Sophos Cloud Optix
The British government is proposing new legislation which would allow the police and secret service to monitor internet users’ email and web activity.
Unsurprisingly, privacy campaigners are up in arms about the plan which would force internet service providers to give British intelligence agencies’ real-time access to electronic communications.
However, the authorities argue that it is necessary for national security and to fight terrorism, online child abuse and organised crime.
Presently, ISPs keep details of which websites users visit, and who they send and receive emails and internet phone calls from, for 12 months. This information can be accessed retrospectively by investigators, provided the correct legal hoops (such as being granted a warrant from a magistrate’s court) were jumped through.
Under the new proposals, ISPs would install hardware from GCHQ – the Government’s electronic snooping agency – allowing investigators to tap into a real-time feed of data, and examine when communications were sent, and who to, in order to build up intelligence on criminal activity.
It’s important to realise that what’s *not* being talked about is third parties being able to read your emails. For one thing, seasoned criminals may very well be strongly encrypting their emails anyway – making them impenetrable.
Instead, spooks would be able to snoop on who sent an email, who its intended recipient was, when it was sent and geographic locations.
Nevertheless, there’s still a lot you could glean from such information.
Nick Pickles, director or the campaign group Big Brother Watch, condemned the proposals, comparing them to surveillance in China and Iran:
"[This is an] unprecedented attack on privacy online and it is far from clear this will actually improve public safety, while adding significant costs to internet business. No amount of scare-mongering can hide the fact that this policy is being condemned by MPs in all political parties."
There is likely to be widespread anger about the proposals, from civil liberties groups, internet companies, the online community and politicians (who will fear that backing the plans may hurt them in the ballot box), believing that surveillance in the UK has gone too far.
It remains to be seen whether the legislation will successfully make its way through parliament, but if you are worried that access to the data will not be properly controlled, or simply find the idea deeply troubling, then you may wish to take steps now to protect your communications.
For instance, if you communicate via a web-based service – such as GMail or Facebook – rather than an email client then you may wish to ensure that your communications are encrypted by enabling HTTPS.
That way, your ISP will only know that you’ve visited, for example, GMail and Facebook, but won’t know what you did while you were there. The authorities would need to demand information from Google and Facebook to uncover that information.
Furthermore, you may wish to turn to anonymising proxies and Virtual Private Networks to have a much tighter level of control over who can see who you are communicating with, and which websites you are visiting.
I fear that the very people that snooping plans are intended to uncover – serious organised criminals gangs, the high-rolling fraudsters, the child abuse networks – are the very ones who are already using technology to avoid being snooped upon.
There may be some criminals who are caught through such government powers – but at what cost to freedom and privacy?
Image credit: Shutterstock
Enabling SSL would only work if we assume that GCHQ doesn't have a trusted CA certificate, which would enable them to impersonate any site and spy on encrypted traffic.
This will just force everyone to turn to ToR – or "evil.com", as the press are calling it. The government will then claim that anyone using ToR must have something to hide, so they should be locked up just in case.
If they manage to do that, it will probably be noticed as it was with Iran, and they will receive bad press about it.
Except that nobody in the UK will see the bad press, as they'll block access to any website which refuses to censor its content in accordance with UK laws.
And no, I'm not making that up. They've already proposed legislation to force Google, Twitter, Facebook et al to censor their results for UK users to comply with super-injunctions. It's a small step from that to blocking news stories which "threaten public security" by criticizing the government.
With commercial gateway products that scan SSL (m86/finjan is one), the point about using HTTPS is pretty mute in this context.
It's moot.
If you are not engaging in illegal activity like blowing something up, killing someone or selling drugs and or weapons, why are you sweating it so much. If the government wants to watch me text my girl the different sexual activities we will be engaging in tonight then so be it, They might learn something. Keep it real they are already listening and watching, but keep in mind the amount of data that is flowing though the net, there computer only flags messages using key words like I used above and even then it gets analyzed more by the system before it will be viewed by a human. There are just not nor ever will be enough staffing to read and or even give a rats butt about reading John/Jane Does personal Email. cont….
> If you are not engaging in illegal activity (…),
> why are you sweating it so much.
http://en.wikipedia.org/wiki/Salami_tactics
What a lame piece. Privacy has nothing to do with security… Privacy is a human trait, it's built into our genetic and nurtured in many cultures of the world. When you go to the toilet or make love to your wife/girlfriend, you do it in private, right? Is that because your afraid or have something to hide? Likewise, when I have a private conversation, I really don't want government snoops to be listening in, whatever their reason.
Sentinel150: Your capacity to underestimate the paranoia of those who operate the machinery of political states pegs the naivete meter. Political statism is an entrenched special interest concerned only about its own survival, not the hapless, overwhelmed-by-too-much-data operation you evidently imagine it to be.
You don't know WHAT part of the data they snoop is going to fall under their arbitrary judgment as being deviant, unlawful, seditious, or otherwise perceived as threatening to their interests. What if it's YOUR data? If they decide to criminalize behavior that you think is within your rights, what defense will you give then?
Your argument–essentially, that "If you oppose surveillance, you must be doing something illegal”–is bogus. Legality is not the ultimate criterion that determines what is right or wrong. The oppression committed by totalitarian states is legal within their self-created systems. That doesn't make it right.
You are a slave to the mentality of political legitimacy–the notion that the state is the ultimate moral authority in human society. In fact, it is ultimately the means by which moral principle is "officially" subverted. You can rationalize it all you want, but it is precisely that attitude that enables it to continue.
Cont….Are you afraid? don't do it on line, there is no "right" to use the internet. Tell her in person that you want to eat her, lol not in a text.
P.S. I do think government meddles in too much and needs to get out of our personal lives, but I also realize that for them to protect my family in this day and age I need not hinder their ability to gather data. I don't have anything to hide and if I did it would not be communicated in plan speech or electronically. Fear not the gov. Fear you own mind
The Criminals already know how to avoid a lot of the proposed measures so this bill amounts to big brother & little else, the oddity is that both the Conservatives & Liberals were in agreement that they should repeal a lot of the measure that the Labour government had put in previously then go & pull this out of the bag.
It's a broadsided attack on civil liberty & an intrusion upon the common citizenry's privacy & I hope it gets shot down in flames by any & all MP's with a conscience.
I wonder if the government know about TOR and VPN's and if they do will they make them illegal or will you need goverment permission?
As the governments of Iran, Egypt, Syria etc. etc. found out you can’t monitor/block access to the internet, people just find a way around it.
And you honestly think that this isn't already being done by Governments such as Australia.. Wake up and look at the what the intelligence community can already do. The governments just want to act on what they already know.
It is already done in a way in Canada; 3 years ago, we were a few people due to follow a course about the rules on dangerous goods transportation (in french, the short is TMD). One person had send me an email using TMD in the title and in the text, asking me when the course was due, 2 days before the start of the course and guess what… the email arrived 2 days after the course ended (a 2-day course). There is already an automated checking for key words in all emails in Canada. Of course I have since refrain from using such short acronym as TMD (has Mass Destruction in it). I want my emails to arrive in short time, not being late because they rung a bell in the spy room and someone had to check them before sending them back to me. 😛
This reminds me of the driver of a container lorry en route from the UK to the Middle East, immediately after the 9/11 atrocity. He was detained for a couple of days in Italy because the label on the consignment bore the English word LADEN.
Intelligence services are supposed to be intelligent, but a computer will only do what it is programmed to do.
"For one thing, seasoned criminals may very well be strongly encrypting their emails anyway – making them impenetrable."
OK
"Instead, spooks would be able to snoop on who sent an email, who its intended recipient was, when it was sent and geographic locations."
And how will they do that? via the encrypted header's?
Every Mail Transport Agent worth its salt already records the sender/recipient/datetime tuple in its log files. The sender/recipient information is part of the protocol and potentially completely independent of the message/header content that would be encrypted. Although to be fair they're often the same in the protocol and in the message headers.
(And before anyone mentions that ESMTP with TLS provides an encrypted channel, please note that I'm describing the logging performed by the MTA itself, not information gleaned by snooping the wire traffic.)
then the goverment can just make a standard request. I still don’t see how this helps the police etc. catch criminals.
I am disgusted by this, time to write a contemptuous letter to my MP.
Anyone who is a terrorist or criminal will avoid detection with encryption and TOR, only low hanging fruit and the ordinary citizen will be targeted.
So begins our sleepwalk into a tyrannical Orwellian nightmare that is a Stasi agent's wet dream.
BTW one last comment
David Davis (Conservative MP) told the BBC “What this is talking about doing is not focusing on terrorists or criminals, it's absolutely everybody's emails, phone calls, web access…"
Well, so much for the Government's Cyber Security Strategy, which should really be encouraging measures for improving the security of all networks and the privacy of all communications.
Just two of the practical implications of this:
As Richard points out, this only works against SSL if GCHQ has a copy of the trusted cert, or some other method I'm unaware of. The certification authorities rely on people trusting them to stay in business, and if word got out the CAs were handing certs to the government, that trust would be destroyed. Self-signed certs become generally more trusted than third-party signed ones.
The last 12 months have already been pretty bad for the cert authorities.
The other thing that might be affected is the (massively over-hyped) cloud computing industry. This does little to reassure the substantial number of businesses and people who don't yet trust 'the cloud' with their data, because there's no guarantee of security during both storage and communication.
Frankly I am more concerned about those who monitor communications stealing research by watching where you visit. If you have a new idea and are collecting data, the monitor can conclude what you are developing and sell the idea to someone else. Also sending trade secrets to coauthors of your project in an encrypted email does no good if the government can view that email and your secrets are no more. Inventors will have no rights.
I grew up behind the Iron Curtain. Even at the height of totalitarian communism, our correspondence was, at least nominally, confidential. Our glorious democratic government is now trying to do openly to everyone what the bad, despotic regime of my youth did to only a few dissidents covertly, because even they were embarrassed by doing that. Times have changed a lot, I see.
What many people have not recognised (partly due to hysterical reporting in the tabloids) is that to intercept the content of the traffic will still require a warrant authorised by a court.
Perhaps put this in a different context: if I visit lots of sites discussing organic chemistry, then exchange emails with Pakistan and finally book tickets to Islamabad, then perhaps under these proposals, the authorities have a stronger case for obtaining a warrant for the interception of my communications. If they do not have the up-front info then it becomes much more difficult to show probable cause.
But they have to read the content of the TCP/IP packets in order to extract email addresses.
The authorities do not need to read the packet data to establish the existence of the communication.
Reading of packets is already being implemented by the ISP. The communications are then indexed and that index handed over to the authorities if a valid warrant is submitted.
The change makes no difference to that process except that a warrant is no longer required on the part of the authorities to access the stored index of communications.
A warrant is still required to read the content of the communications.
So they lock you up for being a thrill-seeking tourist who brews his own beer.
And how long will they wait after the equipment is installed to decide that requiring a warrant is too much hassle? That MI5/MI6/the police/the DVLA/your local council should be able to access this information without any oversight whatsoever?
After all, we're trying to stop paedo-terrorists here! We don't have time for such mundane matters as law, justice, and presumption of innocence. Won't someone please think of the children!
And don't worry about the DVLA selling your information to criminals. They've promised that they won't do it again, and *this time*, they really mean it. They didn't have their fingers crossed or anything!
What about the government getting your bank details pin numbers etc will they lose them? we tend to type so much information when shopping on line and yes i here you say these are normally secure, however can we really be sure they are secure anymore? The government of the day has lost so many of our personal records, medical records, DHS records, etc etc, personal records are constantly turning up somewhere.
Dave,
These proposals, if enacted, will allow the disclosure without a warrant of the _existence_ of communications between various parties, not their content.
The _conent_ of the communications cannot be intercepted legally without a warrant and that will remain the same.
In your scenario, the authorities will be able to access information which indicates that you probably use online banking, but not your details without a warrant.
By the way, I sincerely hope you are not entering you bank card PIN number into a website as you have suggested in your text. Never give anyone your PIN.
Old hat folks, sorry, but just type the words RAF Memwith Hill into Google; they have been watching our emails and text messages for many years now. The difference is that now it is being carried out legally and transforms covert eavesdropping into admissible evidence in a court of law: it never was before.
By allowing such an act to pass we are in danger of setting a highly questionable precedent. Arguably such an act could eventually lead down a dark path with the potential to strip us of a civil right to privacy. Such intrusion not only threatens the fundamental right of free speech and liberty; but also the very essence of such right wing legislation could clearly affect the very principles of free information which has made the internet such a revelation to society. What these powerful decadent institutions can't stand is the fact that the world wide web web has begun a revolution in the way the society sees, thinks an now educates itself. We have perhaps for the very first time had an opportunity to perceive the world for what it really is, and question the greed, tyranny and wealth of an isolated few percent who seek the control of the 'powerless' majority and keep us firmly in our place. If we allow this to happen we are bypassing democracy once more and the Orwellian nightmare looms ever closer.
This all stinks of covering up the cash for dinner talks with the PM. Seems that as soon as the press got interested in these PM dinner talks, the government released a press release that caused panic fuel buying, and now this? I call shenanigans!!!