Hacker News new | comments | ask | show | jobs | submit login

The BBC is being a good state mouthpiece today - the fact that they're quoting May as saying it doesn't hold previously contentious matters (I.e. Breaking encryption) is disingenuous to say the least. The bill will say that "unbreakable" encryption is illegal - which means all encryption, as if it's breakable, well, it's not really encrypted, is it.

Never mind that this is totally unenforceable. I could write up a one time pad with pen and paper. Most won't. Crooked cops will sell data. They'll blame "hackers".

You only need look at the talktalk debacle to see how incredibly warped this govt's views are - they haven't arrested anyone at talktalk, who are tge ones who had such poor infosec that script kiddies could blow them wide open. Instead they're arresting children.

Oh, and I'm seriouslt considering redomiciling my company - we only contribute a few hundred million quid to the UK economy.




The bill will not say unbreakable encryption is illegal.

I've heard from sources inside the government that their intention is to maintain the legal status-quo dating from RIPA 2000. Which is to say that service providers have to disclose personal communications where reasonably practicable.

Since it's not possible for service providers to break end-to-end encryption, they will have a defence. Obviously this is a bit of a fudge and the position may need clarifying in court. But it's not the intention of this bill to change the legal status quo.


> it's not the intention of this bill to change the legal status quo.

If they didn't mean to change the status quo, they wouldn't have introduced a bill.

As it happens, they do want to change the status quo, by making clearly acceptable for authorities to eavesdrop, something that was, er, technically illegal before, despite them doing it anyway.

So instead of punishing spooks for breaking the law, they're changing the law. Easy, innit?


Plus, with the new "websites visited" retention rules - extendable at whim, there will be a permanent record, for example of that episode of Frasier that you downloaded from a Torrent site. A permanent record that is, of you "stealing something".


>If they didn't mean to change the status quo, they wouldn't have introduced a bill.

Just strictly on this point, sometimes bills (or parts of bills) are introduced to clarify existing law. It may be a matter of subtle semantics, but this is often what is meant when it is claimed that a bill will not change the law.


Well, in this case the proposed act will basically supersede the Human Rights Act, by excluding authorities from respecting its article 8 ("Right to Privacy"), under which they've been repeatedly challenged (and defeated) since Snowden's revelations. Which is really a change in law, not a clarification.

So yeah, what they really need is a change, because current law is very clear that what they do is illegal.


No, it doesn't (and can't) supercede the HRA; there is actually no mechanism in UK law for doing that other than explicit repeal (Factortame principle).

And article 8 has an ill-specified "national security" exemption. http://ukhumanrightsblog.com/incorporated-rights/articles-in...


IANAL but I've been chewing my way through the ~300 pages of the published draft bill. What catches my attention is that the bill appears does not appear to sufficiently constrain the Secretary of State's powers to oblige a "telecommunications provider" to render technical capabilities deemed necessary to "assist in the in the implementation of warranted activity".

Here, the definition of "telecommunications provider" seems (to my understanding) so broad as to cover any provider of an online service, paraphrasing section 193:

"Communication" is "anything comprising speech, music, sounds, visual images or data of any description" and "signals serving either for the impartation of anything between persons, between a person and a thing or between things or for the actuation or control of any apparatus."

And a "telecommunication service" includes "any case where a service consists in or includes facilitating the creation, management or storage of communications transmitted".

Section 189 titled Maintenance of technical capability allows the Secretary of State to make obligations on telecommunication services including (paraphrasing again):

* relating to apparatus * relating to the removal of electronic protection applied by a relevant operator to any communications or data * relating to the handling or disclosure of any material or data

in addition to requiring them to "provide facilities or services of a specified description"; the specification apparently being deferred until notice is served on the service provider.

Conversely, the Secretary of State is required to consult before serving a "technical capability notice" and section 190 lays out a number of considerations for the Secretary of State including "technical feasibility", "likely cost", "likely benefit" etc.

But other than these apparently very weak constraints, it appears to provide carte blanche for the Secretary of State to demand new technical capabilities of any service provider for the warranted access and interception of any user data they store or transmit.


So, it doesn't, but it does say that GCHQ have carte blanche to break encryption at will without warrant, in clause 187 section 423 - which may as well be the same thing, given that they can break far more than they let on, as they've more than likely factorised the most commonly used primes in standard implementations of cryptographic protocols.


That clause simply adds "make use of" to the beginning of the existing paragraph in the existing legislation[0]:

  (a)to monitor or interfere with electromagnetic, acoustic and other emissions and any equipment producing such emissions and to obtain and provide information derived from or related to such emissions or equipment and from encrypted material; and
They're still bound by the second clause in it:

  (2)The functions referred to in subsection (1)(a) above shall be exercisable only—
    (a)in the interests of national security, with particular reference to the defence and foreign policies of Her Majesty’s Government in the United Kingdom; or
    (b)in the interests of the economic well-being of the United Kingdom in relation to the actions or intentions of persons outside the British Islands; or
    (c)in support of the prevention or detection of serious crime.
[0] http://www.legislation.gov.uk/ukpga/1994/13/crossheading/gch...


With cryptographic protocols that rely on the difficulty of factoring large semiprimes, aren't you supposed to use primes that no one else has used before? If you use the same primes to make your key, then you would have the same key as someone else.


> reasonably practicable

May lead to "implement backdoors and ban unknown ciphertext"


> The bill will not say unbreakable encryption is illegal.

It's already being planned, see: https://news.ycombinator.com/item?id=10498280


I may claim that my encryption is breakable (any encryption is breakable), therefore legal. It will just take them 5 years to break it :-)


If that is the intention then why has no one from inside the government gone on record to say that?


  It will not include powers to force UK companies to capture 
  and retain third party internet traffic from companies based
  overseas. It will not compel overseas communications service 
  providers to meet our domestic retention obligations for 
  communications data. And it will not ban encryption or do 
  anything to undermine the security of people’s data. And the 
  substance of all of the recommendations by the Joint Scrutiny 
  Committee which examined that draft Bill have been accepted.
https://www.gov.uk/government/speeches/home-secretary-public...

Granted though, that is the single mention of encryption in the entire speech.

Draft bill is here: https://www.gov.uk/government/uploads/system/uploads/attachm...

  The draft Bill will not impose any additional requirements 
  in relation to encryption over and above the existing 
  obligations in RIPA.
However, under "EQUIPMENT INTERFERENCE" it discusses the following:

  What is it?
  27. Equipment interference allows the security and intelligence
      agencies, law enforcement and the armed forces to interfere with 
      electronic equipment such as computers and smartphones in order to 
      obtain data, such as communications from a device.

      Equipment interference encompasses a wide range of activity from 
      remote access to computers to downloading covertly the contents of 
      a mobile phone during a search.

  Why do we need it?
  28. Where necessary and proportionate, law enforcement agencies and the 
      security and intelligence agencies need to be able to access 
      communications or other private information held on computers, in 
      order to gain valuable intelligence in national security and   
      serious crime investigations and to help gather evidence for use in 
      criminal prosecutions.

      Equipment interference plays an important role in mitigating the 
      loss of intelligence that may no longer be obtained through other 
      techniques, such as interception, as a result of sophisticated 
      encryption. It can sometimes be the only method by which to acquire 
      the data. The armed forces use this technique in some situations to 
      gather data in support of military operations.
In other words, if you use "sophisticated encryption" then we'll just hack you, and that is about to be perfectly legal. Previously, "we" just used to do it anyway. Now we are going to make it legal, and have a FISA style "yes whatever officer" court in the UK, like you have in the US.

This is really the bottom line here. The UK is moving towards a secret court, with secret decisions, copying the US style FISA. So long and thanks for all the cups of tea.


Those latter two quotes are from the "Guide to Powers and Safeguards", which isn't part of the draft bill, and has no legal standing.


And having worked at BT where those with wide access to the data on the phone network had to be Vetted (as they could look up the Queens phone number)

I can't see a lot of ISP staff being happy at having to be PV Veted (Top Secret in US terms)


With you on the move IT / High tech out of the UK bit (also already had talks with our accountants & lawyers to relocate our company away from the UK).

One part of the "snooper's charter" is that it makes the ISPs / providers liable ("their duty") to store the content of I-Net sessions and provide access to this data for service, police & the tax office (not clear how all of these entities will share the data between each other or with the outside).

De facto this makes any end-to-end encryption or zero-knowledge services impossible to provide from the UK. If this propagates across EU / US / other countries it will bring an end to many cloud-based services & many saving governments & commercial are planning or envisioning for the next years. Wild guess estimate in damages to the UK (five years) - £100Billion + long term effects.

It seems the group of people pushing on this piece of legislation so heavily since years have not learned a bit from what is / has been happening in the UK and elsewhere for many years across industries (alternative reality: they want to create an very large income stream for themselves. This will nevertheless be most likely be short-lived at the cost of the overall UK economy / competitiveness - short- & long-term).

What has been proven over-and-over again in the UK (and certainly elsewhere as well) is that government or similar oversight is not working and is constantly abused by those given access to these means when large financial amounts / incentives are available to those who "bend" these processes / regulations / e.a. to their own benefit. At the same time those so far do not have to fear any reprisal / punishment. This is another shortcoming and clearly demonstrates that the true intentions of this legislation must be completely different from the labeling publicly provided - I'm talking about punishment along the line given to so called "hackers" in the UK / US - 10 years min. - but wait - it was the UK just recently that has removed all punishment for breaking the law 100'000s of times by some of its services (they couldn't make it legal without due process through the parliament so they just removed the punishment).

Let's have a brief look into how well "oversight" works in the UK:

- News of the World (data / access sold off by government employees)

- UK Mis-selling saga with PPI - unique case as almost £30Billion in compensations have been granted - non-working financial oversight

- Gold fixing scandal - non-working financial oversight for many years / decade

- FX fixing scandal - non-working financial oversight for many years / decade

- Bailouts / 2008 financial crisis - non-working financial oversight for many years

- NHS data leaks - no due process and proper data protection

- plenty more to add ...

... crime and abuse of the rules happens when an opportunity is provided with incentives and no reprisal.

IMHO - that is the biggest danger from all these almost limitless surveillance laws and powers provided without checks.


The BBC has been a mouthpiece for both the UK and the US government for quite a few years. That's why I've always disliked seeing their articles here, and I'd prefer another source like TheGuardian instead.

Their previous one about UK gov "backtracking" on encryption backdoors was just as bad.

http://www.bbc.co.uk/news/uk-34691956

Read through it and see how 80% of it is the government's opinion about these things. It barely gives mention to what the civil liberty groups are saying.

Read the last four paragraphs of the article, for instance. They only deal with how much of a headache end to end encryption is for authorities - and leaves it at that. What about what the civil liberty groups say about how it protects security and privacy?


> The BBC has been a mouthpiece for both the UK and the US government for quite a few years.

This is quite well known—at least to people who think about such matters. Strangely, it seems to have been missed by the majority of HN.

It's a state sponsored news agency: the BBC are the recipients of a "TV tax" (licence fee, if one watches TV).


It's an organization funded by tax payers. That doesn't automatically mean it is a state mouthpiece. Unfortunately, they have not been very bold in their reporting since the Hutton Inquiry:

https://en.wikipedia.org/wiki/Hutton_Inquiry


The BBC is not funded by tax payers. It's funded by the TV License which is not compulsory. If you choose not to watch live broadcast television then you don't pay for a TV license.


Your definition would mean VAT isn't a tax. Just avoid the luxuries[1] and you avoid the VAT.

You have to pay the licence fee even if you never watch any BBC broadcast material. A person who only ever watches ITV would have to pay the licence fee.

And non-payment of the licence fee was a criminal offence with fines, and non-payment of the fine sent many people to prison.

It feels like a tax.

[1] also tampons and sanitary towels, which probably don't feel like a luxury purchase.


I hate to "well actually" you Dan :)

I was informed by a TV license "officer" that provided you detune BBC channels you can still watch commercial channels. In the same way that I am permitted to listen to BBC radio channels (for which no license is required) via a Sky box.

TV licensing have to prove that you're watching on-air BBC broadcasts.


Incorrect, you need a license if you watch or record live TV broadcasts, regardless of channel. Sounds like you were misled.

http://www.tvlicensing.co.uk/check-if-you-need-one/topics/Li...


In the UK even if you do not watch TV at all (live or recorded) you have to pay the BBC Tax / TV license fee under certain circumstances.

Best known one is having a car with a live video feed (e.g. a reverse camera to the dashboard) -first ones were Range Rovers and other luxury cars but these features are now arriving within more "bread and butter" cars as well.

Still better than in Germany where they recently turned it into a per-household tax to be paid even if you don't watch any TV / broadcast at all.


Incorrect, I pay no license fee as I only watch things through non-live streaming services such as Netflix, NowTV and iPlayer.

I used to have a TV license and cancelled it. When they asked why I was cancelling, I said that I consumed my entertainment through non-live streaming services and they were happy. That was at the end of last year and I haven't heard anything since.


just half true - you're right with regard to recorded broadcast, but...

Do you drive a modern car, do you have surveillance cameras at your property / your offices? - Bang you have to have a TV license in the UK even if you don't watch any TV.

Every year thousands of people in the UK are pulled to court / persuaded to pay thousands of £s to settle enforcement cases against them (or even go to prison) because they only look at half of the rules.


No, you don't. You're reading the legislation incorrectly which can happen if you just read it sequentially. Nobody goes to prison because their car has a reversing camera, that's absurd.

Whilst true that in Section 9 (Part 3) of 2004 No. 692 ELECTRONIC COMMUNICATIONS BROADCASTING The Communications (Television Licensing) Regulations 2004[0] a 'television receiver' is defined as:

    any apparatus installed or used for the purpose of receiving (whether by means of wireless telegraphy or otherwise) any television programme service, whether or not it is installed or used for any other purpose.
...the key part is Section 363 of Part 4 of the Communications Act 2003[1] which states:

It an offence to

    * install or use a television receiver or

    * possess or have control of a television receiver with the intent to install or use it or

    * possess or have control of a television receiver and know or have reasonable grounds for believing that another person intends to install or use it without a valid TV Licence issued under the Communications Act.
If you own or possess a television set without installing or using it as a TV receiver (e.g. you only use it to watch videos or DVDs, or as a monitor for a games console) then you don’t need a TV Licence. This is what the ''television programme service' refers to in Section 363 - the key part being that a TV receiver is concerned with the reception of live or 'virtually live' broadcasts.

This has been confirmed many times and directly by the BBC in this FOI request[2]

[0] http://www.legislation.gov.uk/uksi/2004/692/pdfs/uksi_200406...

[1] http://www.legislation.gov.uk/ukpga/2003/21/part/4

[2] https://www.whatdotheyknow.com/request/laws_on_tv_license


Mind pointing me towards where it states this? Some examples of the court cases would be nice too, seeing how they're so plentiful.


> In the UK even if you do not watch TV at all (live or recorded) you have to pay the BBC Tax / TV license fee under certain circumstances.

This isn't true.

You can quite happily watch iPlayer or 4OD or Netflix and not be liable to pay the license fee as long as what you're watching isn't live or being broadcast at that very moment.


You can avoid the TV License Fee if you only watch BBC iPlayer, or stick to things like Netflix.

It basically applies to any TV being watched as it is being broadcast at the time so you are liable to pay anything if you only watch shows after they have been aired.

Myself I tend to watch Netflix, some iPlayer and 4OD stuff and I do not have to pay anything.

That doesn't stop them sending letters once in a while to check though.


wrong - you need a TV license for "ANY" live broadcast in the UK - as mentioned in another comment here this includes any live camera feed (surveillance / in cars / etc) - so even if you never watch any TV (recorded or live) there a plenty of cases where by the law (under threat to go to prison) you have to sponsor the BBC.

The BBC is the only recipient of TV license fees in the UK - of course after plenty of cost created on the way between the consumer / license payer to the BBC / payee.

BTW the BBC is also the TV licensing authority in the UK and is authorised by the government via the Communications Act 2003 to collect and enforce the TV license fee. One of the companies in the Capita conglomerate has been "entrusted" by the BBC / the government to collect the TV licensing fees.


Well, representatives and the documentation from the TV Licensing authority themselves that they provided me with would seem to disagree with you.

A lengthy correspondence with them led them to conclude that because my TV was not connected to a TV aerial or cable, and I only used it to watch Netflix and iPlayer from my computer, I did not in fact need a TV license.

I've been through this dance with them three or four times.


>The BBC is not funded by tax payers. //

Has this changed in the last 2 years?

Previously, when I looked, the BBC stated that they received a substantial sum from direct taxation in addition to the license fee. On that basis you pay in part and the BBC is funded [partially] by tax payers. IIRC it amounted to about 5% of the take from license fee payers.

Ah, decided to track it down ... http://downloads.bbc.co.uk/annualreport/pdf/2014-15/BBC-FS-2..., p.34 - "grant-in-aid" funding £243.6 Million up to March 2015 (6.5% of the license fee income).

However it looks like this has stopped in 2015:

"Grants from Government departments For the year ended 31 March 2014, the BBC World Service received Grant-in-Aid from the Foreign & Commonwealth Office. Previously, BBC Monitoring also received a grant from the Cabinet Office. These grants have been drawn down to meet estimated expenditure in the year but unspent amounts do not have to be repaid, as long as they fall within predetermined limits. The grants are recognised as income in the financial year that they relate to."

Very minor nitpick: you should say "consume live broadcast TV" as blind people don't watch but still have to pay.


TV licenses are an excise tax on TVs. If you own a TV capable of receiving broadcasts, you have to pay.


The guardian is very left leaning as well, a more neutral paper would be better.


A newspaper cannot be neutral. The real problem with the BBC is that it is officially proud to be neutral but it is not. I way prefer a lot of non neutral papers, where I know before hand their base political/economic/social views. This way I can go and read both sides of the story or if not that important, read just one side knowing that it is a partial view.


The BBC is by far the most neutral news source I have ever encountered. It's constantly subject to attack by both the government and the public, to the extent that it's terrified to take a stance on any issue.


This is what you think and this is the problem because you are not alone at all. I highly recommend you reading this book: "NEWSPEAK in the 21st Century". It is highlighting the fact that the BBC is not neutral for a lot of critical issues. This is why I prefer "opinionated" papers.

Sorry for this thread going maybe a bit off-topic, but this a subject I am pretty attached too. Again, I am not saying that the BBC is not doing great work, but just that it is not as neutral as what the opinion think it is.

http://www.amazon.co.uk/NEWSPEAK-21st-Century-David-Edwards/...


Thanks for the book tip will have a look at it.

Having worked in news for some years and seen how (esp. online) news are produced and weighted for priority, it is to say, that it is quite a sad state of affairs.

I stopped reading the news, following any news at all. If news do reach me and my interest exceeds a internal threshold, I start investigating the topic further.

So having a view from outside my home country might be interesting.


Cowardice is not neutrality. This is how we get global warming denialism given unreasonable amounts of airtime, using the "Views On Shape Of Earth Differ" approach.


Yes, that's a problem. But the two aren't mutually exclusive.


Hold on - there's no 'it' (it can rarely be said to speak with one voice) and where do you get 'terrified' from? 'Attack' is also pejorative. It is entirely appropriate that a public broadcasting organization paid for license holders to the tune of £3.7 billion or so, is subject to extensive positive and negative critical comment.


BBC neutral? Jokes on you :)


They're not supposed to be taking a stance, only reporting, that's the whole point.


There are basically no neutral papers in the UK. The Independent sort of tries, and the FT/Economist tend to be accurate with the facts but reflexively probusiness/neoliberal.


The Economist is increasingly pro-BIG-business, pro-establishment, rather than fair/free-market (as it used to be).


Good to know that I'm not the only one who's noticed this. It used to be my favorite paper, but I'm disappointed with the direction it's taken lately.


There's no requirement to or expectation that they will be. Papers are not required to present any kind of balance, as long as what they say is broadly true (external pluralism), for a given value of true. The broadcast media (the free-to-air ones) are required to be demonstrably internally pluralistic, to show a variety of sources and viewpoints within their output - and that applies across BBC, ITV, Ch4 and Channel 5, but not Sky News; goes back to when Radio came on stream in the 1930s.


Yes. Americans keep expecting "neutrality", which is hard to define and impossible to achieve.


The FT is not that neoliberal, it is fairly generally liberal, and generally more left wing than most of its readership by quite a margin, although it is quite varied.


Left-leaning? So privacy is a left-wing thing?


Left and right are increasingly meaningless labels. These days it is more pro-establishment vs anti-establishment.

For example, the most vocal people on privacy are an amalgam of independent thinkers on the "left" (The Guardian, etc) and independent thinkers on the "right" (Ron Paul, etc.)

While the "leftist" Hillary Clinton calls Snowden a traitor (so do a lot of "right"-wing people, too).


Although Britain's left wing party, Labour, is pro surveillance, even it seems under Corbyn, who is himself a target.


Stop it – this article is completely fine. It quotes the government, explaining what the plan is. It explains the views of other parties and what they think is wrong with the proposals. It quotes a civil liberties group, who explain why it's bad.

This is exactly what news should be. If you want more in-depth analysis or opinions, you should be looking elsewhere.


Hang on - he has a point, the BBC has become very pro government with its commentary and the way they choose to present information. Particularly above the fold.


I never understand this viewpoint, I read the BBC for online news and the Telegraph at home, it's very easy to see which one is pro government/pro Tory.

The BBC is basically going to be gutted by the current government, I don't buy into this world where they're pro government, I find they're fairly neutral while a lot of the people criticising it are almost certainly anti Tory.


Being less pro-Tory than the Telegraph is hardly a challenge. The Telegraph is the propaganda arm of the Tory party. As in they literally run press releases from CCHQ as news stories.

The BBC should aim for their coverage to reflect facts, not just be a the-truth-is-in-the-middle triangulation of Labour and Tory positions. Their neutrality and balance mostly consists of getting a comment from the Tories and then getting a comment from Labour, with the assumption that doing so will cover all sides of any issue. One of the aims of any decent media organisation should be to challenge the establishment, but when the BBC is constitutionally unable to criticise positions where Labour and Tories both agree then it's unable to fulfil that role.


How do you contribute that to the economy? Your profile is blank.


That's probably how.


Not sure why BBC is getting a hard time for reporting the news.


I don't see anyone reporting that the bill mentions encryption.


The BBC is being a good state mouthpiece today - the fact that they're quoting May as saying it doesn't hold previously contentious matters (I.e. Breaking encryption) is disingenuous to say the least.

No, it's not.

The bill will say that "unbreakable" encryption is illegal - which means all encryption, as if it's breakable, well, it's not really encrypted, is it.

Source please – I've not seen this language indicated anywhere.

they haven't arrested anyone at talktalk, who are tge ones who had such poor infosec that script kiddies could blow them wide open. Instead they're arresting children.

Poor information security isn't a crime. Breaking into computer systems is.


>Source please – I've not seen this language indicated anywhere.

http://www.telegraph.co.uk/news/uknews/terrorism-in-the-uk/1...

>Poor information security isn't a crime.

https://en.wikipedia.org/wiki/Data_Protection_Act_1998


Thanks for the source, it's interesting that The Telegraph is the only paper reporting this. IOW, I'll believe it when I see it.

The Data Protection Act does not in practice criminalise poor information security – it does criminalise the lack of things like a risk assessment. Short of actual negligence, nobody will be prosecuted due to the hostile actions of a third party. Probably not a bad thing, as it would be obviously ludicrous to do so.


The actual language in the bill is unclear as it's not been published yet and all we have to go on is competing Home Office press releases.


Poor information security is a crime when that information involves personal information. The Data Protection Act requires that personal information is kept secure. Just because no one has been prosecuted yet doesn't mean they couldn't or shouldn't be.


UK law basically says "assess the risk and take appropriate measures." Short of criminal negligence, it's extremely unlikely that anybody will be prosecuted.


The Talktalk data leak actually seems like criminal negligence. I don't know the British law, but that level of negligence at least should be criminal.


"Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."

TalkTalk did not take appropriate measures against unauthorised processing.


Poor information security isn't a crime.

Actually, it can be, for example if it results in data protection violations[1]. However, UK law is slightly unusual in this respect, in that while there are technically criminal offences involved, at present the main ones can't lead to arrest or jail time, only monetary fines. A couple of years ago there was talk of consulting on changing this, though I'm not sure what the situation is following the recent general election.

[1] https://www.cps.gov.uk/legal/d_to_g/data_protection/#offence...


A bank not locking their vaults would probably be slapped with a few dozen criminal charges in court. Why would that not apply for electronics? If you've committed to protecting the data, you're supposed to make a reasonable effort to actually do so.




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: