I bet the Queen's internet history won't be kept, nor that of other members of the Royal Family. I'm looking at you Prince Andrew...
But that's none of my business.
Queen Elizabeth II today signs off on Parliament's Investigatory Powers Act, officially making it law in the UK. Her Maj not only had the last word on the new legislation — aka the Snoopers' Charter — she had the first. She publicly announced what the law would be called during the official opening of Parliament after last …
It'll all be kept. Making exceptions for a handful of people is easier in the client which queries the ISP databases than in each ISP.
And then there'll be some Konami code in the client which removes the exceptions, because someone will want that.
Perhaps everyone should change their name by deed poll to Prince Andrew.
It's the spinning engines of Babbage!
...none of these dazed and sullen portraits matched the memory. "Is there any reason why you wouldn't have this man?"
"Perhaps your man has no criminal record," Tobias said. "We could run the card again, to check against the general population. But that would take us weeks of Engine-spinning, and require a special clearance from the people upstairs."
"Why so long, pray?"
"Dr. Mallory, we have everyone in Britain in our records. Everyone who's ever applied for work, or paid taxes, or been arrested." Tobias was apologetic, painfully eager to help. "Is he a foreigner perhaps?"
"I'm certain he was British, and a blackguard. He was armed and dangerous. But I simply don't see him here."
"Perhaps it is a bad likeness, sir. Your criminal classes, they like to puff out their cheeks for criminal photography. Wads of cotton up their noses, and suchlike tricks. I'm sure he's there, sir."
"I don't believe it. Is there another possibility?"
Tobias sat down, defeated. "That's all we have, sir. Unless you want to change your description."
"Might someone have removed his portrait?"
Tobias looked shocked. "That would be tampering with official files, sir. A felony transportation-offense. I'm sure none of the clerks would have done such a thing." There was a heavy pause.
"However?" Mallory urged.
"Well, the files are sacrosanct, sir. It is what we're all about here, as you know. But there are certain highly placed officials, from outside the Bureau—men who serve the confidential safety of the realm. If you know the gents I mean."
"I don't believe I do," Mallory said.
"A very few gentlemen, in positions of great trust and discretion," Tobias said. He glanced at the other men in the room, and lowered his voice. "Perhaps you've heard of what they call 'the Special Cabinet'? Or the Special Bureau of the Bow Street police…?"
"Anyone else?" Mallory said.
"Well, the Royal Family, of course. We are servants of the Crown here, after all. If Albert himself were to command our Minister of Statistics…"
"What about the Prime Minister? Lord Byron?"
Tobias made no reply. His face had soured.
"An idle question," Mallory said. "Forget I asked it. It's a scholar's habit, you see—when a topic interests me, I explore its specifics, even to the point of pedantry. But it has no relevance here." Mallory peered at the pictures again, with a show of close attention. "No doubt it is my own fault—the light here is not all it might be."
Who can view my internet history?
A list of who will have the power to access your internet connection records is set out in Schedule 4 of the Act. It’s longer than you might imagine:
Metropolitan police force
City of London police force
Police forces maintained under section 2 of the Police Act 1996
Police Service of Scotland
Police Service of Northern Ireland
British Transport Police
Ministry of Defence Police
Royal Navy Police
Royal Military Police
Royal Air Force Police
Security Service
Secret Intelligence Service
GCHQ
Ministry of Defence
Department of Health
Home Office
Ministry of Justice
National Crime Agency
HM Revenue & Customs
Department for Transport
Department for Work and Pensions
NHS trusts and foundation trusts in England that provide ambulance services
Common Services Agency for the Scottish Health Service
Competition and Markets Authority
Criminal Cases Review Commission
Department for Communities in Northern Ireland
Department for the Economy in Northern Ireland
Department of Justice in Northern Ireland
Financial Conduct Authority
Fire and rescue authorities under the Fire and Rescue Services Act 2004
Food Standards Agency
Food Standards Scotland
Gambling Commission
Gangmasters and Labour Abuse Authority
Health and Safety Executive
Independent Police Complaints Commissioner
Information Commissioner
NHS Business Services Authority
Northern Ireland Ambulance Service Health and Social Care Trust
Northern Ireland Fire and Rescue Service Board
Northern Ireland Health and Social Care Regional Business Services Organisation
Office of Communications
Office of the Police Ombudsman for Northern Ireland
Police Investigations and Review Commissioner
Scottish Ambulance Service Board
Scottish Criminal Cases Review Commission
Serious Fraud Office
Welsh Ambulance Services National Health Service Trust
No chance for anything to go wrong there.
Welsh Ambulance Services National Health Service Trust?
Why on earth should they have the right to look at anybodies browsing history (let alone mine...)?
What's the justification? Do the Welsh ambulance services national health service trust need to check to make sure their customers haven't caught a computer virus?
so what's going to happen :
The NHS will know your browsing and purchase history, then know you smoke, drink too much alcohol and eat too much junk food. ( or well have suspicions )
Then when you go to see Dr Donald Duck, your local NHS GP, he might say
"Well Mr X, I can see you've been a very bad boy, and now treatments are rationed on lifestyle I'm afraid you a well and truly b*****ed "
its the future, and I guess we all know this is how it could turn out ...
Use Cash in Canada and the government will consider that probable cause for further investigations. That was the reason given for removing the $1,000 dollar note from circulation and why cash deposits of $5,000 or more or cash deposits of large number of smaller denominations have to be reported. Using cash is a criminal activity.
It would be useful to have a brief description of the hoops through which one of these many agencies must jump before gaining access to the stored data. That, along with who can grant access, might be a deal more important than who can request and receive the data.
Careful now, sensible talk like that has no place on Internet forums:
https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/473745/Factsheet-Internet_Connection_Records.pdf
Also states that local authorities will never have access.
Although I'm completley opposed to this and have been wondering if my UK based VPS provider will be required to keep records; and if I can buy a DrayTek Vigor and route all my traffic over an IPSEC tunnel to the VPS.....
All these references will be stored at your ISP & you'll pay for the storage, so the more you generate, the more you pay.
Plus it will soak up your data allowance, not everyone has an unlimited connection
Plus anyone searching your ICR log can search through a couple of gigabytes with a laptop in minutes the random entries won't help
This post has been deleted by its author
That's great until the plod break down your door because your script accidentally connected to a server hosting child porn.
Of course, you know you're innocent, but your lawyer will tell you that although you could try and fight it in court, it'll take years, and loads of cash, and everyone will still think you're a kiddie fiddler anyway, so the safest thing to do is plead guilty.
now there's an idea. A slight variant ... a script that randomly puts some characters or even words into Google, get a few search results from several pages. Just does a curl of some of them with randomised timing , run it via cron a plausible times. The ISPs search history would just be full of random poo poo.
My comments from 5 months ago http://forums.theregister.co.uk/forum/containing/2897276
And before that http://forums.theregister.co.uk/forum/containing/2797508
It seems no one listens
As soon as the ICR logs are up and running you can no longer trust any site you visit not to contaminate it with dodgy references, your only solutions are to use VPN's or Tor to bypass the ICR and these have their own drawbacks
The internet was designed to survive nuclear strikes, Theresa May just destroyed it with a pen
As usual, laws like this tend to suffer from the "Law of Unintended Consequences": secure messaging encryption, TOR proxies and VPNs are now commodified so that anyone who has something they want to hide from the state can easily do so and, more importantly, it's better hidden than used to be possible.
The government can collect all the fucking data it wants; it'll do them little good. But I worry a lot about what happens after the inevitable data breaches: criminals now have extremely good reasons to try and get hold of this stuff and the government have conveniently offered to put all the data in one place.
Bad guys getting hold of the log is one thing, but it's too easy to plant evidence in your ICR log without your knowledge, all it takes is a couple of lines of JavaScript inserted into a legitimate 3rd party script and content from any site in the world can be downloaded to your PC and be logged in your ICR without your knowledge and no antivirus or antimalware in the world can stop it.
> Bad guys getting hold of the log is one thing, but it's too easy to plant evidence in your ICR log without your knowledge
Yes but, according to my forensics course years ago anyway, it is difficult to prove to whichever standard is required by the situation at hand, that it was a particular person accessing the questionable material. Besides, in sane societies (which squarely excludes England) the mens rea would need to be unambiguously established.
Then again, that's a small consolation. If someone is trying to bring you down (e.g., because you would come in handy as a prosecutable suspect when they can't find the actual culprit, cf. the Guildford four) you've got a pretty big problem, because they're not just going to go away.
It doesn't work that way if they use 'Cain & Able' to plant files set with dates months or years before the date they attacked the PC I'm told. Then try proving to a court of law that you didn't even own the device or hard-drive at that time. And when half a dozen coppers have been spreading lies where you live your a kiddie fiddler someone will have put that on-line and no doubt any jury will be contaminated as no-one can resist looking up, or getting a family member to lookup, a defendants name once their on a jury these days... And the damage done by the long delays of getting devices forensically analysed leading to years on remand or bail is already well known.
If you are of interest to a law enforcement agency, and if you use anonymizers or VPNs or encrypted messaging, that is likely to increase their interest and bring closer scrutiny. If they have a decently plausible justification, they may be able to obtain a warrant (or UK equivalent, if different) for access that is much more intrusive than metadata collection, and much more likely to succeed in obtaining information about your activities in connection with whatever caught their attention in the first place.
The short version: if the police are interested in you, they generally will find ways to investigate you.
> The short version: if the police are interested in you, they generally will find ways to investigate you.
Yes, but presumably the other gentleman is advocating circumvention precisely because they should not be sticking their noses into the general populace's lives. However, as pointed out, the net result is that it now makes it *harder* for them to track those who are of actual interest.
I find it interesting that fairly straightforward and likely enough correct statements are so often downvoted and disputed.
The point was that if the police are interested in you, no matter the reason, using a VPN or TOR is unlikely to deter them or interfere significantly with their ability to pursue that interest. And it is not at all obvious that it will make it harder. Communication data surveillance is only one of their tools, and for in-country residents probably is one of the least important.
> The point was that if the police are interested in you
Tom, none apart from you are talking about the cases where the police *are* legitimately interested in you.
What we're talking about is when every fucking man and their dog got essentially unrestricted access to your communications *even though* they have no legitimate interest in you.
This is the whole point. IF someone is of interest, then the relevant authorities should go and get the proper authorisation and carry out a proper investigation. Scooping up everyone's data in the hopes it might contain something of interest can hardly be called investigatory, as this act's title suggests,...it's simply an invasion of privacy.
If you are only trying to avoid mass surveillance pretty much any vpn will do. There will always be a need for targeted surveillance, and as long as it requires an effort and has some oversight then I'm prepared to put up with it.
It's this 'Collect everything, from everyone' aspect that just about anyone in the public sector will be able to view that I object to - it's just to damned easy to abuse this kind of power.
Just keep moving yourself above that low bar and avoid doing things that will attract *serious* attention and this becomes a war of attrition. It's always been a lot easier to make things harder than it is to make things easier, so we should manage to stay ahead of the game*.
*This assumes they don't make encrypted traffic illegal of course. It would be totally idiotic and financially suicidal to do so, but I still wouldn't put it past them to actually try.
Not just VPN - you want a DNS provider who isn't your ISP. Your browser doesn't actually ask your ISP for a URL, it asks to set up a connection to an IP address (though your ISP might snoop any unencrypted packets to see what else it can find, and for SSL that might leak the domain name), and it gets the IP address by asking a DNS provider for it (which typically defaults to your ISP's caching DNS server.) By doing DNS lookups somewhere else, you can reduce the amount of data your ISP collects. This doesn't always keep the snoopers from seeing it (e.g. anycast-based DNS servers like Google's 8.8.8.8 will typically connect you to their nearest server, which will typically be in your country), but it does increase the work they need to do, and you can further separate the queries in time by caching DNS results in your computer.
@Mage
Yes, but how would you know they are not working for GCHQ?
I have less of an issue with GCHQ and security services, subject to proper oversight, but it is the inclusion of non-security service busybodies that is the issue. Think of the children? Well, if there is a child protection/safety issue, then whatever organisation can/should get the Police involved.
If you live in a Five Eyes country, you probably would be more at risk using externally-based facilities (possibly including TOR). In the US, at least, legal protections are much stricter on (legal) residents than they are on those in other countries who are not US citizens. I have not seen anything detailed about it, but suspect that there are side agreements among Five Eyes governments to not target (or to be gentle about targeting) each other's citizens.
None of that would apply to external communication endpoints. The applicable legal protections might not be honored, but they might, and for the US, at least, there is some evidence that they are. Where they are, they might be effective, and that is better than the case where they do not exist at all.
You start with discarding the first page of Google search results (who, by the way, will have logged your search, so maybe use DuckDuckGo instead, or startpage.com).
Next, you evaluate where they actually are - geo-locate the IP address of the service (use http://www.ipligence.com/geolocation, for instance). If it's UK or US, forget it. Germany is still relatively OK. Then you work out who the actual company is and where they are based. Again, if in US or UK forget it as they can be forced to divulge data without too much in the way of due process.
After that it's more a matter of testing throughput - if someone offers you a VPN of speed X, it means they have to handle a dataflow coming in from whatever Internet location you access as well as the data flow outbound towards you.
That should get you going.
AC,
thanks, something to start with.
Re speeds & stuff, even though we're in the middle of Devon, we get 50 down / 100 up on our broadband, could that have any bearing re potential VPN providers on my 'shopping list'?
Your help is much appreciated, please have one on me!
Regards,
Jay
If you're technically skilled and can configure OpenVPN or one of its cousins, then get a VPS (Virtual Private Server) with a European provider (excluding Scandinavia, including Russia) and set it up yourself. OVH for example are a reliable option and they have stood up for their users before.
It's not actually going to make you any safer, but it is a good way to make a statement.
Re speeds & stuff, even though we're in the middle of Devon, we get 50 down / 100 up on our broadband, could that have any bearing re potential VPN providers on my 'shopping list'?
It appears your speed will not be the issue, but their speed might be. It's not as easy as just bandwidth, there's also the question of how much contended it is (how many people share the same pipe) and where their exit points are.
The Swedish provider FrootVPN suggested by @Farcycle looks indeed interesting, just be aware that Sweden has the FRA law - a law that facilitates the intercept of specifically foreign traffic. It's still far better controlled than laws curtailing UK law enforcement, but it exists for a reason..
This is purely and simply against the law.
It makes a mockery of Anti discrimination laws that are currently in statute, protecting LGBT individuals so its impossible to implement. And that's just an example off the top of my head. It is illegal under UK law to reveal someone's status without their express permission. This would out every single LGBT individual in the UK so fast their feet wouldn't touch. Expect privacy for your 3 year old trans child? Yeah right, social services will know before you can sign up to the mailing list.
Oohh look, this person was researching cancer or hiv treatments - let's blackmail them by threatening to tell their employer. Ooh this student is researching and doing a modern day Kinsey report.. Paydirt... And hes black? Double Paydirt and he's Muslim??! *cue a when Harry met Sally scene* or that overlogging episode from South Park...
I think our German royal family should either get the chop in their entirety or sent back where they came from. Danny Dyer might be a rude, arrogant chimpanzee of a man, but at least he's English (sorta). We could always have an independent royal complaints committee - three strikes and you're impaled up the bottom in Hyde Park.
And why, pray tell, do the food standards and anything to do with Wales need to know about my personal information? The only reason I'd go there again (family holidays, it didn't end well) would involve the more modern denizens of Bovingdon tank museum and a broad interpretation of "omelettes & eggs".
Heinrich Himmler must be laughing himself sick!
I'll have to ring Putin and see if he's got any Junin going spare... A nice dose of irony that, wiping out the conservatives with a Argentinian disease..
just to say i love you. I couldn't agree more with your comments. i personally would question why individuals privacy is stored and shared.. yet the legislators are private from inspection.
i truely cannot believe this sh*t has gone through completely untouched (well.. not significantly). The fact its been happening for years .. nobody bats an eyelid.
but.. if it's been happening for years... why are such events as 7/7 etc.. not stopped.
Surely the gov "spies" need to target the bad sites? not their visitors every personal detail??
its a huge open door of the nanny state psych. and gone unchallenged. In the years of poll tax, we overthrew and changed the law with displays of public dissatisfaction. why are we not doing that now??
i'm sickened.
hugs
7/7 wasn't stopped because it wasn't in the interest of the government to stop it. They were warned that certain people were looking for ammonium nitrate fertiliser who didn't have any reason to want it. I know because it was a member of my family who bloody warned them. They ignored the warnings. These charming gentlemen managed to buy it off farm anyway (despite being followed by piggies for months) ... And then the police tried to put the boot into my relative, who told them in no uncertain terms to, as the Plymouth Brethren might put it, to "go *bleep* thyselves, up the fundament, lacking the soothing balm of lubricant".
There are people who will tell you 9/11 was a false flag operation, including fbi/nsa senior employees. I can't help wondering whether it was known all along what was being planned and 7/7 was allowed to play out to get us, amongst other events, to where we are now.
There are some seriously sick individuals in government, Theresa May is just the visible tip of the turd burg and we just steamed into it at 22kts.
Incidentally, I think the sociopaths charter even breaks Magna Carta! Isn't that a pleasant thought?
"i truely cannot believe this sh*t has gone through completely untouched"
I know. Brexit distracted everyone and pushed the door wider open. El Trumpo created even more distraction.
We've held this off successfully for years, but someone dropped the line somewhere...
As mentioned in previous comments someone somewhere will hack in and obtain all this stored info. The question is who do I sue for failing to keep my data safe?
a) The ISP because they suffered the data breach
b )The government because they forced the ISP to retain this information
c) Myself because the above will have iron clad protection from being responsible for any loss of data and I should have used Tor and a VPN running through another VPN to a satellite that encrypts the encrypted data and downloads it to another PC through another VPN (can't have too many), 3 decryption programs, back through TOR and then to my PC - so it is all my fault.
Ok, now this shitshow is law, time for a sweepstake or three. Closest guess to the correct date wins 100 internet points*
1) Time until a civil servant/copper/fireman/ambulance driver etc. gets caught looking up the records for their ex/friend/SO/parent/favourite celeb?
2) Time until a civil servant (etc) gets caught selling details of a lookup to the press. 50 bonus points if you can guess which organisation this will be (The Met has already been picked)?
3) Time until there's a large scale breach exposing the details of more than 100 people?
* Internet points cannot be used, transferred or sold. They are in fact completely useless, but they might earn you 20 hours of community service.
I just had a thought, this bill will murder investment in the UK.
Imagine it,
You want to send sensitive company data to any employees, securely, you can't.
You want to leave said data on an intranet with web access securely, oh look, you can't.
You want to research a company with a view to a takeover, in private, hah some chance
Even if I'm being overly paranoid, if companies haven't legged it because of brexit, they'll be leaving in droves if they can't rely on secure internet as a general principle.
It's commercial suicide.. Especially since we're a service economy.. Cue the Jarrow Dataminers strike 2017..
You want to send sensitive company data to any employees, securely, you can't.
=> PGP will protect the data. If sending the data is authorized, would the metadata matter?
You want to leave said data on an intranet with web access securely, oh look, you can't.
=> On an intranet with web access: Does the act really cover internal transmission? Surely you did not mean web access from the public Internet and securely in the same sentence.
You want to research a company with a view to a takeover, in private, hah some chance
=> For those of us lacking the knowledge and imagination, it would help to have a plausible scenario in which searching public sources would be a problem.
Even if I'm being overly paranoid, if companies haven't legged it because of brexit, they'll be leaving in droves if they can't rely on secure internet as a general principle.
=> As I understand it, the act has little to do with Internet security, but something, maybe a lot, to do with privacy of some kinds of information in some circumstances.
It is one thing knowing of second and third party browsing histories, it is quite something else completely different, to know what to do with the information in order to extraordinarily render ones position safe and secure for emerging technologies and renegade operations.
One trusts, or is it that one can only hope, that the Royal Household has competent knights on their team au fait with the delicate intricacies of such plays in Great Games. To be found out as a naked emperor, as all hapless fools are ensured and assured to be, guarantees crowns and jewels lost.
I'm just waiting for Buckingham Palace to announce that Sir Talbot Buxomly will be taking up his duties in reference to the above..
Prince Charles : "Is he qualified?"
Journalist "he's a violent, bigoted, mindless old fool"
Prince Charles: "Ah, somewhat overqualified..."
I bet if Ben Elton and the team behind Blackadder had ever pitched a script like modern reality they'd have been told to go sober up.
My heartfelt contrafibularities for the Blackadder the Third reference.
I've just installed Opera on all of my computers. It may not be the best browser, but it does have a built-in VPN and I'm not making it easy for these bastards on general principle. Given the history of misuse of law in this country there is no chance whatsoever that "those with nothing to hide" will be safe from anything.
I also very much doubt the legality of this under EU law, but at best that's a temporary reprieve, it'll just resurface in a few years.
@amanfromMars 1
Hello amanfromMars, Greetings!
Not being offensive or anything, just reading your (and previous) prose and am truly curious.
Were you, in your youth maybe, of the hippy persuasion, and possibly a little over enthusiastic with the extended dropping of a certain acidic compound?
Long, long ago, some foreign cretin once (without my knowledge) slipped me some inside a soft-centred square of chocolate in a Continental canal-side bar, and - after I got over the odd behaviour of my arms wanting to float up towards my head every time I took my eyes off them - I spent a happy few hours watching regiments and battalions of bricks doing a march, wheel and counter-march routine along the opposite canal wall. Interspersed with the fantastic multicoloured rippling wash of small boats along and amongst the marching bricks it was an extraordinary experience - and yet, there's something about your prose that immediately reminds me of that sunny (and rainbow coloured) afternoon.
Or are you perhaps an admirer of Lewis Carroll's 'Jabberwocky'?
No offence meant I assure you, just honest curiousity about your unique style.
I suppose one can consider oneself somewhat blessed, Cardinal, if one’s natural default in life’s experiences and experiments is not to run away with and be taken over by enthusiasm to lose oneself and control of oneself and/or others in the cruel addictive command of excess.
And spiking a chocolate confection with Albert Hofmann’s finest is certainly tantamount to a crime against sanity. ’Twas undoubtedly a cretinous deed, indeed.
It is more than just pleasing though to read that it was for you that particular time, a happy trip, whenever journeys of horrors are also so freely available to the unwary and scary.
I know that the ISP's have to keep a list of the sites you go to, but what about all of the subsequent links - what I mean is, just looking at El Reg, if I load it without No Script 7 different sites are contacted. All of those need to be recorded?
Theresa May - A name to go with it!
Wonder what history will call the current Parliament - 'The Worthless Parliament'? 'The Shameful Parliament'? 'The Parliament of Lickspittles' that yawn and sign away the essential privacy of their citizens (and their own families) with barely a debate or word of protest?
Well. their names will be there for all to see for as long as Hansard (and history) lasts.
Perhaps we should in future refer to the current shower as 'The Regime' rather than 'the Government'. They seem to have taken the first step down a VERY slippery slope.
Both my parents spent 6 years in the Forces, fighting against Hitler and his ideas.
Don't think they were fighting for Theresa May and hers though.
...says you won't be logging the sites I visit, Theresa.
It's also a handy way of viewing smut on a mobile, without the prudish network providers sticking their nose into your traffic.
Also, I do believe there are utilities that will spray the internet with false trails on your behalf to keep cyber plod busy. Brexit. Trump. State Surveillance. The world's gone mad.
@AC
GCHQ probably have that in hand already.
With every juicy titbit being filed away in the blackmail bank for future use as needed.
(They who control the politicians control the levers of power - Permanently!) (Herbert Hoover) (probably)
Christ - What sort of country is being created here.
It's not Britain (as I've always known it) anyway.
It's not Britain (as I've always known it) anyway.
No, it's Ms May's private wet dream police state. She just needs to get the interfering EU out of the picture and she'll be free to push through even more mindbloggling gross indignities and abuse of personal rights.
It's o.k. :-) If the government actually uses this power correctly it could be of great benefit to the country... (hear me out :-) What "IF" they actually correlated all the URL usage so that HMRC had a valid means to track the tax owed for online UK purchases?
Might sound a little out there, it may though be a great way to ensure big companies actually paid the correct amount of UK TAX at source. Still depends if they actually have the testicles for it.
This is exactly the argumentation that brings this kind of legislation to your door, into your bedroom and up your sphincter.
It was for the pedophiles. It was the terrorists. It was for the tax evaders.
Yes, I would sign away my liberty and embrace Hitler so that everybody pays the tax that's due. Especially the jews.