact but as the internet becomes more embedded in everyday objects & surveillance technology improves our lives will come under ever more scrutiny. Most people haven't kicked up a fuss so whatever government is in power will implement this.
Obviously you have something to hide..... I'm sure running Tor will get you onto at least one list.
Slight tangent, I wonder how many Tor nodes are spook run? Can someone running all the nodes from request to exit node trace source and target IP? I'm sure I read that was a Tor weakness so if I was wanting to monitor Tor I'd have a server room packed with as many nodes as possible modified to try and trace requests.
"Obviously you have something to hide..... I'm sure running Tor will get you onto at least one list."
So what? What will they do, stop my flying to the USA? Fat chance... I'm not flying there anyway. If I want that kind of "intimate attention" from another person, I'll buy the girlfriend flowers and a nice dinner.
"Slight tangent, I wonder how many Tor nodes are spook run?"
Probably a lot, but it doesn't matter. Data inside the network is encrypted, and data leaving the network only has the data you put into it readable by the exit node. Those folk who were caught in the drug sale sting gave out their shipping details. As is typical of data protection, "they" only get as much data as you give them. Encrypt the data before sending it (HTTPS anyone?) and don't go applying for credit or accessing your personal email account, and nobody will know who you are anyway.
Just making the point that running Tor makes you look like a "Bad Person" in some people's eyes.... and running Tor may one day be an amber/red flag in someone's data warehouse report. Just take steps to hide the Tor usage.
Who said anything about the USA?
This is the UK government and they'll just knock on your door (possibly heavily) if they want to chat.
Question answered, cheers
> I'm not sure why people keep going on about SSL, it is completely readable when you
> have intercepted the entire communication from its initiation.
No it isn't, you'd need access to the private certificate on the server to decrypt it. Only the public certificate is sent out, to allow the other end to encrypt stuff.
You can do a 'man-in-the-middle', where you decrypt SSL on the way then re-encrypt it, but it'll set the alarm bells off in the browser as the server name won't match the destination address.
"I'm not sure why people keep going on about SSL, it is completely readable when you have intercepted the entire communication from its initiation."
If you do know how to break current SSL implementations, then please publish your reproducible attack method in full. Your publications and conference keynotes would then be worth a considerable amount of dosh. I'm also not including manipulating the CA system to get a false signed cert which we all know is doable but expensive to the CA that gets caught doing this, see DigiNotar.
"Most people haven't kicked up a fuss.."
Most people do not understand their computer, let alone the impact of such a bill.
We all know how to obfuscate information using techniques already mentioned here. But your mum/aunt/grandmother/etc... have no clue. It's 'normal people's' conversations being impacted. Those 'underhanded' persons will already be implementing counter surveillance techniques.
It's a waste of time and money really.
I expect them to do a Digital Economy bill on this one, make no mistake we will get it because it's in the speech regardless of how unpopular it is. Even if they have to sneak it through the disgrace that is the Parliamentary "Wash up" to get it on the books we will have it forced on us.
What's the betting that p0rn filter comes along with this as well?
So maybe they can explain this
To quote:
"May and her department have tried to bat aside criticism from civil liberties groups by saying that "no emails would be read in real-time"."
To support
"The proposed bill described communications data as being "information about a communication, not the communication itself"."
If there is no communication content held, then how can they say that no email will be read in real-time, implying that they can (or will) be read after 'real-time' i.e. 1 second later by a person or batch job?
This puts me in mind of the Great Wall of China, unfortunately not the nice stone one......
Now, where is that tin foil hat of mine....
I'd hazard a guess that Her Maj is a bit more technically clued-up than you'd think.
Maybe not to the level of most of us reading tech news sites like this, but I'm sure she'll at least know how to switch on a PC and do a bit of casual web browsing in between her royal duties. Probably won't stretch to downloading torrents though!
> anyone thinks that old Liz actually has a clue about anything
She's far more clued-up than you might imagine.
She was a driver/mechanic during the war, and she was introduced to email before most of the rest of us.
That she talks such utter bollocks in the "Queen's Speech" is down to it being written by the government, not by the monarch.
Vic.
We already provide secure email, comms and IT services to UK companies, the more the merrier. :).
The problem of an evident lack of control, transparency and trustworthy oversight is not new, just that the process to legalise the abuse has now started. Any UK company that outsources IT to a UK based or controlled organisation already has the risk of backdoor intercept - compel the IT provider and the company in question may never find out (the magic word remains "terrorist").
Not a good position to be in if discretion is part of your business. Banks, lawyers, medical practices..
How about a little background process that, every 30 minutes or so, would google "ANARCHY BOMB TERRORIST BESTIALITY AL-QUEDA SEXTRAFFIC" and bounce off a random half-dozen of the websites produced?
A million or two PCs doing that 24/7 ought to fuck up the statistics a bit.
I'm actually semi-serious about this. Of course it would need to be more sophisticated than I'm making it, but is there any reason why this shouldn't happen? Going by my experience, there are enough people (even non techies) objecting to the bill to suggest there would be enough of a user base to make a difference.
My coding skillz are rusty as fuck these days, but I reckon even I could put together something like this.