

Email and web monitoring laws 'to be brought in soon' [UK] - earnubs
http://www.bbc.co.uk/news/uk-politics-17595209

======
buro9
I'm actively encouraging the users of the sites I run to encrypt everything.

I'm giving advice in private messages about how to use Truecrypt (especially
when using Dropbox or any remote backup or cloud sync service), what a VPN is
and how to use Relakks or IPredator, etc.

Just basic things, yet the reaction has been extremely positive. One of the
sites I run exists by donations, and just for giving this advice 1 person
donated £100 to the running of the site because in his words "No-one else is
telling me to encrypt or helping me."

The big glaring omission in all of this is email. We all want a secure email
system, and one that doesn't involve locking yourself into a single provider
(Hushmail), and yet can co-exist with sending email to recipients on webmail
and corporate solutions.

Talk about a big hole in the market.

I've not pitched this to my users as "here's how to pirate", it's just been
"privacy is core to democracy, encryption protects your privacy". And
additionally I've argued to them that if they were amongst the people who
turned their Twitter avatars green last year for Iran, then by not using
encryption they leave encryption to "terrorists, criminals and dissidents",
who cares for the first two, but if you care for the last you'll encrypt too
to ensure that their dissenting opinion can be voiced safely in private.

I got the idea for telling my users all of this from HN, and specifically a
link to a Canadian site:

<http://encrypteverything.ca/index.php/Main_Page>

Then I also shared links to:

<https://www.eff.org/https-everywhere>

<https://www.relakks.com/?lang=eng>

<https://ssd.eff.org/tech/encryption>

I truly think that the best response that the people of Britain can give to
these proposals is to encrypt everything and take away from the government the
ability to pervasively spy on their own populace like this.

With most governments and corps it always feels like they ask for a mile, and
when we object they concede half a mile. We're happy, but then they do this a
few times and they get to where they wanted to be.

What better way to halt this for good than to encrypt everything.

Now, if someone could just give us email v2, secure by default. I'd happily
pay for it. Just make it work, and make it open source and aim for it to be
standard... don't give me another closed service to achieve it.

~~~
gravitronic
... Wait, why aren't we talking about PGP?

PGP (and its mathematical foundations to some degree) were invented to solve
the secure email problem. Back then the proponents of PGP essentially
predicted the situation we're in now. Up until now there's been plausible
deniability for any of us normal people to care, so consumer adoption of PGP
remains close to nil. Even corporate use I've seen only comes into play when
dealing with another company who forces it be used.

That's changing fast. Their original use case (secure messaging in a monitored
society) is no longer only a tinfoil hat situation.

The solution is for all of us HNers to adopt PGP 100%. Everyone who wants to
talk to us would have to adopt PGP. The friction to start is rather huge but
that is how something like this would get adopted.

As for "but it doesn't jive with my gmail nicely".. maybe it's time we give up
gmail too. Its value proposition is based on reading your email to better
build a profile on you to sell to advertisers. That's why google plus wanted
your real name, so they have a face to put all that mined data to.

Switch To PGP Day?

edit: relevant links

"simple pgp chrome plugin for gmail" -
<http://news.ycombinator.com/item?id=2918255>

~~~
buro9
I agree. I want to talk about PGP. But I'm talking to end users who have real
trouble setting up a VPN. PGP's big problem back then was that it should be
invisible and just work, it was neither. That's what I mean by needing to
revisit secure email.

~~~
kamjam
GMail and other webmail providers _just need to add this_ and make it a
configurable option in the settings. Heck, even Outlook should give the users
this option via some wizard (they seem to have one for everything else!).
Totally agree that this needs to be as invisible as possible. When I first set
up PGP in Thunderbird a few years back it was quite a bit of flaffing about,
add to that the fact that your key resides on any one of a million servers...

The cynic in me says it's been done in this way on purpose, I mean, don't want
to make the feds actually do any work to be able to snoop around my emails.

~~~
gravitronic
GMail is open about the fact that it mines your emails for your advertising
profile. Encrypting the data for you would result in reduced value proposition
for them. Not going to happen.

~~~
tjoff
No. Google would of course be able to decrypt the content (I don't see how
they would adopt it otherwise in this universe, google must comply if they get
a warrant and they are not willing to fight that), thing is only google would
be able to and no one else. And that alone is a huge win.

------
Hates_
Sign the petition to scrap plans to monitor all emails and web usage. Only 4k
signatures so far.

<http://epetitions.direct.gov.uk/petitions/32400>

~~~
Sodaware
I would also advise writing to your local MP (find them here
<http://www.theyworkforyou.com/>). It's easier to ignore 4,000 digital
signatures than 4,000 physical letters. It wouldn't hurt to call them either.

------
alan_cx
So, mega snooping, well publicised. Any serious terrorist or lentil rights
protester would encrypt or simply stop using electronics for communication.
That leaves the rest of us being snooped on for no terrorist or whatever
reason.

I'm a thick idiot and I can work that out, so presumably the government can
too.

This is not about terror and all that scare story stuff, it's population
surveillance.

Somehow these governments need reminding that we the people are supposed to
be the boss. They serve us, not the other way round.

------
nodata
Taking this back in time a bit, the idea that you would monitor everybody's
letters and where they go would never be allowed.

Because the monitoring is out of sight, and cheap in terms of manpower, now
it's allowed.

I really find it amazing.

~~~
weavejester
It's worth pointing out that this law would allow monitoring of communications
_with a warrant_.

The idea that communications can be monitored with oversight is not a new one.
Law enforcement departments have been able to tap phones with a warrant for
decades.

Edit: Hm, the article is actually a little unclear on whether or not a warrant
is needed. At the top it says it is, and then in the middle it quotes a bunch
of people saying it isn't...

~~~
rlpb
They're saying that the _contents_ will be only accessible with a warrant, but
metadata will be accessible without a warrant.

~~~
weavejester
Ah, I see. I stand corrected. That really is pretty bad.

------
mootothemax
It seems like there's little escape these days. I'm from the UK originally,
and my adoptive country, Poland, yesterday had a story written about how it's
the most surveilled country in the EU:

<http://thenews.pl/1/9/Artykul/95154,Poles-still-under-watchful-eye-of-Big-Brother>

All round, rather depressing.

------
_djo_
This needs to be resisted.

A nearly-identical law, the Recording and Interception of Communications Act
(RICA), was enacted in 2002 in South Africa. While in theory it contained all
the legal protections that have been proposed for the UK legislation, in
practice it has been badly abused.

Between 2006 and 2010 just one of the South African government's regional
interception centres (of which there are at least four and potentially many
more) carried out over 3 million legal interceptions, a number which is known
to have increased since then. Subsequent leaks to the media have revealed that
even this is a drop in the ocean; illegal interceptions are performed
routinely and are easily hidden from oversight amongst the millions of legal
interceptions performed every year.

Looking at the numbers involved, it's not unreasonable to assume that every
single connected South African will have their communications intercepted at
some point, sometimes in illegal interceptions with no official control over
the data collected. In fact, there have been examples of staff inside the
interception centres being bribed by business rivals, spouses and others to
spy on innocent citizens.

I see no reason why the UK will be immune to these types of abuses, despite
having a less corruptible civil service. This kind of power in the hands of
poorly-monitored government intelligence agencies is always a bad idea.

------
colinhowe
_sigh_ In preparation, where's the best place for a startup hacker to emigrate
to nowadays?

~~~
DanBC
The new laws don't grant access to content.

And GCHQ already have access to this data, the new law just makes access 'real
time' rather than retrospective.

~~~
colinhowe
"The information commissioner said public bodies not involved in dealing with
serious crime or national security, such as the Department for Work and
Pensions, should have to apply to a court before access was granted."

I don't have much of a problem with GCHQ using it... but the Department for
Work and Pensions? Also, a lack of warrants is concerning.

It feels very much like a law that could be exploited by anyone.

~~~
DanBC
DWP handles benefits. Organised crime is involved in a lot of benefit fraud.

Allowing the DWP to have access to anything without a warrant would be bad.
Allowing them to have access to destination / address data with a warrant
might be okay. Allowing them to have access to content data is probably a bad
thing. I think I'd prefer Serious Organised Crime Agency to all of it; and I'd
prefer some better oversight. Whether that's a warrant (good) or a chief
inspector of another force (bad) remains to be seen.

Don't forget that this is, essentially, just an extension to things like RIPA
(Regulation of Investigatory Powers Act) to cover new forms of communication.

I agree that we need to be careful that they don't kludge in things like
"looking at the content is fine" or "you don't need warrants".

------
topbanana
The proposal would allow the UK government to query, without a court order,
logs of who talked to whom and when. They would have to apply for a court
order to see the content.

It would compel UK based startups to keep a log of all this data, which of
course costs time and money, reducing the UK's competitiveness.

------
gst
How do all those European data retention laws apply to US companies? Do US
companies (with offices in Europe, but servers in the US) need to adhere to
those data retention laws, or is it safe to use US-based services?

------
drucken
If you think this has not already been implemented in the UK for a LONG time,
i.e. pre-RIPA 2000, then you are very naive.

Ask anyone who has ever worked on infrastructure at a large UK ISP or exchange
(e.g. LINX). Copious secret services systems are already used.

The key difference, the key burden that is being (publicly) demanded in 2012
by the services is _real-time_! Presumably, this was such a burden to the
overall infrastructure of the majority of UK ISPs that they just pushed back
when requested... hence the new law proposals.

~~~
aes256
_> Ask anyone who has ever worked on infrastructure at a large UK ISP or
exchange (e.g. LINX). Copious secret services systems are already used._

Go on...

------
ksajadi
Now you can observe the difference in Europe and US tech journalism. When an
anti-internet bill (SOPA) was being discussed in the US, any noteworthy US
journalist - those with and without vested interests in the matter - were
talking about it very loudly. Compare with the similar situation where TC
Europe and others are happily and silently carrying on their daily duties of -
mostly - using their media outlet for their own personal short sighted
benefits.

~~~
kamjam
It only became news when the likes of Google and Wikipedia decided to protest
and carry out a blackout... (I am not in the US, but this is what I have read)

~~~
ksajadi
No. Google and Wikipedia decided to protest when everyone from Tim O'Reilly to
Mike Arrington protested and wrote against it. It is hard to compare that with
articles from the likes of Mike Butcher, because he hasn't written any on the
subject - yet.

------
tantalor
Wait, wasn't this an April Fools' Day joke?

------
tgandrews
Surely this opens the police up to discrimination lawsuits.
<http://raganwald.posterous.com/i-hereby-resign>

