I obviously feel sorry for all of the friends and families of the 128 killed in Paris last night, it is horrific.
How should the world react to those that want to incite terror? Should we be terrified?
Well, firstly, let me also say I also feel sorry for the 3,000 or so people killed in road fatalities yesterday as well, and today, and tomorrow, and every day (1,240,00 a year). Even with attacks like this, and 9/11, terrorism still remains a drop in the ocean in terms of any real threat to people's lives from so many directions (road fatalities being just one). Whilst we all die, it is horrific when someone dies unexpectedly in the prime of their life, and there are many ways we can tackle all of these threats. Terrorism is one tiny aspect of that ongoing battle - an aspect we still need to address, obviously.
In my opinion, to tackle these attacks, we need to try and get to the root cause and understand why we have a global society that creates such people. Why people want to create terror for their political aims. I can understand why politicians want to create terror for political aims, and they do that a lot, but we need to understand what we can do to make society better to minimise the perceived need for such attacks in the first place. What are we, as a people, doing wrong.
In my opinion, the way to go is not to create more of a police state. As I am sure people in France know more than most, a police state will create resistance - people who do not like the state, and that is the very seed of terrorism, surely.
Now is not the time to give up our human rights! That is letting the criminals win.
What we do not need is for this one incident to put a rocket up the latest snooper's charter, monitoring everything we all do, and making it "guilty until proven innocent". We need evidence based and proportional government, now, more than ever.
Last time there was an attack in France it came to light that the criminals were already under surveillance. What is the betting that the same is true with this case? I can't see that adding more surveillance of the 99.9999% of people who are not criminals will help.
2015-11-14
2015-11-12
What privacy can we promise you?
Someone has asked me today to be careful what I promise customers, and he is right to be cautious, so I thought I would explain what we can and cannot do as an ISP.
For a start, private communications will always be possible. There are ways to send messages that nobody else can read - such systems exist, and can even be done using pen and paper.
But what if even that is made illegal, and nobody can even send encrypted data - well, there are systems called steganography where the "noise" in something like an image or video is used to carry an encrypted message, and no way to prove that there is a message. There are even "plausible deniability" systems where you can provide a key to produce the innocent message that was encoded and again no way to prove that there was another message hidden.
So, in short, normal people, and criminals, and terrorists, will always be able to communicate privately. That is a fact of life and mathematics. This also makes all of this surveillance crap a bit pointless.
But what about the Draft IP Bill? At this stage it is a tad hard to say for sure - as the exact details of what the "Internet Connection Records" will be are unclear. Here I am talking about the mass surveillance by ISPs part of the bill - there are also mass surveillance by GCHQ, etc, and targeted surveillance. However, at this stage encryption is not actually banned.
Up to now the logs could be from email servers, telephony, text, but not a lot else. Now they could be more - including logs from web sites, and maybe even logs from DNS servers. What is not clear is if an ISP would be required to deep packet inspect data as it passes and make logs of activity where there is no server involved in the ISP. We hope not, not least because that is hard and expensive.
However, the good news is encryption is not banned as such - what is clear that you have to be doing the encryption yourself! If you rely on any third party to do it, perhaps even Apple, then the bill (as it stands now) could expect the third party to break or undo the encryption they are offering. There are apps for some phones, and of course a whole load of packages for PCs of all sorts based on PGP which allow end to end encryption which you do control yourself. Bear in mind that the bill would allow hacking of your computer though, so make sure you have good firewalls and trust nobody as anyone could be conscripted to get your data and do so secretly. My guess is that the safest O/S for this will be linux as there is no provider that can be ordered to put in back doors or break it "legitimately" and as such the hacks would have to be via vulnerabilities.
But back to what we can do as an ISP.
Let's be clear here - we do expect people to abide by the law - but also, it is none of our business what you do with your Internet connection. We are not your mum, or the police, and though we are not trying to actively impede them in any way, but we just want to get on and do our job and that is all. We value your privacy and see no reason to compromise that unless someone comes along with a proper targeted warrant backed by a proper judicial process.
Obviously, with a suitable order, we can disclose subscriber details for an IP address, but we always stress the this does not identify a person or user, or even that the source of any IP traffic is in the premises and not spoofed, relayed, Tor, or the result of a virus, just in case the police officer in question is not aware of that! Indeed, a request for "user" details is always rejected saying we have no details of "users" - they have to resubmit asking for "subscriber" details to make this point really clear.
As for RIPA requests we have had? We have had a couple to find subscriber details of an IP, one of which was plainly a waste of everyone's time and not in any way criminal and just showed how stupid the whole process was. We have had a few for phone numbers to identify subscriber, but pretty much all of these are spoofed CLI so one of our numbers but not in use, or numbers that are not even ours, or numbers used by another telco from our blocks. It seems our customers are pretty good at not being targets of RIPA requests, and we'd like to keep it that way.
You can tell we are not keen on the mass surveillance aspects. So we want to find ways of avoid them.
The biggest thing is that we have never been subject to a retention order, so no legal requirement to retain anything routinely for all customers. We also don't have any government "black boxes" to allow covert monitoring of anything in our network. Thankfully we are too small.
We do provide itemised phone bills, and those hang around - we are not sure of a tidy way to not keep them as they are needed if any billing dispute. One thought was to send digitally signed call records on the bill, and then delete them - that way, if there is a dispute, you have to provide the call records, but we can validate that they are genuinely from us and unchanged. That may be a way forward for call records.
We do have logs for things like email, but they are for diagnostics and support, and not kept for long. We don't log DNS. We'd like to not have any logs for any significant time other than necessary to help support technical issues.
What if we get a retention order? That is tricky. Assuming for a moment it does not mean deep packet inspection and creating new logs for Internet Connection Records, what of DNS logs, email logs, and the like. Well, we could move the key services we offer off-shore. Most things, like an email server or even a voice server, do not have to be in the UK to work. If done right, we could move all things that need logging to a jurisdiction that does not require logging. It would be tricky - we'd have to set things up as hands-off as possible, but this are services we could be paying a foreign company to run for us. We did wonder what the rules are for Isle of Man, for example, or maybe we keep it in the EU. We could even have the third party send digitally signed call records to our customer directly so we never have them, just sending us the totals for billing purposes.
The irony here is that at present, within a short time, a RIPA request could get some data out of us, especially itemised phone bills. But force us to record all data for a year and it may be that we have zero data to report. Whilst this will stop any fishing expeditions, or automated collection and collation of records on the public, it will impede some legitimate investigations - so maybe it is better to keep us on-side here and helpful rather than forcing our hand?
That said, you don't know what the law will end up doing, and it could be that we are expected to record data from deep packet inspection, or worse, that BT wholesale and TT wholesale are forced to. If that happens, then there is little we can do except repeat the tips on encryption, end to end, and in your own control.
We hope we don't ever get a retention order, and one aspect of the bill is that we can challenge it. The gagging order part is going to be tricky as it could try to force us to commit fraud, and that may be a stumbling block. I doubt the government want warrant canaries tested in UK law, so I would hope that alone means they avoid giving us an order ever. If they were tested and deemed valid, that could undermine gagging orders in many laws.
So, good luck to all in preserving your basic human right to privacy. We'll try and do our part on that.
For a start, private communications will always be possible. There are ways to send messages that nobody else can read - such systems exist, and can even be done using pen and paper.
But what if even that is made illegal, and nobody can even send encrypted data - well, there are systems called steganography where the "noise" in something like an image or video is used to carry an encrypted message, and no way to prove that there is a message. There are even "plausible deniability" systems where you can provide a key to produce the innocent message that was encoded and again no way to prove that there was another message hidden.
So, in short, normal people, and criminals, and terrorists, will always be able to communicate privately. That is a fact of life and mathematics. This also makes all of this surveillance crap a bit pointless.
But what about the Draft IP Bill? At this stage it is a tad hard to say for sure - as the exact details of what the "Internet Connection Records" will be are unclear. Here I am talking about the mass surveillance by ISPs part of the bill - there are also mass surveillance by GCHQ, etc, and targeted surveillance. However, at this stage encryption is not actually banned.
Up to now the logs could be from email servers, telephony, text, but not a lot else. Now they could be more - including logs from web sites, and maybe even logs from DNS servers. What is not clear is if an ISP would be required to deep packet inspect data as it passes and make logs of activity where there is no server involved in the ISP. We hope not, not least because that is hard and expensive.
However, the good news is encryption is not banned as such - what is clear that you have to be doing the encryption yourself! If you rely on any third party to do it, perhaps even Apple, then the bill (as it stands now) could expect the third party to break or undo the encryption they are offering. There are apps for some phones, and of course a whole load of packages for PCs of all sorts based on PGP which allow end to end encryption which you do control yourself. Bear in mind that the bill would allow hacking of your computer though, so make sure you have good firewalls and trust nobody as anyone could be conscripted to get your data and do so secretly. My guess is that the safest O/S for this will be linux as there is no provider that can be ordered to put in back doors or break it "legitimately" and as such the hacks would have to be via vulnerabilities.
But back to what we can do as an ISP.
Let's be clear here - we do expect people to abide by the law - but also, it is none of our business what you do with your Internet connection. We are not your mum, or the police, and though we are not trying to actively impede them in any way, but we just want to get on and do our job and that is all. We value your privacy and see no reason to compromise that unless someone comes along with a proper targeted warrant backed by a proper judicial process.
Obviously, with a suitable order, we can disclose subscriber details for an IP address, but we always stress the this does not identify a person or user, or even that the source of any IP traffic is in the premises and not spoofed, relayed, Tor, or the result of a virus, just in case the police officer in question is not aware of that! Indeed, a request for "user" details is always rejected saying we have no details of "users" - they have to resubmit asking for "subscriber" details to make this point really clear.
As for RIPA requests we have had? We have had a couple to find subscriber details of an IP, one of which was plainly a waste of everyone's time and not in any way criminal and just showed how stupid the whole process was. We have had a few for phone numbers to identify subscriber, but pretty much all of these are spoofed CLI so one of our numbers but not in use, or numbers that are not even ours, or numbers used by another telco from our blocks. It seems our customers are pretty good at not being targets of RIPA requests, and we'd like to keep it that way.
You can tell we are not keen on the mass surveillance aspects. So we want to find ways of avoid them.
The biggest thing is that we have never been subject to a retention order, so no legal requirement to retain anything routinely for all customers. We also don't have any government "black boxes" to allow covert monitoring of anything in our network. Thankfully we are too small.
We do provide itemised phone bills, and those hang around - we are not sure of a tidy way to not keep them as they are needed if any billing dispute. One thought was to send digitally signed call records on the bill, and then delete them - that way, if there is a dispute, you have to provide the call records, but we can validate that they are genuinely from us and unchanged. That may be a way forward for call records.
We do have logs for things like email, but they are for diagnostics and support, and not kept for long. We don't log DNS. We'd like to not have any logs for any significant time other than necessary to help support technical issues.
What if we get a retention order? That is tricky. Assuming for a moment it does not mean deep packet inspection and creating new logs for Internet Connection Records, what of DNS logs, email logs, and the like. Well, we could move the key services we offer off-shore. Most things, like an email server or even a voice server, do not have to be in the UK to work. If done right, we could move all things that need logging to a jurisdiction that does not require logging. It would be tricky - we'd have to set things up as hands-off as possible, but this are services we could be paying a foreign company to run for us. We did wonder what the rules are for Isle of Man, for example, or maybe we keep it in the EU. We could even have the third party send digitally signed call records to our customer directly so we never have them, just sending us the totals for billing purposes.
The irony here is that at present, within a short time, a RIPA request could get some data out of us, especially itemised phone bills. But force us to record all data for a year and it may be that we have zero data to report. Whilst this will stop any fishing expeditions, or automated collection and collation of records on the public, it will impede some legitimate investigations - so maybe it is better to keep us on-side here and helpful rather than forcing our hand?
That said, you don't know what the law will end up doing, and it could be that we are expected to record data from deep packet inspection, or worse, that BT wholesale and TT wholesale are forced to. If that happens, then there is little we can do except repeat the tips on encryption, end to end, and in your own control.
We hope we don't ever get a retention order, and one aspect of the bill is that we can challenge it. The gagging order part is going to be tricky as it could try to force us to commit fraud, and that may be a stumbling block. I doubt the government want warrant canaries tested in UK law, so I would hope that alone means they avoid giving us an order ever. If they were tested and deemed valid, that could undermine gagging orders in many laws.
So, good luck to all in preserving your basic human right to privacy. We'll try and do our part on that.
Play nice or "they" could make life difficult for you
I have now had this from a couple of people, and my wife is also concerned.
Basically, discussing ways to avoid mass surveillance, for example, making separate companies, and winding one up if it gets a retention order, or moving DNS servers outside the UK, etc.
These would all be legal means to take action for good moral reasons. Indeed, even if not good moral reasons, they would be legal actions which I should not be afraid to take.
In any civilised country nobody should be afraid of taking legal steps to achieve their own objectives.
Whilst I do not personally think they would make life difficult for me, or even that they could in any meaningful way (we play by the rules and don't have any skeletons in the closet), I am not the sort of person who would give in to such fears anyway. I was bullied at school, and that gives you a philosophy of standing up to bullies and for doing what is right.
But this actually made me think a bit - and this is one of the issues with the proposed bill. We have many laws now where there are things that might be technically illegal but are not enforced. Steps that make everyone a criminal, but nobody sees that as something that matters. Have I ever cycled on a pavement that is not a cycle path? Have I ever accessed an extremist web site and could be accused of being involved with terrorists as a result? Have I ever accessed a site that provides copyright infringement of some sort?
Now, with more and more things like this, you just need to add the mass surveillance, and bingo - you can intimidate anyone for any reason. Using your browsing history to find something which could be used to make a case against you under some obscure law that nobody considers serious, and using that to silence you when you say or do something else which is legal.
Mass surveillance is that key step so that you can enforce "thought police" properly and intimidate anyone you don't like.
I hate to go all Godwin's law on you, but is this not exactly the sort of police state that ended up with Nazi Germany? Are we on that slippery slope, really? It is that time of year when we are meant to remember these things - so let's remember and not go any further down this road please.
Basically, discussing ways to avoid mass surveillance, for example, making separate companies, and winding one up if it gets a retention order, or moving DNS servers outside the UK, etc.
These would all be legal means to take action for good moral reasons. Indeed, even if not good moral reasons, they would be legal actions which I should not be afraid to take.
In any civilised country nobody should be afraid of taking legal steps to achieve their own objectives.
Whilst I do not personally think they would make life difficult for me, or even that they could in any meaningful way (we play by the rules and don't have any skeletons in the closet), I am not the sort of person who would give in to such fears anyway. I was bullied at school, and that gives you a philosophy of standing up to bullies and for doing what is right.
But this actually made me think a bit - and this is one of the issues with the proposed bill. We have many laws now where there are things that might be technically illegal but are not enforced. Steps that make everyone a criminal, but nobody sees that as something that matters. Have I ever cycled on a pavement that is not a cycle path? Have I ever accessed an extremist web site and could be accused of being involved with terrorists as a result? Have I ever accessed a site that provides copyright infringement of some sort?
Now, with more and more things like this, you just need to add the mass surveillance, and bingo - you can intimidate anyone for any reason. Using your browsing history to find something which could be used to make a case against you under some obscure law that nobody considers serious, and using that to silence you when you say or do something else which is legal.
Mass surveillance is that key step so that you can enforce "thought police" properly and intimidate anyone you don't like.
I hate to go all Godwin's law on you, but is this not exactly the sort of police state that ended up with Nazi Germany? Are we on that slippery slope, really? It is that time of year when we are meant to remember these things - so let's remember and not go any further down this road please.
2015-11-11
Why internet is not the same as telephone - lesson for MPs
The telephone can be relatively simple - remember the old ones with mechanical switches and dial - this is not complex technology.
When you use the telephone and dial a number, the telephone company has equipment that works out where the call has to go.
- It works out routing for the call across the network
- It connects all of the way end to end
- It ensures the data (voice) gets from one end to the other intact, in order, and reliably
- It keeps that connection in place
- At the end it dismantles that connection
- It makes a record of the connection for billing purposes
I hope that all makes sense.
Now for the Internet and why it is different.
First off, yes, things using the Internet typically still makes a connection end to end to another device over the network and has the data (even voice) go reliably from one end to the other. The connection starts, continues, and ends in much the same way as a telephone call.
But there is a HUGE DIFFERENCE in the way this is done. In the telephone network all of the clever stuff is in the telephone network. The phone company does all the work to establish and maintain and then dismantle the connection. The Internet works very differently, the end devices turn that connection in to tiny packets of data and send those via the network.
The network operator does not see any connections at all - they see packets. Indeed, making a connection is just one of many ways for end devices to communicate over the Internet. It is possible to send packets with no reply, send packets that get one packet reply, or send packets that even go to more than one place at once. All of the clever stuff is done in the end devices, and only there is the concept of a connection seen or possibly logged in some way.
This is why the Internet does not have any sort of Internet Connection Record in the same way as telephone systems have a Call Data Record, because the network operator does not see connections! There don't even have to be connections in any logical sense and many protocols work without a logical connection being made. The network operator looks at one thing only - the destination of each packet, so it can get the packet one step closer to that destination. Individual routers and network operating companies do not even need to know the route the packet will take, just the next step to which they have to send a packet to get it one step closer.
- Telephone: The intelligence and "connection" logic exists in the network so easy to log
- Internet: The intelligence and "connection" logic exists in end devices and not the network
So the idea of getting Internet communications operators to log and retain Internet Connection Records is totally nonsense.
2015-11-10
Computer vaccine? #IPBill
There are many computer viruses, and there are quite a lot that spread but otherwise remain dormant - just checking with a "command and control" means of some sort waiting to be part of some bot-net attack one day.
But I wonder if there is merit in the concept of a virus you choose to contract, sort of like a vaccine that promote the creation of anti-bodies.
I was thinking of something that uses a small amount of traffic (so low cost) to access web sites. Nothing more than a basic http request on the main page - maybe not even finishing the TCP connection to load the whole page even, but enough to be logged in an "Internet Communications Record" as envisaged by the Draft Investigatory Powers Bill.
The virus would connect to all of the popular social media and email sites and make connections, and then on to the less popular sites to do with terrorism or porn or anything else. It is technically a really simple virus.
The concept is two fold:
Well, let us hope this bill is amended to hell and does not have the mass surveillance, bit if it does, the "mass" can make the surveillance "interesting" at least.
But I wonder if there is merit in the concept of a virus you choose to contract, sort of like a vaccine that promote the creation of anti-bodies.
I was thinking of something that uses a small amount of traffic (so low cost) to access web sites. Nothing more than a basic http request on the main page - maybe not even finishing the TCP connection to load the whole page even, but enough to be logged in an "Internet Communications Record" as envisaged by the Draft Investigatory Powers Bill.
The virus would connect to all of the popular social media and email sites and make connections, and then on to the less popular sites to do with terrorism or porn or anything else. It is technically a really simple virus.
The concept is two fold:
- Poison the logs of Internet Connections Records with crap making the whole IP Bill even more pointless than it is now. After all, any serious criminal will use Tor or VPNs and so on.
- Create plausible deniability - you can claim any Internet Connections Record found relating to you must be the work of the virus. The virus would deliberately have no logs and deliberately include totally random web sites.
Well, let us hope this bill is amended to hell and does not have the mass surveillance, bit if it does, the "mass" can make the surveillance "interesting" at least.
#IPBill Police ask you to break in to A&A offices and steal a hard drive?
One of the most disturbing parts of the Draft Investigatory Powers Bill is section 46(4)(c) which allows a suitably authorised officer to "ask any person whom the authorised officer believes is not in possession of the communications data but is capable of obtaining it, to obtain it..."
Now, "ask" or "request" are odd phrases to use in any law, and I have encountered legislation that uses it before. The PECR section 32 where I "may request" that the ICO take enforcement action - but you can request all you like and they have confirmed that the law does not "require" them to even consider your request. Obviously merely asking someone to do something does not, in itself convey any duty or requirement on them to actually do it, even if asked by a policeman! So just delete that clause surely!
However, it is not so simple, as section 50(2) says "It is the duty of a telecommunications operator who is obtaining or disclosing communications data, in response to a request or requirement for the data in pursuance of an authorisation, to obtain or disclose the data in a way that minimises the amount of data that needs to be processed for the purpose concerned." Now this is tricky as it seems to be simply saying you only minimise the data you get, but it sort also says you have a duty to actually "obtain" the data even if just "requested" to get it rather than being a "requirement" (as per other sections). So it sort of gives "ask" some power all of a sudden! [update: as someone points out, this is only those "obtaining" or "disclosing" so is not forcing one to "obtain" if "asked", even so, see below that you can be "required" to obtain data anyway]
Also section 66 says "It is an offence for a telecommunications operator, or any person employed for the purposes of the business of a telecommunications operator, to disclose, without reasonable excuse, to any person the existence ..." so you have to keep the request quiet.
Also section 65 makes this lawful, well, maybe. It makes the "asking" lawful, and anything you have to do as a "requirement", but does not actually make lawful the complying when simply "asked" to do something, even if you have a duty to comply!
But that is only "telecommunications operators", right? Well, yes, and sort of no. 193(10) defines that as anyone that "offers or provides a telecommunications service to persons in the United Kingdom"but goes on in (11) with "“Telecommunications service” means any service that consists in the provision of access to, and of facilities for making use of, any telecommunication system (whether or not one provided by the person providing the service).". Note the lack of "public" in the provision, so anyone that merely "facilitates" the making use of a telecommunications system to others, even if not for profit, not part of a business and even if not to the public, is a "telecommunications operator". that means that even if you just pay the bill for your family's broadband you are a "telecommunications operator" and could be "asked" to do stuff by the police, secretly, even if what you are asked to do is illegal.
Note that 46(40)(d) allows an authorised officer to "require" a telecommunications operator obtain data, and 50(1) makes it a duty to comply, so anyone who is deemed a "telecommunications operator" can be ordered to do anything necessary to obtain communications data from anyone by any means, and 65 makes it lawful.
So police can order people to do things, such things are deemed lawful regardless, and they have to be kept secret.
What a lovely country we all live in. I may have to move.
Now, "ask" or "request" are odd phrases to use in any law, and I have encountered legislation that uses it before. The PECR section 32 where I "may request" that the ICO take enforcement action - but you can request all you like and they have confirmed that the law does not "require" them to even consider your request. Obviously merely asking someone to do something does not, in itself convey any duty or requirement on them to actually do it, even if asked by a policeman! So just delete that clause surely!
However, it is not so simple, as section 50(2) says "It is the duty of a telecommunications operator who is obtaining or disclosing communications data, in response to a request or requirement for the data in pursuance of an authorisation, to obtain or disclose the data in a way that minimises the amount of data that needs to be processed for the purpose concerned." Now this is tricky as it seems to be simply saying you only minimise the data you get, but it sort also says you have a duty to actually "obtain" the data even if just "requested" to get it rather than being a "requirement" (as per other sections). So it sort of gives "ask" some power all of a sudden! [update: as someone points out, this is only those "obtaining" or "disclosing" so is not forcing one to "obtain" if "asked", even so, see below that you can be "required" to obtain data anyway]
Also section 66 says "It is an offence for a telecommunications operator, or any person employed for the purposes of the business of a telecommunications operator, to disclose, without reasonable excuse, to any person the existence ..." so you have to keep the request quiet.
Also section 65 makes this lawful, well, maybe. It makes the "asking" lawful, and anything you have to do as a "requirement", but does not actually make lawful the complying when simply "asked" to do something, even if you have a duty to comply!
But that is only "telecommunications operators", right? Well, yes, and sort of no. 193(10) defines that as anyone that "offers or provides a telecommunications service to persons in the United Kingdom"but goes on in (11) with "“Telecommunications service” means any service that consists in the provision of access to, and of facilities for making use of, any telecommunication system (whether or not one provided by the person providing the service).". Note the lack of "public" in the provision, so anyone that merely "facilitates" the making use of a telecommunications system to others, even if not for profit, not part of a business and even if not to the public, is a "telecommunications operator". that means that even if you just pay the bill for your family's broadband you are a "telecommunications operator" and could be "asked" to do stuff by the police, secretly, even if what you are asked to do is illegal.
Note that 46(40)(d) allows an authorised officer to "require" a telecommunications operator obtain data, and 50(1) makes it a duty to comply, so anyone who is deemed a "telecommunications operator" can be ordered to do anything necessary to obtain communications data from anyone by any means, and 65 makes it lawful.
So police can order people to do things, such things are deemed lawful regardless, and they have to be kept secret.
What a lovely country we all live in. I may have to move.
2015-11-07
Gagging Retention Orders
The Draft IP bill 77(2) states that a telecommunications operator must not disclose the existence or content of a "retention notice". A "retention notice" is the notice requiring that communications data be retained for up to 12 months and is not related to specific targeted surveillance. They are the "mass surveillance by ISPs" part of the bill.
Why not disclose the existence?
Maybe they don't want people to know which ISPs have had retention notices? But surely everyone will know the big players are going to be subject to one, such as BT, Virgin, Talk Talk, etc, so why would that be a secret?
Maybe they think people will choose an ISP that is not subject to a notice. But that makes no sense. For a start, anyone involved in any serious crime would assume they are monitored and use the simple step of Tor or VPN to bypass any such monitoring anyway. Also, whilst those served a notice cannot say anything, those not served can state they have not been served (as A&A do) so the public can still choose an ISP not served with such a notice.
Why not disclose the content?
Again this is odd - the notice will require retention of communications data, and the government have already said what the worst case scenario of that is - the names of every web site you visit. So why hide what the notice says?
Maybe they want to collect even more data than we thought - but in that case the notice should be public as the public have a right to know what is going on. This should not be a law saying you can collect almost anything you want, and then secret notices detailing how far they have actually gone with that. We need transparency.
Remember, this is not targeted surveillance - it would not be tipping off a suspect if a retention notice is served on an ISP. And indeed, many ISPs would not want to say if they have been served a notice or not in public anyway.
Why there should not be any gagging order, i.e. scrap clause 77(2)
Assuming this awful bill comes to law and ISPs are expected to somehow magically collect web addresses people visit and carry out this mass surveillance on the innocent citizens of the UK, this is a huge technical and operational headache for ISPs. If the notices are secret then each ISP is on their own to solve that problem. If the notices are not secret then ISPs can present details of their solutions in the various industry forums like ISPA and UKNOF. Indeed, knowing the details of notices, third party solutions suppliers can produce equipment to meet the requirements of notices.
There is also the matter of whether the police and authorities that may want to get at the data somehow have to know which ISPs have been served notices and what data they retain.
One wonders if a (R)IPA request from the police could be replied with "Sorry, I cannot provide any data relating to your request as to do so could reveal if we have been served with a retention notice which would be in breach of 77(2) of the IPA if we have, and if we have not, then we have no data to provide anyway".
So ultimately the secrecy will create worse solutions, slower, and at much higher cost. Is that really the best way to spend public money?
Why not disclose the existence?
Maybe they don't want people to know which ISPs have had retention notices? But surely everyone will know the big players are going to be subject to one, such as BT, Virgin, Talk Talk, etc, so why would that be a secret?
Maybe they think people will choose an ISP that is not subject to a notice. But that makes no sense. For a start, anyone involved in any serious crime would assume they are monitored and use the simple step of Tor or VPN to bypass any such monitoring anyway. Also, whilst those served a notice cannot say anything, those not served can state they have not been served (as A&A do) so the public can still choose an ISP not served with such a notice.
Why not disclose the content?
Again this is odd - the notice will require retention of communications data, and the government have already said what the worst case scenario of that is - the names of every web site you visit. So why hide what the notice says?
Maybe they want to collect even more data than we thought - but in that case the notice should be public as the public have a right to know what is going on. This should not be a law saying you can collect almost anything you want, and then secret notices detailing how far they have actually gone with that. We need transparency.
Remember, this is not targeted surveillance - it would not be tipping off a suspect if a retention notice is served on an ISP. And indeed, many ISPs would not want to say if they have been served a notice or not in public anyway.
Why there should not be any gagging order, i.e. scrap clause 77(2)
Assuming this awful bill comes to law and ISPs are expected to somehow magically collect web addresses people visit and carry out this mass surveillance on the innocent citizens of the UK, this is a huge technical and operational headache for ISPs. If the notices are secret then each ISP is on their own to solve that problem. If the notices are not secret then ISPs can present details of their solutions in the various industry forums like ISPA and UKNOF. Indeed, knowing the details of notices, third party solutions suppliers can produce equipment to meet the requirements of notices.
There is also the matter of whether the police and authorities that may want to get at the data somehow have to know which ISPs have been served notices and what data they retain.
One wonders if a (R)IPA request from the police could be replied with "Sorry, I cannot provide any data relating to your request as to do so could reveal if we have been served with a retention notice which would be in breach of 77(2) of the IPA if we have, and if we have not, then we have no data to provide anyway".
So ultimately the secrecy will create worse solutions, slower, and at much higher cost. Is that really the best way to spend public money?
Subscribe to:
Comments (Atom)
eufyMake UV Printer E1 more experience
I am very much getting the hang of it now. Crystal glass is an issue, and still one option still to try involves a primer, which is on its w...
-
This is an appeal for (sensible) comments. I am working on revised A&A tariffs for broadband. For those that are not sure how they wor...
-
Broadband services are a wonderful innovation of our time, using multiple frequency bands (hence the name) to carry signals over wires (us... -
For many years I used a small stand-alone air-conditioning unit in my study (the box room in the house) and I even had a hole in the wall fo...