Britain passed the “most extreme surveillance law ever passed in a democracy” (zdnet.com)
651 points by eeZah7Ux on Nov 17, 2016 | 291 comments



As a UK resident, this irks me beyond belief. It's a sickening invasion of human rights[1]. To echo u/rubberstamps' sentiments, it's such that there's been little to no coverage of this in the media.

But it's the same everywhere: introduce an encroaching bill, have uproar from those with their heads screwed on (the minority). Let it grow a little stale in the public's eye and keep reintroducing it with slight alterations until it passes into law.

There's a definite sense of helplessness and hopelessness when approaching the subject with the public. Even within IT there's a sense of 'who cares'. I had a conversation about it just last weekend. I asked for my roommate's phone so I could look at all his emails, SMS, etc. He gave it to me and said he doesn't care.

How do those who want to maintain privacy reach out to people and let them know it's not OK? Because this is not OK.

Anyway - off to study journalism.

[1] - https://www.liberty-human-rights.org.uk/human-rights/privacy


"A new leader will be elected, they'll flip the switch, say that because of the crisis, because of the dangers that we face in the world - some new and unpredicted threat - we need more authority, we need more power. And there will be nothing the people can do at that point to oppose it. It will be turnkey tyranny." - Edward Snowden (June 2013)


Right on, except you misspelled "Joseph Goebbels."


If you're off to study journalism you might find this that I just published today handy. It's important to remember that surveillance in both the media and activism scene in the UK has also meant significant physical surveillance, meaning both surveillance of movement and also infiltration. We are writing a series of things about this (secure meetings with sources, covering protests, dealing with arrests etc.) based on the content in Umbrella App.

"How journalists and activists can identify and counter physical surveillance"

https://medium.com/@roryireland/how-journalists-and-activist...


Strange, the Umbrella App link gives me a 403: https://secfirst.org/fdroid/repo/ . Can't find it within the FD app.


Yeah, you're the third person today to say that to us. We checked it was working outside with the direct download link at https://secfirst.org/fdroid/repo/umbrella.apk. As far as we can tell there is an issue with the F-Droid build, but our devs are looking at it at the moment to see if we can solve it from our side.


Actually, as a temporary fix it's working if you go to F-Droid and then add our repo

"https://secfirst.org/fdroid/repo/umbrella.apk"


Thank you :)


Learn political organizing skills, which address these issues: How to build awareness, appeal to people, organize them, etc.

As many veterans of past civil rights battles have said: Don't get mad, organize!


I think we should also focus on making our current technology impervious to this type of tracking. If the flaw exists in the system that exposes our personal information then we should work to plug the hole. I think organizing is important too but I guarantee someone is going to try this type of power grab again in the future.


We can make our tech impervious to tracking time and time again. Follow best practices, etc. It absolutely does help.

The shortfall comes in with backdooring and just getting access. There's nothing stopping a government that strongarms laws like this into law, from strongarming a company into giving access to data.


Mesh networks? Everything P2P.


Gnunet on the right track: https://gnunet.org/


Technology can be made impervious to spies but organisations based on humans cannot.


I've just started out freelancing, this is the kick in the pants I need to fill my downtime.


Fill your downtime with work to fill your pipeline.

Unless you plan on selling freelancing services related to anti-surveillance work (Security, building an audience in the area) really filling your time with anything but sales is going to hurt in a years time


If what you do during your downtime is directly related to your work then it can hardly be called downtime, now can it?


I assumed with the reference to starting freelancing (s)he referred to "time I normally would have spent at work but now cannot bill (i.e. 9-5 M-F)" as opposed to "time that never used to be work (i.e. sleeping, weekends etc.)".

Otherwise the freelancing comment would have been superfluous

But you read it how you like.


I've noticed that Britons, generally speaking, put a lot of trust in authority. They'll shrug it off or rationalize it when their government introduces another perverted law - the NHS works, so it can't be that bad, surely. Britain lacks a sizeable and vocal government-distrusting counterculture such as exists in Germany or the US. How you go about introducing that artificially, I don't know. The frog is being boiled too slowly.


Ah, yes. The US, where you don't have so much surveillance... but cops can just take your money because they feel like it. British police also follow the Peelian principles, so they do fewer things like send SWAT teams to batter down people's doors and point guns at innocents.

I'm not really seeing how US government application of authority is better than the UK's on the basis of a vocal citizenry.


That is interesting. Living in Sweden, and having lived in the UK for 15 years, I feel the Brits trust their government much less than the Swedes do. In the UK there is strong resistance against a national ID card, as an example. Whereas in Sweden you can hardly live without one.

I got the feeling that the Brits didn't trust their government with that info and control it implies. In Sweden we have the opposite: ID cards are seen as an asset and surveillance cameras are severely restricted by the government, for privacy reasons.


Resistance to the national ID card idea mostly came down to two things 1) cost to government, and 2) cost to citizens.

There's also the fact that ~87% of the population already hold a passport, and some of those that don't likely have a driver's license.


The funny thing is that the cost to the individual is negligible and the cost to government (and business) is low compared to the benefits. Less fraud, efficient identification processes etc.


I think we're fairly moderate people in general, so it's not so much excessive trust as just some kind of tacit understanding that things won't go to extremes because we're British (and also a tendency to avoid extreme reactions). I guess sometimes that's dangerous because there's a false sense of security, but perhaps there are other benefits to that.


Interestingly, privacy matters less to "wage-slaves" than to entrepreneurs.

Entrepreneurs value their reputations more, having to gain approval from strangers more often. Meeting with a customer/VC/bank/mayor/state committee/supplier for the first time? Good chance they'll google you.

In a typical corporate desk job, they do some basic checking (arrest record) at hire, then leave you alone.

I'm sorry this doesn't help directly, but I share it to help interpret the apathy of your typical human. Perhaps if they considered the future when they might be subject to judgment by a group they don't know.


Offtopic but why not call entrepreneurs "revenue slaves" or "investor slaves" if we are going to be fair.


I've always found the pro-privacy argument "well let me see your email then" to be weak. But when someone responds to this "here, no problem" this indicates exactly what the problem is: apathy.

A lack of privacy induces apathy. This is exactly what your friend responded from and acted upon. The better argument to start with, and one that counters apathy, is: I do not value privacy because I have many things to hide but rather because I have many things I value.


> But it's the same everywhere: introduce an encroaching bill, have uproar from those with their heads screwed on (the minority). Let it grow a little stale in the public's eye and keep reintroducing it with slight alterations until it passes into law.

So, is this the mere-exposure effect in practice? Or is there another psychological effect at play here?


I think it's that the government[0] can repeatedly propose the bill and wear down the public's will to fight it. They[0] don't appear to lose any/much standing from continuous proposals and people become apathetic towards continued fighting.

[0]whoever that may mean


Does something like this make a strong case for UK having a formal constitution to check the power of Parliament to make laws like this?


Not really. The UK is a signatory to the European Convention on Human Rights and the law can be challenged under that. See for instance here: http://www.theregister.co.uk/2016/01/20/human_rights_court_r...


This summarizes all what I could not forge into words.


Glad I could help, more than anything this was me getting the sense of helplessness of my chest!


Then you'd better do something because pretty soon you won't have the option to leave for a more enlightened jurisdiction.


Like the U.S? No point soon...


I think 'anigbrowl meant the Brexit thing...


No, the grandparent was correct...sadly. No hyperbole intended.


Yikes. All the more reason to embrace technologies like the Decentralized Web.

The solution to government surveillance is not laws - we've already seen that laws don't stop secret shadow government entities - the only defense is technology.


> Despite the uproar, the government's opposition failed to scrutinize any significant amendments and abstained from the final vote. Killock said recently that the opposition Labour party spent its time "simply failing to hold the government to account".

What the hell is the point of the Labour party these days? They are absolutely not an effective opposition. Worthless bastards, one and all.


What is Jeremy Corbyn supposed to do? He was elected twice by the overwhelming majority of party members on a socialist platform, but the majority of his MPs aren't socialist and support a "Blairite" (neoliberal) agenda. Since his election, those MPs have tried to force him to resign, staging various incidents (an MP calling Ken Livingstone a Nazi apologist for pointing out the existence of the Haavara Agreement, a heckler at a Gay Pride march who it transpired was an employee of a Blairite PR firm, a brick through an MP's window, except it wasn't her window and there was no brick, and several other incidents) and forced an unnecessary leadership election (and a court case challenging the incumbent's right to stand), when they could have been attacking the Government's policies. They refuse to join his shadow cabinet, so many of its members lack experience.

That's the current situation. Those MPs who caused the trouble can't be deselected until the next election. If Jeremy Corbyn was replaced by a neoliberal, Labour wouldn't oppose government policies to anything like the extent it now does, and would almost certainly lose any subsequent general election. Or we could dispense with democracy altogether.


The trouble with this is that Corbyn has done nothing whatsoever to oppose the Snooper's Charter or Brexit or the Psychoactive Substances Act or the (now delayed) attempt to neuter the House Of Lords (in fact I suspect he fully supports all of those).

What could he do? Step aside.


> Corbyn has done nothing whatsoever to oppose the Snooper's Charter or Brexit

Corbyn campaigned on the ground against Brexit all over Britain. It largely wasn't reported on in the national press though. Actually getting out amongst the people is seemingly his thing.

Corbyn appears to be being a socialist, shock!, and not dictating the position people should take but suggesting a position and fronting the position of the members of his party.

My take on Corbyn is if you want him to act then get the Party to support it.


He expended orders of magnitude more effort on the ground campaigning for himself weeks later. Of course, one campaign might have involved him sharing a platform with other political parties (more unacceptable, in Jeremy Corbyn's head, than attending IRA funerals or events run by SWP front groups that fellow leftists pointedly asked him to boycott) and preferably not using his supposedly pro-EU speeches to dismiss the economic arguments they'd made in favour of staying in the EU. The other involved attending rallies of people that had turned out to deliver him unquestioning applause and adulation.

It's Corbyn's closest ally in the Labour Party who is now suggesting that anyone with the temerity to still think leaving the EU is a bad idea is "on the side of certain corporate elites". That's certainly not following the lead of the membership.

On the Snooper's Charter he abstained, and whipped his party into abstaining. You can't blame anybody but Jeremy Corbyn for that.


And be replaced by which Labour MP who opposes these, who has widespread support as potential leader?


> What the hell is the point of the Labour party these days? They are absolutely not an effective opposition.

Hear, hear. They've even done a 180 over Brexit, which they now support, against the majority of their supporters.

Labour claims this is because they respect the referendum, which is ridiculous. It'd be like the Democrats becoming pro-life and anti-immigrant to "respect" the presidential election. You don't just give up your own ideals and platform for what won - well, not unless you're the modern Labour party.


Why would they oppose it? It was their idea in the first place. Putting the entire population under constant electronic surveillance may be the one thing they agree with Tories about.

https://en.m.wikipedia.org/wiki/Interception_Modernisation_P...


The value of the £ has been the official opposition since Brexit.


"The value of the £ has been the official opposition since Brexit."

I wonder if you realize that a declining value of the pound is likely to be positive for the British economy? It's not certain, but very likely ...

In fact, it might even be considered a feature of BREXIT.


The reduction of the exchange rate is unlikely to actually help the UK. Have a look at some of the academic research: while business leaders and politicians believe that a reduced exchange rate helps exporters, there's not that much evidence for it. Also, even if it does help exporters, from the perspective of average voters costs and inflation will go up - which they may not have thought through.


CGP Grey: Why the UK Election Results are the Worst in History:

https://www.youtube.com/watch?v=r9rGX91rq5I


> Worthless bastards, one and all.

Why write this crap? The Labour party is the biggest left wing party in Europe; are you saying everyone inside it is worthless?


They are also staggeringly ineffective and can't seem to decide what they stand for. Miliband was OK despite the "controls on immigration" equivocation, but since then the party has turned into a circular firing squad.

Going back into history, I'm fairly sure we saw attempts at invasive surveillance under Blair's Labour; Regulation of Investigatory Powers Act, and the failed ID cards scheme.

It's not even clear whether they're able to oppose Brexit.


That's because Blair's Labour Party was as right wing and authoritarian as the Tories they replaced. Both Corbyn's supporters and opponents know well what they stand for. The problem is it isn't the same things.

The only people who have any moral right to oppose Brexit are the Scottish nationalists and the Northern Irish republicans. England and Wales voted to leave.


> That's because Blair's Labour Party was as right wing [..] as the Tories they replaced.

That's revisionist, and demonstrably false. The Blair government brought in gay adoption, a minimum wage, the Freedom of Information Act, the Human Rights Act, civil partnerships, banned fox hunting with dogs, increased NHS investment by >25% in real terms, achieved the lowest unemployment in 50 years, slashed child poverty, and more. Minimum wage alone was considered a bold left wing move at the time. Blair made modern Tories softer, if anything.

It's sad that the Iraq debacle caused people to write off what was the most progressive and beneficial government this country had seen in decades - I can't see how anyone could equate it to the governments of Major or Thatcher.


I think it's a good example of why a simple left-right dichotomy doesn't cut it. The Blair government had a lot of great social-democrat policies and was genuinely redistributive. It also relied on control-freakery and media management; all policy had to come from the Blair-Campbell office. There was no mechanism for incorporating friendly critique. And some of its policy was genuinely illiberal, especially in the antiterrorism & surveillance area.

That may have been a hidden tradeoff for taking on the security establishment enough to get a peace deal in NI.


It wasn't just Iraq - it was PFI, identity cards, workfare, privatize-everything and a bunch of other stuff including the above-mentioned (and already pretty crap) RIPA. The "tough on crime" tabloid-feed propaganda ended up creeping into their actual political platform (thanks to Blunkett and friends), and by the end Blair just wasn't listening to anyone, completely lost in a Catholic neocon trip with authoritarian undertones. It wasn't just people writing him off, it was him shutting out everyone else and refusing to reconsider what had become untenable positions.


I stand corrected. Still right wing, but less right wing than, and similarly authoritarian as, the Tories during Labour's time in government. Source: https://www.politicalcompass.org/ukparties2010


Not hugely true. Blair's government improved the NHS and vastly improved the mess with Railtrack and decades of Tory underfunding of the railways.

They were more right wing than the preceding Labour administration, which was, what, 1979? But then that's probably a good thing, otherwise they'd never have been voted into office.

Parties have to shift with public sentiment and clearly Blair saw that and shifted to the New Labour ideology as evidenced by his 1997 landslide.


Are they willing to oppose?

Looking at it from the continent, it seems to me that Corbyn is entirely happy with getting out of EU, and is only "opposed" because he's supposed to be "in opposition".


The Labour Party's abstention on this bill is unforgivable. We need to hold the Conservative government to account for their deceit and utter incompetence. We need a strong opposition party now more than ever. But Labour have completely failed in that regard.

Yes, I realise Labour is up against our mostly Labour-hating right-wing national press who seem as culpable as our politicians in perpetuating lies and untruths to push their own agenda. (Is there any country in Europe that has a national press as vile, racist, and nasty as our national press in the UK?)

Labour should be pummelling the Conservative party for their endless lies and dishonesty. They should have ripped the Conservatives to shreds over this bill (as they should have for Brexit too).

Politics in the UK has never felt so oppressive, depressing and dysfunctional in recent memory than it is now. And it's probably only going to get worse.


There's an important difference between the members of the party and its members of parliament.


From the Labour wonks and spads I know, Corbyn was against it, but Burnham was adamant that he needed to support the bill to be seen as "tough on terrorism". Little comfort. Horrible, inevitable news.


A place to corral dissent, nothing more. Putting Jeremy Corbyn in charge and getting all the radicals to sign up as members to keep him in there (in the wildly mistaken belief that he would stand up for the causes the radical left holds dear) was simply a way of getting an up-to-date list of radical thinkers in the UK, who have now identified themselves as such, and indeed paid a few quid each for the privilege.

Assume your primary political platform has already been compromised and start setting up new loosely connected networks now.


The courage to abstain.


Yes, that's the correct response, blame Labour for all of this.


I didn't read it as blaming Labour, but rather stating a fact - they have done nothing to challenge this bill.


Will the citizens allow it to be passed if they knew about it via some news source? Of course "news" nowadays is more about the Kardashians or Justin Bieber than about things that require serious attention. This may have hardly got a tiny little square cm of area in newspapers or 30 seconds of air time. Thus sinks democracy. People who are informed are way fewer in number than non-informed people, but all get to vote, thus diluting the vote of well-informed people (whose number gets smaller and smaller as the quality of news sources declines). I think there needs to be a law that punishes false information, but at the same time protects journalism.


Quite a lot of them would be in favour of it as a means of "fighting terrorism". It's not so much what is reported as how it's spun.

The really big thing is the "internet connection record": every TCP connection you make is supposed to be logged by the ISP: https://www.gov.uk/government/uploads/system/uploads/attachm...

(just look at that list of justifications. Of course! It's about catching paedos! The all purpose justification for everything.)

Besides, it's been buried under the bigger politics news of the moment - Trump and the continuing mystery of Brexit.


This sounds like a potential (new?) attack type though. Just have software that pings certain illegal websites and bam - the target is now a paedo or whatever the attacker wishes.


Generating fake evidence to blackmail someone? No one would do that. They are too busy chasing terrorists.


For those that don't understand this comment, intelligence agencies are known for generating fake evidence and allegations to take down targets - and it's well known that intelligence agencies such as the NSA and GCHQ are not charged with missions to track down terrorists.

A very clever sarcastic comment I think will probably go under the radar because the OP omitted a "/s".


In the UK you can already go to prison for refusing to hand over the password to encrypted data. The thing is, anything can be encrypted data. So in theory someone can say that you have encrypted child pornography on your drive, and theoretically, you can go to prison for refusing to give your password to it, even if it doesn't exist.


Come visit my website! Make sure you have JavaScript enabled, friend! :o)


Overcomplicated, just send 'em an email with an <img> link.


It's all misuse of language. A spade should be called a spade. Here is a situation: the people staying in their own country and fighting against outside forces. Who is the real terrorist? Those outside forces that have no business being there in the first place are the ones doing the real terrorizing. The war on terrorism is just doublespeak. It's a war for profit, for political and monetary gains.

If as much as 10% of the energy and money spent for all this nonsense was actually used to fight poverty and improve infrastructure and research, we would've been technologically advanced to year 2100 already!


I accepted a long time ago that I will never be let into the US because of those HN comments, so...

If you regularly kill civilians at random with high explosives, with no way for them to even know something bad will happen, to the point you instill in them the fear of a clear blue sky, isn't that terrorism?

Hello drone strikes in Pakistan...


One fighting man is a terrorist. A thousand fighting men make an army.


I think you all are missing the bitter irony in the parent's comment.


No, it makes a terrorist organization.

(Also, there's zero fighting men on the shooting side, under these conditions it's more like people taking potshots with Hellfires).


Many people who didn't grow up with online communications don't value online communications and don't expect them to have the same levels of privacy as paper mail - but they'd be horrified if someone else opened their post.

If you mailed each of them (via traditional post) an envelope that was torn open and taped together with a message saying 'the government is doing this to all your mail' they may think differently.


I think that would be an effective public information campaign and this idea should be given serious consideration.


Seconding this. Great physical metaphor, gets to the point. Happy to help out if anyone is serious about it (I'm in the UK).


Not any more, now that no one writes real letters. How many people write letters? Come to that, how many people did write many letters even when it was the only way of doing it? Not many, I think. I'm 61 and I don't think that my parents wrote many more letters than I do, and that is almost none.

So I think it wouldn't be hard to spin opening letters in just the same way as opening network packets. After all only people who are already unusual write letters and those who are different are automatically suspect.

People should be careful of what they wish for. Arthur C. Clarke and Stephen Baxter wrote an interesting novel on the consequences of living in a panoptic society, The Light of Other Days.


They not only allowed it to pass, a disturbing number support it. The "Nothing to hide, nothing to fear" line has been rolled out in force, and if you express concern in public about this bill, you get suspicious looks. What sites are you visiting that you're so nervous about the government seeing? Some kind of terrorist or pedophile, are you? Then those same people will go home and download torrents of the latest movies, or watch them on their dodgy Kodi box, without a second thought. After all, that's not web browsing, and even if it is, it's not really like they're doing anything wrong, is it?


I think that is the key difference. People feel like these are only minor infractions and that those that have the data will only go after the "real" bad guys. Not realizing that there is a thin line being tread in that argument. Especially since historically we've seen movie studios able to get the data to send cease and desist letters. I also don't think people realize how easy it is to sift through that data.

Also I find it interesting that argument holds so much ground since it has been the catch phrase of tyrannical governments for a hundred years. In Sinclair's "The Profits of Religion: An Essay in Economic Interpretation" and from the mouth of Goebbels. Usually people try to distance themselves as far as possible from the NAZIs.


> Will the citizens allow it to be passed if they knew about it via some news source?

The answer is yes, unfortunately. The government in question has a history of terrifying its citizens into passing legislation. "Shock Doctrine".

Similarly in the United States, people very willingly accept legislation that erodes civil rights because they are frightened and because the purpose and scope of the legislation are obscured.


> I think there needs to be a law that punishes false information

> Thus sinks democracy.

Fixed the order of statements for you.


I meant a law for journalists, similar to malpractice lawsuits against doctors, if they keep spreading misinformation as news.


See your comment's sibling. You can sue for libel or negligence.

I found this page useful:

http://www.dmlp.org/legal-guide/proving-fault-actual-malice-...


Note that there are already laws that punish false information in some contexts, such as perjury, fraud and libel.


> I think there needs to be a law that punishes false information

Dangerous game to play there - who decides what is 'false information', is it the same body that doles out the punishment? If so, we're back at square one.


There's a push by the state to have communications providers enforce their truth for them going on today.

The above commenter is not speaking about something theoretical.


Yes, this has received extensive coverage over the last two years. Google "BBC snoopers' charter" for some examples.


The Snoopers' Charter did get coverage. I didn't think it would pass. If people in the UK voiced enough against it to their corresponding representative and this still passed, what good is democracy? It's a new government. They can keep it until the next elections unless there is a massive rally against it. By then all this becomes the status quo and the slippery slope continues.


It passed because uk.gov is passing all kinds of vile crap while everyone is distracted by Brexit.

Most people barely have time and energy for one campaign, never mind ten. So we're going to be seeing a lot more of this.

This is the most toxic and least competent government I've ever seen. And I've seen a few.


Protect your privacy with a VPN, either run your own or use one of the available providers. It's a shame you need to do this, but that's just the state of things.

Run your own with OpenVPN: https://openvpn.net

VPN providers (not affiliated, just ones myself or colleagues use): https://www.expressvpn.com https://www.goldenfrog.com/vyprvpn https://nordvpn.com


VPN will not protect your privacy, as VPN providers are monitored by state police and VPN protocols have been broken and backdoored by intelligence agencies (as disclosed in the Snowden Documents).


Just set up your own VPS with a VPN and use encryption.


https://en.wikipedia.org/wiki/Karma_Police_(surveillance_pro...

The GCHQ sit on the internet infrastructure, decrypt TLS sessions, and correlate accounts and activity to individual granularity.

The backbone of the internet is tapped, including from the termination of IPSEC/IKE into your VPN out to the internet again.

Giving the advice to people to "use encryption" and "use VPN" is going to get people killed.

Please, be responsible.


> decrypt TLS sessions

How do they do that? Do you understand how TLS works? They would have to MITM every session, and it would be immediately obvious as the key exchange wouldn't line up.

Unless you're implying they've found a way to solve the discrete logarithm problem?


Decrypt tls sessions? Please fuck off.


Oh there's a ton of ways to do it, from stripping, downgrade attacks, backdoored constants, precomputed tables for low order groups, shadow ca certs, etc.

I recommend reading the Snowden Documents, which disclosed a number of successful at-scale attacks on the PKI infrastructure.

I find it surprising there's so much ignorance in the Hacker News community about the state of encryption, especially given the newsworthiness of the Snowden Disclosures.

I also find the prevalence of 'shoot the messenger' regarding HN folks getting angry at me for pointing out publicly known issues with the current practice of commercial and consumer encryption.
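The comment above lists downgrade attacks and export-grade (low order) groups among the ways a TLS session can be weakened. The following is an added example, not code from the thread or from any project named in it: a small passive check a defender can run over captured ServerHello records to spot exactly that outcome, a negotiated export/NULL cipher suite or a protocol version below TLS 1.2. The cipher suite codes are from the IANA TLS registry; the ServerHello bytes used as input are constructed here for the test, not real captures.

```python
import struct

# Suites a passive monitor should flag (values from the IANA TLS Cipher Suite
# registry): export-grade RSA/DHE suites that FREAK/Logjam-style downgrades
# force the peers onto, and NULL suites that encrypt nothing at all.
WEAK_SUITES = {
    0x0000: "TLS_NULL_WITH_NULL_NULL",
    0x0001: "TLS_RSA_WITH_NULL_MD5",
    0x0002: "TLS_RSA_WITH_NULL_SHA",
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
}
TLS12 = 0x0303  # ProtocolVersion {3, 3}


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ServerHello (RFC 5246 wire layout).

    record = ContentType(1) | version(2) | length(2) | handshake body
    body   = HandshakeType(1) | length(3) | ServerHello
    hello  = version(2) | random(32) | session_id<0..32> | cipher_suite(2) | ...
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < 35:
        raise ValueError("truncated ServerHello")
    version = struct.unpack(">H", hello[0:2])[0]
    pos = 2 + 32                    # skip the 32-byte server random
    sid_len = hello[pos]
    pos += 1 + sid_len              # skip session id
    if len(hello) < pos + 3:
        raise ValueError("truncated ServerHello")
    suite = struct.unpack(">H", hello[pos:pos + 2])[0]
    return {"version": version, "cipher_suite": suite}


def assess(record: bytes) -> list:
    """Return a list of findings (empty means nothing to flag)."""
    info = parse_server_hello(record)
    findings = []
    if info["cipher_suite"] in WEAK_SUITES:
        findings.append("weak suite " + WEAK_SUITES[info["cipher_suite"]])
    if info["version"] < TLS12:
        findings.append("negotiated version below TLS 1.2: 0x%04x" % info["version"])
    return findings


def build_server_hello(version: int, suite: int, session_id: bytes = b"") -> bytes:
    """Construct a minimal ServerHello record. Test input only, not a capture."""
    hello = struct.pack(">H", version) + b"\x11" * 32      # constructed random
    hello += bytes([len(session_id)]) + session_id
    hello += struct.pack(">H", suite) + b"\x00"            # null compression
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack(">H", version) + struct.pack(">H", len(hs)) + hs


if __name__ == "__main__":
    # Healthy ECDHE/AES-GCM session versus a downgraded export-DHE session.
    print(assess(build_server_hello(0x0303, 0xC02F)))
    print(assess(build_server_hello(0x0301, 0x0014, b"\xAA" * 8)))
```

Run against real traffic this would sit behind a packet capture that hands it each server-side handshake record; the two constructed records in the main block show a clean negotiation and a downgraded one.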


A quote from his documents about TLS DECRYPTION (exactly decryption) would be much more convincing than "oh there is a ton".


Sure, there's been good journalist work compiling the state of the art here: http://www.spiegel.de/international/world/nsa-documents-atta...

But also, being familiar with the cryptography you are attempting to have a conversation about is a basic starter. For example, there were attacks listed in the prior comment following the "oh there's a ton" header. You seem to have glossed over those, but they are familiar topics to those who habituate themselves with the technicalities of cryptography and its practice.


Thanks for the link. I've read all of the docs (presentation slides) related to SSL/TLS and found only one weak point (Debian sessions). And none of them have information about decryption of collected traffic - collected encrypted traffic is useless; the only possible (at this moment) way is to intercept multiple things in live mode and try to decode data.

It's sad, but I'm still saying "use encryption", because alternative is "don't use encryption" and it's obviously worse. So I'm much more responsible than those who are trying to propose second option.


Sure thing!

Unfortunately I'm afraid that you missed a lot of the content! You had asked for specific documents, not news reporting that pieced the context together (for example following the code names of the various programs together to understand how the system works as a pipeline).

In doing so, I'm afraid you're deeply underestimating the capabilities of the NSA: expert analysis of the documents in question, along with the technologies, related programs and internal customer requests, indicates something much more startling than Debian session issues.

To put a point on that: TLS is broken at scale for billions of internet browsing sessions across platforms.

Given the short amount of time you've looked at the documents, I understand the misinterpretation you've arrived at. At the same time it's really impressive that you bothered to try to read the documents at all and you should be commended.

Please feel encouraged to continue reading.

A large number of documents are hosted on edwardsnowden dot com and search functionality is provided here: https://search.edwardsnowden.com/

Der Spiegel, The Guardian and The Intercept provided good analysis of the documents as they were being released and that can be found at the websites respectively.

> It's sad, but I'm still saying "use encryption", because the alternative is "don't use encryption" and it's obviously worse. So I'm much more responsible than those who are trying to propose the second option.

Yes. I agree with this. Just don't recommend this as 'enough' to people who have a serious need to protect their communications. If someone is worried about their porn habits, sure. But recommending this for sensitive use (journalists, dissidents, organizers, politicians, administrators) can lead to very serious outcomes.

For these cases, it is important to have frank conversations about the limitations of freely available and widely distributed tools.


They do, if your connection can be forced into using a low grade cipher, or you made the mistake of allowing DH[E] with a common group. Both mistakes which were (are?) common, incidentally. They were decrypting a good fraction of global TLS traffic not so long ago...
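
To make the two points above concrete (the earlier list of stripping, downgrade and weak-group attacks, and this post's warning about low-grade ciphers and forward secrecy), here is an added Go example that is not code from anyone in this thread. It audits a crypto/tls server configuration and reports the settings that let recorded traffic be decrypted later (static RSA key exchange, where one leaked server key unlocks every past session) or let an active attacker negotiate a weak protocol version or cipher, with a weak and a hardened config side by side. The function names Findings, WeakConfig and HardenedConfig are my own choices. Go's crypto/tls never offered finite-field DHE, so the "common DH group" case from the post cannot be shown here; the example covers the version-floor, legacy-cipher and no-forward-secrecy cases.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// Findings inspects a crypto/tls config and reports settings that make
// captured traffic decryptable after the fact (RSA key exchange has no
// forward secrecy) or that allow a downgrade to a weak version or cipher.
// Only explicitly listed suites are checked: a nil CipherSuites defers to
// Go's defaults, and TLS 1.3 suites are not configurable so never appear.
func Findings(cfg *tls.Config) []string {
	var out []string
	// MinVersion 0 means "use Go's default", which for servers has
	// historically allowed TLS 1.0; insist on an explicit floor of 1.2.
	if cfg.MinVersion < tls.VersionTLS12 {
		out = append(out, "MinVersion below TLS 1.2 (or unset): protocol downgrade possible")
	}
	for _, id := range cfg.CipherSuites {
		name := tls.CipherSuiteName(id)
		if strings.Contains(name, "3DES") || strings.Contains(name, "RC4") {
			out = append(out, name+": legacy cipher with known weaknesses")
		}
		if strings.HasPrefix(name, "TLS_RSA_") {
			out = append(out, name+": RSA key exchange, no forward secrecy")
		}
	}
	return out
}

// WeakConfig is a constructed example of the configuration the thread warns
// about: TLS 1.0 still accepted, static-RSA and 3DES suites allowed.
func WeakConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS10,
		CipherSuites: []uint16{
			tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
			tls.TLS_RSA_WITH_AES_128_CBC_SHA,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		},
	}
}

// HardenedConfig keeps only ECDHE (ephemeral, forward-secret) AEAD suites
// over modern curves and refuses anything below TLS 1.2.
func HardenedConfig() *tls.Config {
	return &tls.Config{
		MinVersion:       tls.VersionTLS12,
		CurvePreferences: []tls.CurveID{tls.X25519, tls.CurveP256},
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		},
	}
}

func main() {
	for _, c := range []struct {
		name string
		cfg  *tls.Config
	}{{"weak", WeakConfig()}, {"hardened", HardenedConfig()}} {
		findings := Findings(c.cfg)
		fmt.Printf("%s: %d finding(s)\n", c.name, len(findings))
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```

Running it prints four findings for the weak config (the version floor, 3DES, and two static-RSA suites) and none for the hardened one. The same checks are what a reviewer would apply to any server's cipher list: forward secrecy is the property that makes bulk collection of encrypted traffic useless to whoever later obtains the server key.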


It's social engineering, not TLS decryption.


If you go down that route, convincing the public to use and standardizing backdoored and broken cryptography would also count as social engineering.

The communications are decrypted.

This is done through a combination of backdoored cryptography, state of the art cryptanalysis, and mass social engineering (propaganda).

Namely, you're not proposing something that's mutually exclusive to decryption of data.


I wrote what I wanted to write, enough with sophisms.


I understand that you wrote what you wanted to write.

Unfortunately what you wrote was FUD in the worst case and misinformed in the best.

Anyway I think we both are at a point where we understand the other's point of view. Thank you for the conversation. I believe we both hope a lot of HN folks will stumble over it over the next few days. :)


And again you are trying to offend me even when I'm trying to stay calm in this conversation. And it's all just because I recommended to use encryption, lol. Fuck off and bye.


Eugene.

We agree about the need to use encryption.

We disagree about its limitations, and how to use it effectively.

Unfortunately this isn't a theoretical debate. Journalists, for example, around the world are being killed at increasing rates by governments, with this year reaching an all time high. State surveillance is an issue of tremendous importance for civil rights and personal freedoms. Our conversation and recommendations have to be sober and give candid, informed advice.

I think you absolutely have the right motivations: to encourage people to protect themselves from state coercion and violence.


What is your view of Private Internet Access [1] in terms of their claims of "zero knowledge" privacy?

[1] https://www.privateinternetaccess.com


I use https://ipredator.se.

"IPredator was launched in 2009 as a response to a growing trend of Internet censorship, in restrictive regimes as well as so-called open societies. Our main goal is to provide a seriously non-discriminating access flatrate for the Internet."

I may be mistaken, but I believe it was built by or connected somehow with The Pirate Bay.

https://en.wikipedia.org/wiki/IPredator


If you run your own VPN will they not just log traffic from the endpoint (if in the UK) then tie it to you with billing records?


Depends where you're running your VPN. If you're running it on a server in the US they might not have access to that information.


Skip the US. Our surveillance agencies are in bed, and American VPN providers can be strong-armed with an NSL. Use a VPN incorporated and with exit points in a more neutral/second-world country.


I personally recommend:

https://www.mullvad.net/


Second that! Vultr offers OpenVPN as a one click app, it's super easy to get it running on a $5 vps.


What is the easiest way to explain to the average citizen that the "Nothing to hide, nothing to fear" argument is not a good reason to let the Government keep tabs on your online activities? Most people don't give any thought to online privacy, and that truly scares me.


"Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say."

- Edward Snowden


That argument isn't good enough, unfortunately. As many people will respond with "well, yeah, I don't have anything important to say."


The fact that they can't even think that they might want to be able to say "I value my human rights" at some point is severely worrying. Bunch of philosophical zombies.

If they're anything other than white skinned, blue eyed, blonde haired, heterosexual, male, centrist-politically leaning (or one of the other few extremely simplistic predefined options - analogy: the block-shapes-through-the-board children's game) - history called. It's got some advice to give - but, of course, barely anyone is listening. (except the government. No, they're listening plenty... just not to history - they're too busy listening to the sound of hubris!)


But everybody is equal!


The only way I have had any success is to describe the problem in terms of "wrong place wrong time" + "misinterpreted evidence" scenarios. This is something I wrote up a while back to try to explain it to a family member:

---------------------------------------------------------------

Imagine a crime takes place in a certain area. Using surveillance technology, police identify everyone who was in the area around the time of the crime. They do this through license plate recognition, face recognition, cell phone tracking, and credit card receipts. You happen to be on that list because you were shopping at a nearby store earlier.

You're now technically a suspect in a crime, although there's a thousand other suspects, and you have nothing to hide, so no big deal, right?

A witness saw the perpetrator running away from the crime. They only saw them from the back, but report that the suspect is a tall white male around 40 years of age.

So police narrow down that list to just people who fit this description. Uh oh, the list is now only about 50 people, and you're one of them.

The crime appears to be a potential race-motivated hate crime. Using web profiling, investigators search for those 50 people to look for any history of involvement with hate groups. The algorithm they use has over-zealously classified certain extreme right wing news sources as potential markers for hate crime.

You're not particularly worried, I mean, you're obviously not some crazy racist. There's no way they'd be interested in you.

But you forgot - six months ago, you started to get interested in the immigration debate, and posted on several anti-immigration forums.

With the additional profiling, the list narrows down to 8 suspects, including you. You happen to fit other markers for this kind of crime as well - you live alone, work a less prestigious job, neighbors say you don't go out much.

Now you're a suspect in a crime. You'll almost certainly not be convicted, because there's no direct evidence. But good luck explaining that to your employer, your family, your friends, and the criminal defense lawyer you now have to pay for.

Still think you have nothing to hide?


Nice write-up. Bonus: It comes just in time for traditional Thanksgiving family arguments!


This doesn't read as very convincing to me. Do you have experience of the justice system?

There's no way the CPS in the UK would take a "well he was probably in the general area based on his number-plate, and he reads the Toadygraph newspaper and is in the 52% who are for Brexit", even along with matching a general profile for criminals, and seek a prosecution on that basis. Not to mention it would be a huge miscarriage of justice to convict. And that the courts don't have time for arsing around with people who may have a tenuous link to an area where a crime may have been committed; we don't have time, seemingly, for the "certain" cases.

But what about the people who don't support racism/xenophobia, read a mix of news sources, aren't male (and so don't match with crime profiling). Are you saying their argument for not needing strong encryption is valid? That would seem to be a corollary of your hypothetical situation, you've cherry picked long-shot situations compounded together that would lead to a case laughed out of court - no motive, no evidence, no credible witnesses.

>Still think you have nothing to hide? //

Seems like ~99% of people reading that who weren't convinced beforehand would say "yes".

Also, if they're savvy they know that the store where you went has your MAC address logged for customer tracking and corroborates your story (due to "privacy violation"), the car park away from the scene on their number-plate cam shows you stayed in the area long after the alleged crime and so weren't fleeing, another shop has you on their in-store tapes at the time the police say the crime was committed.

Now the Toadygraph has picked up your story and someone leaked that you wouldn't have been picked up if you weren't a reader; the Barclay brothers are threatening to pull their Tory party funding and so the PM is putting pressure on the presiding Chief of Police to make an example of the department responsible.

Lawyers are starting to contact you (they got your info because you left your friend list open on Facebook) and are offering to lodge a case for unlawful arrest for you and the compensation they're suggesting looks promising ...

Meanwhile people are wondering why the police didn't catch the perp; the police say it's because they don't have access to all the data they need due to public privacy concerns ...


No, I don't have experience with the UK justice system, so perhaps my comment isn't as relevant for this specific article.

That said, even if this specific scenario isn't realistic, discussions about the problems with surveillance state don't have to be grounded in "what happens right now" because the information stored today is available to future regimes and the specific technology involved is continuously changing.

> But what about the people who don't support racism/xenophobia, read a mix of news sources, aren't male (and so don't match with crime profiling). Are you saying their argument for not needing strong encryption is valid?

Not at all, and I'm surprised that's what you would conclude from my statement. Obviously not every crime ever has that specific profile. The point was that when you have tons and tons of information about everyone, that is all categorized and geotagged and searchable and machine-learnable, it's a LOT easier for a completely innocent person to become a suspect.


I like to use the fact that nothing to hide and privacy are different. You don't hide the fact that you use the bathroom, but you still go to a dedicated private room and close the door.


And the only time you might decide to hide the fact is when faced with the knowledge that someone may come, at any time, and force the door open.


I find this 2006 column by Bruce Schneier to be most lucid and succinct:

The Eternal Value of Privacy

http://archive.wired.com/politics/security/commentary/securi...


Logically speaking, hundchenkatze's riposte seems best: that hiding and privacy are two different things.

Practically speaking, I believe it's impossible to convince most people, including myself, to change their behaviour online. In my opinion this is because most people feel detached from any instrumental or guiding role in their society. They simply have no agency, no say in what is done to them and what is done in their name. Because of this perceived abyss between them and the state, the notion that its magnifying glass will be turned, one day in the future, upon them personally, is incredible. The distance is too great. And because they feel like they have no stake in the fate of their society, their browsing habits are anyway innocuous: they probably rightly think that they won't raise any flags. To leap from that state of affairs to a future in which individuals start to be singled out for their browsing habits requires an effort of the imagination that most of us don't have the time or energy to undertake in the detail needed for it to be realistic or even actionable.


Many of the responses given to this question are fairly weak, eg. "but what if you don't want people to see you naked?". Invasion of privacy affects someone's dignity, sure, but it's the fact that it makes one _politically neutered_ that's the actual issue and is harder to explain.

Here's one response: "Imagine if you ever wanted to join the Occupy Wall Street movement or something like that. All of a sudden the government, who will now see you as a threat, can go through everything you've ever done and hold it against you. Remember that one time you pirated a movie? Jail time. Remember that one time you experimented with drugs? Jail time. They will dig up something from your past and use it against you. Oppression is not a theoretical idea and not only an historical problem. Having all information about yourself available essentially makes you politically neutered."

I'll be putting together a set of real-world examples to further emphasize the point.


John Oliver's "Dick Pics" seem like a pretty good argument that can reach average citizens.

https://www.youtube.com/watch?v=XEVlyP4_11M


The relevant part is https://youtu.be/XEVlyP4_11M?t=1487, at 24m47s in.

Do average citizens send pictures of their genitalia to people? Are you saying that the gov is downloading everyone's photos, or are you saying they have the capability?

I want law enforcement to have the capability to access images pertinent to an investigation when they have a warrant; it seems harmful to justice to prevent that by legislation. Oliver appears to be saying because the government can access such information they're necessarily over-powered; surely without such capability then they'd be incapable of following even the most basic of criminal organisations and certainly incapable of tracking information pertinent to defence from foreign powers and, yes, domestic terrorism.

"If the government were looking at pictures of my penis that would upset me."

The question is if you say "would you agree to the government being able to see all the pictures on a device of a suspected criminal, eg in a murder investigation" how many will say "no because they might see an image of the suspect's dick and so it would be an invasion of privacy". Now "if you were the main suspect in a murder investigation, should the government be allowed to see the pictures you stored on your device"?

We all know a large proportion of people would want to hide naked images of themselves from casual observers, but TBH if the cost of cracking a terrorist ring is a government operative seeing a picture of me naked then I'll tie a bow on it and send it in gift wrap; I'm shy but it's only a body part.

The argument has been simplified by Oliver beyond what is relevant. There's much more nuance than he's pretending there is IMO.

Now, if the government agencies have agents viewing for private reasons images that are downloaded, or they're accessing data that has been acquired illegally then we have something to work on. Doubtless that happens.

PS: I'll admit I've not followed the Snowden case in depth as it's not particularly interesting to me. I'm much closer to the "nothing to hide" people than the "the government knows what toilet paper I use, the world will end tomorrow" people [nice and objective!] as you may have surmised.


I'm closer to the "nothing to hide" sentiment too (and personally I believe that a lot of privacy we take for granted is a historical aberration created by urbanization and is doomed to be removed by the progress of technology). Nevertheless, reducing the series of laws to the question of "will this particular law allow the government to see my dick (and if so, under what circumstances)" is useful, because it focuses on the things an average citizen can understand and relate to, while at the same time revealing that not every surveillance law actually implies snooping on private data.

"Dick pics" are actually a pretty good example of something one clearly doesn't want to share with third parties, but may not be aware that they're already sharing (or can be sharing under circumstances that may not be immediately obvious).


Point out that surveillance is an issue concerned with the integrity of attorney-client privilege, dissidents and journalists who DO have things to hide even though they are not criminal.


The tactic I always use is that historically, the government does not have good intentions when collecting data on ethnic minorities such as myself.


My counter to this argument is I ask "Who decides what you should hide?" The answer is the government, which is not always on your side or right or ethical. I think (hope) people in the US will get this argument now that Trump has been elected.


>The answer is the government //

Which is short for "the democratic will of the people" in a democracy. If the government is some elite group that you don't want governing you then vote them out.


"Nothing to hide, nothing to fear"

"And yet here you are, wearing clothes."


Read up on the history of government abuse of power and explain to them why doing nothing wrong will not protect them, and the necessity of standing up for others.


No no no, this is a very ineffective tactic because most people don't have the time, energy, or ability to read and comprehend history sufficiently well.

Just ask them if they'd be comfortable with Donald Trump or Nigel Farage being able to read their browsing history for a year. If they are, there's no point in talking to them. If they're not, then introduce them to Tor.


I don't mean you should tell others to read, I mean read up on it yourself and tell others what you learned.


I guess in the US you could take advantage of the current Trump Scare.


Oddly I can't find any other sources reporting this. I'd have expected it to show up in at least one other place (e.g. BBC News).

I'm not trying to imply that it's not accurate, I'm just confused by the lack of info. And the article doesn't really reference anything other than other zdnet articles, so it's really hard to tell exactly what form of the act got passed - did all the really controversial stuff actually make it in?


Here's the Open Rights Group (a UK group who aspire to emulate the EFF) on the latest development - note in particular the link at the bottom of the article, to their "campaign hub" on the bill:

https://www.openrightsgroup.org/press/releases/2016/ipb-will...

And, for what it's worth, a brief report from The Register:

http://www.theregister.co.uk/2016/11/16/british_pols_sign_of...


The BBC is dodgy. That might sound like blasphemy, but year after year I'm increasingly aware of blatant bias, omissions, misrepresentations. The BBC is not to be trusted.


Quite old, but there was an article on the BBC: http://www.bbc.co.uk/news/uk-34713435


When this was originally proposed I thought it would never get passed because it sounded like something right out of 1984. Amazing. I thought the ridiculous 'Agree to this cookie' nonsense was stupid but this is now just very creepy. National database for keylogging next?


Don't worry, the 'Agree to this cookie' thing is an EU directive. So that's what the UK is currently destroying their economy in order to be free from.


'Agree to the cookie' has the opposite intention: it's warning you that a company (often Google) is tracking your behaviour online.


This is bad news for Brits. One problem I see is the storage. If the ISP stores this information it makes their users open to hacking of personal data. A bigger problem than the phone hacking scandal. [0]

The title is inaccurate. Australia introduced storage of Internet usage logs (metadata) at ISP providers for two years in 2015. [1],[2]

[0] http://www.telegraph.co.uk/news/2016/11/17/three-mobile-cybe...

[1] https://en.wikipedia.org/wiki/Mass_surveillance_in_Australia...

[2] https://en.wikipedia.org/wiki/Telecommunications_(Intercepti...


So the British government is just rubber stamping what they had already been doing in secret and technically illegally for the last twenty years.

I can't wait till they get hacked and someone dumps every parliamentary minister and lord's dubious Google searches for the public to see.


It was illegal until they brought in retroactive legislation in the middle of the night making it legal for them to hack. What's the point in having laws?

Most politicians want these intrusive powers in spite of them being against the ECHR Act. Nobody to vote for or dare you vote at all?


ISP and mobile phone company 'Three' had 6 million customer database records compromised the same day as this story. http://www.bbc.co.uk/news/business-38022309

You probably won't have to wait long.

Although it won't actually reveal search content, only that they went to Google.com (and maybe that their browser tried to preload content from the top search result domains?)


The whole planet is descending into fascism, put in place by the old generation who doesn't understand technology while the new one is too busy inventing the next toilet sharing app.

I guess everyone will enjoy this last century...


It will be interesting to see the response when this data is hacked and the browsing histories of the politicians who passed it are released to the public.


It doesn't even need to be hacked. Sooner or later some politician will get that info on his/her opponent, it's inevitable. And, compared to your average person, a politician has a lot more at stake.


This will be highly effective, provided such a release can still be done in a controlled internet.


Coming into possession of such information will soon be a crime in and of itself.


The first thing that comes to mind here is that data is only good if it is quality data... dirty data isn't good or reliable.

Coming up with a way to dirty the data from our IPs (i.e. a program that randomly hits domains via multiple browsers that everyone just runs as a background service)


I think this too and am considering running a web crawler full time.

If enough people were willing to do this we could create a massive distributed index to rival google's.


Not that simple. Unless you get some prodigies involved in this, the government will be able to apply more math at filtering the noise than we'll be able to throw at generating it.


Just run a tor exit node. Problem solved, sort of.


Until you're being questioned in connection with child porn. I'm glad that Tor exists but the crimes that some people commit with it make it impossible for me to run an exit node. There are things I don't even want to be remotely associated with.


How is this any different from the EU Data Retention Directive we've had for a decade already?

Somebody should make a "feature matrix" and explain this.


Are you referring to the Data Retention Directive [1], which was invalidated in 2014? Or are there still other EU-wide laws on data retention?

[1]: https://en.wikipedia.org/wiki/Data_Retention_Directive


I wasn't aware it was invalidated. Of course, each member state had already implemented this directive into national law, and I don't believe the national laws immediately became void.

For example, a quick google shows that just last month the Constitutional Court in Romania declared the Big Brother law doesn't infringe on the constitutional rights so data retention continues. All data is kept for 3 years.


If we can't fight them in the courts then we fight them where we are comfortable. Now more than ever we need to start outpacing the law using technology. We've done this before and we can do it again. Bits move faster than bureaucracy :)


I will just leave this here: https://www.privateinternetaccess.com


I just feel like using a VPN, while legal, might already put you on some list of "suspicious" users. Surely, if you have something to hide, then you are worth investigating closely.


Which is why we need to push as many people as possible to use VPNs; they already have too much straw and too few needles, so let's give them even more straw.

The reality is that no one in the know thinks this has anything to do with terrorism and everything to do with political control.

If you don't have the right to privacy then all other rights are subverted. Previous governments have used the state security apparatus to monitor perfectly legal political activities; they've proven again and again they can't be trusted with this kind of power and we let them give themselves more (and legalise all the illegal shit they were already doing).

The reality is the UK (which traditionally has been a less free society for a 'free' society) is rapidly sliding into something you can't realistically call a free society.


The surveillance state has always been about political control. Terrorism is merely the justification.


>Terrorism is merely the justification. //

You've lost sight of any balance when you start claiming that terrorism is just an idea used to justify state oversight and not an actual problem of organised harm/killing of peaceful civilians.

https://en.wikipedia.org/wiki/7_July_2005_London_bombings - presumably you think that's just a huge fiction created so the government can get hold of your holiday snaps.


I think one can acknowledge that terrorists and terrorist attacks are definitely a real thing that exist, and at the same time one can think that the current reaction is completely out of proportion, where the whole society is giving away its freedoms to prevent a really minor threat?


I'd happily live with the lightning strike probability of being involved in a terrorist attack than the certainty that the government will abuse this data to subvert opposition.

Trading the rights of millions of people to combat terrorism hurts more people than the terrorists could ever hope to touch.

This doesn't even factor in solutions terrorists can use to avoid surveillance, or answer the question of if all this surveillance even reduces terrorism in the first place.


52 people killed in those bombings, eleven years ago.

More people than that died in 1 week of road accident deaths in the same year, and in 2 weeks of road accident deaths in 2013 [1]

Talking about numbers and causes of deaths in the UK, for comparison:

The UK Office of National Statistics (ONS) published that death registrations increased from 2014 to 2015, saying "There were 24,065 more deaths registered in the first three months of 2015 compared with the same period in 2014, with 11,865 of these extra deaths registered in January alone, when flu was circulating at its highest levels." - totals, 501,424 deaths in 2014 and 529,613 deaths in 2015. [2]

ONS also published: "In 2014, nearly a quarter of all deaths (23%; 116,489 out of 501,424) in England and Wales were from causes considered potentially avoidable through timely and effective healthcare or public health interventions."

and "In 2014, just under a third of deaths (32% or 1,443 out of 4,571) in children and young people aged 0 to 19 years in England and Wales were from causes considered avoidable through good quality healthcare" [3]

In the news today, NHS people are warning that there isn't enough money to provide all the services it needs to, even with the planned budget increases. [4]

There just isn't any comparison in the numbers. Terrorism is not fiction, the hugeness of terrorism is fiction - at least, it appears to be, absent any concrete details of numbers of plots discovered and averted, which we'll never get.

But if 52 dead is one of the biggest attacks in the UK in decades, how likely is it that avoided attacks would even approach 1400 children per year who die of preventable causes, let alone 11,000 people/1 year who apparently died of flu while flu vaccines exist?

[1] https://www.gov.uk/government/publications/annual-road-fatal...

[2] https://www.ons.gov.uk/peoplepopulationandcommunity/birthsde...

[3] http://www.ons.gov.uk/peoplepopulationandcommunity/healthand...

[4] http://www.bbc.co.uk/news/health-38019771


OK and the highest rate of murders in large countries around the world is something like 30 per 100,000 .. so we should just let people commit [other] murders because they're low incidence compared to cancer say?

How do you think that murder rate will change if you don't seek to address it at all?


We were talking specifically about terrorism in the UK, not murders in the USA.

USA should ban private gun ownership, obviously. This would do a lot for their murder rate, it would do a lot for their "people killed by toddlers" rate, and it would be a lot cheaper and less invasive than ISPs logging 300M internet access records for a year.

Prioritize things which have high impact, are easy to address, and have specific good outcomes. Not "anti terror" metrics which are vague, difficult and expensive to address, and have extremely low impact.

TSA isn't a good system. And it doesn't become a good system just because 'we have to do something about some crimes'. Sure. Do something better, and do it about more important problems.


What you are trying to avoid is mass surveillance.

Targeted attacks by intelligence agencies and police forces are probably a lost battle anyway.


Trying to avoid getting caught in a 'lets see who visited this random page in the past YEAR because it recently added some "illegal" content, so all who visited must be punished' situation.


I'm using SOCKS over SSH. SSH is kinda part of my job, so it shouldn't be suspicious, right? Oh. I forgot. I'm a Linux user, who runs custom firmware on his router, probably already treated as dangerous.


Been using these guys for a few years now, best use of $40/yr. You'll occasionally get blocked on certain sites (which you can often fix by simply changing location), but their infrastructure is definitely impressive. I get to use the full speed of my connection, which ironically is not always the case when I'm not connected through PIA (there's definitely some selective throttling going on, even though my ISP pretends there isn't).

So sure, I'm probably on a bunch of watch lists, but at this point it's hard to care anymore, it feels like everybody is in one way or another, everybody will be found guilty should someone decide so... I actually have legitimate reasons for using VPNs, but moves like this from governments around the world just give me even more of an incentive to use VPNs.

One can only hope that politicians will be done in by the very same rules they're blissfully pushing through.


Does Netflix work through it? I have a DO box that I use as a VPN, and Netflix has blocked it recently.


Unfortunately, Netflix doesn't work through PIA, they apparently aggressively block IP ranges from most major VPN providers, so the issue isn't specific to PIA. This is a bit of a "screw you" to privacy-conscious people, but then again Netflix have their own issues to deal with (whether legitimate or not is a different conversation). Two things I do on occasion: have a box dedicated to watching Netflix, that isn't on a VPN (which might not help if you're trying to bypass national licensing restrictions), the other is to tunnel my connection to one of my servers through the VPN, which works fine, though it's a bit of a pain.


Don't think so. Netflix got really good at blocking all VPN and datacentre IPs.


I've had PIA, AirVPN, and now iVPN. Definitely a fan of iVPN. They are organizational members of the EFF (for what it's worth), and their service has been the fastest I've used thus far. A bit pricey though.


Until VPNs become illegal...


That would be a very hard fight for them, since enforcing it without fundamentally breaking the way the internet works would be very expensive to a lot of very wealthy companies, and sadly in this 'democracy' the people with the money are heard the loudest.


> That would be a very hard fight

Not at all. It's enough to point the finger at commercial VPN providers and claim the users are doing suspicious things including filesharing, and encourage ISPs to block VPN providers by address block.

Many ISPs would love to do that because they want to inspect cleartext traffic and sell metadata.

Of course corporate VPNs would be left untouched. There.


> It's enough to point the finger at commercial VPN providers and claim the the users are doing suspicious things.

The problem there is we live in a containerised world: how would they stop someone running a 'recipe' that creates a VPN on something like AWS/Digital Ocean and uses that as the VPN exit point?

The only way to deal with that is to have a central licensing authority for VPNs where you have to hand over the keys, and that's going to be a massive and expensive fight for them.


> how would they stop someone running a 'recipe' that creates a VPN on something like AWS/Digital Ocean

They don't need to. Even if 10% of citizens were able to do that, controlling and censoring information for the 90% is way more than enough to manipulate people's perceptions and ideas, and thus, democracy.

Not even Stasi or the "great firewall" of China aimed at 100% success rate - they simply don't need to.


>controlling and censoring information for the 90% //

What you appear to be alleging is that by being able to access the threads I saw on Al-Jazeera or Reddit or what-have-you that the government can somehow control the information I'm receiving enough to manipulate me to serve their political ideals. Freedom of the press may not be perfect in the UK but it seems close enough that a government can't manipulate democracy simply by monitoring internet use.

UK population is 65M. Reported crimes (which includes littering and traffic violations AFAICT) is about 1 per mille in the UK [1]. There's no way the gov are using the criminal justice system to control the population to a significant extent, they certainly can't control the criminals. The prisons are full. The establishment can try to jump up crimes but the scale they need to do that to control the population seems enormous compared to the resources available.

If you can write a lie on the side of a bus and have the country vote against their best interests then why on Earth would you try and carefully contrive criminal activity in order to stop people from visiting websites you don't like to subtly alter a few people's perception of the political situation. Seems entirely bonkers.

[1] http://www.nationmaster.com/country-info/stats/Crime/Total-c...


> Seems entirely bonkers

Throughout the last 100 years there have been examples across many dictatorships and engineered democracies where incredible amounts of effort have been spent on achieving information control. Dragnet surveillance proved many times to be effective at chilling free speech and intimidating dissenters.


Did those places have a strong rule of law, free press, legislation giving human rights freedoms, very open government? We're not really talking about information control either, it's data gathering. I hear you on the chilling effect but can't really believe that anything I say in my lifetime will be sufficient to prompt a judge to allow a warrant against me.

Sure, with a huge regime change this sort of law could later prove troublesome but we'd have to have changed our entire way of life first it seems.

Your reaction seems reasonable if you're in a malevolent dictatorship; despite its problems I don't find the UK being anywhere close to that politically.


> enforcing it without fundamentally breaking the way the internet works

China does this. They fundamentally break the way the internet works. They don't seem to care.


Then people would just resort to steganography. It wouldn't be terribly difficult to mask asymmetric traffic that appeared to come from a youtube-like "site", or symmetric traffic that looks like skype video but with encrypted packets inside the compressed video transport layer. This is an unwinnable fight and I can't believe anybody would be stupid enough to try.


The Chinese Great Firewall is quite good on those topics AFAIK.


Used hide.me so far. Speeds there were really good and the company is not located in Europe or the US.

But this is much cheaper, any experience? Especially using it in the UK, does it increase latency significantly?


https://www.tunnelbear.com/ gives you 500MB of traffic for free.


By a company called "London Trust Media" run from Los Angeles, CA? Uhm, I don't know...


A company with a history of covering up breaches and making very dubious claims about their ability to resist law enforcement.


How is that supposed to help? Go sell snake oil elsewhere; recommending this stuff actually puts people's lives at risk.


The only thing putting people at risk is portraying privacy as suspicious. Everyone should use a VPN.


Yeah right, because using PIA==privacy.

How about we refer people to actual privacy tools like Tor instead?


Tor has zero to do with privacy and everything to do with anonymity.


Does anonymity not imply privacy?


No, due to browsers leaking data and state actors controlling tor end points.

They still know someone out there is doing something, and can build ad profiles and threat profiles on them, they just can't link those profiles to you easily: that is anonymity.

Privacy would be inability to build useful profiles.


Interesting. But if someone could remain anonymous, even with a profile being created for that "anonymous entity" and there is nothing tying that anonymous profile back to a real person, that would still seem to be private to me. If the anonymous profile could be connected to a real person, that would seem to be neither anonymous, nor private.


Is that ever possible? Every interaction is going to have side channels and fingerprints.


You can't entirely defeat it, but you can eliminate, or disassociate, as many things as possible.


Nonsense. Protecting traffic from nosy ISPs and carriers is exactly privacy and it's one of Tor's stated goals.


Plaintext over Tor is still plaintext.


Of course, but your ISP is not going to read it.


More so than PIA? Also make sure to tell the Tor project that, all of their marketing material disagrees with you.


There is no single method of protecting privacy; VPNs are privacy against commercial-level actors.

Tor has its own bounds, but people should use that, too. I generally think the internet is barely usable over TOR, but I don't need state-level privacy.

My point being is that these are valid tools with valid uses, and people should understand and use them, NOT that VPNs are anything other than a way of encrypting and proxying traffic.


>I generally think the internet is barely usable over TOR //

I've only used Tor Browser (adding to the noise!), nothing beyond web. Could you go into what makes the internet "barely usable" over TOR? Do you mean speed, or are there other things you're trying to accomplish that can't be done?


It's really just a speed thing—it's not worth the anonymity tradeoff for me.

Of course, maybe I should put my money where my mouth is and use it to improve it for people who DO find the tradeoff worth it.


A VPN like Private Internet Access is among the best things a consumer can do to protect their privacy.

PIA is $3.33/month. My internet bill is $50/month.

I like to think of it as a $3 upgrade from an open line to a secure line. It's a no-brainer for me. Really it should be a default option from your ISP, only they can make a hell of a lot more than $3.33/month from you if they can read all of your data.


As a UK resident: I know that I can only avoid logging traffic by using a VPN.

But the domain logging part bothers me the most. Does anyone here know how they will do it? Could I just use another DNS server? Or will they intercept HTTP headers?

If I'm not mistaken, they could still extract the domain names from https traffic but no exact history?

Anyway, a reason more to use https everywhere, reduces sharply what they can see.


Most of the negative comments on this story are in the context of stopping a state actor who's specifically targeting you. The rest of this comment is covering the "drag net" effect of this legislation - any one individual is not being targeted, it's a situation where everything is caught up.

If you change nothing then your provider will be able to track your DNS traffic (site you're going to) and unprotected traffic (non-HTTPS). You can't use another DNS server because the protocol is in the clear so they could just track that even if it's not on their network - though it would be real work and they might not bother to do so.

Using a VPN will protect all your network traffic which means both DNS looking up the domain and traffic to/from the sites you're going to. Note that the VPN provider should be outside the UK jurisdiction - from there decide on your level of paranoia.
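To make the two points above concrete (DNS queries travel in the clear, and HTTPS still exposes the hostname in the TLS ClientHello's Server Name Indication, which is what "top-level web history" can be built from), here is an added example. It is my own code, not anything posted by a commenter or shipped by any VPN provider. It uses only the Python standard library; both packets are constructed inline rather than captured, and the parsers do nothing more than read the plaintext fields an on-path observer already sees.

```python
"""What an on-path observer can read from a DNS query and from the first packet
of an HTTPS connection, without breaking any encryption.  Added example: both
packets below are constructed here, not captured from a network."""
import struct


def build_dns_query(name: str, txn_id: int = 0x1234) -> bytes:
    """Construct a minimal DNS A query (RFC 1035): 12-byte header + question."""
    header = struct.pack(">HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split("."))
    qname += b"\x00"                                  # root label terminates the name
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def dns_query_name(packet: bytes) -> str:
    """Read the queried name out of the (plaintext) DNS question section."""
    pos = 12                      # skip the fixed header
    labels = []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        labels.append(packet[pos:pos + length].decode())
        pos += length
    return ".".join(labels)


def build_client_hello(hostname: str) -> bytes:
    """Construct a TLS 1.2-style ClientHello record carrying an SNI extension (RFC 6066)."""
    host = hostname.encode()
    server_name_list = struct.pack(">BH", 0, len(host)) + host   # name_type 0 = host_name
    sni_body = struct.pack(">H", len(server_name_list)) + server_name_list
    sni_ext = struct.pack(">HH", 0x0000, len(sni_body)) + sni_body  # extension type 0 = server_name
    extensions = struct.pack(">H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"                              # client_version: TLS 1.2
        + bytes(32)                              # client random (zeros: constructed example)
        + b"\x00"                                # session_id length 0
        + struct.pack(">H", 2) + b"\x13\x01"     # one cipher suite
        + b"\x01\x00"                            # compression methods: null only
        + extensions
    )
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body  # type 1 = ClientHello, 3-byte length
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake  # record type 22 = handshake


def tls_sni_hostname(record: bytes):
    """Return the host_name from a ClientHello's SNI extension, or None if the
    record is not a ClientHello (e.g. encrypted application data)."""
    if len(record) < 6 or record[0] != 0x16:   # not a handshake record
        return None
    pos = 5                                    # past the 5-byte record header
    if record[pos] != 0x01:                    # not a ClientHello
        return None
    pos += 4                                   # handshake type + 3-byte length
    pos += 2 + 32                              # version + random
    sid_len = record[pos]; pos += 1 + sid_len
    cs_len = struct.unpack(">H", record[pos:pos + 2])[0]; pos += 2 + cs_len
    cm_len = record[pos]; pos += 1 + cm_len
    if pos + 2 > len(record):
        return None                            # no extensions block at all
    ext_total = struct.unpack(">H", record[pos:pos + 2])[0]; pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack(">HH", record[pos:pos + 4]); pos += 4
        if ext_type == 0x0000:
            p = pos + 2                        # skip server_name_list length
            while p < pos + ext_len:
                name_type = record[p]
                name_len = struct.unpack(">H", record[p + 1:p + 3])[0]
                if name_type == 0:
                    return record[p + 3:p + 3 + name_len].decode()
                p += 3 + name_len
        pos += ext_len
    return None


if __name__ == "__main__":
    print("DNS query names:", dns_query_name(build_dns_query("example.com")))
    print("TLS SNI names:  ", tls_sni_hostname(build_client_hello("example.com")))
```

Switching to a different resolver does not change the first result, since the query itself is readable on the wire; encrypting the transport to a resolver or tunnelling everything through a VPN does. The second result is why HTTPS alone hides the path and page content but not which site was visited.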


>I know that I can ... avoid logging traffic by using a vpn.

Are you sure? I'd expect you'd be hard pressed to explain how that would be the case. Hint: how do you facilitate secure key exchange with an untrusted man in the middle? I know public key exchange is a thing, but I don't know much about it, just that I wouldn't trust it. Do you?

Check this link, for example: https://www.ietf.org/mail-archive/web/ietf/current/msg93416....


We have to remember that this law still forces ISPs to do something that costs them money. They won't do more than requested in the law, especially if it means buying more servers just for that.

Agencies can of course do that, but that's independent of the law.


Why would it cost them money, when the tax payer can afford it?


VPN has been thoroughly defeated. China, UK and US state law enforcement monitor VPN use. (Snowden documents, for example, revealed that VPN traffic can be readily decrypted.)

ISPs and police will use every mechanism including DNS, HTTP, IP addresses, CRL behavior, ad tracking markers embedded in pages and more to determine your browsing behavior and history.

The best way to defend yourself against this is to lie down and comply.


Do you have a link to the "VPN has been defeated" documents? Didn't Snowden say exactly, that the only thing to trust is strong encryption?

> ISPs and police will use every mechanism including DNS, HTTP, IP addresses

Surely VPN will protect you from all of that?

My main concern is police/ISPs logging all VPN traffic, and then when they want to use some of it, they subpoena your VPN provider for the keys. Though, maybe forward security fixes this? They could also secretly force every provider to log everything at all times? But surely there are enough providers that some would have leaked it?
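Two questions in this sub-thread have a concrete answer: how two parties agree a key over a path that is being logged, and whether forward secrecy helps when a provider is later asked for its keys. The following is an added example, my own code and not any commenter's or any VPN product's implementation: a pure-Python X25519 (the Montgomery ladder from RFC 7748) used as an ephemeral Diffie-Hellman exchange. Both sides pick a fresh private key per session and throw it away afterwards; the passive logger's record is exactly the two public values. The key derivation is an HKDF-style extract-and-expand over SHA-256, simplified to a single output block for the example; the 0x09 base point and the clamping rules are the RFC's.

```python
"""Ephemeral Diffie-Hellman over Curve25519 (X25519, RFC 7748) in pure Python,
showing what a passive on-path logger records (two public values) and why a
later disclosure of long-term keys does not recover the session key.
Added example, not a VPN protocol implementation."""
import hashlib
import hmac
import secrets

P = 2**255 - 19   # field prime
A24 = 121665      # (486662 - 2) / 4
BASE_POINT = b"\x09" + bytes(31)


def _decode_scalar(k: bytes) -> int:
    """Clamp the 32-byte private key as RFC 7748 section 5 requires."""
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def _decode_u(u: bytes) -> int:
    u = bytearray(u)
    u[31] &= 127                      # mask the unused top bit
    return int.from_bytes(u, "little") % P


def x25519(k: bytes, u: bytes) -> bytes:
    """Scalar multiplication via the Montgomery ladder (RFC 7748 section 5)."""
    x1 = _decode_u(u)
    k_int = _decode_scalar(k)
    x2, z2, x3, z3 = 1, 0, x1, 1
    swap = 0
    for t in range(254, -1, -1):
        k_t = (k_int >> t) & 1
        swap ^= k_t
        if swap:
            x2, x3 = x3, x2
            z2, z3 = z3, z2
        swap = k_t
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3 = x3, x2
        z2, z3 = z3, z2
    result = x2 * pow(z2, P - 2, P) % P
    return result.to_bytes(32, "little")


def derive_session_key(shared_secret: bytes, transcript: bytes) -> bytes:
    """HKDF-style extract then one expand block (RFC 5869 shape, simplified):
    binds the key to the public values both sides actually saw."""
    prk = hmac.new(b"", shared_secret, hashlib.sha256).digest()
    return hmac.new(prk, transcript + b"\x01", hashlib.sha256).digest()


def run_exchange(alice_priv: bytes = None, bob_priv: bytes = None):
    """One session. Returns (alice_key, bob_key, observed) where `observed` is
    the complete record a passive logger on the path could keep."""
    a = alice_priv or secrets.token_bytes(32)   # ephemeral: discarded after use
    b = bob_priv or secrets.token_bytes(32)
    a_pub = x25519(a, BASE_POINT)
    b_pub = x25519(b, BASE_POINT)
    observed = a_pub + b_pub                     # the only bytes that cross the wire
    a_key = derive_session_key(x25519(a, b_pub), observed)
    b_key = derive_session_key(x25519(b, a_pub), observed)
    return a_key, b_key, observed


if __name__ == "__main__":
    k1, k1_bob, seen = run_exchange()
    k2, _, _ = run_exchange()
    print("both sides agree:", k1 == k1_bob)
    print("logger holds 64 bytes, key is not among them:", k1 not in seen)
    print("next session has a different key:", k1 != k2)
```

What this does and does not show: a passive logger keeping `observed` cannot compute the session key, and because the private values are fresh per session there is no long-lived key a provider could later be compelled to hand over that would decrypt old captures. What it does not solve is an active man in the middle who substitutes his own public value in both directions; a VPN client defeats that by checking the server's public value against something it already trusts (the server certificate or pinned key in its configuration), which is the authentication layer these exchanges always sit under.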


I was going to write up a dossier, but found one created by Der Spiegel here: http://www.spiegel.de/international/world/nsa-documents-atta...

Yes, trust strong encryption.

VPN isn't strong encryption. Or rather, VPN is not necessarily strong encryption as most of the VPN standards and implementations have either been backdoored or weren't designed for strength against state actors.


> most of the VPN standards

What VPN standards are you talking about?


IPSEC, IKE.


From the (excellent list of) papers you listed, it seems the weaknesses are not so much that the encryption can be broken, but that you can do all kinds of man in the middle and timing attacks. Does this mean, that as long as you are not being actively attacked, the security is acceptable? That is, if you are only trying to avoid passive logging?

I guess in either case, it would be better to just go with OpenVPN. I really don't understand why it isn't natively supported in Android, OSX etc.


No.



I know this is not a great solution, but wouldn't a week long ban on UK IP addresses by major websites (Google, Facebook etc.) raise awareness? (or a redirect to a page describing why this law is the issue)


Share holders ain't gonna love that


How difficult would it be to swamp the monitoring system with noise?


That's what I'm thinking as well. I only need to do a crawler, doing HEAD requests only, piping into /dev/null, in theory.


So all your HEAD requests get filtered out when the db gets queried, leaving all your GETs and POSTs etc.

Also better hope your crawler doesn't hit any illegal sites (there are loads according to UK law).


> (there are loads according to UK law).

No, there really aren't.


It sickens me that Britain passed the most extreme surveillance law ever.

America is supposed to be number 1 at everything. C'mon congress, get on the ball! Don't let America be out done by Britain.


In America, the government doesn't need a law to conduct extreme surveillance. They just do it and don't give a shit what the public think.


We prefer to do it outside the public eye. Why have laws when you can do it in secret?


After I heard this was likely to get passed, I set up a VPN on my server based in France. I now funnel my traffic through this VPN, so now all web connections are end-to-end encrypted and not subject to UK ISP logging. I suggest to everyone who is capable of setting up and running a server to do something like this.


As other people have said, there are a few steps you can take to protect yourself in the near to medium term future:

1) Use Signal
2) Use Tor
3) Use a VPN
4) Reduce your digital footprint - especially if you use social media

What was once paranoid fantasy now just seems like prudence. What a time to be alive, eh?


1) Signal does not and cannot protect information about who you are in contact with, when you contact or are contacted by them, and how long your conversation is.

2) Tor has been both infiltrated organizationally, academically broken, and is occupied by police on most of its exit nodes. This without the operational burden it puts on users. Tor is 'just okay' at protecting users, and should never be used alone.

3) Use a VPN you can trust. Most VPN (especially cheap and free services) are monitored by state police.

4) To add here, try not to have your pictures and locations uploaded online and do not carry a cell phone.

I want to add to the list:

5) Do NOT be a target. This is the opposite rule of the usual "if you have nothing to hide": DO NOT have anything to hide. Your opponents in the game of 'hide' are intelligence agencies and state police. It's much better that you comply and focus on narrow interesting technical problems than social or civil rights - as being outspoken and interested about the latter makes you a target.


5) is probably the most depressing thing I've read for some time. We should all make the effort to do exactly the opposite.


Disagree with 5.

You just need to know a target not be one. And by know that means ever have sent an email. The plumber you contacted last year for example. When he gets investigated you are on the list.

Avoiding working on social or civil rights? Seriously? So just let things get worse but I'm all right jack?

4 is the best but unfortunately following this makes one marginalized in this society. Being contactable is almost expected. Is the citizens band still a thing?


Good points, and an interesting addition too.


Is it possible to confidently bypass this intrusion of privacy using VPNs or some other system?


Wow, didn't realise it had made it this far let alone being passed today.

Does this law cover non-residential IP traffic? I would like to set up a VPN but would prefer to be recognised as being physically located in the U.K. while browsing Google and Netflix.


Since people are mentioning VPN, be aware which server you use. You might want to stay away from servers in 14 eyes countries.

https://en.wikipedia.org/wiki/UKUSA_Agreement#9_Eyes.2C_14_E...

A few useful resources when deciding between VPNs:

1. That one privacy guy - https://thatoneprivacysite.net/vpn-comparison-chart/

2. https://www.privacytools.io/


Isn't this sort of thing inevitable? I mean, the more technology advances the easier and cheaper it becomes to build terrorist devices or WMDs. Therefore society, in order to protect itself, has to be vigilant about how the relevant knowledge disseminates. An analogy might be an individual guarding against suicidal thoughts.

More interesting to me is how to create mechanisms to control who gets access to the data and under what circumstances. I think in the UK we have a pretty bad record of local councils and other busybodies using snooping powers not intended for them.


So, they just codified what they have been doing for the past decade. Much like the E911/etc bill here in the US, apparently ones use of technology removes _ALL_ pretenses of privacy.


I hope the ISPs add a separate line item to internet bills for all of the costs to implement this system so people can see how much this is costing them.


BTW, these would totally be incompatible with EU privacy shield laws. Enjoy your 'deregulated' post Brexit state


Outsourcing to companies what its intelligence agencies have been doing for decades.

https://en.wikipedia.org/wiki/Karma_Police_(surveillance_pro...


Who exactly is going to pay for this? The govt or ISP/consumer?

And if as another comment suggested, what happens if there's a concerted effort of spamming the system? How much data are they actually willing to hold?

People aren't so apathetic on issues when told they have to pay more.


The way I read the story, this law which was passed is modifying surveillance laws, rather than completely oppressing people with something new.

What can the average British subject do? I know they do not have the funds nor the legal and political acumen to do anything about it.


This leads me to consider that although ISPs previously weren't forced to collect users' browsing history, they had the legal right to. The only difference the bill does is to share the power corporations had with the government.


This is just crazy. It's like anyone could be a criminal, so let's treat everyone like one? Feels like a huge invasion of basic human rights.

Alas, I feel like the US isn't far behind. It feels like this will be the norm soon enough.


What do you do when your leaders go against the will of the people? You get new leaders. When they do it again? Try again? When they just keep doing it? Then what?


What do you do if this is the will of the people?


It's time for user-friendly p2p, local internets.


packet amateur radio


What are the most effective measures a British citizen could take right now to escape this surveillance?


Why are people in UK tolerating this?



Soo... What is the UK government so scared of that they need to do this?


Assuming these decisions are bred out of any sort of 'necessity' is assuming sincerity from the government.


The same thing every government is.

A peasant revolt.


The people. You're now in a political cold war where one half of the population is effectively held hostage by the other. Democracy is already over for all practical purposes.


I'll be generous. Probably to catch more criminals, and to police more cost effectively. Doesn't mean this is right.


Political opposition and dissent.


The British people.


Is there a way that I can browse privately or just not at all any more?


Let's fervently hope we won't see a demonstration of how to organize a devastating terrorist attack in the UK without using a single telephone or internet connection.


The "extremest", one could say.


Blofeld is happy, at least.


What a sensationalist title. I was expecting a comparison with surveillance law in other countries and the result to be something outrageous. Turns out it's just sensationalism and it ends up being the kind of surveillance that has been enacted around the world in the last few years; mandatory ISP data retention has been active for 10 years in France[1].

It was even a European directive, directive 2006/24/EC or the data retention directive[2], for all members of the European Union from 2006 to 2014, when it was invalidated by the Court of Justice of the European Union. Interestingly this directive came into existence while the UK had the presidency of the EU in 2005.

>According to the directive, member states will have to store citizens' telecommunications data for a minimum of 6 months and at most 24 months.

Why is zdnet trying to present this UK law as if it was something out of the ordinary? Switzerland[3], Canada's bill C-51[4], Germany[5], Australia[6], Italy[7], and more[8] (Estonia, Greece, Spain, Hungary, Latvia, Lithuania, Luxembourg, Malta, Portugal, Ireland) all have mandatory data retention laws.

Then again none of those are actual democracies (the closest being Switzerland) and that's pretty much the reason these laws made to spy on citizens are possible.

[1]: https://en.wikipedia.org/wiki/Law_on_the_fight_against_terro...
[2]: https://en.wikipedia.org/wiki/Data_Retention_Directive
[3]: http://www.bbc.com/news/world-europe-37465853
[4]: https://en.wikipedia.org/wiki/Anti-terrorism_Act,_2015
[5]: https://www.huntonprivacyblog.com/2015/10/16/german-parliame...
[6]: https://en.wikipedia.org/wiki/Telecommunications_(Intercepti...
[7]: https://edri.org/edrigramnumber3-16italy/
[8]: https://www.purevpn.com/blog/data-retention-laws-by-countrie...


> Why is zdnet trying to put this UK law as if it was something out of the ordinary ?

Because the 2006/24/EC data retention directive [1] didn't say anything about browsing history, and even then it was invalidated by the Court of Justice of the European Union. The new UK law however:

"The law will force internet providers to record every internet customer's top-level web history in real-time for up to a year, which can be accessed by numerous government departments; force companies to decrypt data on demand -- though the government has never been that clear on exactly how it forces foreign firms to do that; and even disclose any new security features in products before they launch."

[1] http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2... (read "Article 5" "Categories of data to be retained")


Brazil passed that a few years ago as part of Marco Civil - a 1 year period too, which can be extended on request from the authorities:

>Art. 13. In the provision of internet connection, it is the duty of the respective autonomous system administrator to keep the connection records, under confidentiality, in a controlled and secure environment, for a period of 1 (one) year, under the terms of the regulation.

It demands the storage for 1 year of "connection access registers", defined as:

>VIII - internet application access records: the set of information regarding the date and time of use of a given internet application from a given IP address.

I.e. user IP, access data, and info on the accessed website/application.


It's similar, but a little less bad than this UK one.

- It requires ISPs to identify their clients, and site administrators to keep logs of access. Thus, no single party must keep a complete identifiable log. The police must join the pieces every time they use the data.

- It has no provision for the government forcing companies into disclosing user's data. Brazilian law has no "decrypt data on demand" requirement. It's only about access logs.

- There's no provision for the government hacking into people's computers (although that may exist on some other law I don't know about).

Anyway, it's a bad law. If it was evenly enforced, it would forbid a lot of services people use in Brazil.


It's not the same thing, as in Brazil the investigating forces will need to get a warrant from a judge to have access to that data. Exactly the same way it happens for phone records or private bank accounts.

This data is protected by law, and is considered private, so only a judge, in an ongoing investigation, when asked by police forces, when investigating crimes for instance, can grant access to this data.

As I understand from what I read in the article, the UK government has direct access to that data, so the privacy of its citizens is not respected or granted by the rule of law.


They do not need a warrant, read Article 11.


It says exactly the opposite of what you are trying to imply.

>Article 11. In any operation of collection, storage, custody and treatment of records, personal data or communications by connection providers and internet applications in which at least one of these acts occurs in the national territory, shall be obligatorily respected the legislation and the rights to privacy, the protection of personal data and the confidentiality of private communications and records.

http://www.planalto.gov.br/ccivil_03/_ato2011-2014/2014/lei/...


The new Prime Minister Theresa May does not hold any principles that would place limits on the powers of the government. She was a well known "champion of the snoopers charter" (wiki) when she was home secretary. There is a British tendency to be overbearing authoritarians that provides fuel to their various secession movements. Britain is unlikely to maintain its current borders for many years after Brexit.


> does not hold any principles that would place limits on the powers of the government

This is why opposition exists. If only they were doing their job, instead of fighting amongst themselves.


>There is a British tendency to be overbearing authoritarians

It's not IMO a British tendency but instead a tendency of the British upper classes as they feel they are superior in every way to the lower classes and so deserve superior rights and freedoms .. and once the EU is out of the way they'll be able to get rid of the convention on human rights and return things to their former glory.

Next year I hear May is going to bring in a child tax where if you have more than one child and don't sell the extra ones in to serfdom you have to pay an additional 50% income tax on income up to the first £32k. /s



