Monday, 24 November 2014

Theresa May loses the plot again?

Once again we are seeing more crap about snooping on Internet users. The BBC article is as vague as the rest, with comments like "A law forcing firms to hand details to police identifying who was using a computer or mobile phone at a given time is to be outlined by Theresa May."

Firstly, that is impossible. You cannot tell who is using a computer or mobile from an IP address. At best you can tell subscriber details, if they exist, and maybe a location where the IP is initially routed (but it may then go on to anywhere in the world). So what is being asked is impossible.

But what is also odd is that there are already laws such as DRIPA requiring logging of IP when people connect to be held for a year; and allowing the authorities to get subscriber details under RIPA. If we are to assume they mean "subscriber" then that already exists, so what new laws are being suggested?

As I said on Sky News, this is pointless. Because of blocks on legal porn, everybody now knows how to access a VPN or use a TOR browser. This used to be a bit obscure, and not something most people would know or use, but now it is mainstream stuff. People have legitimate legal reasons to use these tools. If someone wanting to watch legal porn can find a TOR browser you can bet that every terrorist will be able to.

Now, bear in mind that the EU have already said that the sort of blanket surveillance in DRIPA is not legal, so adding more cannot be legal. We should not have to live in a police state! There is a price for freedom, we all know, and lest we forget that we have had to pay a price for that freedom in the past - so let's not give it away now.

So please, Theresa May, give it a rest.
  • It is not legal or moral to blanket snoop on citizens
  • It does not show who is actually using an IP
  • It is simple for anyone doing anything dodgy to bypass
  • It can only impact innocent people and increase costs for everyone


  1. > DRIPA requiring logging of IP

    The schedule to DRIPA (which, itself, is the same as that under the 2009 regulations it replaced), does not cover ports — I suspect that the mainstay of the proposal would be to encompass port numbering retention, to facilitate "tracking back" from an apache log to a subscriber on a NAT'd/PAT'd network.
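An added illustration of the port-retention point in the comment above (example code, not part of the original post or its comments): on a NAT'd/PAT'd network many subscribers share one public IP, so a server log line narrows to a single subscriber only if both sides recorded the source port and their clocks agree. The log rows, addresses, subscriber names and the `candidates` helper are all constructed for this sketch.

```python
from datetime import datetime, timedelta

def t(hms):
    """Constructed helper: a time on the day of the sample log."""
    return datetime.fromisoformat("2014-11-24T" + hms)

# Constructed NAT/PAT mapping log, one row per translated session:
# (start, end, public_ip, public_port, subscriber_id). All values are made up.
NAT_LOG = [
    (t("10:00:00"), t("10:00:40"), "192.0.2.10", 40001, "sub-A"),
    (t("10:00:05"), t("10:01:30"), "192.0.2.10", 40002, "sub-B"),
    (t("10:00:20"), t("10:00:50"), "192.0.2.10", 40003, "sub-C"),
    (t("10:00:45"), t("10:02:00"), "192.0.2.10", 40001, "sub-D"),  # port reused
    (t("10:00:10"), t("10:00:30"), "192.0.2.11", 40001, "sub-E"),
]

def candidates(log, ip, when, port=None, skew=timedelta(0)):
    """Subscribers whose sessions could match one server-side log line.

    `skew` is the assumed clock error between the web server and the NAT
    device; any session overlapping [when - skew, when + skew] is a candidate.
    """
    lo, hi = when - skew, when + skew
    hits = set()
    for start, end, pub_ip, pub_port, sub in log:
        if pub_ip != ip:
            continue
        if port is not None and pub_port != port:
            continue
        if start <= hi and end >= lo:
            hits.add(sub)
    return sorted(hits)

if __name__ == "__main__":
    hit = t("10:00:30")  # constructed timestamp from a web server log line
    print("IP + time only:        ", candidates(NAT_LOG, "192.0.2.10", hit))
    print("IP + time + port:      ", candidates(NAT_LOG, "192.0.2.10", hit, 40001))
    print("same, 30s clock skew:  ",
          candidates(NAT_LOG, "192.0.2.10", hit, 40001, timedelta(seconds=30)))
```

Even the single-candidate result names a subscriber line, not the person who was at the keyboard.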

  2. If they're going to try to make subscribers somehow responsible for what happens on their IP, where does that leave anyone who runs a TOR exit node or FON access point (like, err, anyone with one of those BT Hopeless Hubs)?

  3. I assume this will now go the way of Speeding tickets, and they will remove the right to silence, and legally compel self-incrimination. (RK is committing a criminal offence if they fail to identify the driver.)

    We are already in a police state.

    1. *If* AAISP is served with a retention notice, and is unsuccessful in challenging it *and* generates the data in question, else is served with a notice requiring disclosure, does not argue that it is technically impracticable and does not challenge it on any other basis but fails to comply — then, AAISP might be in breach of its statutory duty, enforceable via injunction, but not a criminal offence, as far as I can recall.

    2. I never get this.

      I have a car which everyone in the house is able to use. I cannot possibly say who was driving at a particular time. Only that I was not driving.

      How can I be committing an offence if I don't say?

    3. I suspect they argue that you are meant to be "keeping" the vehicle and therefore should know. But I agree, it is crazy. Apparently there is some loophole where you have to disclose, but you don't have to sign or swear what you said, and the court therefore cannot take it as proof if the person you say says they were not.

    4. I think you are right RevK, they assume you should know, but that's irrelevant, as even if you do, why should you be compelled to tell them.

      If you are accused of murder, you don't have to either confess or tell them who did it. It's up to the prosecution to prove you guilty or let you go, yet with speeding you have to do their work for them via a confession.

      I can see this ending up the same - as the subscriber you either confess or tell them who did the Bad Thing™, if you don't you are either guilty of the offence yourself or guilty of "failing to provide the bad person's details"

    5. Regarding cars, I've been in a few situations where people have tried to dodge responsibility. E.g. I was cycling last year, then I stopped at a red light and a bus overtook me to go through it. I have video evidence of the vehicle (route/licence plate) along with the date and time, but the bus company said that they didn't know who was driving it. The police took the registered owner (company director?) to court for failure to provide details, which I think is reasonable.

      I'm in a similar situation at the moment - I was hit by a motorbike back in April, and again I have video evidence. However, the registered keeper has refused to talk to the police, so they're taking him to court in a couple of weeks for failure to provide details.

      I think that in a situation like this, the owner has 2 options:
      1) Keep track of everyone who uses the vehicle.
      2) Accept responsibility for what they do. If they injure/kill someone, or cause damage, you're the one who pays the fine and/or goes to prison.

    6. My wifi has no password for guests to use and access... much more convenient. If someone drives past and uses my wifi ... well it's worth the hassle for me. The wifi is called "Don't Use Me!"...

    7. If someone used a gun to shoot your leg the owner of the gun couldn't be compelled to say whether or not they shot you.

  4. John, you feel that way about the situation that affects you (although, it's a different argument with the motorbike as if there was an accident they had to stop and exchange details, and if you have their registration on camera you can claim on the insurance on that vehicle regardless of who was driving it as I understand it) but how about we reword it like this.

    "Regarding internet subscriptions, I've been in a few situations where people have tried to dodge responsibility. E.g. I was browsing a torrent website and noticed that someone was connected to a tracker downloading a copyrighted film. I have logfile evidence of the IP address, along with the date and time, but the subscriber said they didn't know who did it. The police took the subscriber to court for piracy, which I think is reasonable. I'm in a similar situation at the moment - a game I made was pirated back in April, and again I have logfile evidence. However the subscriber has refused to talk to the police, so they're taking him to court in a couple of weeks for failure to provide details. I think in a situation like this, an internet subscriber has 2 options: 1) keep track of everyone who uses the connection. 2) accept responsibility for what they do, if they do anything illegal, or cause financial damage, you're the one who pays the fine and/or goes to prison".

    I guess you'd feel differently about the above! But, given the track record with cars, I can see this being the situation we end up in. There is precedent for this!

    My opinion is that in the case of the bus and the red light, no charges should have been brought. They could not prove who was guilty. In the case of the motorbike, there is an offence of failing to stop at the scene of an accident, but if they can't prove who was riding they would have nobody to charge for that. However, you should be able to claim damages from their insurance as you have evidence that vehicle hit you and the road traffic act would deem the insurer liable.

    1. But whose insurance? Maybe two people independently insured the bike

    2. This debate again! Nobody "insures the bike". People are insured. It may be that there is a person that is only insured to ride that bike. It may be that a person has insurance that covers anyone riding their bike. But the bike itself does not have an insurance policy itself.

    3. I guess I meant "insured themselves [and/or others] for the bike". Bad phrasing on my part

    4. "I think in a situation like this, an internet subscriber has 2 options: 1) keep track of everyone who uses the connection. 2) accept responsibility for what they do, if they do anything illegal, or cause financial damage, you're the one who pays the fine and/or goes to prison".
      Option 3), a neighbour has sat there and bruteforced your Wi-fi or someone has compromised your PC, leaving you to face the "financial damage" of what they do.
      Your crime? You aren't a hardened system admin and you dared to use a PC on the Internet or have wifi.
      Unlike a car (where a car thief steals your car, you report it and if they knock someone over it's not your responsibility) PCs and Wifi can be hijacked / "stolen" for days/weeks/months without a person knowing.

    5. You're right the person is insured not the bike, but the owner's insurance would have to pay out:

    6. Yes, read that article, makes no sense.

    7. That's a completely different situation. The bike was sold, original owner didn't cancel insurance and the purchaser didn't have any insurance. The only valid insurance running was the original owner.

      I suspect the seller was trying to increase NCB by not cancelling insurance and leaving it running without having a bike.

    8. I have had this debate before - it makes no sense. The insurance policy is a contract between insurer and the original owner. Either it covers the new owner riding (some policies cover any rider) then that is fine and payout is fine, or it doesn't, in which case why would they pay out as there is no policy in place for that rider on that bike and no insurance contract with anyone that has suffered any loss or liability. Either way there is no way the original owner should be out of pocket. Sadly, as with most news reports, the details that explain what happened in reality are greatly lacking.

    9. Fuzzycat, I agree the owner in that post even says that's what he's trying to do. I've done it myself before - sold my 125, which was my 2nd bike, with 2 months to run on the insurance that originally cost me £65 ish. As there was a £35 cancellation fee, it would actually COST ME to cancel it, whereas leaving it running was free, and got me another year's "spare" NCB in case I lost my NCB on the main bike.

      But if the original owner's insurance can be held liable for an accident by the new owner who didn't have insurance, then in the other scenario, surely the current owner's insurance can be held liable for an accident that occurred while the bike was being ridden by a person who may or may not have been the owner.

    10. I think this explains some of why the insurer would be liable, although it seems as though with an unidentified driver it would be the MIB...

    11. From the new report there was some issue with implicitly "giving permission" to the new owner and he was disqualified or something. The permission giving was implicit in the sale. If that was the issue then simply ensuring you video on your phone the sale where you state "I do not give you permission to ride this without your own valid insurance" would cover you.

  5. In the case of the red-light-running bus, I think it's reasonable for a commercial operator of a large, commercial-transport-class vehicle to keep records of who is driving each vehicle at any given time. Or, at least, who is *supposed* to be driving it. It is also reasonable for the authorities to demand access to these records when reasonable doubt arises over the identity of the driver. Failure to keep these records - and to exercise control over their employees' driving standards - should result in revocation of the commercial operator's licence to operate large, commercial-transport-class vehicles.

    This is a safety-of-life thing. It also helps that many buses now have internal CCTV, on which the driver is likely to be identifiable.

    In the case of the motorcyclist, it would appear that the rider either failed to stop at the scene of the accident, or knowingly provided false details in an attempt to evade prosecution for his dangerous behaviour. In such a case, the identity of the motorcycle (registration plate) is a valuable tool for identifying the owner, who is the most likely rider.

    Identifying a particular motorcyclist is more difficult than a bus driver, due to their understandable propensity to wear helmets, but usually a bike's owner has some idea about who he's lent it to or whether it's been nicked, and might be able to show that he wears different leathers or a different helmet than was seen at the scene - or, conversely, he might *not* be able to show such a thing.

    Again, this is a safety-of-life situation. I consider taking dangerous drivers and riders off the road to be a noble goal.

    Operation of a computer on the Internet, on the other hand, is *not* safety-of-life critical. It is also not possible, in general, to prove that traffic involving a particular IP address is linked to a particular person - particularly when home routers routinely allow multiple users simultaneously, or conversely a mobile device can easily be handed from one person to another. In many cases, it is possible to show that a street address is associated with a line subscription, which is valuable information for law enforcement, but the investigation has to proceed from there by other means.

    And, as others have pointed out, there is the possibility of theft of service, or more subtly, proxying. ISPs are not legally responsible for the specific actions of the subscribers whose traffic they carry; neither should individual operators of Tor exit nodes be legally responsible for the specific actions of other Tor users, especially since they don't (and can't!) even know who they are.

    1. Ah, but terrorists!
      If it saves one life.

      I jest, of course. They'd save more lives with these new flying drone defibrillators in a week than terrorists manage in an average year.