News Government to publish new Snooper's Charter Bill

Discussion in 'Article Discussion' started by Gareth Halfacree, 4 Nov 2015.

  1. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    12,603
    Likes Received:
    1,915
  2. yodasarmpit

    yodasarmpit No longer the other Brett.

    Joined:
    27 May 2002
    Posts:
    11,237
    Likes Received:
    147
    Seems incredibly naive, banning encryption would simply break the internet and the use of a simple VPN would render history retention useless.
     
    Last edited: 5 Nov 2015
  3. Corky42

    Corky42 Where's walle?

    Joined:
    30 Oct 2012
    Posts:
    9,306
    Likes Received:
    322
    Although it's too early to know, wouldn't simply changing your DNS servers to ones outside the UK bypass any recording of the sites you visit?

    EDIT: Re the man-in-the-middle (MITM) attacks on their own customers: Don't the Security Services already have that capability? Not knowing the details of how a MITM attack is done I may be wrong, but don't the SS already have both the technical and legal powers to carry out Computer Network Exploitation (CNE), aka hacking into devices?
     
    Last edited: 4 Nov 2015
  4. Anfield

    Anfield Well-Known Member

    Joined:
    15 Jan 2010
    Posts:
    5,099
    Likes Received:
    397
    Theresa May, the answer to the question which two words make freedom and common sense flee in horror.

    Nope, all your data still has to go through your ISP, so they'll still know what you wanted from the non-ISP DNS and what came back.
     
  5. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    12,603
    Likes Received:
    1,915
    Nup, but using a VPN with its endpoint outside the UK would. (Well, except for Windows' habit of leaking DNS queries...)
    Yes, but this is very, very different. At the moment, the security services would have to target a specific network, attack it, and install their own back-door without being noticed; under the new Bill, they just have to ask the service provider nicely. Let's use a couple of examples:

    Current Method
    Bob encrypts a message with Alice's key, and sends the encrypted message via Messaging App. Alice decrypts the message and reads it. The Messaging App has no idea what the message was, and cannot tell the security services; they will need to go directly to Bob or Alice to find out.

    Proposed New Method.
    Bob encrypts a message with what he thinks is Alice's key, but is actually Messaging App's key, and sends the encrypted message via Messaging App. Messaging App's server decrypts the message and re-encrypts it with Alice's actual key before sending it on. Now, the security services can simply ask Messaging App for a copy of the message - or, chillingly, for a copy of all messages - without having to involve Bob or Alice.

    That's what the government is proposing: a ban on end-to-end encryption in favour of encryption which has additional keyholders beyond its users - either the companies themselves, who will be required to turn message content over on request, or the security services so they can decrypt the content at will.

    Nice, eh?
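
The two scenarios in the post above, as an added example that is not part of the original post. It uses a toy Diffie-Hellman group and a toy XOR cipher (both assumptions, far too weak for real use), all function names are hypothetical, and it goes one step beyond the post by showing that comparing key fingerprints out of band is what reveals the substituted key.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group: 2**127 - 1 is prime, but far too small for real use.
P, G = 2**127 - 1, 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def fingerprint(pub):
    """Short digest of a public key, meant to be compared out of band."""
    return hashlib.sha256(str(pub).encode()).hexdigest()[:16]

def seal(my_priv, their_pub, data):
    """XOR data with a keystream derived from the DH shared secret (toy; seal == open)."""
    shared = str(pow(their_pub, my_priv, P)).encode()
    stream = b"".join(hashlib.sha256(shared + bytes([i])).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def run(service_substitutes_key):
    alice_priv, alice_pub = keypair()
    bob_priv, bob_pub = keypair()
    app_priv, app_pub = keypair()          # key pair held by the Messaging App
    message = b"meet at noon"              # constructed sample message

    # Bob asks the service's key directory for "Alice's key".
    key_bob_got = app_pub if service_substitutes_key else alice_pub
    wire = seal(bob_priv, key_bob_got, message)

    # What the server can recover from the ciphertext it relays.
    server_view = seal(app_priv, bob_pub, wire)
    if service_substitutes_key:
        # Server re-encrypts for Alice; she sees the app's key as "Bob's".
        wire = seal(app_priv, alice_pub, server_view)
        alice_reads = seal(alice_priv, app_pub, wire)
    else:
        alice_reads = seal(alice_priv, bob_pub, wire)

    return {
        "alice_reads": alice_reads,
        "server_reads_plaintext": server_view == message,
        # Alice reads her fingerprint to Bob in person or over another channel.
        "fingerprints_match": fingerprint(key_bob_got) == fingerprint(alice_pub),
    }

if __name__ == "__main__":
    print("end-to-end:", run(False))
    print("key substituted:", run(True))
```

In both runs Alice receives the message intact, so nothing looks wrong from inside the app; only the fingerprint comparison differs.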
     
  6. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    12,603
    Likes Received:
    1,915
    The draft Bill is now live on GOV.UK, and it claims to 'not impose any additional requirements in relation to encryption over and above the existing obligations in RIPA [Regulation of Investigatory Powers Act].' It does, however, include a section extending the right of 'equipment interference' - modifying or otherwise attacking computers, smartphones, tablets, and other communication equipment for the purpose of eavesdropping or mass communication capture - beyond the security services to law enforcement and the armed forces.
     
    Last edited: 4 Nov 2015
  7. Hakuren

    Hakuren New Member

    Joined:
    17 Aug 2010
    Posts:
    156
    Likes Received:
    0
    Orwell couldn't write it better.
     
  8. theshadow2001

    theshadow2001 [DELETE] means [DELETE]

    Joined:
    3 May 2012
    Posts:
    5,163
    Likes Received:
    141
    How exactly can they ban end to end encryption?
     
  9. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    12,603
    Likes Received:
    1,915
    By voting to turn a Bill into an Act, the same way they ban anything else. (But, as per my update, the draft Bill as-written does not seek to ban end-to-end encryption, beyond reaffirming that it may already be illegal if applied by the service provider under the existing Regulation of Investigatory Powers Act.)

    The relevant section, on Page 29, 62.b:
    So, by my reading, the Government's argument is that end-to-end encryption is already illegal under RIPA, if applied by the Communications Service Provider. In other words: you're still free to send me an email encrypted with GPG, but heaven forefend you use a service like Tor Messenger which automatically encrypts content and doesn't keep a decrypted copy and/or skeleton key.

    Fun fact: this means that everything from Apple's iMessage to Microsoft's Skype is retrospectively illegal in the UK, unless said companies are offering backdoors in their encryption to the Government. I guess we'll find out if they are when said services either continue running without modification or go dark...
     
    Last edited: 4 Nov 2015
  10. Corky42

    Corky42 Where's walle?

    Joined:
    30 Oct 2012
    Posts:
    9,306
    Likes Received:
    322
    @Anfield & Gareth, I'll take your word for the DNS thingy as IDK enough about the inner workings of DNS resolution.

    @Gareth, Apologies, I should have said/stated that isn't what they're proposing with the MITM thing something they already do, that isn't what this bill proposes is just to make what they already do easier, less detectable, quicker.
     
  11. theshadow2001

    theshadow2001 [DELETE] means [DELETE]

    Joined:
    3 May 2012
    Posts:
    5,163
    Likes Received:
    141
    What I should have said is can't people just source their software outside the UK. But if they put emphasis on the service providers then a good deal of software will be compromised. Unless they use non-UK service providers.

    Cert Cameron went to school with some data storage mogul. :D
     
  12. Corky42

    Corky42 Where's walle?

    Joined:
    30 Oct 2012
    Posts:
    9,306
    Likes Received:
    322
    Sorry for bringing this up again, I was a little rushed with my last reply.

    Without having read the details of the new Snoopers Charter is it known yet how they're going to record the sites people visit? By that I mean could/are they going for the cheapest option, saving the DNS logs for a year?
     
  13. Phil Rhodes

    Phil Rhodes Hypernobber

    Joined:
    27 Jul 2006
    Posts:
    1,415
    Likes Received:
    10
    Presumably.

    As with most of these things, given the VPN/Tor/etc services available, the sad fact is that well-set-up organised crime will find this preposterously easy to work around, no matter how much of a vicious old hag Theresa wants to be.
     
  14. Corky42

    Corky42 Where's walle?

    Joined:
    30 Oct 2012
    Posts:
    9,306
    Likes Received:
    322
    That's not my understanding of it, isn't the Communications Service Provider (CSP) what we understand as people's Internet Service Provider?
     
  15. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    12,603
    Likes Received:
    1,915
    No, it's anyone providing a Communications Service. So, your ISP, your telephone company, Microsoft, Apple, Google, whoever. If they provide a service you can communicate by, they're a Communications Service Provider - otherwise it'd just say "ISP."
     
  16. Corky42

    Corky42 Where's walle?

    Joined:
    30 Oct 2012
    Posts:
    9,306
    Likes Received:
    322
    Not the most authoritative source I know but this wiki article disagrees, is how the government defines the meaning in the bill?

    EDIT: Just skimming through the PDF of the bill now so forgive me if this turns out to be wrong, but from my understanding someone like Microsoft, Apple, Google would/could be the communications service that someone is using but critically they're not the provider, the provider (I think) would be your ISP.
     
    Last edited: 4 Nov 2015
  17. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    12,603
    Likes Received:
    1,915
    Don't rely on a Wikipedia language stub for this sort of thing. Let's go to the horse's mouth and have a look at this PDF:
    As unlikely as it may seem, I do have something of an inkling regarding that about which I speak... :p
     
  18. Corky42

    Corky42 Where's walle?

    Joined:
    30 Oct 2012
    Posts:
    9,306
    Likes Received:
    322
    Well that's why I said it wasn't the most authoritative source and asked if we knew how the government defines the meaning in the bill.

    I never claimed you didn't, I even said forgive me if my understanding turned out to be wrong. :(

    As neither of us are lawyers (you're not are you?:)) we are probably going to have to wait for a definitive answer, but I would still respectfully disagree with your interpretation of what a CSP is, while I don't question the information you quoted, I'm still not convinced as a "telecommunications service" is not the same thing as a "communications service provider".

    Adding to my hesitation/skepticism to call it either way is also if, as you suggest, that's how RIPA defined it then why had those services like Microsoft, Apple, Google not been (afaik) abiding by the laws laid out in the RIPA bill.
     
  19. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    12,603
    Likes Received:
    1,915
    Dude, read what I quoted. The whole quote, not just the bold bits. Now read it again. Now again. Once more for luck.

    Now let me paraphrase it, just in case you've been reading what you expected to see and not what was actually there:

    A Communications Service Provider (CSP) is defined as an operator providing a telecommunications service. (Agreed?)

    A telecommunications service is defined so as to specifically include internet-based services such as web-based email, messaging applications, and cloud-based services. (Agreed?)

    Therefore, an operator providing an internet-based service such as web-based email, messaging applications, and cloud-based services is a Communications Services Provider.

    Those aren't my definitions; they're the Government's.

    Now, you can be sceptical or hesitant all you like, but you'll also be wrong.

    Oh, and as to being a lawyer: no, I'm not - but I do interview them.
     
  20. Bungletron

    Bungletron Well-Known Member

    Joined:
    25 May 2010
    Posts:
    1,169
    Likes Received:
    62
    Cheers for going through all that dude! If you are right this is no **** up either: when the government says to a comms service, 'tell me what they said' the wording seems to suggest they want to give the service no excuse to hide behind for handing it over.

    Just a thought, if I set up an encryption company that did no communications at all and then made plugins to work with every major communication app going do you think that would be cool?
     