
Setting out plans to monitor all Internet use in the UK - iProject
http://www.bbc.co.uk/news/uk-politics-18434112
======
jgrahamc
If you want to understand the state of state surveillance technology and
thinking in the UK then I highly recommend Henry Porter's novel "The Dying
Light".

<http://www.amazon.co.uk/The-Dying-Light-Henry-Porter/dp/0752874845>

Although it's a novel, it's written by a well-known journalist with an
interest in civil rights and liberty:
<http://en.wikipedia.org/wiki/Henry_Porter_(journalist)>

------
nicholassmith
It's so trivial to work around this that I'm stunned they're even bothering to
implement it. As we've heard over various stories recently terrorist groups
were doing such varied things as steganography, if they've managed to work out
how to do that I'm sure they've sussed VPNs, anonymous proxies and disposable
network points.

Pointless and makes _my_ life as a British citizen more awkward as I'll have
to put all my network traffic off through something rather than leaving it as
a nice, simple internet connection.

~~~
kamjam
If you are routing your traffic through VPN and anon proxies or use Tor then
_you must be a terrorist_!

Totally retarded, but I bet they will look at your traffic harder if you did
this, even though I have nothing to hide...

Interesting read from something that was posted on HN yesterday:
<http://news.ycombinator.com/item?id=4105485>

~~~
mike-cardwell
My understanding is that they need a warrant to look at the log of your
traffic. Presumably they'd need to look at the log of your traffic in order to
see if you're using a VPN or Tor.

So what you're suggesting means they'd need to look at your traffic without a
warrant in order to determine if they need a warrant to look at your traffic.

[edit] Also, presumably they can already get a warrant to tap your traffic.
All this new legislation means is that they can look at historic traffic too?

Don't get me wrong. I am British, and I do think it's fucking disgusting. But
don't forget, it's just a proposal.

[edit2] I was wrong. It seems they won't need a warrant to see who you're
talking to. Just a warrant to see what you're saying. So yes, I guess they'll
be able to tell that you're using a VPN without getting a warrant first.

~~~
kamjam
Don't know to be honest, unless EVERYONE is running encrypted traffic/VPN/Tor
then the few that are using it stick out like a sore thumb. It is bound to
raise _some_ suspicion. I am British too btw and hoping it is _just_ a
proposal at the moment, but these things have a way of being watered down to
make them "more acceptable" or revived under a different guise whilst still
having the core concepts in them.

Problem is I don't trust our government with our data, they've shown sheer
incompetence far too many times when it comes to IT systems. And it's always a
case of do as we say, not as we do, as the expenses scandal and the current
Leveson enquiry are showing.

------
voidr
> But senior Tory David Davis said it was "incredibly intrusive" and would
> only "catch the innocent and incompetent".

I think this sums it up, this data will be of little help for stopping crime,
but it would be of great help for corrupt officials to do evil not to mention
the risks involved with storing this data.

~~~
Lockyy
"The only people who will avoid this are the actual criminals, because there
are ways around this - you use an internet cafe, you hack into somebody's
wi-fi, you use what's called proxy servers, and they are just the easy ways."

It's sad that it's shocking for a politician to be able to actually list ways
that this sort of system can be worked around.

~~~
scott_w
I'm also disappointed that the Lib Dem ministers are so easily placated by
"warrants must be approved by the Home Office", and not a judge. This shows an
unnerving readiness to erode the separation between legislature and the
judiciary.

Given that another Conservative minister claimed, under oath, that he doesn't
know what "quasi-judicial" means (he was appointed that exact role), I don't
have much hope that the home secretary will apply legal advice before handing
out warrants.

~~~
Lockyy
I'm not informed massively on the work-load that the home secretary is under
but is it really a good idea to even expect that they have the time to do
proper research and take advice into account when judging whether a warrant is
worthy or not?

It seems an awful lot like catching someone in a hurry to get them to sign
something because you don't want them to read it.

------
gouranga
And as usual the criminals are going to find another way.

I await more "the terrorists are coming" and "think of the children"
legislation.

However, we have one thing on our side: government IT incompetence. They have
managed to screw every major IT project up in the last 20 years, so this will
go the same way :)

~~~
BitMastro
Unfortunately this is a double-edged sword. Their incompetence also caused
a lot of trouble like in this example
<http://beusergroup.co.uk/index.php?id=695> where they proxied file sharing
sites thus forbidding access.

------
iuguy
There are two parts to the plans for Internet intercept support in the UK, the
police and the security services. The police use is primarily for the purposes
of stopping crime. The purposes for the security services are opaque and
unlimited as long as they are for 'lawful purposes' - i.e. anything under the
Intelligence Act 1994.

When opposing this it's important to understand the remits of the two
organisations and that one is nominally accountable to the public, while one
isn't.

~~~
DanBC
The secret security services supposedly have a lot of oversight at all levels;
including politicians, which in theory are accountable to the public.

(<http://www.gchq.gov.uk/AboutUs/Pages/index.aspx>)

I agree that's suboptimal.

I am much less worried about letting GCHQ trawl my traffic data than I am
letting my local council noodle around in it. Mostly because GCHQ probably
already do it - they certainly have the capability, but also because local
councils have shown themselves to be corrupt and "data-leaky".

I'm not bothered about my traffic data being trawled. I oppose this bill
because it's stupid - the people who have to keep data are not clearly
defined; hiding some of that data is trivial for criminals; keeping that data
is an unreasonable burden on some (but not all?) ISPs; etc etc.

It's frustrating that there are some really clueful politicians and advisors,
yet governments keep pumping out really stupid laws about computers and
networking.

------
Paul_S
For all you people who are not fazed by it and think it's OK and harmless:
you do realise it's your own tax money they are senselessly wasting here
right? A lot of money. For nothing.

~~~
mibbitier
There's a lot of bigger wastes of public money TBH. Like the Leveson enquiry.

------
GoodIntentions
Brought to you by the same crowd that passed the "cookie law" that requires
user opt in for any cookies - even if it is storing something as trivial as a
session ID for the duration of one visit.

These legislators seem to be regulating what they do not understand.

------
ElliotH
<http://bigbrotherwatch.org.uk/files/CCDP/CCDP_Briefing13June.pdf>
has some good information on the counter arguments to this bill. (Some of the
media seems to be printing the Home Office briefing with only a little mention
of critics).

If UK people are interested in helping stop this then the Open Rights Group is
running training days on this topic:
<http://www.openrightsgroup.org/events/2012/censorship-and-surveillance-campaign-training>

------
ukgent2
Let's add my 2 centz

I don't consider myself any form of hacker, I don't think I do anything illegal
on the interweb. However I am very for privacy on the internet and against
government monitoring.

When SOPA and CISPA etc all came about my first port of call was to get off
gmail and on to my own webserver on a VPS. 2 weeks ago I decided it was time
to create my own elite anon proxy using squid. Took a few days of tinkering
(sidenote did you know that google can get your IP via user_agent header? took
me ages to work out why all the sites but google were getting my VPS IP and
yet google could see right past it and get my original IP)

now I am posting to this topic using said proxy. I can bet that once all these
systems go live I will be one of the first pulled up as a terrorist. I have
VPNs to 2 countries, and 2 machines route out over those, I have very little
standard traffic going via my ISP, and I use external DNS (currently in the
process of setting up my own bind server).

I am even in the process of setting up my own jabber server (what did google
rename it to xxmp?) and using that as a replacement for MSN/Skype interaction
thing with my friends.

All of the above will classify me as a terrorist under the UK's ever watchful
eyes, I think now I am going to route my proxy in to tor for extra funz

~~~
capnrefsmmat
User agent headers don't include IP addresses. Are you sure Squid isn't
setting the X_FORWARDED_FOR header and revealing your IP to every site you
visit which is clever enough to look?

<http://www.squid-cache.org/Doc/config/forwarded_for/>
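
A way to check what a forwarding proxy actually passes upstream, as an added example that is not part of the thread: the function scans every header the origin server receives (User-Agent included) for the client's own address and flags proxy-added headers. The sample request, the documentation-range address 203.0.113.45, the host names and the function names are all constructed for illustration.

```python
import ipaddress
import re

# Headers a forwarding proxy may add that reveal the client or the proxy itself.
PROXY_HEADERS = {"x-forwarded-for", "forwarded", "x-real-ip", "client-ip", "via"}
# Candidate IPv4/IPv6 tokens; ipaddress does the real validation.
TOKEN = re.compile(r"[0-9A-Fa-f:.]{3,}")

# Constructed sample: what an origin server might see behind a proxy that
# appends the client address (the behaviour the forwarded_for directive controls).
LEAKY_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: example.org\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n"
    "Via: 1.1 vps.example (squid)\r\n"
    "X-Forwarded-For: 203.0.113.45\r\n\r\n"
)

def parse_headers(raw_request):
    """Return (lowercased name, value) pairs from a raw HTTP/1.x request head."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def extract_ips(value):
    """Return the syntactically valid IP addresses found in a header value."""
    ips = []
    for token in TOKEN.findall(value):
        try:
            ips.append(ipaddress.ip_address(token.strip(".")))
        except ValueError:
            pass  # version numbers such as "1.1" or "5.0" land here
    return ips

def find_leaks(raw_request, client_ip):
    """Flag every header that carries client_ip or reveals a proxy in the path."""
    client = ipaddress.ip_address(client_ip)
    leaks = []
    for name, value in parse_headers(raw_request):
        if client in extract_ips(value):
            leaks.append((name, value, "client address disclosed"))
        elif name in PROXY_HEADERS:
            leaks.append((name, value, "proxy use disclosed"))
    return leaks
```

Run against a capture of your own proxied request (for example from a server you control), an empty result means no header carries the address or advertises the proxy.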

------
majke

      [...] the government would be able to request any service 
      provider to keep data about internet usage, although 
      initially it will involve about a dozen firms including
      BT, Virgin and Sky.
    

I guess that includes VPN services (like HMA, who are based in UK).

------
b1tr0t
Anyone else catch the irony that this is the same nation that passed an absurd
"cookie law" in the name of protecting people's online privacy?

<http://www.theregister.co.uk/2012/05/26/eprivacy_cookie_compliance_begins/>

As I understand it they backed away from the stronger restrictions at the last
minute... but still, the very idea of a surveillance nation like the UK
"protecting" people by blocking third party cookies would be hilarious if it
wasn't also tragic. Very generously they've said they won't prosecute
offenders... probably... unless they don't like you... or have a political axe
to grind... or you're the wrong ethnicity...

~~~
mike-cardwell
There is no irony, because they are completely different things.

You think that if a government decides that its citizens should be granted
extra privacy protections from corporations and individuals, then it's only
right that they grant the same protections from law enforcement?

I guess it's also ironic that my government prevents McDonalds from locking me
up, but will lock me up themselves if I commit a crime?

------
revjx
A lot of websites now offer SSL by default, or as an option - is this more of
an obstacle or can ISPs use some sort of MITM technique to defeat the SSL for
snooping purposes?

Forgive my ignorance, I'm very curious about this as a UK citizen.

~~~
4ad
Businesses (and governments) can legitimately buy root keys that allow MITMing
any SSL connection or they could just be a CA themselves (any CA can MITM the
whole internet).

Here's the best talk I know of this subject: BlackHat USA 2011: SSL And The
Future Of Authenticity: <http://www.youtube.com/watch?v=Z7Wl2FW2TcA>

~~~
andyjohnson0
I find this hard to believe.

 _"Businesses (and governments) can legitimately buy root keys that allow
MITMing any SSL connection"_

A business can buy their own SSL keys, but to MITM any SSL connection those
keys would have to be trusted and installed at both ends of the connection and
used to generate the SSL session key.

 _"any CA can MITM the whole internet"_

Again, the CA's keys would have to be trusted and installed by the
communicating parties.

Or have I misunderstood your point?

~~~
4ad
You did not misunderstand me, but you misunderstand how SSL in the context of
HTTP is used and what CAs offer for sale. Please see the video I linked in my
original post.

~~~
andyjohnson0
I don't have the time or opportunity to watch a 50 minute video right now, but
I found a summary of the talk on the presenter's blog [1]. Interesting stuff!
He references a paper [2] that discusses a "compelled assistance" attack,
where a government can use the law to compel a CA to hand over a certificate
that would certainly be usable for a MITM attack. Bruce Schneier also
mentioned this [3].

But this is far from "Businesses (and governments) can legitimately buy root
keys that allow MITMing any SSL connection". Businesses can't invoke CALEA (or
the UK RIPA[4] law, since we're talking about UK government surveillance) -
only governments can do that. And the keys are not really being _sold_ or
_bought_. And I don't see how a government could compel a CA in a different
legal jurisdiction anyway.

 _"any CA can MITM the whole internet"_

No. A CA has access to keys that can be used to MITM a connection that is
secured by keys issued by them. That's not the "whole internet".

[1] <http://blog.thoughtcrime.org/ssl-and-the-future-of-authenticity>
[2] <http://files.cloudprivacy.net/ssl-mitm.pdf>
[3] <http://www.schneier.com/blog/archives/2010/04/man-in-the-midd_2.html>
[4] <http://en.wikipedia.org/wiki/Key_disclosure_law#United_Kingdom>

~~~
TeMPOraL
> And I don't see how a government could compel a CA in a different legal
> jurisdiction anyway.

Think Black Hawks and men in black suits.

------
jimworm
My next startup's business plan, using £5000 of seed money to make £1B:

£2500 to bribe a young woman at a high-profile company to accuse their upper
management of sexual harassment.

£2500 to bribe the cop for access to all of the company's data.

Sell to interested parties.

Repeat.

------
mayneack
Anyone here know enough about UK politics to know how likely it is that this
will pass?

------
voodoochilo
"...The police and security services are concerned that criminals and
terrorists are increasingly evading detection by using _social media_ and
_online gaming sites_ to communicate with each other..."

of course they do - because the terrorists and the criminals have the brains
and the survival instinct of a peanut butter sandwich!

