No explicit ban on encryption, but the existing RIPA obligation to decrypt when you have the capability and are made to. Potential madness in the "Equipment interference" section, although the bill claims this is already authorised under different legislation.
The Bill uses "communications data" to mean what we would call "metadata", i.e. everything except the contents.
"Equipment interference allows the security and intelligence agencies, law
enforcement and the armed forces to interfere with electronic equipment such as computers
and smartphones in order to obtain data, such as communications from a device.
Equipment interference encompasses a wide range of activity from remote access to
computers to downloading covertly the contents of a mobile phone during a search."
Only the most stupid people are going to visit "verydangerousterrorismsite.com" without going through a VPN. And visits to Facebook or Google are just noise without the details.
It's hard not to suspect that the real reason for the legislation is to legitimise dissident profiling, voter sentiment analysis, and thoughtcrime tracking.
I'm expecting an attempt to ban personal use of VPNs (without a commercial license) by around 2020.
Note for Eurosceptics: you know what the last bastion against this autocratic movement is? Yup, the European Court of Justice, backed by all those highly-worded treaties. Lose that, and you'll go back to being hostage to your national elites.
Yet here we are, anyway.
Remind me which government gave us the Data Retention Directive?
From https://en.wikipedia.org/wiki/Data_Retention_Directive :
> On 8 April 2014, the Court of Justice of the European Union declared the Directive invalid in response to a case brought by Digital Rights Ireland against the Irish authorities and others.
If the Snooper's Charter makes it through, the ECJ is the only hope to strike it down and keep it down, considering how Labour is hardly free of authoritarian tendencies. That's the truth, as uncomfortable as it might be for eurosceptics.
Only several years late, of course. It's a bit weak to suggest that the EU is our saviour when it comes to surveillance.
I'd rather place my faith in the ECtHR.
The EU is not perfect (the Commission in particular is the root of a lot of "evil" activity), but if you believe in checks and balances, it's yet another power you can appeal to when things look dire on the home front.
So why ban VPNs when they are already expanding their existing ability to:
a) get access to information held by service providers (which include VPNs)
b) "remote access to computers to downloading covertly the contents of a mobile phone during a search."
In practice, a VPN does nothing to prevent them from accessing the sites you visit. Other than requiring some additional paperwork to send an information request to the VPN (not even a warrant) to fill in the gaps which passive surveillance can't provide. Plus the VPN will give people a false sense of security... so they won't think twice about visiting [verybadsite.com].
On another note, do we know yet whether the police could bulk ask for everyone's connection history or do they need 'reasonable suspicion of a crime'?
Police have to request the ICRs for an individual on a case-by-case basis, going through a 'senior officer' who takes advice from a single point of contact (SPoC), although I can't find any criteria for SPoC selection.
In any case, there's no judicial oversight on ICR requests as far as I can see.
* "Warranted interception is used only for intelligence purposes."
* "Warranted interception is governed by RIPA."
There is, of course, no mention of unwarranted interception. One must presume that there is no unwarranted interception of communications being actioned.
The problem I think is that ICRs don't fall under the rules for interception. They seem to be a part of communications data:
A kind of communications data, an ICR is a record of the internet services a specific device has connected to, such as a website or instant messaging application.
Communications data doesn't have the same warrant requirements.
So no warrant would be needed to get a list of domains a person has visited.
Which is a great idea, because what you really want is people in high stress jobs not turning to organisations like mental health charities or alcohol support groups for help because they fear being outed, or people concerned about medical conditions not using on-line services provided by the NHS for fear of putting up insurance premiums, never mind the obvious things like compromising the high profile, married political candidate who visited bestgaypornevah.com every day last month.
The idea that any information that would normally be effectively private should be subject to government snooping without a good reason and proper oversight is inevitably a chilling effect, and it's all too likely that in the worst cases some people in the kinds of situation I mentioned before will literally die because of it. As much as I hate over-the-top political rhetoric, if we're going to have this debate for real now, I suspect the civil liberties groups are going to have to start making blunt, bold statements like that to make their case.
It would also help if the people debating these issues in Parliament better understood the technical implications of some of the proposals and therefore why some of the safeguards also proposed in this debate won't or can't actually work. For example, even if we accept that logging visited web domains and making those logs subject to warrantless examination is justified, I'd like to know what technical mechanisms the average MP believes to exist for identifying and recording the domain name of all visited web sites reliably but nothing more, and how much they think it would cost ISPs to implement those mechanisms across the board.