
UK's new Snoopers Charter just passed an encryption backdoor law by the backdoor - tomtoise
http://www.theregister.co.uk/2016/11/30/investigatory_powers_act_backdoors/
======
boyce
I live in the UK and the thing that's disturbed me most about all this is how
little coverage there's been and how little outrage there is about the
consequences of this law. I genuinely think as a country we've given up.
There's no enthusiasm for any cause and no one has any will left to stand up
for the things they ought to care about. It's a weird atmosphere here now.

~~~
stupidcar
What frighten me most is that Labour, supposedly the official opposition to
the government, refused to try to stop or improve this bill. Instead they
waved it through, abstaining on key votes, and not bothering to table
amendments.

All of this is despite Labour being run by figures who have a long history of
opposing government authoritarianism. For example, Jeremy Corbyn didn't vote
against it. Shami Chakrabarti, who spent years running Liberty, an
organisation dedicated to protecting individual liberties, abstained.

What the hell is going on behind the scenes when people like that have been
successfully silenced?

When a law this far-reaching and repressive is passed with a conspiracy of
silence and acquiescence from both the media and the political establishment,
you have to conclude that UK democracy is basically non-functional. It's over.

~~~
boyce
I didn't know Shami Chakrabarti abstained. That's totally mad. If there's one
thing I would have thought we could rely on her for it was to vote against
things like this.

The Labour party have been completely neutered. The membership and the unions
clearly want them to take a much more radical left wing approach but the party
establishment still want them to be the party Blair built and it's caused this
weird stalemate. I think Blair would have backed this bill.

An interesting point is that the bill has exceptions for journalists. I
suspect that has encouraged the media to keep pretty quiet about it.

~~~
Pete_D
I think Blair almost certainly would have backed this. The other day I
rediscovered this article from 2008 about councils using RIPA to catch people
littering and flytipping:

[http://www.telegraph.co.uk/news/uknews/3333366/Half-of-
counc...](http://www.telegraph.co.uk/news/uknews/3333366/Half-of-councils-use-
anti-terror-laws-to-spy-on-bin-crimes.html)

> The Tories condemned the latest figures as further evidence that the law had
> become a "snooper's charter". "Under Labour, the rights and liberties of
> law-abiding citizens are being eroded through plans for ID cards, sinister
> microchip spies in bins and abuse of anti-terror laws by councils," said
> Eric Pickles, the party's communities spokesman.

Strange reading nowadays. I wonder what Eric Pickles makes of it all.

------
doc_holliday
Having attempted to read the legislation passed, I actually have no idea in a
lot of ways what this bill does and what this bill doesn't cover. (The main
thread of what it covers seems terrible).

I consider myself a quite intelligent and logical person, but I get lost
halfway through reading it. It seems full of contradictions and half vague
statements that could or couldn't cover something.

Are these bills purposefully confusing by design? It seems like you can
interpret it in a lot of ways. Why is it not clear, concise and
understandable?

~~~
doc_holliday
Here is the response from the Government to the petition posted:

[https://petition.parliament.uk/petitions/173199](https://petition.parliament.uk/petitions/173199)

"The Government is clear that, at a time of heightened security threat, it is
essential our law enforcement, security and intelligence services have the
powers they need to keep people safe.

The Investigatory Powers Act transforms the law relating to the use and
oversight of Investigatory powers. It strengthens safeguards and introduces
world-leading oversight arrangements.

The Act does three key things. First, it brings together powers already
available to law enforcement and the security and intelligence agencies to
obtain communications and data about communications. It makes these powers –
and the safeguards that apply to them – clear and understandable.

Second, it radically overhauls the way these powers are authorised and
overseen. It introduces a ‘double-lock’ for the most intrusive powers,
including interception and all of the bulk capabilities, so warrants require
the approval of a Judicial Commissioner. And it creates a powerful new
Investigatory Powers Commissioner to oversee how these powers are used.

Third, it ensures powers are fit for the digital age. The Act makes a single
new provision for the retention of internet connection records in order for
law enforcement to identify the communications service to which a device has
connected. This will restore capabilities that have been lost as a result of
changes in the way people communicate.

Public scrutiny

The Bill was subject to unprecedented scrutiny prior to and during its
passage. The Bill responded to three independent reports: by David Anderson
QC, the Independent Reviewer of Terrorism Legislation; by the Royal United
Services Institute’s Independent Surveillance Review Panel; and by the
Intelligence and Security Committee of Parliament. All three of those
authoritative independent reports agreed a new law was needed.

The Government responded to the recommendations of those reports in the form
of a draft Bill, published in November 2015. That draft Bill was submitted for
pre-legislative scrutiny by a Joint Committee of both Houses of Parliament.
The Intelligence and Security Committee and the House of Commons Science and
Technology Committee conducted parallel scrutiny. Between them, those
Committees received over 1,500 pages of written submissions and heard oral
evidence from the Government, industry, civil liberties groups and many
others. The recommendations made by those Committees informed changes to the
Bill and the publication of further supporting material.

A revised Bill was introduced in the House of Commons on 1 March, and
completed its passage on 16 November, meeting the timetable for legislation
set by Parliament during the passage of the Data Retention and Investigatory
Powers Act 2014. Over 1,700 amendments to the Bill were tabled and debated
during this time.

The Government has adopted an open and consultative approach throughout the
passage of this legislation, tabling or accepting a significant number of
amendments in both Houses of Parliament in order to improve transparency and
strengthen privacy protections. These included enhanced protections for trade
unions and journalistic and legally privileged material, and the introduction
of a threshold to ensure internet connection records cannot be used to
investigate minor crimes.

Privacy and Oversight

The Government has placed privacy at the heart of the Investigatory Powers
Act. The Act makes clear the extent to which investigatory powers may be used
and the strict safeguards that apply in order to maintain privacy.

A new overarching ‘privacy clause’ was added to make absolutely clear that the
protection of privacy is at the heart of this legislation. This privacy clause
ensures that in each and every case a public authority must consider whether
less intrusive means could be used, and must have regard to human rights and
the particular sensitivity of certain information. The powers can only be
exercised when it is necessary and proportionate to do so, and the Act
includes tough sanctions – including the creation of new criminal offences –
for those misusing the powers. The safeguards in this Act reflect the UK’s
international reputation for protecting human rights. The unprecedented
transparency and the new safeguards – including the ‘double lock’ for the most
sensitive powers – set an international benchmark for how the law can protect
both privacy and security.

Home Office"

Again in their response, I have no idea what they really said. It's not clear
other than some vague line on terrorism and safety. It's all a mixture of half
speak and jargon.

~~~
dingaling
And this is why people in the UK are apathetic. Civilized protest is greeted
by official jargon that basically says 'we do what we want'. Just like when we
objected to the original RIPA.

The agencies and authorities that pressurise and cajole Governments into these
actions are unelected and play the long-game. They can wait and ride-out any
Paliament that is insufficiently malleable.

Which reminds me to update my collection of encryption program source code
whilst I still can.

------
sir-alien
I do find such a law quite strange though. The intention (at least for public
consumption) was to help "prevent" terrorism. Not sure how the NHS or health
services seeing your browser history will do that.

France already has a similar law in place so I wonder how that worked out for
them by preventing the Bataclan massacre. (it didn't)

This law will probably not help in any shape or form to prevent terrorism but
was merely implemented to provide some form of leverage over people.

"Do as we say or this lovely data becomes public, or you are denied healthcare
because of a site you visited but never visited because it was a hidden
iframe"

~~~
toyg
The truth is that authorities the world over have finally caught up with the
internet. Look at it this way: they already had pretty extensive powers to
monitor telephone calls and correspondence; then the internet came about, and
slowly made them blind.

Until a few years ago, they compensated by treating the internet as a free-
for-all where they could spy at will; as people fought back and started to
demand accountability and limits, they responded with a legislative backlash
that is slowly making gains everywhere. The most authoritarian-inclined states
(UK, France, Italy) have passed the worst laws, but others are busy following
suit.

It's an ideological battle, and they are winning it. One day we will look back
at the Chinese firewall as a pioneering effort.

~~~
napworth
I've been wondering, do we have any idea on what type of data they'll be
recording now?

\- Is it domain names, or subdomain names?

\- How do they get the domain names? Do they look at IP addresses I'm
connected to and do a lookup?

\- If I use a VPN, will all my traffic come up as that VPN?

\- How will they link an internet connection to a person? Will it be done on
the name they used when they signed up, their house address, or their billing
details?

~~~
sir-alien
When using a VPN (IPsec, OpenVPN, etc - something secure) then all the ISP
will see is that you connected to your VPN IP and how much data volume was
transferred.

Since the traffic exits at the VPN only the VPN endpoint would be able to read
this meta data if they did such a thing which is not impossible but not
normal. The worst case scenario is that your encrypted traffic is recorded for
a while then they come knocking on the door for the encryption key.
Alternatively if the international VPN provider is of the cooperating kind
then they can log this data on behalf of your government. So use a foreign VPN
provider that stands up for rights or use a dedicated server in a foreign
country.

I have always wondered if this could be avoided though by using some form of
rotating keys that you throw away or perfect-forward-secrecy if this works.

~~~
napworth
Do you have a suggestion for a paid VPN service?

~~~
christoph
[https://gist.github.com/joepie91/5a9909939e6ce7d09e29](https://gist.github.com/joepie91/5a9909939e6ce7d09e29)

But if you must:
[https://thatoneprivacysite.net/](https://thatoneprivacysite.net/)

~~~
UniversalBlue
This article [1] is so stupid I want my seconds back.

The matter in question is: who do you trust more? Your ISP or the VPN
provider? The default should be that you don't trust your ISP, especially if
you are in the UK. Hence, trusting a VPN provider is the lesser of two evils.

Will that protect your child-pornography-viewing? If you use Qubes OS, where
you have a VPN on the host, then you use Whonix in a VM, where you use tor,
then you are probably safe.

Are you a terrorist planning to destroy America? You are probably our of luck,
but for the truly paranoid it could be achieved.

My advice: it is better to trust VPN providers in other countries than your
own, just select decently (aka, not Hide my Ass). NEVER trust your ISP!

[1]
[https://gist.github.com/joepie91/5a9909939e6ce7d09e29](https://gist.github.com/joepie91/5a9909939e6ce7d09e29)

------
junto
It is curious to note that if you very slowly and gradually reduce the size of
the sheep pen, as long as the sheep are still fed, they won't notice until
they are driven down the tunnel to the slaughter house.

It is not until they hear the captive bolt being shot through the skull of the
sheep in front of them, that they finally start to panic.

~~~
brokenmachine
"Curious" is not the first word that I would think of to describe that
situation.

Terrifying? Horrific? Insidious?

------
brassic
This is basically national security letters with oversight. Which is part of
the problem. When any of the major democracies introduces a law like this, it
normalises it for the rest. Which then gives encouragement to the more
oppressive countries. The whole world seems to be in a race to the bottom.

------
rahrahrah
I would like the crypto-experts of HN to help understand what consequences
this has. For example, I have whatsapp with E2E encryption. Can the government
read my texts now?

~~~
kbart
_" Can the government read my texts now?"_

It is _impossible_ to read properly encrypted data. However, this law enables
government to require tech firms to deliberately break cryptography in their
products.

~~~
setrofim_
@grandparent: In other words, no, they can't read the texts you've sent up to
this point. But they may be able to a month or year from now. Your texts up to
the point the law passed are safe _, but you can 't be sure about the messages
you send from now on.

(_well, as safe as they were prior to the Snooper's Charter).

~~~
rahrahrah
So the question will come down to how much leverage the UK government has over
which companies?

~~~
setrofim_
Essentially, yes -- it will be down to whether the company is willing to risk
having to withdraw from UK market. And if a company does choose to cave in
into UK government's demands for backdoors, you can't be sure whether or not
they would inform you of this in a timely manner.

------
mcherm
OK, time to stop using any security software created by company under UK
jurisdiction. Anyone want to help make a list?

------
juanre
I would like to attain some decent level of privacy, but my searches on how to
go about it yield a large amount of conflicting information (which I suspect
is there on purpose.) Is there a sensible guide out there that some of the
experts at HN would recommend?

~~~
kbart
It depends on your threat model: what do you want to hide and from who? If you
simply want to avoid someone reading your messages (payload), using https
everywhere, end-to-end encrypted chat clients (ie. Signal), encrypted mail
(ie. PGP), maybe disk encryption (ie. VeraCrypt) should be enough to defend
against non-targeted attacks and government dragnets. If you want to hide your
"meta-data" from non-targeted government snooping (browsing history and who do
you contact with) it gets more complicated -- in this case you also need VPN
and/or Tor. Defending against targeted attacks is next to impossible, but you
should not be worried about these anyway, unless you are on FBI's top list or
smth. Using open-source tools and avoiding highly centralized services
(Google, Facebook etc.) is generally a good idea for a privacy minded
individual as well.

~~~
falcolas
Simply using VPNs and Tor provided a signal, and is (per previously released
documents) a great way to get on a short list of people to pay more attention
to.

I almost think we'd be better off going the other direction and hiding our
signal in a bunch of noise, or just grab everything and review it on an
uncompromised network (such as "spider every top link from HN and store it
locally, then browse only that local copy").

~~~
kbart
If enough people use secure communications, then it _becomes_ noise. Take an
old, boring door lock analogy: _everyone_ locks their home door, but nobody
thinks that they have something to hide or illegal in their home just because
of that. Making privacy and encryption tools easily accessible and easy to use
is our best best imho.

~~~
falcolas
Given the breadth and intent of these laws, I'd expect a different response -
requiring ISPs to block VPN traffic that isn't hitting a whitelisted (i.e.
corporate) endpoint.

VPN traffic has a distinctive signature, and ISPs are already using deep
packet inspection hardware already, so blocking VPN traffic seems like a
natural evolution in this particular arms race.

------
vorotato
UK is going to get hacked into oblivion once the key gets leaked, and it will
get leaked. "Hey lets cripple national security under a single point of
failure in the name of security".

------
rurban
So the UK just killed their ISP and hosting industry. Welcome in Germany

~~~
elcct
I don't think Germany is much better...

~~~
Quarrelsome
its written into the constitution that they don't do this, cause of their
gestapo history. Ironically Germany are the safest bet because of their past.

~~~
elcct
Constitution means nothing. Check this one:
[https://www.reddit.com/r/worldnews/comments/5fxy9s/whistlebl...](https://www.reddit.com/r/worldnews/comments/5fxy9s/whistleblowing_website_wikileaks_has_released_a/)

------
reddavis
A petition can be signed here:
[https://petition.parliament.uk/petitions/173199](https://petition.parliament.uk/petitions/173199)

~~~
rahrahrah
That is the old petition, they have already responded. We need a new petition.

~~~
philjohn
Not been considered for debate yet. The response was triggered by 10,000
votes.

~~~
bshimmin
(Is it not 100,000?)

Genuine question - has anything ever happened as a result of these petitions?
When it has been debated, has there been a meaningful change afterwards?

~~~
tomtoise
No, nothing has happened. 100,000 signatures means it's considered for debate,
not guaranteed. The response is inevitably:

"We have considered debating this and decided actually we don't fancy it. Keep
signing the petitions though, they definitely make a difference and don't
think about taking direct action of any form."

------
Chris2048
What technical solutions can be used to prevent this? As I understand, this
mainly entails internet access logs? Would a secure, off-shore VPN defeat
this?

~~~
Quarrelsome
yeah. They're just tracing what pages the ISP serves you. So if you encrypt
and proxy your requests via something else they'll only know you're accessing
some random server somewhere.

~~~
coldcode
No they will see the VPN service endpoint - the next step of course would be
to disallow those connections since you must be hiding something. Only VPN
providers (like Corporate ones) that are verified by the state will be
permitted. Since the external VPN providers could keep changing the endpoint
they will respond with whitelists of acceptable domains. Eventually you will
succumb and learn to love big brother.

~~~
Quarrelsome
We'll just compromise a whitelisted end point. The whitelisting would have to
be pretty liberal because of corporate and many of us are corporate. This bill
only empowers those with technological skills.

------
antouank
> "There may be not much point using a VPN to conceal your web activities if
> it can be blown open by a technical capability notice."

If my computer makes a VPN connection with a machine outside of the UK, is the
above claim still valid?

~~~
artofcode
From the article:

> "The UK government can certainly insist that a company not based in the UK
> carry out its orders – that situation is specifically included in the new
> law – but as to whether it can realistically impose such a requirement,
> well, that will come down to how far those companies are willing to push
> back and how much they are willing to walk away from the UK market."

~~~
antouank
Missed that. Thanks.

But I cannot see why someone would comply with that. For example getting an
AWS machine in Ireland, is that within the "UK market"? Does amazon have to
comply just because many customers are in the UK? And will we ever know if
they do comply? What a mess.

~~~
artofcode
Exactly. And think about private keys for SSL certificates. I'm not even sure
if those are covered by the legal wording, but I wouldn't be surprised if they
were.

~~~
antouank
Still, I'm not sure how that will work. Say I spawn a VPS, and I start my VPN
server in there. Can Amazon just go in there and snoop somehow? My keys are
encrypted, even if they can see the disk they are on, and the traffic also.
All it can do is see the network traffic that originates from that machine,
and log that.

~~~
pricechild
Assume that if someone has physical access, the machine is compromised.

