

UK government to monitor email and web use under new laws - earnubs
http://www.bbc.co.uk/news/uk-politics-17576745

======
hamoid
The only way I would find this acceptable was if the government applied this
to themselves. I want to be able to hear all their conversations, to know
where they are, who they meet and talk to, who pays them money, how many bank
accounts and properties they own. I'd like that accepting a job as a
politician involved full transparency. If they were an example themselves then
it might be easier to convince people about approving a law like this one.

~~~
tjoff
Personally I don't see how I could give up my privacy just because some/all
politician(s) would.

A lot of people don't even mind the absence of privacy, the key point is that
that is a decision they can make for themselves. Even if everybody would
gladly give away everything on facebook the moment you force them to do so you
cross the line.

------
derda
Its a EU thing that is pushed from the commission to the individual countries.
Germany implemented this a while ago but it was ruled unconstitutional by our
constitutional court, so the law was repealed and all collected data was
deleted (at least thats what they say). Now the government is facing fines
from the EU for not implementing the law.

Its awful that an institution of questionable democratic legitimation (EU
commission) is forcing a democratic government to implement laws, that are
against their constitution. The worst thing is, that the big political parties
dont see anything wrong in this.

~~~
CWuestefeld
_Its awful that an institution of questionable democratic legitimation (EU
commission) is forcing a democratic government to implement laws, that are
against their constitution._

You used the word "democratic" twice. But I don't see what democracy has to do
with it. The whole point of a democracy is to allow the majority to bully the
minority. The protections you need are Constitutional limitations.

~~~
alextgordon
The Commission is undemocratic because it holds great power, yet its members
are unelected. Contrast with the EU Parliament, which is elected and therefore
far more accountable to the electorate.

~~~
fauigerzigerk
By that standard most governments are undemocratic. The UK is a particularly
interesting case with a monarch that can dissolve parliament, appoint the
prime minister, as well as hereditary and life peers in the upper house.

~~~
archangel_one
The key difference here is that while that is theoretically the case, the
Queen does not in practice arbitrarily dissolve parliament, and her appointing
the prime minister is basically a formality. The House of Lords, while it is
fairly undemocratic, doesn't seem to be doing any worse a job of looking out
for the rest of us than the Commons are. Contrast this to the various EU
directives which frequently are interfering in local affairs, often not in a
way that's in our best interests.

~~~
fauigerzigerk
I think we need to seperate two issues here: One is whether or not a
particular government does a good job and the other is how democratic it is.

The first question is too subjective in general to have a useful debate. I'll
just say that complaints about interference in local affairs have been a
mainstay of all political unions ever formed, including The United Kingdom of
Great Britain and Northern Ireland. Just ask the Scottish. And it's completely
natural because "interference" is just another word for "governing".

However, the parent post was about the democratic legitimacy of the EU
commission. The commission is not directly elected just as most other
governments are not directly elected. In most countries cabinet ministers are
not even elected MPs. Parliaments are elected and sometimes heads of states
but rarely governments. The closest thing to an elected government are
probably the presidential systems in the US and France.

Most critics of the EU do not want an elected EU president or a directly
elected EU commission as that would obviously take away more powers from the
nation states. That's a legitimate position, but it's incompatible with
criticising the EU for not being democratic enough.

------
nkassis
I'm not one to wear a tinfoil hat but SOPA in the US, Bill C-30 in Canada, and
the various laws in the EU can make one think there is some sort of conspiracy
going on. It's simply intriguing how all these laws seem so similar.

~~~
voodoochilo
to me all this stuff seems a bit overcoincidental, but i am tired of talking
about. few months ago i joined the freedombox-project
(<http://wiki.debian.org/FreedomBox>) - now i vote by coding.

~~~
ktizo
_vote by coding_

I like that. I been saying to hippy mates of mine for a while that while they
have been trying to change the world through the application of drum circles
and yurt building classes, the geeks have quietly been building in the open
source movement, the only successful communist (with a very small c) system to
successfully compete with capital on its own terms, and many are now setting
their sights on using it for actual manufacture.

If you don't like the world you see around you, at this point in history one
of your best chances for empowerment is to learn some form of engineering and
then apply it.

~~~
voodoochilo
fully agreed. sorry to correct you, but it's the "free software movement" or
"FOSS" and it's _not_ a communist system. not even with a small "c", because
communist systems force you to share, FS allows you to share.

~~~
ktizo
If you produce software within the framework of the free software movement
then you are sharing it. What free software licence allows you not to share
your source?

The word communism can also describe systems that are mutual with consent, and
most of the states that claim to be communist appear to be run by
totalitarians who use the word and associated dogma to seize and hold power
under the promise of equity in the future, so I am not sure there has ever
been an actual communist state, by the terms of the philosophy.

Personally, I'm a Groucho Marxist, so my main tenet is that I wouldn't want to
join a club that would have someone like me as a member. ;)

~~~
voodoochilo
no no, i will not enter this discussion, because time flies like an arrow and
fruit flies like a banana;) (btw. you can always take a FS, modify it and keep
it completly to yourself, so all FS licenses allow you not to share)

~~~
ktizo
Yep, but then you would from then not be participating in the free software
movement for that particular project. If you then later shared your
modifications you would be again.

Look, a four year old child could understand this. Quick, someone fetch me a
four year old child. I can't make head nor tail of any of it.

[edit] I wonder how it would go if I tried to work Groucho Marx quotes into
all of my posts. Something tells me it might not go too well.

------
tjoff
Is this a joke?

I'm glad I don't live in the UK but pissed since they set an example others
might be tempted to follow.

~~~
objclxt
As far as I'm aware this is fairly common. If you read the article, you'll see
that the new legislation "would not allow GCHQ to access the content of
emails, calls or messages without a warrant".

Looking through your comments it looks like you're in Sweden: Sweden _already
has_ similar legislation via the FRA law, which authorises the Swedish
government to wiretap _all_ traffic entering the country. A lot of countries
have similar arrangements: not all arrangements are backed by legislation.

In many ways it is _better_ to have this thing legislated: at least then it's
out in the open. It's naive to think that large ISPs in countries without
active legislation aren't linking intelligence agencies into their networks.

The legislation in the UK is presumably intended to speed up the time from
getting a warrant to putting the tap in place: I would imagine most large ISPs
(BT, Virgin, etc) are already plugged into GCHQ, in the same way the NSA
intercepts all AT&T traffic.

~~~
tjoff
Yes, I'm in Sweden and yes we have the FRA law. But there are huge differences
between this and the FRA law. The FRA explicitly forbids FRA to
intercept/process traffic that is meant to stay within the borders. Both laws
are an insult to democracy but my take from this is that this is much worse
and they have different intents.

Why is it better to have this thing legislated? The argument that it is better
to have laws like this because otherwise they will just do it anyway
(illegally) just blows my mind. There are many advantages to having stuff like
this unlegislated, without support from the law they can't actively act on the
data, something that is far better than having the FRA-law. Especially when
the intent of the law isn't to act on it but rather to observe.

In other words that argument is of the lines that "since they already have the
information (which they illegally intercepted), why wouldn't we want to give
them the legal right to intercept that information so that they act on it as
well?". How does that make any sense?

Even with a warrant the data collected by FRA wouldn't be legal to use in a
court if both parties (sender and receiver of a message/whatever) was in
Sweden (regardless of whether the traffic took a detour across the border or
not (too/from gmails servers for instance)).

~~~
bribriinlondon
This is why it is critical to encrypt all communications using a trusted
provider or doing it yourself with PGP, if you have the skills to do it.

Whether or not this interception is currently legal / illegal, this has been
happening on a massive, global scale. The UK is just catching up to France /
USA / Canada in this regard. The EU legislation on the books for Saas, ISPs to
log all their traffic for an indeterminate time is also a huge cause for
concern.

Shameless plug: Use PrivateSky.

~~~
pwaring
The problem with encryption is that, as far as I'm aware, it doesn't hide the
sender/recipient information. You might not be able to read the content, but
intelligence agencies are just as interested in who is communicating with whom
as they are in the content of the messages.

Oh, and we have a law in the UK which makes it a criminal offence, punishable
by 2-5 years in prison, to refuse to hand over the private key so that your
data can be decrypted. :(

------
mooism2
Is this an April Fool's?

~~~
lleims
That was my first reaction after reading the first lines of the article. But
I'm afraid it's not a joke.

------
sambeau
A warrant would still be needed to read emails, but this essentially will give
the government access to your browser history.

~~~
read_wharf
The fact that two people have communicated is damaging enough, which is what
this does. For the law under discussion in the UK, it seems that it's just
formalizing practice.

In the US this is covered under the Pen Register Act:
<https://en.wikipedia.org/wiki/Pen_register>. Essentially the fact that two
people have communicated is not protected under our Constitution; only the
content of that communication is protected. In that context, Congress passed
the Pen Register Act, which requires law enforcement to get a warrant to
monitor who calls who; the bar for these particular types of warrant is
particularly low.

The Patriot Act extends the concept of pen register and their required
warrants to internet communication. The government specifically is required to
get a warrant before it can ask an ISP, for example, to reveal who someone
emails or what web sites they visit. For now, they need a warrant to know that
you visited Amazon or your library's site, but they need a harder to get
different warrant to know what books you've bought or checked out, or what you
thought about those books when you emailed your friend.

The fundamental problem with pen registers and the internet equivalents is
that it brings people under government scrutiny that otherwise would have
escaped notice. If person A is a person of interest, and the government is pen
registering his communication, then that makes everyone on person A's
communication list a person of interest. Now the government gets a warrant to
pen register person B, someone who person A communicates with. That means that
everyone that person B communicates with is now known to and watched by the
government, even though they are not specifically the target of any
investigation or warrant.

Person A may be a drug dealer, person B may buy from person A, and I, person
XYZ, may be a friend of person B, don't buy or use drugs, and don't know a
thing about the relationship between person A and B. But now the Eye of the
government has swung its gaze over to me. I could become collateral damage in,
for example, a plea bargain negotiation. My house might be violently raided by
law enforcement, merely because Person B visits me a lot; my child might have
a gun pointed at his head, and my dog might be routinely killed merely for
getting in the face of one of the law enforcement home invaders.

This (the pen register) is a violation of my desire to not be scrutinized by
the government, whether I've done nothing wrong or not, whether I have
anything to hide or not. I in fact have done nothing wrong and have nothing to
hide, and I _still_ do not want the scrutiny of the government to fall on me.
The government is in theory my servant, not my master. That relationship
naturally gives me the right to expect the government to leave me alone.

------
bootload
_"... But it would enable intelligence officers to identify who an individual
or group is in contact with, how often and for how long. ..."_

Cynical enough to think GCHQ do this already & the legislation allows for more
favourable results.

~~~
iuguy
The legislation would permit information obtained in this way being used in
legal processes. Currently if GCHQ were doing intercepts in this way it would
be unlawful, and as such evidence obtained through such potential intercepts
would be inadmissible in a court terrorism case for example.

~~~
bootload
_"... Currently if GCHQ were doing intercepts in this way it would be
unlawful, and as such evidence obtained through such potential intercepts
would be inadmissible in a court ..."_

True, but wouldn't the sources be covered under OSA and hence not disclosed?

~~~
iuguy
Not if you're going to court. There's a whole secret inquest thing that's been
going on, occasionally popping up in the news. The problem with relying upon
intelligence for evidential purposes is that you can often expose the
handlers, assets or sources involved in a public trial.

~~~
bootload
_"... The problem with relying upon intelligence for evidential purposes is
that you can often expose the handlers, assets or sources involved in a public
trial. ..."_

Excellent point.

------
downx3
This government keeps shooting itself in the foot. If only I was young enough
to flee.

~~~
rytis
Where to?

~~~
downx3
Where the grass is greener of course!

------
Tharkun
I hope we'll be getting rid of these april fools stories tomorrow?

------
hajrice
Reading the headline, I instantly thought of George Orwell's 1984.

------
alexchamberlain
I have no problem with this if it's just GCHQ and they need a warrant to do
it. The police shouldn't be able to do it, though I don't have a problem if
they can request GCHQ to do it for them! They don't think they have time to go
beyond terrorism.

------
TazeTSchnitzel
As a UK citizen, I now do not regret in the slightest forcing every single
user of my website to use HTTPS. It costs maybe 10 or 20 dollars a year, your
site runs no slower, and all your users get real privacy.

~~~
4ad
Sorry to spoil it for you, but HTTPS provides no protection against MITM when
the MITM is a nation state which can legitimately buy root keys from CAs (or
become a CA themselves, if they are not already).

For more info about the security theater revolving around SSL in the context
of HTTP see this great talk: <http://www.youtube.com/watch?v=Z7Wl2FW2TcA>

~~~
Anderkent
Well, you can verify the certificate is the same when accessing the page via
your connection and via tor. If they have different chains you stop trusting
the root authority.

This can be spoofed only if the nation state buys _the_ master root keys (i.e.
not just a key allowed to sign any domain, but the root key the provider uses
to sign everything, so that the chain is exactly the same) from every
certificate provider... At which point you're screwed whatever you do.

------
mattvot
I think this will turn out alright. The article mentions a law prohibiting
such surveillance without a warrant, and the fact that this is being covered
by main stream media to start.

------
Father
Doesn't this violate secrecy of correspondence and their own data protection
act of '98? Terrorism seems to be the godwin for privacy debates regarding
national security.

~~~
objclxt
The Data Protection Act gives the security services opt-outs on the basis of
national security. This is to prevent you, for example, requesting all files
that MI5 might have on you.

------
uptown
Watch these two videos and tell me whether you think this is already happening
in with US data ... most-likely transferred outside the country for the
purpose of analysis beyond the nation's legal jurisdiction.

<http://www.youtube.com/watch?v=_ae0yED6gRA>

<http://www.youtube.com/watch?v=oYNXVgYhPOc>

------
adam-_-
Wait, I had assumed this was an April Fools?

------
Jach
blah blah blah use PGP for emails blah blah in fact encrypt all the things
blah blah "no it's too hard for Joe Public" blah then Joe gets what he
deserves.

~~~
Angostura
PGP protects your from the state knowing who you are communicating _with_? I
think not. And that's the main aim of this legislation. Tracking who you are
talking to, and which Web sites your are visiting.

~~~
Jach
I confess ignorance on the particular details of whether a PGP-encrypted
message leaks who the sender/receiver are, though supposing it does it only
leaks a single token--a username-email pair. If the state can read everything
you as an individual send, they can only know who you're communicating with if
the PGP-encrypted message itself leaks a name that maps to another offline
individual. You could argue that a PGP-encrypted email leaks the name by
default--i.e., the recipient of the email. You tell me how useful it is to
know that I sent a message to cornflakesrule12345@emailprovider.ext without
knowing what the message says. (More information can of course be found by
coercing the particular email provider, if you can, to give up an IP address
of the user, but we all know how reliable IP addresses are at pinpointing a
single offline individual and there are many other options...)

Of course, we can go further down the rabbit hole of schemes, we don't have to
stick with just PGP. As one of your sibling-comments noticed, anyone who wants
to get around any State Spying can do so as long as the State leaves room for
some reasonable assumptions. (As for outlawing encryption, that's a problem on
its own, both in enforcement and in definition. You'd likely just get
particular encryption software outlawed rather than the concept. (I'm aware of
the US classifying certain algorithms as munitions.) Funnily enough, telegraph
operators tried to outlaw simple ciphers and encodings (like 'u' for 'you' and
even anagrams) used back in the day because they were losing money, since they
charged a fee for a message length.)

I like the '89 paper entitled _The Dining Cryptographers in the Disco:
Unconditional Sender and Recipient Untraceability with Computationally Secure
Serviceability_. Here's part of the abstract:

We present a protocol which guarantees _unconditional untraceability_ , the
original goal of the DC-net, on the _inseparability assumption_ (i.e. the
attacker must be unable to prevent honest participants from communicating,
which is considerably less than reliable broadcast), and _computationally
secure serviceability_ : Computationally restricted disrupters can be
identified and removed from the DC-net.

~~~
DanBC
> _I confess ignorance on the particular details of whether a PGP-encrypted
> message leaks who the sender/receiver are_

An important part of public key cryptography is the "web of trust" - you must
know that you're sending stuff to the right person. A person's identity is
tied to their PGP key.

> _You tell me how useful it is to know that I sent a message to
> cornflakesrule12345@emailprovider.ext without knowing what the message
> says._

They build up big databases and then mine that for information. Most people
are not disciplined enough to use cryptographic technology properly; and that
holds for "not doing stuff that leaks data". Associating username@example.com
with a set of data is an important step in getting the identities of both
username and the people username is communicating with. Don't forget that even
if username is careful the people that username emails might be idiots.

~~~
Jach
Both good points. From what I've been reading, "pattern finding" databases
instead of "hash finding" databases are starting to be the new thing that
allows huge and useful data analysis, and you can find patterns among a
collection of lies or even just otherwise random data that wouldn't be
associated without the pattern matching.

Fundamentally, it only takes one matching join on your citizen-data against
any other collected assortment of data to implicate you. Human stupidity will
continue being the weakest link. But there's still a lot that can be done to
guard against it.

Even if the government manages to figure out that user@example is an Al-Qaeda
member, and they know I sent them an email, they have no idea what I sent
without resorting to, depending on how secure I was, torture, bargaining,
private key compromises of the receiver, further insecure communications from
the receiver's end, or hard drive sniffing for the original message from my
computer. Increased carefulness can guarantee the message only exists within
the minds of the sender/receiver, but with the advent of the "forgetting pill"
even that vulnerability can be accounted for when plotting world domination.
Of course as you note, human stupidity can undo it, but that's no reason to
give up adding more layers of security.

------
J3L2404
No politician in the US would even dare suggest this never mind try to get it
passed as law. I really don't understand the politics. What constituency
supports this?

~~~
jiggy2011
Really? Does the patriot act not allow things such as this?

~~~
J3L2404
Read_wharf explains it well.

<http://news.ycombinator.com/item?id=3783906>

