News Government to publish new Snooper's Charter Bill

Gareth Halfacree · 4 Nov 2015

Calls for encryption ban, history retention.
http://www.bit-tech.net/news/bits/2015/11/04/new-snoopers-charter/1

yodasarmpit · 5 Nov 2015

Seems incredibly naive, banning encryption would simply break the internet and the use of a simple VPN would render history retention useless.

Corky42 · 4 Nov 2015

Although it's to early to know wouldn't simply changing your DNS servers to ones outside the UK bypass any recording of the sites you visits?

EDIT: Re the man-in-the-middle (MITM) attacks on their own customers: Don't the Security Services already have that capability? Not knowing the details of how a MITM attack is done i maybe wrong, but don't the SS already have both the technically and legal powers to carry out Computer Network Exploitation (CNE): aka hacking into devices.

Anfield · 4 Nov 2015

Theresa May, the answer to the question which two words make freedom and common sense flee in horror.

Corky42 said: ↑

Although it's to early to know wouldn't simply changing your DNS servers to ones outside the UK bypass any recording of the sites you visits?
Click to expand...

Nope, all your data still has to go through your isp, so they'll still know what you wanted from the non isp dns and what came back.

Gareth Halfacree · 4 Nov 2015

Corky42 said: ↑

Although it's to early to know wouldn't simply changing your DNS servers to ones outside the UK bypass any recording of the sites you visits?
Click to expand...

Nup, but using a VPN with its endpoint outside the UK would. (Well, except for Windows' habit of leaking DNS queries...)

Corky42 said: ↑

EDIT: Re the man-in-the-middle (MITM) attacks on their own customers: Don't the Security Services already have that capability? Not knowing the details of how a MITM attack is done i maybe wrong, but don't the SS already have both the technically and legal powers to carry out Computer Network Exploitation (CNE): aka hacking into devices.
Click to expand...

Yes, but this is very, very different. At the moment, the security services would have to target a specific network, attack it, and install their own back-door without being noticed; under the new Bill, they just have to ask the service provider nicely. Let's use a couple of examples:

Current Method
Bob encrypts a message with Alice's key, and sends the encrypted message via Messaging App. Alice decrypts the message and reads it. The Messaging App has no idea what the message was, and cannot tell the security services; they will need to go directly to Bob or Alice to find out.

Proposed New Method.
Bob encrypts a message with what he thinks is Alice's key, but is actually Messaging App's key, and sends the encrypted message via Messaging App. Messaging App's server decrypts the message and re-encrypts it with Alice's actual key before sending it on. Now, the security services can simply ask Messaging App for a copy of the message - or, chillingly, for a copy of all messages - without having to involve Bob or Alice.

That's what the government is proposing: a ban on end-to-end encryption in favour of encryption which has additional keyholders beyond its users - either the companies themselves, who will be required to turn message content over on request, or the security services so they can decrypt the content at will.

Nice, eh?

Gareth Halfacree · 4 Nov 2015

The draft Bill is now live on GOV.UK, and it claims to 'not impose any additional requirements in relation to encryption over and above the existing obligations in RIPA [Regulation of Investigatory Powers Act.' It does, however, include a section extending the right of 'equipment interference' - modifying or otherwise attacking computers, smartphones, tablets, and other communication equipment for the purpose of eavesdropping or mass communication capture - beyond the security services to law enforcement and the armed forces.

Hakuren · 4 Nov 2015

Orwell couldn't write it better.

theshadow2001 · 4 Nov 2015

How exactly can they ban end to end encryption?

Gareth Halfacree · 4 Nov 2015

theshadow2001 said: ↑

How exactly can they ban end to end encryption?
Click to expand...

By voting to turn a Bill into an Act, the same way they ban anything else. (But, as per my update, the draft Bill as-written does not seek to ban end-to-end encryption, beyond reaffirming that it may already be illegal if applied by the service provider under the existing Regulation of Investigatory Powers Act.)

The relevant section, on Page 29, 62.b:

The Government said:

RIPA requires CSPs to provide communications data when served with a notice, to assist in giving effect to interception warrants, and to maintain permanent interception capabilities, including maintaining the ability to remove any encryption applied by the CSP to whom the notice relates.
Click to expand...

So, by my reading, the Government's argument is that end-to-end encryption is already illegal under RIPA, if applied by the Communications Service Provider. In other words: you're still free to send me an email encrypted with GPG, but heaven forefend you use a service like Tor Messenger which automatically encrypts content and doesn't keep a decrypted copy and/or skeleton key.

Fun fact: this means that everything from Apple's iMessage to Microsoft's Skype is retrospectively illegal in the UK, unless said companies are offering backdoors in their encryption to the Government. I guess we'll find out if they are when said services either continue running without modification or go dark...

Corky42 · 4 Nov 2015

@Anfield & Gareth, I'll take your word for the DNS thingy as IDK enough about the inner workings of DNS resolution.

@Gareth, Apologises i should have said/stated that isn't what they're proposing with the MITM thing something they already do, that isn't what this bill proposes is just to make what they already do easier, less detectable, quicker.

theshadow2001 · 4 Nov 2015

What I should have said is can't people just source their software outside the uk. But if they put emphasis on the service providers then a good deal of software will be compromised. Unless they use non uk service providers.

Cert Cameron went to school with some data storage mogul.

Corky42 · 4 Nov 2015

Anfield said: ↑

Nope, all your data still has to go through your isp, so they'll still know what you wanted from the non isp dns and what came back.
Click to expand...

Sorry for bringing this up again, i was a little rushed with last reply.

Without having read the details of the new Snoopers Charter is it know yet how their going to record the sites people visit? By that i mean could/are they going for the cheapest option, saving the DNS logs for a year?

Phil Rhodes · 4 Nov 2015

Presumably.

As with most of these things, given the VPN/Tor/etc services available, the sad fact is that well-set-up organised crime will find this preposterously easy to work around, no matter how much of a vicious old hag Teresa wants to be.

Corky42 · 4 Nov 2015

Gareth Halfacree said: ↑

So, by my reading, the Government's argument is that end-to-end encryption is already illegal under RIPA, if applied by the Communications Service Provider. In other words: you're still free to send me an email encrypted with GPG, but heaven forefend you use a service like Tor Messenger which automatically encrypts content and doesn't keep a decrypted copy and/or skeleton key.
Click to expand...

That's not my understanding of it, isn't the Communications Service Provider (CSP) what we understand as peoples Internet Service Provider?

Gareth Halfacree · 4 Nov 2015

Corky42 said: ↑

That's not my understanding of it, isn't the Communications Service Provider (CSP) what we understand as peoples Internet Service Provider?
Click to expand...

No, it's anyone providing a Communications Service. So, your ISP, your telephone company, Microsoft, Apple, Google, whoever. If they provide a service you can communicate by, they're a Communications Service Provider - otherwise it'd just say "ISP."

Corky42 · 4 Nov 2015

Not the most authoritative source i know but this wiki article disagrees, is how the government defines the meaning in the bill?

EDIT: Just skimming through the PDF of the bill now so forgive me if this turns out to be wrong, but from my understanding someone like Microsoft, Apple, Google would/could be the communications service that someone is using but critically their not the provider, the provider (i think) would be your ISP.

Gareth Halfacree · 4 Nov 2015

Corky42 said: ↑

Not the most authoritative source i know but this wiki article disagrees, is how the government defines the meaning in the bill?

EDIT: Just skimming through the PDF of the bill now so forgive me if this turns out to be wrong, but from my understanding someone like Microsoft, Apple, Google would/could be the communications service that someone is using but critically their not the provider, the provider (i think) would be your ISP.
Click to expand...

Don't rely on a Wikipedia language stub for this sort of thing. Let's go to the horse's mouth and have a look at this PDF:

Acquisition and Disclosure of Communications Data Code of Practice said:

Throughout this code an operator who provides a postal or telecommunications service is described as a communications service provider (‘CSP’). The meaning of telecommunications service is defined in RIPA and extends to CSPs providing such services where the system for doing so is wholly or partly in the United Kingdom or elsewhere. This includes, for example, a CSP providing a telecommunications system to persons in the United Kingdom where communications data relating to that system is either, or both, processed and stored outside the United Kingdom. Section 4 of the Data Retention and Investigatory Powers Act 2014 (‘DRIPA’) clarified that communications data acquisition powers under RIPA are exercisable in respect of those CSPs that provide a service to the United Kingdom from outside of the country.
[...]
Sections 2(1) and 81(1) of RIPA defines ‘telecommunications service’ to mean any service that consists in the provision of access to, and of facilities for making use of, any telecommunication system (whether or not one provided by the person providing the service); and defines ‘telecommunications system’ to mean any system (including the apparatus comprised in it) which exists (whether wholly or partly in the United Kingdom or elsewhere) for the purpose of facilitating the transmission of communications by any means involving the use of electrical or electro‑magnetic energy. Section 2(8A) of RIPA makes clear that any service which consists in or includes facilitating the creation, management or storage of communications transmitted, or that may be transmitted, by means of such a system are included within the meaning of ‘telecommunications service’. Internet based services such as web‑based email, messaging applications and cloud‑based services are, therefore, covered by this definition. The definition of ‘telecommunications service’ in RIPA is intentionally broad so that it remains relevant for new technologies.
Click to expand...

As unlikely as it may seem, I do have something of an inkling regarding that about which I speak...

Corky42 · 4 Nov 2015

Gareth Halfacree said: ↑

Don't rely on a Wikipedia language stub for this sort of thing. Let's go to the horse's mouth and have a look at this PDF
Click to expand...

Well that's why i said it wasn't the most authoritative source and asked if we knew how the government defines the meaning in the bill.

Gareth Halfacree said: ↑

As unlikely as it may seem, I do have something of an inkling regarding that about which I speak...
Click to expand...

I never claimed you didn't, i even said forgive me if my understanding turned out to be wrong.

As neither of us are lawyers (you're not are you?) we are probably going to have to wait for a definitive answer, but i would still respectfully disagree with your interpretation of what a CSP is, while i don't question the information you quoted, I'm still not convinced as a "telecommunications service" is not the same thing as a "communications service provider"

Adding to my hesitation/skepticism to call it either way is also if, as you suggest, that's how RIPA defined it then why had those services like Microsoft, Apple, Google not been (afaik) abiding by the laws laid out in the RIPA bill.

Gareth Halfacree · 4 Nov 2015

Corky42 said: ↑

As neither of us are lawyers (you're not are you?) we are probably going to have to wait for a definitive answer, but i would still respectfully disagree with your interpretation of what a CSP is, while i don't question the information you quoted, I'm still not convinced as a "telecommunications service" is not the same thing as a "communications service provider"
Click to expand...

Dude, read what I quoted. The whole quote, not just the bold bits. Now read it again. Now again. Once more for luck.

Now let me paraphrase it, just in case you've been reading what you expected to see and not what was actually there:

A Communications Service Provider (CSP) is defined as an operator providing a telecommunications service. (Agreed?)

A telecommunications service is defined so as to specifically include internet-based services such as web-based email, messaging applications, and cloud-based services. (Agreed?)

Therefore, an operator providing an internet-based service such as web-based email, messaging applications, and cloud-based services is a Communications Services Provider.

Those aren't my definitions; they're the Government's.

Now, you can be sceptical or hesitant all you like, but you'll also be wrong.

Oh, and as to being a lawyer: no, I'm not - but I do interview them.

Bungletron · 4 Nov 2015

Gareth Halfacree said: ↑

Dude, read what I quoted.
Click to expand...

Cheers for going through all that dude! If you are right this is no **** up either: when the government says to a comms service, 'tell me what they said' the wording seems to suggest they want to give the service no excuse to hide behind for handing it over.

Just a thought, if I set up an encryption company that did no communications at all and then made plugins to work with every major communication app going do you think that would be cool?

Log in or Sign up

News Government to publish new Snooper's Charter Bill

Gareth Halfacree WIIGII! Lover of bit-tech Administrator Super Moderator Moderator

yodasarmpit Modder

Corky42 Where's walle?

Anfield Multimodder

Gareth Halfacree WIIGII! Lover of bit-tech Administrator Super Moderator Moderator

Gareth Halfacree WIIGII! Lover of bit-tech Administrator Super Moderator Moderator

Hakuren What's a Dremel?

theshadow2001 [DELETE] means [DELETE]

Gareth Halfacree WIIGII! Lover of bit-tech Administrator Super Moderator Moderator

Corky42 Where's walle?

theshadow2001 [DELETE] means [DELETE]

Corky42 Where's walle?

Phil Rhodes Hypernobber

Corky42 Where's walle?

Gareth Halfacree WIIGII! Lover of bit-tech Administrator Super Moderator Moderator

Corky42 Where's walle?

Gareth Halfacree WIIGII! Lover of bit-tech Administrator Super Moderator Moderator

Corky42 Where's walle?

Gareth Halfacree WIIGII! Lover of bit-tech Administrator Super Moderator Moderator

Bungletron Minimodder

Share This Page

Log in or Sign up

News Government to publish new Snooper's Charter Bill

Gareth Halfacree WIIGII! Lover of bit-tech Administrator Super Moderator Moderator

yodasarmpit Modder

Corky42 Where's walle?

Anfield Multimodder

Gareth Halfacree WIIGII! Lover of bit-tech Administrator Super Moderator Moderator

Gareth Halfacree WIIGII! Lover of bit-tech Administrator Super Moderator Moderator

Hakuren What's a Dremel?

theshadow2001 [DELETE] means [DELETE]

Gareth Halfacree WIIGII! Lover of bit-tech Administrator Super Moderator Moderator

Corky42 Where's walle?

theshadow2001 [DELETE] means [DELETE]

Corky42 Where's walle?

Phil Rhodes Hypernobber

Corky42 Where's walle?

Gareth Halfacree WIIGII! Lover of bit-tech Administrator Super Moderator Moderator

Corky42 Where's walle?

Gareth Halfacree WIIGII! Lover of bit-tech Administrator Super Moderator Moderator

Corky42 Where's walle?

Gareth Halfacree WIIGII! Lover of bit-tech Administrator Super Moderator Moderator

Bungletron Minimodder

Share This Page

Useful Searches