
Britain passed the “most extreme surveillance law ever passed in a democracy” - eeZah7Ux
http://www.zdnet.com/article/snoopers-charter-expansive-new-spying-powers-becomes-law/
======
datamoshr
As a UK resident, this irks me beyond belief. It's a sickening invasion of
human rights[1]. To echo u/rubberstamp's sentiments, it's such that there's
been little to no coverage of this in the media.

But it's the same everywhere, introduce an encroaching bill, have uproar from
those with their heads screwed on (the minority). Let it grow a little stale in
the public's eye and keep reintroducing it with slight alterations until it
passes into law.

There's a definite sense of helplessness and hopelessness when approaching the
subject with the public. Even within IT there's a sense of 'who cares'. I had
a conversation about it just last weekend. I asked for my roommate's phone so I
could look at all his emails, sms, etc. He gave it to me and said he doesn't
care.

How do those who want to maintain privacy reach out to people and let them
know it's not OK? Because this is not OK.

Anyway - off to study journalism.

[1] - [https://www.liberty-human-rights.org.uk/human-rights/privacy](https://www.liberty-human-rights.org.uk/human-rights/privacy)

~~~
dracht
I've noticed that Britons, generally speaking, put a lot of trust in
authority. They'll shrug it off or rationalize it when their government
introduces another perverted law - the NHS works, so it can't be that bad,
surely. Britain lacks a sizeable and vocal government-distrusting
counterculture like those that exist in Germany or the US. How you go about
introducing that artificially, I don't know. The frog is being boiled too
slowly.

~~~
bjelkeman-again
That is interesting. Living in Sweden, and having lived in the UK for 15
years, I feel the Brits trust their government much less than the Swedes do.
In the UK there is strong resistance against a national ID card, as an
example. Whereas in Sweden you can hardly live without one.

I got the feeling that the Brits didn't trust their government with that info
and control it implies. In Sweden we have the opposite: ID cards are seen as
an asset and surveillance cameras are severely restricted by the government,
for privacy reasons.

~~~
nly
Resistance to the national ID card idea mostly came down to two things: 1) cost
to government, and 2) cost to citizens.

There's also the fact that ~87% of the population already hold a passport, and
some of those that don't likely have a driver's licence.

~~~
bjelkeman-again
The funny thing is that the cost to the individual is negligible and the cost
to government (and business) is low compared to the benefits. Less fraud,
efficient identification processes etc.

------
s_kilk
> Despite the uproar, the government's opposition failed to scrutinize any
> significant amendments and abstained from the final vote. Killock said
> recently that the opposition Labour party spent its time "simply failing to
> hold the government to account".

What the hell is the point of the Labour party these days? They are absolutely
not an effective opposition. Worthless bastards, one and all.

~~~
98Windows
> Worthless bastards, one and all.

Why write this crap? The Labour party is the biggest left wing party in
Europe, are you saying everyone inside it is worthless?

~~~
pjc50
They are also _staggeringly_ ineffective and can't seem to decide what they
stand for. Miliband was OK despite the "controls on immigration" equivocation,
but since then the party has turned into a circular firing squad.

Going back into history, I'm fairly sure we saw attempts at invasive
surveillance under Blair's Labour; Regulation of Investigatory Powers Act, and
the failed ID cards scheme.

It's not even clear whether they're able to oppose Brexit.

~~~
DonaldFisk
That's because Blair's Labour Party was as right wing and authoritarian as the
Tories they replaced. Both Corbyn's supporters and opponents know well what
they stand for. The problem is it isn't the same things.

The only people who have any moral right to oppose Brexit are the Scottish
nationalists and the Northern Irish republicans. England and Wales voted to
leave.

~~~
petercooper
_That's because Blair's Labour Party was as right wing [..] as the Tories
they replaced._

That's revisionist, and demonstrably false. The Blair government brought in
gay adoption, a minimum wage, the Freedom of Information Act, the Human Rights
Act, civil partnerships, banned fox hunting with dogs, increased NHS
investment by >25% in real terms, achieved the lowest unemployment in 50
years, slashed child poverty, and more. Minimum wage alone was considered a
bold left wing move at the time. Blair made modern Tories softer, if anything.

It's sad that the Iraq debacle caused people to write off what was the most
progressive and beneficial government this country had seen in decades - I
can't see how anyone could equate it to the governments of Major or Thatcher.

~~~
pjc50
I think it's a good example of why a simple left-right dichotomy doesn't cut
it. The Blair government had a lot of great social-democrat policies and was
genuinely redistributive. It also relied on control-freakery and media
management; all policy had to come from the Blair-Campbell office. There was
no mechanism for incorporating friendly critique. And some of its policy was
genuinely illiberal, especially in the antiterrorism & surveillance area.

That may have been a hidden tradeoff for taking on the security establishment
enough to get a peace deal in NI.

------
rubberstamp
Will the citizens allow it to be passed if they knew about it via some news
source? Of course, "news" nowadays is more about the Kardashians or Justin
Bieber than about things that require serious attention. This may have hardly
got a tiny little square cm of area in newspapers or 30 seconds of air time.
Thus sinks democracy. People who are informed are far fewer in number than
non-informed people, but all get to vote, thus diluting the vote of
well-informed people (whose number gets smaller and smaller as the quality of
news sources declines). I think there needs to be a law that punishes false
information, but at the same time protects journalism.

~~~
pjc50
Quite a lot of them would be in favour of it as a means of "fighting
terrorism". It's not so much what is reported as how it's spun.

The really big thing is the "internet connection record": _every TCP
connection_ you make is supposed to be logged by the ISP:
[https://www.gov.uk/government/uploads/system/uploads/attachm...](https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/530556/Internet_Connection_Records_factsheet.pdf)

(just look at that list of justifications. Of course! It's about catching
paedos! The all purpose justification for everything.)

Besides, it's been buried under the bigger politics news of the moment - Trump
and the continuing mystery of Brexit.

~~~
simopaa
This sounds like a potential (new?) attack type though. Just have software
that pings certain illegal websites and bam - the target is now a paedo or
whatever the attacker wishes.

~~~
NumberCruncher
Generating fake evidence to blackmail someone? No one would do that. They are
too busy chasing terrorists.

~~~
jwtadvice
For those that don't understand this comment, intelligence agencies are known
for generating fake evidence and allegations to take down targets - and it's
well known that intelligence agencies such as the NSA and GCHQ are not charged
with missions to track down terrorists.

A very clever sarcastic comment I think will probably go under the radar
because the OP omitted a "/s".

------
module0000
Protect your privacy with a VPN, either run your own or use one of the
available providers. It's a shame you need to do this, but that's just the
state of things.

Run your own with OpenVPN: [https://openvpn.net](https://openvpn.net)

VPN providers (not affiliated, just ones myself or colleagues use):
[https://www.expressvpn.com](https://www.expressvpn.com)
[https://www.goldenfrog.com/vyprvpn](https://www.goldenfrog.com/vyprvpn)
[https://nordvpn.com](https://nordvpn.com)

~~~
jwtadvice
VPN will not protect your privacy, as VPN providers are monitored by state
police and VPN protocols have been broken and backdoored by intelligence
agencies (as disclosed in the Snowden Documents).

~~~
EugeneOZ
just set up your own VPS with a VPN and use encryption

~~~
jwtadvice
[https://en.wikipedia.org/wiki/Karma_Police_(surveillance_program)](https://en.wikipedia.org/wiki/Karma_Police_(surveillance_program))

The GCHQ sit on the internet infrastructure, decrypt TLS sessions, and
correlate accounts and activity to individual granularity.

The backbone of the internet is tapped, including from the termination of
IPSEC/IKE into your VPN out to the internet again.

Giving the advice to people to "use encryption" and "use VPN" is going to get
people killed.

Please, be responsible.

~~~
EugeneOZ
Decrypt tls sessions? Please fuck off.

~~~
jwtadvice
Oh there's a ton of ways to do it, from stripping, downgrade attacks,
backdoored constants, precomputed tables for low order groups, shadow CA
certs, etc.

I recommend reading the Snowden Documents, which disclosed a number of
successful at-scale attacks on the PKI infrastructure.

I find it surprising there's so much ignorance in the Hacker News community
about the state of encryption, especially given the newsworthiness of the
Snowden Disclosures.

I also find the prevalence of 'shoot the messenger' regarding HN folks getting
angry at me for pointing out publicly known issues with the current practice
of commercial and consumer encryption.

~~~
EugeneOZ
A quote from his documents about TLS DECRYPTION (exactly decryption) would be
much more convincing than "oh there is a ton".

~~~
jwtadvice
Sure, there's been good journalist work compiling the state of the art here:
[http://www.spiegel.de/international/world/nsa-documents-attacks-on-vpn-ssl-tls-ssh-tor-a-1010525.html](http://www.spiegel.de/international/world/nsa-documents-attacks-on-vpn-ssl-tls-ssh-tor-a-1010525.html)

But also, being familiar with the cryptography you are attempting to have a
conversation about is a basic starter. For example, there were attacks listed
in the prior comment following the "oh there's a ton" header. You seem to
have glazed past those, but they are familiar topics to those who habituate
themselves with the technicalities of cryptography and its practice.

~~~
EugeneOZ
Thanks for the link. I've read all of the docs (presentation slides) related
to SSL/TLS and found only one weak point (Debian sessions). And none of them
have information about decryption of collected traffic - collected encrypted
traffic is useless, the only possible way (at this moment) is to intercept
multiple things in live mode and try to decode data.

It's sad, but I'm still saying "use encryption", because the alternative is
"don't use encryption" and it's obviously worse. So I'm much more responsible
than those who are trying to propose the second option.

~~~
jwtadvice
Sure thing!

Unfortunately I'm afraid that you missed a lot of the content! You had asked
for specific documents, not news reporting that pieced the context together
(for example following the code names of the various programs together to
understand how the system works as a pipeline).

In doing so, I'm afraid you're deeply underestimating the capabilities of the
NSA, which expert analysis of the documents in question along with the
technologies, related programs and internal customer requests indicate
something much more startling than Debian session issues.

To put a point on that: TLS is broken at scale for billions of internet
browsing sessions across platforms.

Given the short amount of time you've looked at the documents, I understand the
misinterpretation you've arrived at. At the same time it's really impressive
that you bothered to try to read the documents at all and should be commended.

Please feel encouraged to continue reading.

A large number of documents are hosted on edwardsnowden dot com and search
functionality is provided here:
[https://search.edwardsnowden.com/](https://search.edwardsnowden.com/)

Der Spiegel, The Guardian and The Intercept provided good analysis of the
documents as they were being released and that can be found at the websites
respectively.

> It's sad, but I'm still saying "use encryption", because alternative is
> "don't use encryption" and it's obviously worse. So I'm much more
> responsible than those who are trying to propose second option.

Yes. I agree with this. Just don't recommend this as 'enough' to people who
have serious need to protect their communications. If someone is worried about
their porn habits, sure. But recommending this for sensitive use (journalists,
dissidents, organizers, politicians, administrators) can lead to very serious
outcomes.

For these cases, it is important to have frank conversations about the
limitations of freely available and widely distributed tools.

------
anondon
What is the easiest way to explain to the average citizen that the "Nothing to
hide, nothing to fear" argument is not a good reason to let the Government
keep tabs on your online activities? Most people give so little thought to
online privacy that it truly scares me.

~~~
fibbery
The only way I have had any success is to describe the problem in terms of
"wrong place wrong time" + "misinterpreted evidence" scenarios. This is
something I wrote up a while back to try to explain it to a family member:

---------------------------------------------------------------

_Imagine a crime takes place in a certain area. Using surveillance
technology, police identify everyone who was in the area around the time of
the crime. They do this through license plate recognition, face recognition,
cell phone tracking, and credit card receipts. You happen to be on that list
because you were shopping at a nearby store earlier._

You're now technically a suspect in a crime, although there's a thousand other
suspects, and you have nothing to hide, so no big deal, right?

_A witness saw the perpetrator running away from the crime. They only saw
them from the back, but report that the suspect is a tall white male around 40
years of age._

So police narrow down that list to just people who fit this description. Uh
oh, the list is now only about 50 people, and you're one of them.

_The crime appears to be a potential race-motivated hate crime. Using web
profiling, investigators search for those 50 people to look for any history of
involvement with hate groups. The algorithm they use has over-zealously
classified certain extreme right wing news sources as potential markers for
hate crime._

You're not particularly worried, I mean, you're obviously not some crazy
racist. There's no way they'd be interested in you.

But you forgot - six months ago, you started to get interested in the
immigration debate, and posted on several anti-immigration forums.

_With the additional profiling, the list narrows down to 8 suspects,
including you. You happen to fit other markers for this kind of crime as well
- you live alone, work a less prestigious job, neighbors say you don't go out
much._

Now you're a suspect in a crime. You'll almost certainly not be convicted,
because there's no direct evidence. But good luck explaining that to your
employer, your family, your friends, and the criminal defense lawyer you now
have to pay for.

Still think you have nothing to hide?

~~~
pbhjpbhj
This doesn't read as very convincing to me. Do you have experience of the
justice system?

There's no way the CPS in the UK would take a "well he was probably in the
general area based on his number-plate, and he reads the Toadygraph newspaper
and is in the 52% who are for Brexit", even along with matching a general
profile for criminals, and seek a prosecution on that basis. Not to mention it
would be a huge miscarriage of justice to convict. And that the courts don't
have time for arsing around with people who may have a tenuous link to an area
where a crime may have been committed; we don't have time, seemingly, for the
"certain" cases.

But what about the people who don't support racism/xenophobia, read a mix of
news sources, aren't male (and so don't match with crime profiling). Are you
saying their argument for not needing strong encryption is valid? That would
seem to be a corollary of your hypothetical situation, you've cherry picked
long-shot situations compounded together that would lead to a case laughed out
of court - no motive, no evidence, no credible witnesses.

>Still think you have nothing to hide? //

Seems like ~99% of people reading that who weren't convinced before hand would
say "yes".

Also, if they're savvy they know that the store where you went has your MAC
address logged for customer tracking and corroborates your story (due to
"privacy violation"), the car-park away from the scene on their number-plate
cam shows you stayed in the area long after the alleged crime and so weren't
fleeing, another shop has you on their instore tapes at the time the police
say the crime was committed.

Now the Toadygraph has picked up your story and someone leaked that you
wouldn't have been picked up if you weren't a reader; the Barclay brothers are
threatening to pull their Tory party funding and so the PM is putting pressure
on the presiding Chief of Police to make an example of the department
responsible.

Lawyers are starting to contact you (they got your info because you left your
friend list open on Facebook) and are offering to lodge a case for unlawful
arrest for you and the compensation they're suggesting looks promising ...

Meanwhile people are wondering why the police didn't catch the perp; the
police say it's because they don't have access to all the data they need due
to public privacy concerns ...

~~~
fibbery
No, I don't have experience with the UK justice system, so perhaps my comment
isn't as relevant for this specific article.

That said, even if this specific scenario isn't realistic, discussions about
the problems with surveillance state don't have to be grounded in "what
happens right now" because the information stored today is available to future
regimes and the specific technology involved is continuously changing.

> But what about the people who don't support racism/xenophobia, read a mix of
> news sources, aren't male (and so don't match with crime profiling). Are you
> saying their argument for not needing strong encryption is valid?

Not at all, and I'm surprised that's what you would conclude from my
statement. Obviously not every crime ever has that specific profile. The point
was that when you have tons and tons of information about everyone, that is
all categorized and geotagged and searchable and machine-learnable, it's a LOT
easier for a completely innocent person to become a suspect.

------
jfindley
Oddly I can't find any other sources reporting this. I'd have expected it to
show up in at least one other place (e.g. BBC News).

I'm not trying to imply that it's not accurate, I'm just confused by the lack
of info. And the article doesn't really reference anything other than other
zdnet articles, so it's really hard to tell exactly what form of the act got
passed - did all the really controversial stuff actually make it in?

~~~
EvilTerran
Here's the Open Rights Group (a UK group who aspire to emulate the EFF) on the
latest development - note in particular the link at the bottom of the article,
to their "campaign hub" on the bill:

[https://www.openrightsgroup.org/press/releases/2016/ipb-will-reach-beyond-the-uk](https://www.openrightsgroup.org/press/releases/2016/ipb-will-reach-beyond-the-uk)

And, for what it's worth, a brief report from The Register:

[http://www.theregister.co.uk/2016/11/16/british_pols_sign_of...](http://www.theregister.co.uk/2016/11/16/british_pols_sign_off_on_surveillance_law/)

------
ajeet_dhaliwal
When this was originally proposed I thought it would never get passed because
it sounded like something right out of 1984. Amazing. I thought the ridiculous
'Agree to this cookie' nonsense was stupid but this is now just very creepy.
National database for keylogging next?

~~~
waqf
Don't worry, the 'Agree to this cookie' thing is an EU directive. So that's
what the UK is currently destroying their economy in order to be free from.

------
bootload
This is bad news for Brits. One problem I see is the storage. If the ISP
stores this information it makes their users open to hacking of personal data.
A bigger problem than the phone hacking scandal. [0]

The title is inaccurate. Australia introduced storage of Internet usage logs
(metadata) at ISP providers for two years in 2015. [1],[2]

[0] [http://www.telegraph.co.uk/news/2016/11/17/three-mobile-cyber-hack--six-million-customers-private-data-at-r/](http://www.telegraph.co.uk/news/2016/11/17/three-mobile-cyber-hack--six-million-customers-private-data-at-r/)

[1]
[https://en.wikipedia.org/wiki/Mass_surveillance_in_Australia...](https://en.wikipedia.org/wiki/Mass_surveillance_in_Australia#Mandatory_data_retention)

[2]
[https://en.wikipedia.org/wiki/Telecommunications_(Interception_and_Access)_Amendment_(Data_Retention)_Act_2015](https://en.wikipedia.org/wiki/Telecommunications_(Interception_and_Access)_Amendment_(Data_Retention)_Act_2015)

------
junto
So the British government is just rubber stamping what they had already been
doing in secret and technically illegally for the last twenty years.

I can't wait till they get hacked and someone dumps every parliamentary
minister and lord's dubious Google searches for the public to see.

~~~
nthcolumn
It was illegal until they brought in retroactive legislation in the middle of
the night making it legal for them to hack. What's the point in having laws?

Most politicians want these intrusive powers in spite of them being against
the ECHR Act. Nobody to vote for or dare you vote at all?

------
RRRA
The whole planet is descending into fascism, put in place by the old
generation who doesn't understand technology while the new one is too busy
inventing the next toilet sharing app.

I guess everyone will enjoy this last century...

------
88e282102ae2e5b
It will be interesting to see the response when this data is hacked and the
browsing histories of the politicians who passed it are released to the
public.

~~~
olegkikin
It doesn't even need to be hacked. Sooner or later some politician will get
that info on his/her opponent, it's inevitable. And, compared to your average
person, a politician has a lot more at stake.

------
erjjones
The first thing that comes to mind here is that data is only good if it is
quality data... dirty data isn't good or reliable.

Coming up with a way to dirty the data from our IPs (i.e. a program that
randomly hits domains via multiple browsers that everyone just runs as a
background service)

~~~
smellf
Just run a tor exit node. Problem solved, sort of.

~~~
dx034
Until you're being questioned in connection with child porn. I'm glad that tor
exists but the crimes that some people commit with it make it impossible for
me to run an exit node. There are things I don't even want to be remotely
associated with.

------
fierarul
How is this any different from the EU Data Retention Directive we've had for a
decade already?

Somebody should make a "feature matrix" and explain this.

~~~
hoodunit
Are you referring to the Data Retention Directive [1], which was invalidated
in 2014? Or are there still other EU-wide laws on data retention?

[1]:
[https://en.wikipedia.org/wiki/Data_Retention_Directive](https://en.wikipedia.org/wiki/Data_Retention_Directive)

~~~
fierarul
I wasn't aware it was invalidated. Of course, each member state implemented
this directive into national law, and I don't believe the national laws
immediately became void.

For example, a quick google shows that just last month the Constitutional
Court in Romania declared the Big Brother law doesn't infringe on the
constitutional rights so data retention continues. All data is kept for 3
years.

------
necessity
Brazil has passed that a few years ago as part of Marco Civil - 1 year period
too, which can be extended per request from the authorities:

> Art. 13. In the provision of internet connection, it is the duty of the
> respective autonomous system administrator to keep the connection records,
> under confidentiality, in a controlled and secure environment, for a period
> of 1 (one) year, under the terms of the regulation.

It demands the storage for 1 year of "connection access registers", defined
as:

> VIII - records of access to internet applications: the set of information
> referring to the date and time of use of a given internet application from a
> given IP address.

I.e. user IP, access data, and info on the accessed website/application.

~~~
oscargrouch
It's not the same thing, as in Brazil the investigation forces will need to get
a warrant from a judge to have access to that data. Exactly the same way it
happens for phone records or private bank accounts.

This data is protected by law, and is considered private. So only a judge, in
an ongoing investigation, when asked by police forces, when investigating
crimes for instance, can grant access to this data.

As I understand from what I read in the article, the UK government has direct
access to that data, so the privacy of its citizens is not respected or
granted by the rule of law.

~~~
necessity
They do not need a warrant, read Article 11.

~~~
oscargrouch
It says exactly the opposite of what you are trying to imply.

>Article 11. In any operation of collection, storage, custody and treatment of
records, personal data or communications by connection providers and internet
applications in which at least one of these acts occurs in the national
territory, shall be _obligatorily respected the legislation and the rights to
privacy, the protection of personal data and the confidentiality of private
communications and records_.

[http://www.planalto.gov.br/ccivil_03/_ato2011-2014/2014/lei/...](http://www.planalto.gov.br/ccivil_03/_ato2011-2014/2014/lei/l12965.htm)

------
atom_enger
If we can't fight them in the courts then we fight them where we are
comfortable. Now more than ever we need to start outpacing the law using
technology. We've done this before and we can do it again. Bits move faster
than bureaucracy :)

------
fatdog
The new Prime Minister Theresa May does not hold any principles that would
place limits on the powers of the government. She was a well known "champion
of the snoopers charter," (wiki) when she was home secretary. There is a
british tendency to be overbearing authoritarians that provides fuel to their
various secession movements. Britain is unlikely to maintain its current
borders for many years after Brexit.

~~~
pmlnr
> does not hold any principles that would place limits on the powers of the
> government

This is why opposition exists. If only they were doing their job, instead of
fighting amongst themselves.

------
WordyMcWordface
I will just leave this here:
[https://www.privateinternetaccess.com](https://www.privateinternetaccess.com)

~~~
gambiting
I just feel like using a VPN, while legal, might already put you on some list
of "suspicious" users. Surely, if you have something to hide, then you are
worth investigating closely.

~~~
noir_lord
Which is why we need to push as many people as possible to use VPNs, they
already have too much straw and too few needles so let's give them even more
straw.

The reality is that no one in the know thinks this has anything to do with
terrorism and _everything_ to do with political control.

If you don't have the right to privacy then all other rights are subverted,
previous governments have used the state security apparatus to monitor
perfectly legal political activities, they've proven again and again they
can't be trusted with this kind of power and we let them give themselves more
(and legalise all the illegal shit they were already doing).

The reality is the UK (which traditionally has been a less free society for a
'free' society) is rapidly sliding into something you can't realistically call
a free society.

~~~
hash-set
The surveillance state has always been about political control. Terrorism is
merely the justification.

~~~
pbhjpbhj
>Terrorism is merely the justification. //

You've lost sight of any balance when you start claiming that terrorism is
just an idea used to justify state oversight and not an actual problem of
organised harm/killing of peaceful civilians.

[https://en.wikipedia.org/wiki/7_July_2005_London_bombings](https://en.wikipedia.org/wiki/7_July_2005_London_bombings)
\- presumably you think that's just a huge fiction created so the government
can get hold of your holiday snaps.

~~~
gambiting
I think one can acknowledge that terrorists and terrorist attacks are
definitely a real thing that exist, and at the same time one can think that
the current reaction is completely out of proportion, where the whole society
is giving away its freedoms to prevent a really minor threat?

~~~
uabstraction
I'd happily live with the lightning strike probability of being involved in a
terrorist attack than the certainty that the government will abuse this data
to subvert opposition.

Trading the rights of millions of people to combat terrorism hurts more people
than the terrorists could ever hope to touch.

This doesn't even factor in solutions terrorists can use to avoid
surveillance, or answer the question of if all this surveillance even reduces
terrorism in the first place.

------
dx034
As a UK resident: I know that I can only avoid logging of my traffic by using
a VPN.

But the domain logging part bothers me the most. Does anyone here know how
they will do it? Could I just use another DNS server? Or will they intercept
the HTTP header?

If I'm not mistaken, they could still extract the domain names from HTTPS
traffic but no exact history?

Anyway, one more reason to use HTTPS everywhere, it sharply reduces what they
can see.
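
An added example (not code from the thread, the ZDNet article or the gov.uk factsheet) for the "internet connection record" point made by pjc50 above and for the DNS/HTTP-header question in this comment: the logger does not need your DNS queries at all. A plaintext HTTP request names the site in its Host header, and a TLS connection announces it in the ClientHello's Server Name Indication before any key exists; only the path and body sit inside the tunnel. The script constructs a minimal ClientHello as test input, parses the SNI and Host header the way an on-path logger would, and fills an ICR-style record whose field layout (`ts`, `src`, `dst`, `dport`, `host`, `path`, `source`) is an assumed illustration, not a format prescribed by the Act.

```python
import struct


def build_client_hello(hostname, ciphers=(0x1301, 0xC02F)):
    """Construct a minimal TLS ClientHello carrying an SNI extension.

    Constructed test input for the parser below, not a capture; random and
    session id are fixed because nothing here depends on them."""
    name = hostname.encode("idna")
    entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type 0 = host_name
    sni_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list   # extension 0 = server_name
    suites = b"".join(struct.pack("!H", c) for c in ciphers)
    body = (b"\x03\x03" + b"\x11" * 32                            # version, random
            + b"\x00"                                             # empty session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                         # compression: null only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(payload):
    """Return the host_name from a ClientHello at the start of a flow, or None.

    All of this is sent in the clear before any key exists, so an on-path
    logger reads it whatever DNS resolver the client used."""
    try:
        if payload[0] != 0x16 or payload[5] != 0x01:          # handshake record, client_hello
            return None
        hs_len = int.from_bytes(payload[6:9], "big")
        hello = payload[9:9 + hs_len]
        if len(hello) < hs_len:
            return None                                        # truncated capture
        pos = 2 + 32                                           # version, random
        pos += 1 + hello[pos]                                  # session_id
        pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + hello[pos]                                  # compression_methods
        if pos + 2 > len(hello):
            return None                                        # no extensions block
        end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            if etype == 0x0000:
                data = hello[pos:pos + elen]
                p = 2                                          # skip ServerNameList length
                while p + 3 <= len(data):
                    ntype = data[p]
                    nlen = struct.unpack("!H", data[p + 1:p + 3])[0]
                    p += 3
                    if ntype == 0:
                        return data[p:p + nlen].decode("idna")
                    p += nlen
                return None
            pos += elen
    except (IndexError, struct.error, UnicodeError):
        return None
    return None


def parse_http_request(payload):
    """Return (host, path) from a plaintext HTTP/1.x request, else (None, None)."""
    try:
        head = payload.split(b"\r\n\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return None, None
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None, None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return value.strip(), parts[1]
    return None, parts[1]


def connection_record(ts, src_ip, dst_ip, dst_port, first_client_bytes):
    """Build an ICR-style record (assumed field layout, for illustration).

    Hostname comes from SNI for TLS or the Host header for plaintext HTTP;
    the URL path is only recoverable from plaintext HTTP."""
    rec = {"ts": ts, "src": src_ip, "dst": dst_ip, "dport": dst_port,
           "host": None, "path": None, "source": None}
    sni = extract_sni(first_client_bytes)
    if sni:
        rec.update(host=sni, source="tls-sni")                  # path stays None: encrypted
        return rec
    host, path = parse_http_request(first_client_bytes)
    if host:
        rec.update(host=host, path=path, source="http-host")
    return rec


if __name__ == "__main__":
    samples = [  # constructed flows: one HTTPS, one HTTP, one SSH
        (443, build_client_hello("example.com")),
        (80, b"GET /private/page HTTP/1.1\r\nHost: example.org\r\n\r\n"),
        (22, b"SSH-2.0-OpenSSH_7.3\r\n"),
    ]
    for port, first in samples:
        print(connection_record("2016-11-17T10:00:00Z", "10.0.0.2", "203.0.113.5", port, first))
```

The `path` field is only ever filled from plaintext HTTP; for HTTPS the record stops at the hostname, which is the "domain names but no exact history" situation asked about above. Changing DNS resolver changes nothing here, because the hostname is read from the connection itself rather than from a lookup. (The later TLS Encrypted ClientHello work, which hides the SNI, postdates this thread.)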

~~~
jwtadvice
VPN has been thoroughly defeated. China, UK and US state law enforcement
monitor VPN use. (Snowden documents, for example, revealed that VPN traffic
can be readily decrypted.)

ISPs and police will use every mechanism including DNS, HTTP, IP addresses,
CRL behavior, ad tracking markers embedded in pages and more to determine your
browsing behavior and history.

The best way to defend yourself against this is to lie down and comply.

~~~
thomasahle
Do you have a link to the "VPN has been defeated" documents? Didn't Snowden
say exactly that the only thing to trust is strong encryption?

> ISPs and police will use every mechanism including DNS, HTTP, IP addresses

Surely VPN will protect you from all of that?

My main concern is police/ISPs logging all VPN traffic, and then when they
want to use some of it, they subpoena your VPN provider for the keys. Though,
maybe forward security fixes this? They could also secretly force every
provider to log everything at all time? But surely there are enough providers
that some would have leaked it?
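
An added example (not from the thread) for the forward secrecy question above: an observer records a whole handshake plus the ciphertext and only later obtains the server's long-term private key. Two key exchanges are simulated side by side, one where the server's long-term key is used directly for the shared secret (the situation without forward secrecy) and one where both sides use fresh one-shot Diffie-Hellman shares and discard them (forward secrecy). The 64-bit prime group and the hash-counter stream cipher are toy stand-ins chosen so the script has no dependencies; they are not secure parameters.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group: a 64-bit prime, chosen so the script runs instantly
# with no dependencies. Illustration only; real protocols use 2048-bit groups
# or elliptic curves.
P = 0xFFFFFFFFFFFFFFC5   # 2**64 - 59
G = 2


def keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def kdf(shared):
    return hashlib.sha256(b"toy-kdf" + shared.to_bytes(8, "big")).digest()


def _keystream(key, n):
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def encrypt(key, plaintext):
    """Toy authenticated encryption: hash-counter keystream plus an HMAC tag."""
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, len(plaintext))))
    return ct + hmac.new(key, ct, "sha256").digest()


def decrypt(key, blob):
    """Return the plaintext, or None if the tag does not verify under this key."""
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, ct, "sha256").digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))


def run_session(mode, server_long_term, plaintext):
    """One handshake plus one encrypted message.

    Returns (transcript, ciphertext, session_key). The transcript is exactly
    what an on-path observer records: public values only."""
    s_priv, s_pub = server_long_term
    c_priv, c_pub = keypair()                         # client's one-shot share
    if mode == "static":
        # Server contributes its long-term key directly (no forward secrecy).
        shared = pow(s_pub, c_priv, P)                # client computes g^(c*s)
        assert shared == pow(c_pub, s_priv, P)        # server computes the same
        transcript = {"server_pub": s_pub, "client_pub": c_pub}
    elif mode == "ephemeral":
        # Server contributes a fresh share; the long-term key would only sign
        # e_pub (omitted here), which is public and gives an observer nothing.
        e_priv, e_pub = keypair()
        shared = pow(e_pub, c_priv, P)                # client computes g^(c*e)
        assert shared == pow(c_pub, e_priv, P)        # server computes the same
        del e_priv                                    # forward secrecy: discarded
        transcript = {"server_pub": s_pub, "server_eph_pub": e_pub,
                      "client_pub": c_pub}
    else:
        raise ValueError(mode)
    del c_priv                                        # client discards its share too
    key = kdf(shared)
    return transcript, encrypt(key, plaintext), key


def observer_decrypt(transcript, ciphertext, leaked_server_priv):
    """What a recorder can recover once the server's long-term private key leaks.

    The only private value the observer ever obtains is the long-term key.
    In static mode that key is the server's DH secret, so g^(c*s) follows from
    the recorded client share and the message decrypts. In ephemeral mode the
    session used g^(c*e), and neither c nor e is on the wire or in the leaked
    key: the same computation yields an unrelated key and the tag check fails."""
    shared = pow(transcript["client_pub"], leaked_server_priv, P)
    return decrypt(kdf(shared), ciphertext)


if __name__ == "__main__":
    server = keypair()                                # long-term key, later subpoenaed
    msg = b"constructed sample: traffic retained for a year"
    for mode in ("static", "ephemeral"):
        transcript, ciphertext, _ = run_session(mode, server, msg)
        print(mode, "->", observer_decrypt(transcript, ciphertext, server[0]))
```

The point the script makes is that a subpoenaed long-term key helps against a recording only if that key took part in deriving the session key. With ephemeral exchange the long-term key only authenticates the handshake, so the retained traffic stays closed even after the key is handed over; what forward secrecy does not cover is a provider that is compelled to log session keys or plaintext while the session is live.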

~~~
jwtadvice
I was going to write up a dossier, but found one created by Der Spiegel here:
[http://www.spiegel.de/international/world/nsa-documents-attacks-on-vpn-ssl-tls-ssh-tor-a-1010525.html](http://www.spiegel.de/international/world/nsa-documents-attacks-on-vpn-ssl-tls-ssh-tor-a-1010525.html)

Yes, trust strong encryption.

VPN isn't strong encryption. Or rather, VPN is not necessarily strong
encryption as most of the VPN standards and implementations have either been
backdoored or weren't designed for strength against state actors.

~~~
tobltobs
> most of the VPN standards

What VPN standards are you talking about?

~~~
jwtadvice
IPSEC, IKE.

~~~
thomasahle
From the (excellent list of) papers you listed, it seems the weaknesses are
not so much that the encryption can be broken, but that you can do all kinds
of man in the middle and timing attacks. Does this mean, that as long as you
are not being actively attacked, the security is acceptable? That is, if you
are only trying to avoid passive logging?

I guess in either case, it would be better to just go with OpenVPN. I really
don't understand why it isn't natively supported in Android, OS X etc.

------
ohstopitu
I know this is not a great solution, but wouldn't a week long ban on UK IP
addresses by major websites (Google, Facebook etc.) raise awareness? (or a
redirect to a page describing why this law is the issue)

~~~
bbcbasic
Shareholders ain't gonna love that

------
hx87
How difficult would it be to swamp the monitoring system with noise?

~~~
pmlnr
That's what I'm thinking as well. I only need to do a crawler, doing HEAD
requests only, piping into /dev/null, in theory.

~~~
vsgxvhdxh
So all your head requests get filtered out when the db gets queried. Leaving
all your gets and posts etc.

Also better hope your crawler doesn't hit any illegal sites (there are loads
according to UK law).

~~~
DanBC
> (there are loads according to UK law).

No, there really aren't.

------
DannyB2
It sickens me that Britain passed the most extreme surveillance law ever.

America is supposed to be number 1 at everything. C'mon congress, get on the
ball! Don't let America be out done by Britain.

~~~
mindcrime
In America, the government doesn't need a law to conduct extreme surveillance.
They just do it and don't give a shit what the public think.

------
sleavey
After I heard this was likely to get passed, I set up a VPN on my server based
in France. I now funnel my traffic through this VPN, so now all web
connections are end-to-end encrypted and not subject to UK ISP logging. I
suggest to everyone who is capable of setting up and running a server to do
something like this.

------
ablation
As other people have said, there are a few steps you can take to protect
yourself in the near to medium term future:

1) Use Signal

2) Use Tor

3) Use a VPN

4) Reduce your digital footprint - especially if you use social media

What was once paranoid fantasy now just seems like prudence. What a time to be
alive, eh?

~~~
jwtadvice
1) Signal does not and cannot protect information about who you are in
contact with, when you contact or are contacted by them, and how long your
conversation is.

2) Tor has been both infiltrated organizationally, academically broken, and is
occupied by police on most of its exit nodes. This without the operational
burden it puts on users. Tor is 'just okay' at protecting users, and should
never be used alone.

3) Use a VPN you can trust. Most VPNs (especially cheap and free services) are
monitored by state police.

4) To add here, try not to have your pictures and locations uploaded online
and do not carry a cell phone.

I want to add to the list:

5) Do NOT be a target. This is the opposite rule of the usual "if you have
nothing to hide": DO NOT have anything to hide. Your opponents in the game of
'hide' are intelligence agencies and state police. It's much better that you
comply and focus on narrow interesting technical problems than social or civil
rights - as being outspoken and interested about the latter makes you a
target.

~~~
bahjoite
5) is probably the most depressing thing I've read for some time. We should
all make the effort to do exactly the opposite.

------
jv22222
Is it possible to confidently bypass this intrusion of privacy using vpn's or
some other system?

------
coo1k
Since people are mentioning VPN, be aware which server you use. You might want
to stay away from servers in 14 eyes countries.

[https://en.wikipedia.org/wiki/UKUSA_Agreement#9_Eyes.2C_14_E...](https://en.wikipedia.org/wiki/UKUSA_Agreement#9_Eyes.2C_14_Eyes.2C_and_other_.22third_parties.22)

A few useful resources when deciding between VPNs:

1. That one privacy guy - [https://thatoneprivacysite.net/vpn-comparison-chart/](https://thatoneprivacysite.net/vpn-comparison-chart/)

2. [https://www.privacytools.io/](https://www.privacytools.io/)

------
nikon
Wow, didn't realise it had made it this far let alone being passed today.

Does this law cover non-residential IP traffic? I would like to set up a VPN
but would prefer to be recognised as being physically located in the U.K.
while browsing Google and Netflix.

------
joggery
Isn't this sort of thing inevitable? I mean, the more technology advances the
easier and cheaper it becomes to build terrorist devices or WMDs. Therefore
society, in order to protect itself, has to be vigilant about how the relevant
knowledge disseminates. An analogy might be an individual guarding against
suicidal thoughts.

More interesting to me is how to create mechanisms to control who gets access
to the data and under what circumstances. I think in the UK we have a pretty
bad record of local councils and other busybodies using snooping powers not
intended for them.

------
StillBored
So, they just codified what they have been doing for the past decade. Much
like the E911/etc bill here in the US, apparently one's use of technology
removes _ALL_ pretenses of privacy.

------
Johnny555
I hope the ISPs add a separate line item to internet bills for all of the
costs to implement this system so people can see how much this is costing
them.

------
joantune
BTW, these would totally be incompatible with EU privacy shield laws. Enjoy
your 'deregulated' post-Brexit state.

------
koga-ninja
The way I read the story, this law which was passed is modifying surveillance
laws, rather than completely oppressing people with something new.

What can the average British subject do? I know they do not have the funds nor
the legal and political acumen to do anything about it.

------
jwtadvice
Outsourcing to companies what its intelligence agencies have been doing for
decades.

[https://en.wikipedia.org/wiki/Karma_Police_(surveillance_pro...](https://en.wikipedia.org/wiki/Karma_Police_\(surveillance_program\))

------
_coldfire
Who exactly is going to pay for this? The govt or ISP/consumer?

And if as another comment suggested, what happens if there's a concerted
effort of spamming the system? How much data are they actually willing to
hold?

People aren't so apathetic on issues when told they have to pay more.

------
jasonszhao
This leads me to consider that although ISPs previously weren't forced to
collect users' browsing history, they had the legal right to. The only
difference the bill does is to share the power corporations had with the
government.

------
katkattac
This is just crazy. It's like anyone could be a criminal, so let's treat
everyone like one? Feels like a huge invasion of basic human rights.

Alas, I feel like the US isn't far behind. It feels like this will be the norm
soon enough.

------
daveheq
What do you do when your leaders go against the will of the people? You get
new leaders. When they do it again? Try again? When they just keep doing it?
Then what?

~~~
jodrellblank
What do you do if this _is_ the will of the people?

------
macawfish
It's time for user-friendly p2p, local internets.

~~~
setq
packet amateur radio

------
MrBra
What are the most effective measures a British citizen could take right now to
escape this surveillance?

------
shmerl
Why are people in the UK tolerating this?

~~~
josscrowcroft
[https://en.wikipedia.org/wiki/Learned_helplessness](https://en.wikipedia.org/wiki/Learned_helplessness)

------
Fifer82
Is there a way that I can browse privately or just not at all any more?

------
JustSomeNobody
Soo... What is the UK government so scared of that they need to do this?

~~~
rublev
Assuming these decisions are bred out of any sort of 'necessity' is assuming
sincerity from the government.

------
vixen99
Let's fervently hope we won't see a demonstration of how to organize a
devastating terrorist attack in the UK without using a single telephone or
internet connection.

------
posterboy
The "extremest", one could say.

------
aaroninsf
Blofeld is happy, at least.

------
bigbugbag
What a sensationalist title. I was expecting a comparison with other
surveillance laws in other countries and the result to be something
outrageous. Turns out it's just sensationalism and it ends up being the kind
of surveillance that has been enacted around the world in the last few years;
mandatory ISP data retention has been active for 10 years in France[1].

It was even a European directive, directive 2006/24/EC or the data retention
directive[2], for all members of the European Union from 2006 to 2014, when it
was invalidated by the Court of Justice of the European Union. Interestingly,
this directive came into existence while the UK had the presidency of the EU in
2005.

> According to the directive, member states will have to store citizens'
> telecommunications data for a minimum of 6 months and at most 24 months.

Why is zdnet trying to present this UK law as if it was something out of the
ordinary? Switzerland[3], Canada's bill C-51[4], Germany[5], Australia[6],
Italy[7], and more [8] (Estonia, Greece, Spain, Hungary, Latvia, Lithuania,
Luxembourg, Malta, Portugal, Ireland) all have mandatory data retention laws.

Then again, none of those are actual democracies (the closest being
Switzerland) and that's pretty much the reason these laws made to spy on
citizens are possible.

[1]: [https://en.wikipedia.org/wiki/Law_on_the_fight_against_terro...](https://en.wikipedia.org/wiki/Law_on_the_fight_against_terrorism)

[2]: [https://en.wikipedia.org/wiki/Data_Retention_Directive](https://en.wikipedia.org/wiki/Data_Retention_Directive)

[3]: [http://www.bbc.com/news/world-europe-37465853](http://www.bbc.com/news/world-europe-37465853)

[4]: [https://en.wikipedia.org/wiki/Anti-terrorism_Act,_2015](https://en.wikipedia.org/wiki/Anti-terrorism_Act,_2015)

[5]: [https://www.huntonprivacyblog.com/2015/10/16/german-parliame...](https://www.huntonprivacyblog.com/2015/10/16/german-parliament-adopts-data-retention-law-with-localization-requirement/)

[6]: [https://en.wikipedia.org/wiki/Telecommunications_(Intercepti...](https://en.wikipedia.org/wiki/Telecommunications_\(Interception_and_Access\)_Amendment_\(Data_Retention\)_Act_2015)

[7]: [https://edri.org/edrigramnumber3-16italy/](https://edri.org/edrigramnumber3-16italy/)

[8]: [https://www.purevpn.com/blog/data-retention-laws-by-countrie...](https://www.purevpn.com/blog/data-retention-laws-by-countries/)

~~~
fdkz
> Why is zdnet trying to put this UK law as if it was something out of the
> ordinary?

Because the 2006/24/EC data retention directive [1] didn't say anything about
browsing history and even then was invalidated by the Court of Justice of the
European Union. The new UK law however:

"The law will force internet providers to record every internet customer's
top-level web history in real-time for up to a year, which can be accessed by
numerous government departments; force companies to decrypt data on demand --
though the government has never been that clear on exactly how it forces
foreign firms to do that; and even disclose any new security features in
products before they launch."

[1] [http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2...](http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2006:105:0054:0063:EN:PDF)
(read "Article 5", "Categories of data to be retained")

