Naked Security

New plan to torpedo UK’s grab for everyone’s browsing history

UK police are after "metadata" snooping powers, but the House of Lords looks set to say, "No."


UK police are after cyber snooping powers equivalent to what, in an analog world, would be knowing what magazines you read but not which articles or page numbers.

The Investigatory Powers Bill, a draft of which had been due to be published this week, is being viewed by many as the latest twist on the much-reviled Communications Data Bill – more commonly known as the Snooper’s Charter.

But as the Guardian reported on Saturday, the House of Lords (the UK’s parliamentary upper house) might be planning to delay the draft of the bill, which seeks to revive measures forcing telecoms to retain users’ browsing data for 12 months.

Such surveillance legislation is in the realm of the undead: it’s been poking its head above the grave since 2012.

The Investigatory Powers Bill is similar to the powers in the shelved Snooper’s Charter in that it would require companies to retain phone and email data.

It would also prevent people from sending encrypted messages via social media: in other words, say goodbye to popular messaging apps like WhatsApp, Facebook Messenger and Snapchat if the government gets its way.

David Anderson QC, the UK’s independent reviewer of terrorism legislation, said in his report on the Investigatory Powers Review (PDF) that the Home Office has provided him with this definition of the “weblogs” it seeks to access:

Weblogs are a record of the interaction that a user of the internet has with other computers connected to the internet. This will include websites visited up to the first ‘/’ of its [url], but not a detailed record of all web pages that a user has accessed. This record will contain times of contacts and the addresses of the other computers or services with which contact occurred.

In other words, the government could see that you’re visiting a porn site, for example, but not which flavor of kink you clicked on.

It was put another way by Graham Smith, an expert in IT law and partner at Bird & Bird, who told The Register that the police are reportedly seeking power that’s equivalent to recording…

...every magazine you've read, but not which articles on which pages.

Tim Farron, Liberal Democrat leader, told The Independent that his party is ready to muster its 112-strong bloc of peers to thwart any measures that could threaten individual liberty, given Tories’ ongoing quest for powers that aren’t “proportionate,” he said:

Liberal Democrats will always support proportionate measures to increase our security, but we must not allow cornerstone civil liberties to be swept away.

We will wait with interest to see the detail of the draft bill, as the Tories have long argued for powers that are not targeted and not proportionate. We blocked the snooper’s charter in government and would strongly resist any attempt to bring it back. It would be a dramatic shift in the relationship between the state and the individual, and fundamentally strikes the wrong balance between liberty and security.

His party has already blocked the Snooper’s Charter, he said, and would “strongly resist any attempt to bring it back.”

The police say they’re after web browsing histories because traditional means of surveillance are outmoded and not up to the task of keeping up with the online activities of terrorists, paedophiles and criminal gangs.

Critics dismiss the idea.

The Independent quotes Rachel Robinson from the civil rights group Liberty, who said that it “defies belief” that the government persists in seeking “extraordinarily intrusive” powers that “none of our major intelligence allies think [are] acceptable to use on their people.”

Robinson:

These measures have already been rejected by a cross-party parliamentary committee and the Independent Reviewer of Terrorism Legislation. We will resist them in the strongest terms.


Image of Palace of Westminster courtesy of Shutterstock.com

8 Comments

So, it’s probably a good time to install a VPN linked to servers in a different jurisdiction. Which jurisdictions are currently recommended?

Reply

My preference, maybe a tad out there but…. Can we run a variant on the * preference services (ie TPS and MPS); but one where I can opt in to full scrutiny of my comms. That way what I do can be seen and assessed for risk. And therefore probably discounted. I’ve always taken the view that anything I do over the internet was probably insecure anyway…

Reply

Laws like this will result in people downloading the internet onto Exabyte drives and passing it around to copy it. Get an updated version every month. The only way spies will know what you’re looking at is when they bum rush your house and dissect your log files, if you don’t run a no write bootable media as you should for that. The internet will only be used for fake news (CNN, Fox and such), purchase and video games.

Reply

If this is passed, the best form of civil disobedience would simply be to overwhelm the loggers with as much cruft as possible.

There are a number of browser extensions which exist to thwart this kind of snooping by constantly fetching random pages.

ISP logging doesn’t work if you go to https:// (secure) URIs, as the queries don’t pass through their proxies.

This kind of snooping isn’t to “find terrorists” but to ensure that if the govt takes a dislike to someone, that they can manufacture enough “evidence” to convict them of anything they want.

“If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him.” – Cardinal Richelieu (supposedly)

Reply

Note that the gov. wants to store everything before the first slash – in other words the hostnames you visited.

That would be recorded in the HTTP proxy logs as you say but many people also use their ISP for DNS.

Also your computer has to be talking to another computer in order to negotiate the TLS connection and the IP address of that computer can be logged. Name-based hosting is not an option for HTTPS sites so IP addresses tend not to hide lots of different HTTPS websites as they do with HTTP although SNI (as used by Naked Security) is changing that.

Reply

Except that for SNI to work the TLS handshake has to include the desired host-name in clear (so that it can choose the proper certificate…). So SNI is cheaper and more practical but reveals information to a potential eavesdropper.

Reply
