The only way I would find this acceptable was if the government applied this to themselves. I want to be able to hear all their conversations, to know where they are, who they meet and talk to, who pays them money, how many bank accounts and properties they own. I'd like that accepting a job as a politician involved full transparency. If they were an example themselves then it might be easier to convince people about approving a law like this one.
Personally I don't see how I could give up my privacy just because some/all politician(s) would.
A lot of people don't even mind the absence of privacy, the key point is that that is a decision they can make for themselves. Even if everybody would gladly give away everything on facebook the moment you force them to do so you cross the line.
As a rhetorical device, I agree. I've summed it up in the past as, "You first."
I'd even be willing to argue it with respect simply to communication performed as part of their work. More and more "governance" seems to be too sensitive to allow people being governed to be aware of it.
Its a EU thing that is pushed from the commission to the individual countries. Germany implemented this a while ago but it was ruled unconstitutional by our constitutional court, so the law was repealed and all collected data was deleted (at least thats what they say). Now the government is facing fines from the EU for not implementing the law.
Its awful that an institution of questionable democratic legitimation (EU commission) is forcing a democratic government to implement laws, that are against their constitution. The worst thing is, that the big political parties dont see anything wrong in this.
Its awful that an institution of questionable democratic legitimation (EU commission) is forcing a democratic government to implement laws, that are against their constitution.
You used the word "democratic" twice. But I don't see what democracy has to do with it. The whole point of a democracy is to allow the majority to bully the minority. The protections you need are Constitutional limitations.
Its worse than that. Google "democratic deficit european commission" it will give you a lot of material on the problem. For the lawmakers (big parties) in the member states it is not a bug, its a feature. It is much easier to pass a controversial law, like this one, if its made away from the public somewhere in Brussels. And when there is critique, you can blame it on the EU, and that the country would face sanctions if they dont implement it.
The Commission is undemocratic because it holds great power, yet its members are unelected. Contrast with the EU Parliament, which is elected and therefore far more accountable to the electorate.
The Commission's staff are chosen and approved by both the indirectly elected Council (Member State government ministers) and the directly elected European Parliament[1]. The Parliament has forced the dissolution of the Commission before.
By that standard most governments are undemocratic. The UK is a particularly interesting case with a monarch that can dissolve parliament, appoint the prime minister, as well as hereditary and life peers in the upper house.
The key difference here is that while that is theoretically the case, the Queen does not in practice arbitrarily dissolve parliament, and her appointing the prime minister is basically a formality. The House of Lords, while it is fairly undemocratic, doesn't seem to be doing any worse a job of looking out for the rest of us than the Commons are. Contrast this to the various EU directives which frequently are interfering in local affairs, often not in a way that's in our best interests.
I think we need to seperate two issues here: One is whether or not a particular government does a good job and the other is how democratic it is.
The first question is too subjective in general to have a useful debate. I'll just say that complaints about interference in local affairs have been a mainstay of all political unions ever formed, including The United Kingdom of Great Britain and Northern Ireland. Just ask the Scottish. And it's completely natural because "interference" is just another word for "governing".
However, the parent post was about the democratic legitimacy of the EU commission. The commission is not directly elected just as most other governments are not directly elected. In most countries cabinet ministers are not even elected MPs. Parliaments are elected and sometimes heads of states but rarely governments. The closest thing to an elected government are probably the presidential systems in the US and France.
Most critics of the EU do not want an elected EU president or a directly elected EU commission as that would obviously take away more powers from the nation states. That's a legitimate position, but it's incompatible with criticising the EU for not being democratic enough.
A closer comparison is the suggestion that although UK government departments are headed by ministers, they are actually run by the permanent civil service, which is akin to the EU Commission.
there is a deep tug-of-war in this. The EU position is that European Law is higher level than any law of member states, including their constitutions. States, generally, say that EU law takes its very legitimation from the souce of national law and, consequently, cannot overrule it.
I wouldn't worry about that, here in Europe we have a long tradition and history of solving our problems in a conciliatory and, above all else, peaceful way.
You'll notice substantial differences between the EC document and the UK version.
The EU says:
Article 4
Access to data
Member States shall adopt measures to ensure that data retained in accordance with this Directive are provided only to the competent national authorities in specific cases and in accordance with national law. The procedures to be followed and the conditions to be fulfilled in order to gain access to retained data in accordance with necessity and proportionality requirements shall be defined by each Member State in its national law, subject to the relevant provisions of European Union law or public international law, and in particular the ECHR as interpreted by the European Court of Human Rights.
That would leave the UK quite within its rights to require a court order or warrant before access was granted. But Oh no.
The EU Directive makes no mention of logging Web URLs either.
I'm not one to wear a tinfoil hat but SOPA in the US, Bill C-30 in Canada, and the various laws in the EU can make one think there is some sort of conspiracy going on. It's simply intriguing how all these laws seem so similar.
That's not controversial. The US uses its economic and (indirectly) its military power to persuade or coerce other nations into enacting laws similar to its own. To some extent this is desirable: it makes life simpler in a global economy. Like everything government does, it gets taken too far.
The US federal government does the same thing to the states:
Under the Federal Aid Highway Act, a state with a minimum drinking age below 21 would be subjected to a ten percent decrease in its annual federal highway apportionment.
It was bound to happen that the internet would be regulated, just like all other innovations and media before it. Once a technology becomes mainstream it is regulated, that's like a law.
We are going to miss the open internet, but there will always be "ham radios" like Tor or other technologies in the future.
to me all this stuff seems a bit overcoincidental, but i am tired of talking about. few months ago i joined the freedombox-project (http://wiki.debian.org/FreedomBox) - now i vote by coding.
Tired of talking about it. Terrible, but I know exactly what you mean. Its like being under siege. And I suppose that is the point. Those who oppose all these vile attacks on our basic freedoms will eventually be worn down and defeated.
Unless a good majority of people get radical and stamp this out properly, and for every one world wide, this will creep and creep until the internet becomes nothing more than a sales portal.
I like that. I been saying to hippy mates of mine for a while that while they have been trying to change the world through the application of drum circles and yurt building classes, the geeks have quietly been building in the open source movement, the only successful communist (with a very small c) system to successfully compete with capital on its own terms, and many are now setting their sights on using it for actual manufacture.
If you don't like the world you see around you, at this point in history one of your best chances for empowerment is to learn some form of engineering and then apply it.
fully agreed.
sorry to correct you, but it's the "free software movement" or "FOSS" and it's not a communist system. not even with a small "c", because communist systems force you to share, FS allows you to share.
If you produce software within the framework of the free software movement then you are sharing it. What free software licence allows you not to share your source?
The word communism can also describe systems that are mutual with consent, and most of the states that claim to be communist appear to be run by totalitarians who use the word and associated dogma to seize and hold power under the promise of equity in the future, so I am not sure there has ever been an actual communist state, by the terms of the philosophy.
Personally, I'm a Groucho Marxist, so my main tenet is that I wouldn't want to join a club that would have someone like me as a member. ;)
no no, i will not enter this discussion, because time flies like an arrow and fruit flies like a banana;)
(btw. you can always take a FS, modify it and keep it completly to yourself, so all FS licenses allow you not to share)
Yep, but then you would from then not be participating in the free software movement for that particular project. If you then later shared your modifications you would be again.
Look, a four year old child could understand this. Quick, someone fetch me a four year old child. I can't make head nor tail of any of it.
[edit] I wonder how it would go if I tried to work Groucho Marx quotes into all of my posts. Something tells me it might not go too well.
As far as I'm aware this is fairly common. If you read the article, you'll see that the new legislation "would not allow GCHQ to access the content of emails, calls or messages without a warrant".
Looking through your comments it looks like you're in Sweden: Sweden already has similar legislation via the FRA law, which authorises the Swedish government to wiretap all traffic entering the country. A lot of countries have similar arrangements: not all arrangements are backed by legislation.
In many ways it is better to have this thing legislated: at least then it's out in the open. It's naive to think that large ISPs in countries without active legislation aren't linking intelligence agencies into their networks.
The legislation in the UK is presumably intended to speed up the time from getting a warrant to putting the tap in place: I would imagine most large ISPs (BT, Virgin, etc) are already plugged into GCHQ, in the same way the NSA intercepts all AT&T traffic.
"In many ways it is better to have this thing legislated: at least then it's out in the open. It's naive to think that large ISPs in countries without active legislation aren't linking intelligence agencies into their networks."
How about the other option: we make it strictly illegal for ISPs to cooperate with intelligence agencies (or anyone else asking for data) unless there's a warrant involved (and even then only to the extent of the warrant).
Yes, I'm in Sweden and yes we have the FRA law. But there are huge differences between this and the FRA law. The FRA explicitly forbids FRA to intercept/process traffic that is meant to stay within the borders. Both laws are an insult to democracy but my take from this is that this is much worse and they have different intents.
Why is it better to have this thing legislated? The argument that it is better to have laws like this because otherwise they will just do it anyway (illegally) just blows my mind. There are many advantages to having stuff like this unlegislated, without support from the law they can't actively act on the data, something that is far better than having the FRA-law. Especially when the intent of the law isn't to act on it but rather to observe.
In other words that argument is of the lines that "since they already have the information (which they illegally intercepted), why wouldn't we want to give them the legal right to intercept that information so that they act on it as well?". How does that make any sense?
Even with a warrant the data collected by FRA wouldn't be legal to use in a court if both parties (sender and receiver of a message/whatever) was in Sweden (regardless of whether the traffic took a detour across the border or not (too/from gmails servers for instance)).
This is why it is critical to encrypt all communications using a trusted provider or doing it yourself with PGP, if you have the skills to do it.
Whether or not this interception is currently legal / illegal, this has been happening on a massive, global scale. The UK is just catching up to France / USA / Canada in this regard. The EU legislation on the books for Saas, ISPs to log all their traffic for an indeterminate time is also a huge cause for concern.
The problem with encryption is that, as far as I'm aware, it doesn't hide the sender/recipient information. You might not be able to read the content, but intelligence agencies are just as interested in who is communicating with whom as they are in the content of the messages.
Oh, and we have a law in the UK which makes it a criminal offence, punishable by 2-5 years in prison, to refuse to hand over the private key so that your data can be decrypted. :(
> Even with a warrant the data collected by FRA wouldn't be legal to use in a court if both parties (sender and receiver of a message/whatever) was in Sweden (regardless of whether the traffic took a detour across the border or not (too/from gmails servers for instance)).
That does not make me fell much safer. In Sweden there is nothing preventing illegally obtained evidence to be used in court. The idea is that the one obtaining the evidence will also be punished for his crimes, but I can easily see that case not even reaching court.
A friend is a network engineer who has worked on some big UK ISP projects and he says that all had a requirement to mirror traffic and make it available to an external undocumented point/body. It's just understood that it's the security services.
> If you read the article, you'll see that the new legislation "would not allow GCHQ to access the content of emails, calls or messages without a warrant".
Note that this talks about the content of emails, calls or messages. The police will still be able to see the metadata without a warrant.
And how long until some dodgy copper flogs it to his contacts in the tabloids.
I think in the UK the public accept that the security service (MI5) and SIS (MI6) have greater leway but that the police should be much more restricted.
The problem is when you let "uncle tom cobley and all have access" is where people get worried.
This effectively the position the Stella Rimington ex head or Mi5 said in the house of lords a while back.
>In many ways it is better to have this thing legislated: at least then it's out in the open. It's naive to think that large ISPs in countries without active legislation aren't linking intelligence agencies into their networks.
No, it's actually worse having it legislated.
Having it happen covertly (and in shame) by the agencies, would be much preferred.
By legislating it, you enable it to be more widespread, used in court, etc. But the worst thing is, that by legislating, you make it normal, and that pushes the boundaries of what is acceptable. Since now, this monitoring is acceptable, then even worse things can take its place in the "secret" surveillance domain.
This line of thinking, is similar to what (philosopher) Zizek describes when talking against legalizing torture in the US:
"*Why not go further still and legalise the torture of prisoners of war who may have information which could save the lives of hundreds of our soldiers? If the choice is between Dershowitz’s liberal ‘honesty’ and old-fashioned ‘hypocrisy’, we’d be better off sticking with ‘hypocrisy’.
I can well imagine that, in a particular situation, confronted with the proverbial ‘prisoner who knows’, whose words can save thousands, I might decide in favour of torture; however, even (or, rather, precisely) in a case such as this, it is absolutely crucial that one does not elevate this desperate choice into a universal principle: given the unavoidable and brutal urgency of the moment, one should simply do it. Only in this way, in the very prohibition against elevating what we have done into a universal principle, do we retain a sense of guilt, an awareness of the inadmissibility of what we have done.
In short, every authentic liberal should see these debates, these calls to ‘keep an open mind’, as a sign that the terrorists are winning. And, in a way, essays like Alter’s, which do not openly advocate torture, but just introduce it as a legitimate topic of debate, are even more dangerous than explicit endorsements. At this moment at least, explicitly endorsing it would be rejected as too shocking, but the mere introduction of torture as a legitimate topic allows us to court the idea while retaining a clear conscience. (‘Of course I am against torture, but who is hurt if we just discuss it?’).
Admitting torture as a topic of debate changes the entire field, while outright advocacy remains merely idiosyncratic. The idea that, once we let the genie out of the bottle, torture can be kept within ‘reasonable’ bounds, is the worst liberal illusion, if only because the ‘ticking clock’ example is deceptive: in the vast majority of cases torture is not done in order to resolve a ‘ticking clock’ situation, but for quite different reasons (to punish an enemy or to break him down psychologically, to terrorise a population etc). Any consistent ethical stance has to reject such pragmatic-utilitarian reasoning."
"At any given moment, the “window” includes a range of policies considered to be politically acceptable in the current climate of public opinion, which a politician can recommend without being considered too “extreme” or outside the mainstream to gain or keep public office. Overton arranged the spectrum on a vertical axis of “more free” and “less free” in regard to government intervention. When the window moves or expands, ideas can accordingly become more or less politically acceptable."
The fact that two people have communicated is damaging enough, which is what this does. For the law under discussion in the UK, it seems that it's just formalizing practice.
In the US this is covered under the Pen Register Act: https://en.wikipedia.org/wiki/Pen_register. Essentially the fact that two people have communicated is not protected under our Constitution; only the content of that communication is protected. In that context, Congress passed the Pen Register Act, which requires law enforcement to get a warrant to monitor who calls who; the bar for these particular types of warrant is particularly low.
The Patriot Act extends the concept of pen register and their required warrants to internet communication. The government specifically is required to get a warrant before it can ask an ISP, for example, to reveal who someone emails or what web sites they visit. For now, they need a warrant to know that you visited Amazon or your library's site, but they need a harder to get different warrant to know what books you've bought or checked out, or what you thought about those books when you emailed your friend.
The fundamental problem with pen registers and the internet equivalents is that it brings people under government scrutiny that otherwise would have escaped notice. If person A is a person of interest, and the government is pen registering his communication, then that makes everyone on person A's communication list a person of interest. Now the government gets a warrant to pen register person B, someone who person A communicates with. That means that everyone that person B communicates with is now known to and watched by the government, even though they are not specifically the target of any investigation or warrant.
Person A may be a drug dealer, person B may buy from person A, and I, person XYZ, may be a friend of person B, don't buy or use drugs, and don't know a thing about the relationship between person A and B. But now the Eye of the government has swung its gaze over to me. I could become collateral damage in, for example, a plea bargain negotiation. My house might be violently raided by law enforcement, merely because Person B visits me a lot; my child might have a gun pointed at his head, and my dog might be routinely killed merely for getting in the face of one of the law enforcement home invaders.
This (the pen register) is a violation of my desire to not be scrutinized by the government, whether I've done nothing wrong or not, whether I have anything to hide or not. I in fact have done nothing wrong and have nothing to hide, and I still do not want the scrutiny of the government to fall on me. The government is in theory my servant, not my master. That relationship naturally gives me the right to expect the government to leave me alone.
The legislation would permit information obtained in this way being used in legal processes. Currently if GCHQ were doing intercepts in this way it would be unlawful, and as such evidence obtained through such potential intercepts would be inadmissible in a court terrorism case for example.
"... Currently if GCHQ were doing intercepts in this way it would be unlawful, and as such evidence obtained through such potential intercepts would be inadmissible in a court ..."
True, but wouldn't the sources be covered under OSA and hence not disclosed?
Not if you're going to court. There's a whole secret inquest thing that's been going on, occasionally popping up in the news. The problem with relying upon intelligence for evidential purposes is that you can often expose the handlers, assets or sources involved in a public trial.
"... The problem with relying upon intelligence for evidential purposes is that you can often expose the handlers, assets or sources involved in a public trial. ..."
I have no problem with this if it's just GCHQ and they need a warrant to do it. The police shouldn't be able to do it, though I don't have a problem if they can request GCHQ to do it for them! They don't think they have time to go beyond terrorism.
As a UK citizen, I now do not regret in the slightest forcing every single user of my website to use HTTPS. It costs maybe 10 or 20 dollars a year, your site runs no slower, and all your users get real privacy.
Sorry to spoil it for you, but HTTPS provides no protection against MITM when the MITM is a nation state which can legitimately buy root keys from CAs (or become a CA themselves, if they are not already).
Well, you can verify the certificate is the same when accessing the page via your connection and via tor. If they have different chains you stop trusting the root authority.
This can be spoofed only if the nation state buys the master root keys (i.e. not just a key allowed to sign any domain, but the root key the provider uses to sign everything, so that the chain is exactly the same) from every certificate provider... At which point you're screwed whatever you do.
I think this will turn out alright. The article mentions a law prohibiting such surveillance without a warrant, and the fact that this is being covered by main stream media to start.
Doesn't this violate secrecy of correspondence and their own data protection act of '98?
Terrorism seems to be the godwin for privacy debates regarding national security.
The Data Protection Act gives the security services opt-outs on the basis of national security. This is to prevent you, for example, requesting all files that MI5 might have on you.
Watch these two videos and tell me whether you think this is already happening in with US data ... most-likely transferred outside the country for the purpose of analysis beyond the nation's legal jurisdiction.
blah blah blah use PGP for emails blah blah in fact encrypt all the things blah blah "no it's too hard for Joe Public" blah then Joe gets what he deserves.
PGP protects your from the state knowing who you are communicating with? I think not. And that's the main aim of this legislation. Tracking who you are talking to, and which Web sites your are visiting.
I confess ignorance on the particular details of whether a PGP-encrypted message leaks who the sender/receiver are, though supposing it does it only leaks a single token--a username-email pair. If the state can read everything you as an individual send, they can only know who you're communicating with if the PGP-encrypted message itself leaks a name that maps to another offline individual. You could argue that a PGP-encrypted email leaks the name by default--i.e., the recipient of the email. You tell me how useful it is to know that I sent a message to cornflakesrule12345@emailprovider.ext without knowing what the message says. (More information can of course be found by coercing the particular email provider, if you can, to give up an IP address of the user, but we all know how reliable IP addresses are at pinpointing a single offline individual and there are many other options...)
Of course, we can go further down the rabbit hole of schemes, we don't have to stick with just PGP. As one of your sibling-comments noticed, anyone who wants to get around any State Spying can do so as long as the State leaves room for some reasonable assumptions. (As for outlawing encryption, that's a problem on its own, both in enforcement and in definition. You'd likely just get particular encryption software outlawed rather than the concept. (I'm aware of the US classifying certain algorithms as munitions.) Funnily enough, telegraph operators tried to outlaw simple ciphers and encodings (like 'u' for 'you' and even anagrams) used back in the day because they were losing money, since they charged a fee for a message length.)
I like the '89 paper entitled The Dining Cryptographers in the Disco: Unconditional Sender and Recipient Untraceability with Computationally Secure Serviceability. Here's part of the abstract:
We present a protocol which guarantees unconditional untraceability, the original goal of the DC-net, on
the inseparability assumption (i.e. the attacker must be unable to prevent honest participants from
communicating, which is considerably less than reliable broadcast), and computationally secure
serviceability: Computationally restricted disrupters can be identified and removed from the DC-net.
> I confess ignorance on the particular details of whether a PGP-encrypted message leaks who the sender/receiver are
An important part of public key cryptography is the "web of trust" - you must know that you're sending stuff to the right person. A person's identity is tied to their PGP key.
> You tell me how useful it is to know that I sent a message to cornflakesrule12345@emailprovider.ext without knowing what the message says.
They build up big databases and then mine that for information. Most people are not disciplined enough to use cryptographic technology properly; and that holds for "not doing stuff that leaks data". Associating username@example.com with a set of data is an important step in getting the identities of both username and the people username is communicating with. Don't forget that even if username is careful the people that username emails might be idiots.
Both good points. From what I've been reading, "pattern finding" databases instead of "hash finding" databases are starting to be the new thing that allows huge and useful data analysis, and you can find patterns among a collection of lies or even just otherwise random data that wouldn't be associated without the pattern matching.
Fundamentally, it only takes one matching join on your citizen-data against any other collected assortment of data to implicate you. Human stupidity will continue being the weakest link. But there's still a lot that can be done to guard against it.
Even if the government manages to figure out that user@example is an Al-Qaeda member, and they know I sent them an email, they have no idea what I sent without resorting to, depending on how secure I was, torture, bargaining, private key compromises of the receiver, further insecure communications from the receiver's end, or hard drive sniffing for the original message from my computer. Increased carefulness can guarantee the message only exists within the minds of the sender/receiver, but with the advent of the "forgetting pill" even that vulnerability can be accounted for when plotting world domination. Of course as you note, human stupidity can undo it, but that's no reason to give up adding more layers of security.
You miss the whole point, it's about the implications of the legal frameworks which are put in place, not about how to hide from governments. The simple fact that you need to hide from the governments is indicative of a deep systemic problem.
This is just a first step in making encryption illegal. Not like that's not the case already in some parts of the world, and it's not regulated heavily in other parts of the world.
I don't think I missed the point, that point's pretty obvious. All of us on HN recognize that the legal frameworks of the US and the UK (and other countries) are screwed up, and we don't need this particular post to point that out. The looming totalitarianism manifests itself elsewhere with even more clarity.
My point, admittedly facetiously expressed before, was an aside, and it is that hey, we know the government's screwed up, and it's not likely to get much better soon (especially on this particular issue) without a fundamental shift away from Big Government (and more debatable, a Massarchy implementation of government). In the meantime, there are technical solutions around it which we could implement en-masse today for the benefit of the masses instead of the localized solutions like GnuPG that us privileged nerds have--and it's worth reminding/letting be known by budding smarty-pantses that they too can communicate with other smarties securely if they want to. (I suspect any dangerous terrorists already do communicate securely and don't need reminding, but most terrorists are dumb and ineffectual in whatever their particular goals are so most probably don't.)
If only Joe Public was educated about it and motivated to care and demand... Does a gmail-to-gmail message stay on Google's network alone? If not, they should encrypt everything behind the scenes before it leaves their network, just like how they've now been using https by default. It limits gov. snooping to subpoenaing the specific email provider to get the data off their servers rather than catching it in real-time as it passes through some network node. Also, I think that most probably gmail-to-hotmail or gmail-to-yahoo goes outside, so you can expand. Why can't Google, Microsoft, and Yahoo each agree to roll out an auto-PGP system where when an email is sent to one of the others, a handshake occurs first where a one-time public key is swapped from receiver to sender that's used to encrypt before sending, and the receiver will decrypt before presenting the decrypted email to the receiver user? (And to the receiving user's provider's content-scanners to display targeted ads.) With similar legal implications, the public could always demand regulations that require an auto-PGP protocol alongside a requirement of https (even though https isn't as secure as it could be). But that would be an instance of the government looking out for its people when the private companies aren't doing so, therefore it's not going to happen.
It's hard to enforce any anti-encryption laws beyond monitoring for distribution of specific software and monitoring for users who encrypt almost everything. Basically you can only catch someone using encryption for almost everything by noticing that none of their data is understood by any of your software. If you only encrypt important things, well, a steg'd image once in a while isn't going to be detected (and there are other things you can do too).
No politician in the US would even dare suggest this never mind try to get it passed as law. I really don't understand the politics. What constituency supports this?
