
Has now been published in draft:


No explicit ban on encryption, but the existing RIPA obligation to decrypt when you have the capability and are made to. Potential madness in the "Equipment interference" section, although the bill claims this is already authorised under different legislation.

The Bill uses "communications data" to mean what we would call "metadata", ie everything except the contents.

"Equipment interference allows the security and intelligence agencies, law enforcement and the armed forces to interfere with electronic equipment such as computers and smartphones in order to obtain data, such as communications from a device. Equipment interference encompasses a wide range of activity from remote access to computers to downloading covertly the contents of a mobile phone during a search."

The irony - if that's the word - is that a site visit history is largely useless as metadata.

Only the most stupid people are going to visit "verydangerousterrorismsite.com" without going through a VPN. And visits to Facebook or Google are just noise without the details.

It's hard not to suspect that the real reason for the legislation is to legitimise dissident profiling, voter sentiment analysis, and thoughtcrime tracking.

I'm expecting an attempt to ban personal use of VPNs (without a commercial license) by around 2020.

"Largely useless" only to fight external threats. As you say, it's invaluable for controlling internal dissent and abusing the system. Knowledge of a visit to AshleyMadison or YouPorn becomes instant blackmail material, regardless of contents.

Note for Eurosceptics: you know what the last bastion against this autocratic movement is? Yup, the European Court of Justice, backed by all those highly-worded treaties. Lose that, and you'll go back to being hostage to your national elites.

> you know what the last bastion against this autocratic movement is? Yup, the European Court of Justice, backed by all those highly-worded treaties. Lose that, and you'll go back to being hostage to your national elites.

Yet here we are, anyway.

Remind me which government gave us the Data Retention Directive?

And which tribunal struck it down?

From https://en.wikipedia.org/wiki/Data_Retention_Directive :

> On 8 April 2014, the Court of Justice of the European Union declared the Directive invalid in response to a case brought by Digital Rights Ireland against the Irish authorities and others.

If the Snooper's Charter makes it through, the ECJ is the only hope to strike it down and keep it down, considering how Labour is hardly free of authoritarian tendencies. That's the truth, as uncomfortable as it might be for eurosceptics.

> And which tribunal struck it down?

Only several years late, of course. It's a bit weak to suggest that the EU is our saviour when it comes to surveillance.

I'd rather place my faith in the ECtHR.

No, I'm just saying that removing the EU layer you lose another chance of fighting against the current (and/or future) wave of power-crazy national elites.

I don't see how a supranational government is any better than a national one, though. If anything, they're more remote and intransigent, and pretty much have a revolving door between the two. I trust neither when it comes to this issue.

The EU is historically influenced by "virtuous" countries, which have little interest in signing bad laws; "bad" countries benefit as a result. The European Parliament, with its proportional representation system and loose alliances, can often be more easily influenced on big, visible issues than the hardcore-conservative first-past-the-post Westminster (where party loyalty is paramount).

The EU is not perfect (the Commission in particular is the root of a lot of "evil" activity), but if you believe in checks and balances, it's yet another power you can appeal to when things look dire on the home front.

Vote Pirate in the EU elections.

The ROI of banning VPNs is very minor... What would they get in return? Providing investigators with easier access to information they can already get? Whereas banning VPNs would be an expensive legal and enforcement hurdle and has the potential to cause media/civilian backlash.

So why ban VPNs when they are already expanding their existing ability to:

a) get access to information held by service providers (which include VPNs)

b) "remote access to computers to downloading covertly the contents of a mobile phone during a search."

In practice, a VPN does nothing to prevent them from accessing the sites you visit, other than requiring some additional paperwork to send an information request to the VPN (not even a warrant) to fill in the gaps which passive surveillance can't provide. Plus the VPN will give people a false sense of security... so they won't think twice about visiting [verybadsite.com].

It's more along the lines of using that metadata to know what time you visited a website so they can match activity on the website to your timestamp. This is also how they have in the past found you're responsible for something without having to get logs from your VPN. Another usage where this will be useful will be for peer to peer networks, now police can easily find out exactly what you have downloaded via bittorrent. And if tox.im type of 'p2p chat networks' become used, that would help them more than it would if you used a centralized chat service as it's previously been stated that the metadata (who communicates with who) is more useful than the contents.

On another note, do we know yet whether the police could bulk ask for everyone's connection history or do they need 'reasonable suspicion of a crime'?
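The timing correlation described in the comment above, as an added example that is not part of the original thread. The ICR-style records and the site's post timestamps are constructed sample data, and the hostnames and subscriber IDs are assumptions. The point it shows is that a connection record holding only (subscriber, service, time) is enough to rank which subscriber is behind a pseudonymous account once the service's own post times are available:

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data (not from the page). Each ICR-style record says only
# that a subscriber's device connected to a service at a given time; it holds
# no page path and no content.
ICRS = [
    ("sub-001", "forum.example", "2015-11-04T09:02:10"),
    ("sub-002", "forum.example", "2015-11-04T09:03:40"),
    ("sub-003", "forum.example", "2015-11-04T09:10:05"),
    ("sub-001", "forum.example", "2015-11-04T13:31:00"),
    ("sub-002", "forum.example", "2015-11-04T15:00:00"),
    ("sub-001", "forum.example", "2015-11-05T21:14:30"),
    ("sub-003", "forum.example", "2015-11-05T21:16:00"),
]

# Constructed server-side timestamps of posts by one pseudonymous account,
# as the site operator would hand over in response to a request.
POSTS = ["2015-11-04T09:03:00", "2015-11-04T13:32:15", "2015-11-05T21:15:10"]


def parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def attribute_posts(icrs, posts, host, window_seconds=120):
    """Rank subscribers by how many of the posts fall within window_seconds
    of one of that subscriber's recorded connections to host.

    Returns a list of (subscriber, hits) sorted by hits, highest first.
    A subscriber is counted at most once per post, so a burst of
    reconnections does not inflate the score.
    """
    window = timedelta(seconds=window_seconds)
    hits = Counter()
    for post in posts:
        t = parse(post)
        seen = set()
        for sub, h, ts in icrs:
            if h == host and abs(parse(ts) - t) <= window:
                seen.add(sub)
        for sub in seen:
            hits[sub] += 1
    return hits.most_common()


if __name__ == "__main__":
    for sub, n in attribute_posts(ICRS, POSTS, "forum.example"):
        print(f"{sub}: matched {n} of {len(POSTS)} posts")
```

Three posts and seven connection records are enough to single out one subscriber here; any one post has several candidates, but only one candidate recurs. The same method works against records of connections to a VPN endpoint, since it needs only the timing of the subscriber's sessions, not the name of the site reached through the tunnel, which is the sense in which the comment says a VPN does not prevent attribution.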

As far as I can tell, bulk collection does require a warrant (as per the bulk powers section) and is limited to security / intelligence agencies (does that include police?).

Police have to request the ICRs for an individual on a case-by-case basis, going through a 'senior officer' who takes advice from a single point of contact (SPoC), although I can't find any criteria for SPoC selection.

In any case, there's no judicial oversight on ICR requests as far as I can see.

The section on interception is awful.

* "Warranted interception is used only for intelligence purposes."
* "Warranted interception is governed by RIPA."

There is, of course, no mention of unwarranted interception. One must presume that there is no unwarranted interception of communications being actioned.

I agree, it's really not very clear.

The problem I think is that ICRs don't fall under the rules for interception. They seem to be a part of communications data:

> A kind of communications data, an ICR is a record of the internet services a specific device has connected to, such as a website or instant messaging application.

Communications data doesn't have the same warrant requirements.

As far as I can tell, ICRs (Internet Connection Records) will be subject to the same availability restrictions as "communications data".

So no warrant would be needed to get a list of domains a person has visited.

> So no warrant would be needed to get a list of domains a person has visited.

Which is a great idea, because what you really want is people in high stress jobs not turning to organisations like mental health charities or alcohol support groups for help because they fear being outed, or people concerned about medical conditions not using on-line services provided by the NHS for fear of putting up insurance premiums, never mind the obvious things like compromising the high profile, married political candidate who visited bestgaypornevah.com every day last month.

The idea that any information that would normally be effectively private should be subject to government snooping without a good reason and proper oversight inevitably has a chilling effect, and it's all too likely that in the worst cases some people in the kinds of situation I mentioned before will literally die because of it. As much as I hate over-the-top political rhetoric, if we're going to have this debate for real now, I suspect the civil liberties groups are going to have to start making blunt, bold statements like that to make their case.

It would also help if the people debating these issues in Parliament better understood the technical implications of some of the proposals and therefore why some of the safeguards also proposed in this debate won't or can't actually work. For example, even if we accept that logging visited web domains and making those logs subject to warrantless examination is justified, I'd like to know what technical mechanisms the average MP believes to exist for identifying and recording the domain name of all visited web sites reliably but nothing more, and how much they think it would cost ISPs to implement those mechanisms across the board.
