We should absolutely keep it in the public eye lest it be relegated to acceptance.
Unfortunately, unlike right to repair, this is a fight against a government which already has too much leverage on anyone and is gaining more, making the fight progressively more difficult. It's clear that the gov't will use any power at its disposal to fight against any such citizen initiative.
What was disappointing about this was that I remember the day this bill got passed. I remember refreshing BBC News repeatedly. Not one article was written about the Snoopers' Charter in the days leading up to it (or on the day itself). Now, back to the "bad" again... The list of people who can access these records, without a warrant, is just utterly insane. It starts off legit-ish but honestly some of these are pretty hard to justify:
* Metropolitan police force
* City of London police force
* Police forces maintained under section 2 of the Police Act 1996
* Police Service of Scotland
* Police Service of Northern Ireland
* British Transport Police
* Ministry of Defence Police
* Royal Navy Police
* Royal Military Police
* Royal Air Force Police
* Security Service
* Secret Intelligence Service
* GCHQ
* Ministry of Defence
* Department of Health
* Home Office
* Ministry of Justice
* National Crime Agency
* HM Revenue & Customs
* Department for Transport
* Department for Work and Pensions
* NHS trusts and foundation trusts in England that provide ambulance services
* Common Services Agency for the Scottish Health Service
* Competition and Markets Authority
* Criminal Cases Review Commission
* Department for Communities in Northern Ireland
* Department for the Economy in Northern Ireland
* Department of Justice in Northern Ireland
* Financial Conduct Authority
* Fire and rescue authorities under the Fire and Rescue Services Act 2004
* Food Standards Agency
* Food Standards Scotland
* Gambling Commission
* Gangmasters and Labour Abuse Authority
* Health and Safety Executive
* Independent Police Complaints Commissioner
* Information Commissioner
* NHS Business Services Authority
* Northern Ireland Ambulance Service Health and Social Care Trust
* Northern Ireland Fire and Rescue Service Board
* Northern Ireland Health and Social Care Regional Business Services Organisation
* Office of Communications
* Office of the Police Ombudsman for Northern Ireland
* Police Investigations and Review Commissioner
* Scottish Ambulance Service Board
* Scottish Criminal Cases Review Commission
* Serious Fraud Office
* Welsh Ambulance Services National Health Service Trust
She probably envisioned the Home Office doing mass denial of visas based on a lookup of applicant names against IP addresses deemed to be related to terrorist activity.
> "police obtained the fingerprints of every male aged 16 and over who had been in the vicinity of Blackburn on the night of 14-15 May to compare their fingerprints to those left at the crime scene by the perpetrator. ... a milestone in the history of forensic science; this being the first time a mass fingerprinting exercise had been implemented to solve a murder in the United Kingdom."
> Just weeks prior to the execution of Peter Griffiths, all the fingerprint records obtained from individuals who had been in the vicinity of Blackburn between 14 and 15 May were publicly destroyed [emphasis my own] in a mass pulping exercise at a local papermill. Several local journalists were present to record the destruction of the records.
Why was society so vigilant about giving data that might be abused to authorities, and now, when the data is so much more vast and powerful, no one seems to care?
[0] https://en.wikipedia.org/wiki/Murder_of_June_Anne_Devaney
It's easier for people to connect with the reason _for_ doing it. Stop the terrorists, it may happen to you, etc. But the other way round is harder because it's invisible and you can live your life without caring. Even the warnings fall on deaf ears because "come on, you're being irrational" or "meh, doesn't affect me".
It is far easier and more enjoyable to believe that Britain is peace- and freedom-loving, which is the continual message from the tabloids, than to keep track of these developments and their implications.
It's easier to stand against something when there is something to stand against. The end of the Cold War meant the West didn't have an "at least we don't do <insert Stasi tactics>" to oppose itself to.
Now we routinely do things that would have made the Stasi wet themselves in excitement.
It is very different to the newer methods where you don't necessarily know what is being collected or what it is being used for.
I saw discussed online the other day some alarmist comments about the government wanting to know "what your bedroom activities are" in response to receiving the census letter in the post and seeing a mention of sexuality. Putting aside the ignorance of conflating sex with sexuality, I thought it was interesting how hard this problem is for most people to deal with.
That same person no doubt uses multiple mainstream social media sites, has browsers full of tracking cookies, uses loyalty cards and has their data collected, sold and used for all sorts of things. But it's the letter through the front door, for, of all things, a function of society that is over 200 years old, that causes alarm.
Few seem to care
2. Further degrades the privacy of the general public: Check
Just another day in internet legislation.
There are smart people working for them, why do they keep bringing in this stuff that doesn't actually have an effect against the baddies?
Is it possible that they are self-sabotaging because they actually realize they don't want to live in the world they are rushing headlong towards? Or is that giving them too much credit?
For you and me, yes. For Joe Public no. I think it's fair for people to expect a modicum of privacy inside their own home.
Is constant surveillance of a nation's citizens OK? I don't think so.
If the shit hits the fan, you want to know the political stance of all the citizens, and who the troublemakers will be, if something large is happening. ...and for that, it's enough to know which political sites they're visiting, even if you don't know the content itself.
Also this is done in america for commercial reasons to sell to adtech, like t-mobile recently or comcast for quite a while and probably all the others.
To the point that we agonized over and sabotaged contact tracing apps, which could have helped a lot in fighting COVID, over claims to privacy and government control.
Now this shit. Fuck it.
You either are or you’re not. So if my privacy is to be made sausages, chopped and sold at the market for FB, ad-tech and spooks, then give me at least some upside! As it is, we’re just bovines with ear tags...
Ask minority groups in China like Christians wanting to build a church or Uyghurs how well the model works.
https://www.independent.co.uk/news/uk/politics/conservative-...
(+) however, you need an ID card if you're an immigrant, or want to open a bank account, rent or buy a house, or have a job.
- It gives justification to obscene spending on the military
- It justifies imperialist actions which violate international law
- It blinds the local populace with "patriotism"
- It allows the creation of draconian local policies which would not be accepted in "peaceful times"
- It protects the government because any local or foreign criticism can be discarded by using _whataboutism_ about the enemy du jour.
Oldest trick in the book.
The real governors operate from their country clubs and banquets. No proper kingmaker would be so obvious as to grab headlines or make public announcements. Where is the personal enrichment in that?
A simple rule of thumb: if you know who they are, they're not the people in control.
We always ask for total transparency from our governments, yet if they ask even a little of it from us, it's bad. Why? Also, in our society, wanting too much of anything makes you a weirdo and an outcast. Why has advocating for total privacy become normal(ized)?
Since time immemorial governments have used the seal of secrecy to hide their daily embarrassments, failures, and corruption.
The UK government ordered a report into whether Saudi Arabia is promoting jihadism in the UK, and then declared it secret. Same for the Russia report. Recently the government has been sued for handing out multi-billion contracts to pals without challenge, and obviously they immediately reached for the secrets act.
We are sensitive about private data, because if you believe in a right to remain silent, well, now you can't stay silent.
Even if you are innocent, spurious charges can ruin you financially.
It’s not a bad idea, but you’ll need something more sophisticated.
So all you have to do to avoid surveillance is to make a bunch of connections so the system gets overwhelmed and ignores you?
https://www.youtube.com/watch?v=QwiUVUJmGjs
https://www.youtube.com/watch?v=oYNXVgYhPOc
And then lying about lying about it.
I'm not sure if the "URL" column in a table in the article is supposed to contain URLs. In the example it only has domain names. I don't think full URLs can be obtained from SSL/TLS connections.
When your browser tries to display https://www.example.com/some/directory?someParameter=Value#A... ::
#Appendix isn't sent anywhere, your browser only needs that locally
The path /some/directory and the query ?someParameter=Value are encrypted using keys which should be known only to the browser and server, today in most cases the keys are random and will be forgotten soon afterwards
The scheme https is implied by your browser's connection to an HTTPS web server. Modern browsers also explicitly transmit ALPN requesting h2 (HTTP/2) if available in their ClientHello, this will not be encrypted today.
The server name www.example.com is somewhat implied by your browser's connection to an IP address for this server. Any browser that still works in 2021 explicitly transmits the SNI requesting this name, so as to enable Virtual Hosting which offers multiple distinct web servers on a single IP address. SNI is also in the ClientHello and thus not encrypted.
The full server name will also be looked up by the browser in DNS. In many cases this means an unencrypted UDP query for that name, and this may in turn trigger a query for example.com, and in theory at least, com itself because DNS is hierarchical and the hierarchy may need to be discovered.
You can secure some of this last step by using any of the DPRIVE technologies, including DNS over HTTPS (DoH) or DNS over TLS (DoT) and some day DNS over QUIC (DoQ). Eventually DPRIVE might also secure the recursion, but even today if snoopers can see that Google's DNS service asked about example.com that does not pin down who wanted them to do that, let alone why.
If you've secured DNS, this will pave the way for ECH, a forthcoming standard to Encrypt the ClientHello. It is likely that popular browsers will begin just doing ECH (silently enabling it for at least some users) in the next year or so, but right now it isn't quite finished.
Even with an Encrypted ClientHello, the IP gives away roughly who you connected to. The Internet Archive, the Fox News web site, and Wikipedia have no interest in sharing IP addresses with Porn Hub so as to throw off snoopers who are wondering roughly what you're doing. On the other hand, Encrypted ClientHello would hide whether you're looking at the German Wiktionary or the English Wikipedia page about the Hitler Youth, and it would mean there was no longer a privacy advantage to a site using directory prefixes to categorise things versus using server names.
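The comment above walks through which parts of https://www.example.com/some/directory?someParameter=Value are visible on the wire before encryption begins. The following is an added example, not code from the thread or from any browser or ISP: it constructs a minimal TLS ClientHello (far fewer extensions than a real browser sends; the random bytes and cipher list are fixed placeholders) and then parses it the way a passive observer would, pulling out the plaintext SNI and ALPN while confirming that the path and query string are simply not present in the record. Unknown extension types are skipped, so the parser also works on real captures.

```python
import struct

def _ext(ext_type, body):
    """Encode one TLS extension: type(2) + length(2) + body."""
    return struct.pack("!HH", ext_type, len(body)) + body

def build_client_hello(server_name, alpn=("h2", "http/1.1")):
    """Build a minimal TLS ClientHello record (constructed sample, not a real browser's)."""
    # server_name extension (type 0): list len(2) + name_type(1)=host_name + name len(2) + name
    sni_entry = b"\x00" + struct.pack("!H", len(server_name)) + server_name.encode()
    sni_ext = _ext(0, struct.pack("!H", len(sni_entry)) + sni_entry)
    # ALPN extension (type 16): list len(2) + (len(1) + protocol name)...
    alpn_list = b"".join(bytes([len(p)]) + p.encode() for p in alpn)
    alpn_ext = _ext(16, struct.pack("!H", len(alpn_list)) + alpn_list)
    exts = sni_ext + alpn_ext
    body = (b"\x03\x03" + b"\x11" * 32          # legacy_version + 32-byte random (placeholder)
            + b"\x00"                            # empty legacy_session_id
            + b"\x00\x02\x13\x01"                # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                        # compression methods: null only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record header

def parse_client_hello(record):
    """Return what a passive observer can read from an unencrypted ClientHello."""
    assert record[0] == 0x16, "not a TLS handshake record"
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    assert hs[0] == 0x01, "not a ClientHello"
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                               # skip version + random
    sid_len = body[pos]; pos += 1 + sid_len                    # skip session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len
    comp_len = body[pos]; pos += 1 + comp_len
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    found = {"sni": None, "alpn": []}
    while pos < end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        data = body[pos:pos + elen]; pos += elen
        if etype == 0:                                         # server_name
            name_len = struct.unpack("!H", data[3:5])[0]
            found["sni"] = data[5:5 + name_len].decode()
        elif etype == 16:                                      # ALPN
            p = 2
            while p < len(data):
                n = data[p]
                found["alpn"].append(data[p + 1:p + 1 + n].decode())
                p += 1 + n
        # any other extension type is skipped; a real ClientHello has many
    return found

if __name__ == "__main__":
    rec = build_client_hello("www.example.com")
    print(parse_client_hello(rec))                             # sni and alpn are in the clear
    print(b"/some/directory" in rec, b"someParameter" in rec)  # path and query are not
```

The parser only ever sees the host name because the HTTP request line carrying the path and query is sent after the handshake completes, inside the encrypted record layer; with ECH the server_name extension itself moves into an encrypted inner ClientHello, which is exactly the gap the comment describes.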
https://www.eff.org/deeplinks/2013/08/dea-and-nsa-team-intel...
Your Article 8 protections only matter as much as they're enforced and respected by the government. If Article 8 was the defense you imagine it to be, then the Investigatory Powers Bill wouldn't have passed in the first place.
It's very hard for me to square the text of Article 8 with a bill that allows warrantless access of every single IP address you visit. If that's consistent with the government's interpretation of the text, then it doesn't sound to me like the text is doing its job.
Regular healthy frogs just jump out of the pan when it gets uncomfortable.
If you connect to IP xxx.xxx.xxx.xxx a few milliseconds after looking up the IP for badsite.com then you're probably connecting to badsite.com. Then they can get a warrant for badsite.com's web server logs, or Cloudflare's logs if badsite.com is using it...
Then you ask ISP to lookup subscriber info (via account id) based on that.
You can do that already in some EU countries, just by lodging a complaint with police as a service provider (say you have an e-shop) for example. ISPs have to store these logs for some months.
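The correlation the comments above describe (DNS lookup, then a flow to the resolved address a few milliseconds later, then a subscriber lookup on the source address) is easy to show on sample data. The block below is an added example, not code from the thread or from any ISP's retention system: the DNS resolver log, the flow log, the log formats and the subscriber table are all constructed here for illustration. It infers a host name for each connection only when the same client resolved that address within a short window, and reports two candidates when two names resolved to a shared (CDN-style) address, or none when the client's DNS cache or DoH meant no lookup was visible.

```python
import re
from datetime import datetime

# Constructed sample logs (hypothetical formats; not from the article or any real ISP).
DNS_LOG = """\
2021-03-10T09:00:00.120 client=10.0.0.5 q=badsite.example A=203.0.113.7
2021-03-10T09:00:00.300 client=10.0.0.5 q=cdn-a.example A=198.51.100.9
2021-03-10T09:00:00.310 client=10.0.0.5 q=cdn-b.example A=198.51.100.9
2021-03-10T09:00:05.000 client=10.0.0.9 q=badsite.example A=203.0.113.7
"""
FLOW_LOG = """\
2021-03-10T09:00:00.135 src=10.0.0.5 dst=203.0.113.7:443
2021-03-10T09:00:00.420 src=10.0.0.5 dst=198.51.100.9:443
2021-03-10T09:00:05.040 src=10.0.0.9 dst=203.0.113.7:443
2021-03-10T09:00:30.000 src=10.0.0.5 dst=203.0.113.7:443
"""
# Hypothetical subscriber table keyed by the address the ISP assigned at the time.
SUBSCRIBERS = {"10.0.0.5": "acct-1042", "10.0.0.9": "acct-2211"}

DNS_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) q=(?P<qname>\S+) A=(?P<ip>\S+)$")
FLOW_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>[\d.]+):(?P<port>\d+)$")

def _epoch(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f").timestamp()

def _parse(log, regex):
    """Parse log lines into dicts; lines that don't match the format are skipped."""
    out = []
    for line in log.splitlines():
        m = regex.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = _epoch(d["ts"])
            out.append(d)
    return out

def infer_connection_records(dns_log, flow_log, window_s=2.0):
    """Attach a probable host name to each flow from the same client's recent DNS answers."""
    lookups = _parse(dns_log, DNS_RE)
    records = []
    for f in _parse(flow_log, FLOW_RE):
        names = sorted({d["qname"] for d in lookups
                        if d["client"] == f["src"] and d["ip"] == f["dst"]
                        and 0.0 <= f["ts"] - d["ts"] <= window_s})
        records.append({
            "account": SUBSCRIBERS.get(f["src"], "unknown"),   # the ISP-side subscriber lookup
            "dst": f"{f['dst']}:{f['port']}",
            "inferred_names": names,   # [] => lookup was cached or encrypted; only the IP is known
        })
    return records

if __name__ == "__main__":
    for r in infer_connection_records(DNS_LOG, FLOW_LOG):
        print(r)
```

Two things the sample makes visible: the shared-address case only narrows the connection to a set of names, which is the ambiguity ECH would extend to everything behind a large CDN, and the last flow shows that moving the lookup out of the ISP's sight (DoH or DoT, as discussed earlier in the thread) leaves the retained record with nothing but the IP and port.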
Their own citizens are an entirely different ballpark, as you might say.
When you track and log everything - for up to a year - that's not snooping.
That's surveillance.
Using candy-coated language for such things is as (almost as) harmful as the acts themselves.
'Snooping' isn't candy-coated language in British English, and this is a British article. It's just another way to say surveillance. You're imagining a meaning that isn't there.
Your school nemesis snoops on what you're up to to try to embarrass or one-up you in some way.
Surveillance can be good or bad. Snooping is always bad.
How very democratic and transparent of them
Kinda in two minds about this...tempted to implement a VPN to a VPS but not super keen on killing my gbps speeds.
Cryptography is fast and cheap enough to handle SSD encryption — it’s plenty fast enough to handle your network traffic too.
The only downside is the packet overhead. Can you survive going from 1500 down to 1420 bytes per packet? (Yes.)
You've gone from your ISP being the point at which interception can happen to your VPS provider and/or their ISP being the point at which interception can happen.
But yeah, you're swapping your ISP and your government for your VPN and maybe their government.
If you're a dissident, you're probably fine. If you're a pirate and the VPN isn't in certain countries, you're probably fine. If it's something both countries disagree with, you're in trouble.
Know your personal risks.
But it would have to be outside the UK to avoid the same fate. Since you are in the UK, this makes it harder to trust the service provider and their security services not to find your "foreign" traffic very interesting and not subject to their laws protecting their own citizens' data.
A lot of "we don't keep logs" vpn providers were found to very much keep logs of all your traffic. Some of the people in the VPN business are the last ones you would want to see all your traffic.
Tor might work, or at least change the threat model, but it cannot be used as a high bandwidth proxy.
Secondly, I really recommend Andrews & Arnold [1] as an ISP if you can only get ADSL. I don't use them at home because I need the bandwidth afforded by cable -- for which there is one supplier in my town, Virgin (bah!) -- but AAISP supply my mother's home and are genuinely amazing. She had some issues due to BT and they let me raise an issue via IRC; the few times I have had to get in touch with them it's been an absolute pleasure; they disclose their support as "xkcd/806 compliant". Their owner is also a strong campaigner for digital privacy.
[1]
However, you don't want that: you want a subject access request. This covers data from private sector companies too. Not responding is illegal and you can take them to the Information Commissioner and eventually the Information Tribunal.
This is the information commissioner's office's guide to making a request:
https://ico.org.uk/your-data-matters/your-right-to-get-copie...
Source: trained as a journalist and am quite good at media law stuff. Not a lawyer, but have had substantial training and think this is worth a punt.
Data you send out over the internet unencrypted doesn't have an expectation of privacy. Yet lots of people assume stuff like this is private.
The only way to close the gap is to publish the data so everyone can see exactly what they and others are inadvertently telling the world.
It listed a bunch of stuff that I never downloaded though...
Like shooting fish in a barrel; total surveillance state achieved.
Of course, a computer trying to hide like that would also raise a red flag.
Because the real link has too many redirects behind my pihole. ;-)
* https://www.wired.co.uk/article/internet-connection-records-...
So for one thing, using the data collected for anything else or providing it to anyone else would be an immediate and severe breach of both data protection and security laws. That would have serious consequences for the ISP doing it.
For another, it would bring that monitoring system into disrepute and damage the credibility of a government that wants to be seen as strong on security. As a previous government learned to its cost when it tried to introduce personal ID cards here, even voters in the UK (who traditionally have a majority in favour of tough policing and security measures) still have lines they aren't willing to cross.
In short, while there is plenty of scope to debate whether a system like this is necessary or justified as a security measure, it's highly unlikely that it will also be turned into the kind of sell-all-your-data exercise that might be a concern in some other parts of the world.
> Today 6 October 2020, the Court of Justice of the European Union (CJEU) delivered its verdict on four data retention cases in France, Belgium and the UK, in the context of these countries surveillance programmes. The European Court of Justice ruled that the surveillance laws of France, Belgium, and the United Kingdom fail to safeguard fundamental rights and freedoms. The CJEU rules that general and indiscriminate data retention is allowed under EU law when the State faces a “serious threat to national security” that is present or foreseeable, but only under the scrutiny of courts or independent administrative bodies and when this is done only temporarily. Finally, the CJEU specifies that national courts cannot use information obtained from bulk retention regimes against suspects in criminal proceedings.
> “Today’s judgement is a massive blow to existing laws in France, UK and Belgium and to other current data retention practices by Member States”, said Diego Naranjo, Head of Policy at European Digital Rights (EDRi). “With this judgement, the CJEU essentially rules that, States can only engage in general and indiscriminate data retention when they face a “serious threat to national security” that is present or foreseeable, when subject to a court or administrative body review. The CJEU has put a stop to current illegal practices and disregards practices that are not under a national court’s scrutiny in the name of national security or in the fight against “terrorism””, he added.
> Data retention practices entail the storage of traffic and location data (metadata) by telecommunications companies for an extended period of time in order to ensure the availability of such data for law enforcement purposes. As electronic communications technologies are increasingly used in the course of criminal activity, electronic communications data can play an important role in criminal investigations. Mandating the bulk retention of this data, however, poses serious risks to the right to privacy and communications freedoms.
https://edri.org/our-work/press-release-the-data-retention-r...
This was October 2020. The CJEU still held jurisdiction over the UK courts during the transition period after Brexit (31 Jan 2020 - 1 Jan 2021) per the Withdrawal Agreement.
> The Court of Justice of the European Union continues to have jurisdiction over the United Kingdom during the transition period. This also applies to the interpretation and implementation of the Withdrawal Agreement.
https://ec.europa.eu/commission/presscorner/detail/en/qanda_...
The U.K. is free to do whatever with little to no recourse for U.K. citizens beyond appeal to their own Supreme Court to challenge the constitutionality of data retention / surveillance laws.
That said, the EU is not without its own particular faults and shortcomings, but there are times when it does pay off to be able to challenge national legislation and policy making when it threatens human rights and freedoms such as they are purported to be upheld on the West-European continent.
As far as "governments" go, across the EU, the separation of powers is a thing. If data retention laws are enacted, that's a reflection of the prevailing winds / power balances between the legislative, executive and judicial bodies.