If you want to understand the state of state surveillance technology and thinking in the UK then I highly recommend Henry Porter's novel "The Dying Light".
It's so trivial to work around this that I'm stunned they're even bothering to implement it. As we've heard over various stories recently terrorist groups were doing such varied things as steganography, if they've managed to work out how to do that I'm sure they've sussed VPNs, anonymous proxies and disposable network points.
Pointless and makes my life as a British citizen more awkward as I'll having to put all my network traffic off through something rather than leaving it as a nice, simple internet connection.
My understanding is that they need a warrant to look at the log of your traffic. Presumably they'd need to look at the log of your traffic in order to see if you're using a VPN or Tor.
So what you're suggesting means they'd need to look at your traffic without a warrant in order to determine if they need a warrant to look at your traffic.
[edit] Also, presumably they can already get a warrant to tap your traffic. All this new legislation means is that they can look at historic traffic too?
Don't get me wrong. I am British, and I do think it's fucking disgusting. But don't forget, it's just a proposal.
[edit2] I was wrong. It seems they wont need a warrant to see who you're talking to. Just a warrant to see what you're saying. So yes, I guess they'll be able to tell that you're using a VPN without getting a warrant first.
Don't know to be honest, unless EVERYONE is running encrypted traffic/VPN/Tor then the few that are using it stick out like a sore thumb. It is bound to raise some suspicion. I am British too btw and hoping it is just a proposal at the moment, but these things have a way of being watered down to make them "more acceptable" or revived under a different guise still have a whilst still have the core concepts in them.
Problem is I don't trust our government with our data, they've shown sheer incompetence far too many times when it comes to IT systems. And it's always a case of do as we say, not as we do as the expenses scandal and the current Leveson enquiry is showing.
when the percentages of people that use these kinds of technologies are low then yes, it's a big sign to the spooks that "LOOK AT ME, I'M PROBABLY DOING SOMETHING INTERESTING"
... this is the reason several people I know don't use PGP signed/encryted email.
That was one of the more interesting parts to come out, the clever word politik of saying 'only terrorists, paedos or criminals would dare to be upset about this'. So ordinary man thinks "I'm neither of those 3, rummage away".
Note that this is a recurring theme. Two possible explanations:
1. It's trivial for you. Is it as trivial or convenient for the average Joe? Tor is slower and more restricted in terms of multimedia and VPNs and other proxy/routing services cost money and while not hard to implement, are still beyond the grasp of the average citizen. Of course this immediately prompts the question of whether this is intended as a security measure at all since only the average citizen will be affected.
2. I suspect that this is more about legislative precedence than it is about actual implementation. Governments are forever forcing new surveillance measures. The common people ignore them and the techies resolve to bypass them technically. But the politically harm is already done. Before we know it there will be hundreds of these laws and measures passed and when we finally realize it, it will be very hard to persuade the bureaucrats that implemented them in the first place to remove them.
I used to think like this until a recent conversation between 2 cousins on facebook concerning the nautically naughty bay.. I had a bit of a shock seeing one of my "knuckle dragging, mouth breathing" (my words) relatives spouting on about VPNs etc. and getting it mostly right. I suspect if it's a choice between not accessing certain sites and learning you'll be surprised at how quickly people will learn.
Okay true, trivially for me is not trivial for all. However, VPNs are already familiar to a large group of users who've used them for business, including a lot of straight forward guides on the internet. If you can work out how to follow the instructions you're sorted.
>It's so trivial to work around this that I'm stunned they're even bothering to implement it.
This does not matter one iota. People have been spied upon for ages with things that are even more trivial to work around.
Also, that it's trivial to some means nothing, if it's not trivial for others, or if they are not bothered. Can you guarantee that your grandmother or friend will also "work around" this --and other such measures? You don't really believe that they can get information about you only from YOUR system?
Lastly, even if its trivial to bypass and useless, it raises the Overton Window. Society accepts that --already an unthinkable level of surveillance 2-3 decades ago--, and they'll come up with something more intrusive next time.
Plus, they make the laws. If they can get away with that one, they could also get away with outlawing "working around it", and all related tools.
In that case, they don't even need to "break" Tor to get people. They can execute some warrant search to your house (for whatever reason), or even a routine laptop search at the airport, and arrest them if they see such a tool MERELY installed on it.
> But senior Tory David Davis said it was "incredibly intrusive" and would only "catch the innocent and incompetent".
I think this sums it up, this data will be of little help for stopping crime, but it would be of great help for corrupt officials to do evil not to mention the risks involved with storing this data.
"The only people who will avoid this are the actual criminals, because there are ways around this - you use an internet cafe, you hack into somebody's wi-fi, you use what's called proxy servers, and they are just the easy ways."
It's sad that it's shocking for a politician to be able to actually list ways that this sort of system can be worked around.
I'm also disappointed that the Lib Dem ministers are so easily placated by "warrants must be approved by the Home Office", and not a judge. This shows an unnerving readiness to erode the separation between legislature and the judiciary.
Given that another Conservative minister claimed, under oath, that he doesn't know what "quasi-judicial" means (he was appointed that exact role), I don't have much hope that the home secretary will apply legal advice before handing out warrants.
I'm not informed massively on the work-load that the home secretary is under but is it really a good idea to even expect that they have the time to do proper research and take advice into account when judging whether a warrant is worthy or not?
It seems an awful lot like catching someone in a hurry to get them to sign something because you don't want them to read it.
Officials have already shown that they are happy to overstep what regular people consider to be acceptable. And that was a generous line. People in the UK are on the whole accepting of privacy invasions.
Announcing this during the McPherson inquiry (where various people (including police officers) have shown they're happy to break criminal law to obtain, buy, and sell information) means they're going to have a hard time getting it passed.
Unfortunately those who probably would care are too busy consuming the noise of the numerous wars, inquiries, showbiz, celebrity dross, royal banality, Olympic bleugh and regurgitating it all over Facebook.
See the calm when ID cards were first proposed. Most people just didn't care. There were some vocal anti-ID card campaigns pointing out the real faults of the proposed scheme, but most people either didn't care or thought it was a good idea. (A lot of wingnut racists who thought (wrongly) that it'd sort out the illegal immigrant "problem".)
It was only as time went on and the costs increased and the benefits decreased that more people started being against the card. The death knell came when the government announced that each card would cost > £100.
See also the number of people who think that everyone should be on the Police DNA database; the number of people who'd volunteer to have their DNA on that database. It's only relatively recently that people have started campaigning to have data removed for people who haven't been convicted or charged of a crime.
There isn't much fuss around cctv cameras; or around automatic number plate recognition cameras; or around laws enforcing specific fonts to allow anpr cameras to work.
Your last sentence sums up the problem nicely: most people care more about X Factor than about privacy.
And as usual the criminals are going to find another way.
I await more "the terrorists are coming" and "think of the children" legislation.
However, we have one thing on our side: government IT incompetence. They have managed to screw every major IT project up in the last 20 years, so this will go the same way :)
Unfortunately this is a double edged sword. Their incompetence also caused the a lot of trouble like in this example http://beusergroup.co.uk/index.php?id=695 where they proxied file sharing sites thus forbidding access.
There are two parts to the plans for Internet intercept support in the UK, the police and the security services. The police use is primarily for the purposes of stopping crime. The purposes for the security services are opaque and unlimited as long as they are for 'lawful purposes' - i.e. anything under the Intelligence Act 1994.
When opposing this it's important to understand the remits of the two organisations and that one is nominally accountable to the public, while one isn't.
I am much less worried about letting GCHQ trawl my traffic data than I am letting my local council noodle around in it. Mostly because GCHQ probably already do it - they certainly have the capability, but also because local councils have shown themselves to be corrupt and "data-leaky".
I'm not bothered about my traffic data being trawled. I oppose this bill because it's stupid - the people who have to keep data are not clearly defined; hiding some of that data is trivial for criminals; keeping that data is an unreasonable burden on some (but not all?) ISPs; etc etc.
It's frustrating that there are some really clueful politicians and advisors, yet governments keep pumping out really stupid laws about computers and networking.
For all you people who are not phased by it and think it's OK and harmless: you do realise it's your own tax money they are senselessly wasting here right? A lot of money. For nothing.
Brought to you by the same crowd that passed the "cookie law" that requires user opt in for any cookies - even if it is storing something as trivial as a session ID for the duration of one visit.
These legislators seem to be regulating what they do no understand.
I dont consider myself any form of hacker, I dont think i do anything illegal on the interweb. However i am very for privacy on the internet and against goverment monitoring.
When SOPA and CISPA etc all came about my first port of call was to get off gmail and on to my own webserver on a VPS. 2 weeks ago i deicded it was time to create my own elite anon proxy using squid. Took a few days of tinkering (sidenote did you know that google can get your IP via user_agent header? took me ages to work out why all the sites but google were getting my VPS IP and yet google could see right passed it and get my orignal IP)
now I am posting to this topic using said proxy. I can bet that once all these systems go live I will be one of the first pulled up as a terroist. I have VPNs to 2 countries, and 2 machines route out over those, i have very little standard traffic going via my ISP, and i use external DNS (currently in the process of setting up my own bind server).
I am even in the process of setting up my own jabber server (what did google rename it to xxmp?) and using that as a replacement for MSN/Skype interaction thing with my friends.
All of the above will classify me as a terroist under the UKs ever watchful eyes, I think now I am going to route my proxy in to tor for extra funz
User agent headers don't include IP addresses. Are you sure Squid isn't setting the X_FORWARDED_FOR header and revealing your IP to every site you visit which is clever enough to look?
[...] the government would be able to request any service
provider to keep data about internet usage, although
initially it will involve about a dozen firms including
BT, Virgin and Sky.
I guess that includes VPN services (like HMA, who are based in UK).
As I understand it they backed away from the stronger restrictions at the last minute... but still, the very idea of a surveillance nation like the UK "protecting" people by blocking third party cookies would be hilarious if it wasn't also tragic. Very generously they've said they won't prosecute offenders... probably... unless they don't like you... or have a political axe to grind... or you're the wrong ethnicity...
There is no irony, because they are completely different things.
You think that if a government decides that its citizens should be granted extra privacy protections from corporations and individuals, then it's only right that they grant the same protections from law enforcement?
I guess it's also ironic that my government prevents McDonalds from locking me up, but will lock me up themselves if I commit a crime?
A lot of websites now offer SSL by default, or as an option - is this more of an obstacle or can ISPs use some sort of MITM technique to defeat the SSL for snooping purposes?
Forgive my ignorance, I'm very curious about this as a UK citizen.
SSL does encrypt the traffic, but requested domain name is still transferred in plain text during the SSL handshake. I guess for tracking purposes remote IP and domain name would are more than enough.
They can MITM SSL/TLS if they manage to forge the certificates in question, or on both endpoints by having a snooping backdoor in place on either the server or the client. Other than that there are no known weaknesses in the encryption websites use but there is a multitude of things that can and do go wrong without anybody noticing.
Businesses (and governments) can legitimately buy root keys that allow MITMing any SSL connection or they could just be a CA themselves (any CA can MITM the whole internet).
"Businesses (and governments) can legitimately buy root keys that allow MITMing any SSL connection"
A business can buy their own SSL keys, but to MITM any SLL connection those keys would have to be trusted and installed at both ends of the connection and used to generate the SSL session key.
"any CA can MITM the whole internet"
Again, the CA's keys would have to be trusted and installed by the communicating parties.
You did not misunderstand me, but you misunderstand how SSL in the context of HTTP is used and what CAs offer for sale. Please see the video I linked in my original post.
I don't have the time or opportunity to watch a 50 minute video right now, but I found a summary of the talk on the presenter's blog [1]. Interesting stuff! He references a paper [2] that discusses a "compelled assistance" attach, where a government can use the law to compel a CA to hand-over a certificate that would certainly be usable for a MITM attack. Bruce Schneier also mentioned this [3].
But this is far from "Businesses (and governments) can legitimately buy root keys that allow MITMing any SSL connection". Businesses can't invoke CALEA (or the UK RIPA[4] law, since we're talking about UK government surveillance) - only governments can do that. And the keys are not really being sold or bought. And I don't see how a government could compel a CA in a different legal jurisdiction anyway.
"any CA can MITM the whole internet"
No. A CA has access to keys that can be used to MITM a connection that is secured by keys issued by them. Thats not the "whole internet".
They can MITM attack SSL only if they have root/superuser access to your computer. They'd have to install a new SSL root cert. Or ISPs can put up a fake cert and hope that people ignore/click through the warnings (which lots do). Or if they have a contact with a corrupt SSL root cert signer, they could get their own fake cert signed.
"...The police and security services are concerned that criminals and terrorists are increasingly evading detection by using social media and online gaming sites to communicate with each other..."
of course they do - because the terrorists and the criminals have the brains and the survival instinct of a peanutbutter sandwich!
http://www.amazon.co.uk/The-Dying-Light-Henry-Porter/dp/0752...
Although it's a novel, it's written by a well-known journalist with an interest in civil rights and liberty: http://en.wikipedia.org/wiki/Henry_Porter_(journalist)