Net privacy wars will be with us always. Let's set some rules

Quick question number 1. Do you trust Google? The Movement for an Open Web (MOW) doesn't. It's taking Big G to the UK's Big C – the Competition and Markets Authority – over the forthcoming Chrome IP Protection feature. Quick question …

  1. Neil Barnes Silver badge
    Big Brother

    who it is that doesn't trust us – and why

    Governments don't trust their electors - they might vote for the wrong party next time.

    Search engine makers don't trust their users - they might not go to the page we've been paid to put at the top of the list.

    Browser makers don't trust anyone - they might have the temerity to use a different browser.

    OS makers don't trust anyone - how dare the user choose options other than those which we have, in our magnanimosity, selected for them?

    Computer makers don't trust anyone - you want to run an OS that isn't the one that mandated all these clever security chips?

    There's an old Yorkshire saying: they're all mad bar thee and me, and I'm not right sure about thee... The only half-way secure internet is one with hard encryption in transit. If you want to know who I talk to, use traffic analysis - but get a warrant first. But gentlemen do not read other people's mail.

    1. Anonymous Coward

      Re: who it is that doesn't trust us – and why

      "but get a warrant first"

      And that is the centre of the big state objectives. In every possible instance where there is a genuine need, they already could get a warrant. The point is they don't want to. The article refers humorously to "liberal democracies", but where are these fabled places? The US, UK, EU all have governments insisting that they need sweeping powers to monitor and intercept their own citizens' communications with zero meaningful oversight, and all are pressing ahead with different means to achieve the same goal.

    2. jmch Silver badge

      Re: who it is that doesn't trust us – and why

      All of the above, absolutely. A bit more detail into the government part, because that's the context for which the final comment seemed mostly directed at....

      ...for a large part of the development of liberal democracy, there were a lot of 'gentlemen's rules', and while a lot of principles about separation of power, avoiding conflict of interest etc did eventually get codified into constitutions and laws, there are still a large number of practices that evolved based on an understanding that the people in politics would operate from a basic code of honour. There have always been shysters in politics, but representative democracy opened the door to them in volume, since large populations give rise to both larger democratic institutions as well as a higher ratio of voters to representatives (making it easier for shysters to get elected from among a large voter pool who do not know them personally, only from propaganda). And now, many of these gentlemen's rules are no longer observed, and those observing them are taken advantage of.

      As more and more shysters entered politics for their own benefit, the potential grew for more collusion and corruption between legislative bodies, administrative bodies and large business interests. Again, corrupt businessmen, politicians and administrators are nothing new, they just became supercharged by the "economies of scale" provided by population and industrial growth. What was already correctly identified 50+ years ago as the 'military-industrial complex' is now a supercharged cancerous growth that also includes tech companies (which are, first and foremost, data-gathering/processing aka spying companies).

      All of this has been built on asymmetric information - in spite of the liberal mantra of transparent government and private personal life, the reality is that everyone's private life is available to those in power with a few clicks of a button (what's a warrant requirement after all, when judges are politically appointed??), and Freedom of Information legislation barely scratches the surface of the inner workings of government. (In addition to which, all the entities tasked with oversight and enforcement of the laughably weak rules in place are, themselves, branches of government).

      So saying "Governments don't trust their electors - they might vote for the wrong party next time" is also itself only scratching the surface... every government employee is beholden in some way to political will to keep or advance in their job, and every politician is beholden to the lobbyists who pay for their election campaign (and yes there are many honest exceptions but far less than the actively corrupt or those simply keeping out of the line of fire). If people really knew what was going on behind the scenes, they wouldn't be voting for a different party, they would be storming the Bastille.

      1. Anonymous Coward

        Re: who it is that doesn't trust us – and why

        All of the above.

        Just to drive home the notion of "shysters" seeking power, there's a book worth looking up for a read which deals with psychopaths entering businesses and the consequences of that. It isn't a huge leap to believe the exact same happens with regard to politics. "Snakes in Suits" ISBN 978-0-06-083772-3

        Meanwhile, this luddite wants to know, how will these rules stop browser companies from not 'operating' in a jurisdiction and us peons simply choosing to use their unadulterated browsers? Several companies of late threatened to 'leave' if certain security holes were hammered into end-to-end encryption so I can see this happening on some level for future insecure browser rules.

        I don't have to drink the government kool-aid right?

    3. yetanotheraoc Silver badge

      Re: who it is that doesn't trust us – and why

      upvoted for magnanimosity

    4. Anonymous Coward

      We're all doomed...

      Summary: "We're all doomed... don't trust anyone, don't trust the system, don't trust the MSM. Only trust me (and Trump (and Putin))."

      1. Dimmer Silver badge

        Re: We're all doomed...

        I would think it would be a viable business model to have a firewall or antivirus that randomizes the tracking data outbound and increase it by a factor of say, 10? Burn their resources.

        If the guys that made Snort and Tarpit made it, I would trust them.

        1. Anonymous Coward

          Re: We're all doomed...

          Sorry. I probably needed to add a <sarcasm> or <parody> tag. The proportion of negativity, pet-peeve and rant in this forum is unbearable and I sometimes wonder about the hidden agenda behind these posts. Hence the reference to the Trump/Putin couple.

          1. Michael Wojcik Silver badge

            Re: We're all doomed...

            "There's too much complaining here!"

            Yogi Berra has a worthy successor, it seems.

  2. Tubz Silver badge

    Covert monitoring in the lands of the free and democracy, at least the axis of evil states don't try and hide what they are doing behind fancy laws and acronyms, may I dare say it, even the Nazis were far more open when it came to state monitoring.

    1. ChoHag Silver badge

      Don't try and hide what they're doing?

      Is that why there's a Special Military Operation going on in Ukraine and not, say, a war?

      (and it's all going according to plan...)

  3. Mike 137 Silver badge

    "The eIDAS regulation is about trust"

    Actually, it's not about trust at all - it's about being forced to accept potential exposures that you may not even be aware of. That's what the tech politicos mean when they say "trust". Real trust is based on being informed and having the option not to trust, but the choice we have been handed is "accept blindly anything we throw at you or do without this service". And both the tech behemoths and governments seem to be in agreement that this is perfectly OK, despite cases where not accepting this may be life threatening. Already some five years ago the vast extent of tracking on government and health service web sites was clearly documented, but nothing seems to have changed for the better. Indeed the UK health service has recently made national scale changes to how folks can book appointments with their GP -- now exclusively via a central NHS online portal. This of course opens the possibility of the central NHS having a record of every interaction between patient and doctor, which you don't have to be paranoid to construe as a backdoor method of circumventing the central medical records register that was rejected by both the UK and European supreme courts as too intrusive.

    But quite apart from the privacy implications, the extent to which we unwittingly accept the presence of third party trackers and scripts with unknown function every time we visit a web site (even one we have decided to trust in the genuine sense) has become a major cause for concern. Not least from the security perspective it's darned dangerous, as is evidenced by the number of ransomware attacks that occur because someone 'clicked on a link'. It's impossible to trust something you are completely unaware of, so we must stop misusing the word to signify blind acceptance, or preferably abandon the bad practice its misuse signifies. Some hope, I fear.

  4. Woodnag

    Hypocrisy

    El Reg uses doubleclick... tracking straight back to Google.

    1. JulieM Silver badge

      Re: Hypocrisy

      According to my DNS, which answers all requests on port 53 no matter what IP address they were supposed to go to, doubleclick has IP address 127.0.0.2 .....

  5. Arthur the cat Silver badge

    But what about obvious, prior work-arounds?

    The eIDAS regulation makes an enormous change by mandating man-in-the-middle attack technology that it would be illegal for browser makers to defend against.

    As I've pointed out before, Firefox (and a lot of other code) gets its trusted root CAs from a plain text file rather than having them built into the browser. A file that any old text editor can change. Mozilla might possibly be forced to stuff the EU's dodgy roots in there (but they're a US not for profit, so the jurisdictional squabbles would be interesting), but anybody and their dog can fork a copy and offer alternative root sets as well as individuals doing their own thing on the installed file.

    1. Graham Cobb Silver badge

      Re: But what about obvious, prior work-arounds?

      Yep. Although the problem will be that commercial sites will get their certificates from the compromised CAs. So it will be impossible to access, say, my bank without compromise.

      So we may have to go back to having separate devices: one we trust, which only works with a small set of sites, and one we know is telling various governments about everything we display on our screen.

      1. Anonymous Coward

        Re: But what about obvious, prior work-arounds?

        I for one would advocate avoiding businesses / websites that enforce state spying.

      2. John H Woods

        Re: But what about obvious, prior work-arounds?

        Does Qubes help with this?

    2. mpi Silver badge

      Re: But what about obvious, prior work-arounds?

      > but anybody and their dog can fork a copy and offer alternative root sets as well

      No, anyone and their dog cannot.

      Go ask a random person on the street what "forking a browser" means. I can almost guarantee that the mental image that person forms in his head will include an eating implement, and a lot of confusion.

      "Truncating the systems root CA File" and "Re-synchronizing the plasma frequencies of the dilithium-manifold" may as well be the same sentence as far as most people on this planet are concerned. Just because something is simple for people in tech, doesn't mean it is for the vast majority of humans.

      1. Anonymous Coward

        Re: But what about obvious, prior work-arounds?

        I agree. But I also think an open-source 'app' will swiftly follow such legislation and 'patch' state mandated insecurity.

        The end point to all this will be jurisdiction overlap where 5-eyes style agreements on local law would overlap to enforce all this as widely as possible so their intelligence sharing is still worth a damn. That's when we'll all be downloading our browser fork or patches from Sealand hosted sites.

        Shortly after, the USA will invade Sealand citing national security and hidden chemical weapons under the waves as proof they're right to do so.

        Perhaps this dark future will push people off of going online and go for a walk instead.

  6. OhForF' Silver badge

    Do i trust (Google or Governments)?

    The question is incomplete, do i trust them to do what?

    There is no institution and there are very few people i'd say i trust absolutely. I do put some trust in my Government, e.g. i trust them to try and protect my physical safety but i'd not trust them to protect my private data. I although have complete trust that the politicians that make up said government will do whatever is in their best interest and that is about the same level of trust i assign to Alphabet.

    The rules need to say private data stays private.

  7. drankinatty

    How to weigh the equities?

    One is intentionally evil and wants to exploit the breach of your privacy for profit. The other is just erratic in its attempt to manage one's behavior -- though not immune to the frailties of competing (and some special) interests in its application of democracy. Hardly seems like a valid comparison. There are two different bodies of law that govern intentional acts and mere negligence.... Oh what a sticky wicket...

    1. nijam Silver badge

      Re: How to weigh the equities?

      > One is intentionally evil and wants to exploit the breach of your privacy for profit.

      The other is intentionally evil and wants to exploit the breach of your privacy for power.

      1. Snowy Silver badge

        Re: How to weigh the equities?

        Not sure they are different, profit (money) and power have the same kind of relationship as mass and energy. If you apply the correct method you can change one for the other and vice versa.

  8. StrangerHereMyself Silver badge

    Deeply suspicious

    I'm deeply suspicious not just of the EU, but the governments who are quietly supporting the EU's drive to subvert and undermine encryption in Europe.

    I feel they're abusing the EU to push through laws which they know they cannot pass in their own countries for fear of a political backlash. By going the EU-route they can proclaim they had "no choice" but to implement these laws because the EU demands it of them.

    As far as I'm concerned democracy is dead in Europe. It is deeply troubling that democratic nations would want legislation which allows them to control their populace. They all sell it as a prerogative to combat child pornography and terrorism, but we all know these will not be affected by these laws (or merely as a side-effect). The real aim is to rat out "undesirables" that are critical of the government policies.

    1. Graham Cobb Silver badge

      Re: Deeply suspicious

      "EU-washing" of policies is nothing new - and is the main reason moderate UK governments didn't support leaving the EU until the idiots took over. It is so very, very convenient for any government to have someone to blame for policies unpopular with either the electorate or their own back-benchers.

      The loss of it has caused the rise of the extremist and/or populist factions of all the parties we have seen in the last couple of years.

      1. StrangerHereMyself Silver badge

        Re: Deeply suspicious

        I would even go so far as to proclaim that the EU didn't come up with these laws themselves, but that they were whispered in their ear by EU member states.

        I've seen member states publicly oppose similar legislation only to turn around and approve it anyway at the end of the legislative process. I feel they're deliberately misleading their constituents about their intentions.

  9. HereAndGone

    Unintended Fake Security

    A few years back (okay more than a few years - I'm old) I looked at our corporate security system that implemented essentially the same thing via mandatory certs to access the corporate gateway. It used "Bluecoat" as I recall. One interesting feature was that I could go to an untrusted self-signed web site (my own ... which should never be trusted) and the corporate MiTM would helpfully intercept the encrypted communication before forwarding the connection onward, in the process telling my browser the connection was certified secure, because it was as far as the corporate gateway.

    I'm sure this has been fixed by now ... yeah I'm sure ... pretty sure ... too obvious not to have been fixed ... optimistic ... ?

    1. Michael Wojcik Silver badge

      Re: Unintended Fake Security

      Many organizations use a captive CA and OS mechanisms for updating trust-anchor stores to do TLS termination and interception. That's hardly unusual. Yes, browsers with trust stores separate from the OS make this a bit more difficult, but because that causes user inconvenience, users will generally be happy to follow instructions from organizational IT to add the organization's roots.

      Don't use work equipment for anything you don't want your employer to see. It's as simple as that.

  10. This post has been deleted by its author
