Posts by king_tut

Re: Thoroughly underwhelming joint Committee

> why this bill should be shelved

One thing to bear in mind with any effort to shelve this bill. Everything apart from the ICRs (i.e. the ISP mandated logging of metadata), and to a small extent the National Security Notices, is already being done, and being done with very little oversight. Shelving the bill would retain the status quo - namely that things like Equipment Interference (hacking) will continue under the Wireless Telegraphy Act, with no oversight, will continue. Be careful what you wish for.

Re: Thoroughly underwhelming joint Committee

@streaky

Absolutely! Everyone who has a clue should put in a submission - I'm already working on mine, covering a number of points (which I'm posting on my blog as well)

It needs to be informed evidence though. Just ranting about privacy will be ignored. If concrete examples can be given, etc, then a lot more notice will likely be taken. Hell, if they like the submission, they may even request you come down and given evidence in person.

Note that the link you provided was for the Science & Technology committee, so evidence should be limited to technical matters.

There is also the joint committee on the bill itself, which can be contacted for wider issues/evidence: http://www.parliament.uk/business/committees/committees-a-z/joint-select/draft-investigatory-powers-bill/contact-us/

Re: Thoroughly underwhelming joint Committee

Not his scary homophobic views, but his overall authoritarian stance. If you're bored, I recommend you reading his truly bizarre speech on the Investigatory Powers Bill: http://www.theyworkforyou.com/lords/?id=2015-07-08a.190.0&s=speaker%3A13253#g198.0

And he's one of only 4 joint committee members who have even spoken on the IP Bill, DRIPA, or the Anderson report!

For more details on the breakdown: https://kingtut666.wordpress.com/2015/11/26/no-evidence-of-balance-the-joint-committee-on-draft-investigatory-powers-bill/

Re: IPBill

@Doctor Syntax

Under s6, the Investigatory Powers Commissioner can opt to levy a fine (monetary penalty notice) if an interception occurred without lawful authority (defined in s5 - basically that a warrant is in place), but wasn't intentional. i.e. if a cockup happens and you accidentally intercept someone/something you shouldn't have. However, s6(3)(c) gives a get-out-of-jail of if the person was making an attempt to act in accordance with a warrant, so not all cock-ups are covered.

Appeals would go through the First-Tier Tribunal, which is a court of law. Essentially the situation is like a fixed penalty notice.

If the interception was intentional, and without lawful authority, then it's a crime under s2, with 2 years in jail and/or a fine as the penalty.

In this particular case, it appears that a warrant would have been present, but wouldn't have gone through the process correctly. I'm not sure therefore whether there was, or was not "lawful authority". Yet another bit of the IP Bill that needs proper definition. Ho hum :)

Re: @ King Tut

> IMEI blocked? so just the ne'er-do-wellers will use the phone on another network (or country)...

True. But that doesn't affect the confidentiality or integrity of my data, or any usefulness wrt my phone number as an identity (i.e. the subjects of this discussion)

Plus, if more people got their IMEI blocked, then stealing phones would be less profitable...

Re: @ King Tut

Yep, SIM lock as well. And I had the IMEI blocked within 30 mins.

It's depressing how little attention people take to their own security :(

Re: a user’s identity is their public key

Some more detail here...

Basically, the identity (in this case a phone number, but could be an email address or whatever) is used as a public key (sort of), but the key thing is that a Key Management Server (KMS) is used to provide the private key for that public key. The KMS ensures only the holder of that identity gains access to the private key. The KMS is equivalent to a root certificate in terms of trust.

There is no requirement for one big KMS etc. Instead, each 'service' can run its own KMS. E.g. want to be able to use your phone number to do secure comms to the NHS, you can register with the NHS's KMS. Want to also have secure comms between a group of friends, you can run your own KMS on a server you trust. Each KMS will create a different private key for the given identity.

Want to be able to access a load of services that trust each other - they'll either have one big KMS, or some kind of trust relationship between them.

Re: @ King Tut

> GCHQ don't need to nick your phone, they can intercept the text messages.

As can many other people. Your voice calls and text messages are only encrypted during the wireless stage between your phone and the base station - everything else is in the clear. GCHQ (+NSA, FSB, DGSI/DGSE, BND/BfV, and so on) are I'm sure more than happy for you to use insecure comms - the current situation.

Re: @ King Tut

I have. And it was locked, so I didn't lose anything.

But still, the key point for secure comms is protecting device<->device. The "a user’s identity is their public key" is specific to secure voice - I don't think the standard is suggesting anything else.

Outside that is a human problem, which neither MIKEY-SAKKE nor any of the other equivalent standards would do anything to fix. Blaming a protocol for not fixing a problem it wasn't aiming to fix, is like saying the El Reg is a shite website because they haven't sent me any hookers recently.

It's a fair point that people need to realise that phone != person. I'd hope that was generally obvious. This is precisely why you need to authenticate to your back when you phone it - even if you're phoning from your mobile, which they have as your number in records. The phone number is easily spoofed if you've the right kind of connection, and so mustn't be trusted, even excluding the theft argument. Instead, you're authenticating by something you know, rather than something you have. The difference is, that if you're using secure voice comms, you can be reasonable sure that the confidentiality of that person<->org authentication is secure - a major difference from the situation now.

Re: On the back of a fag packet

@xj650t: I think you're under-estimating the number of URL requests - don't forget advertising etc.

However, let's look at the numbers a different way: 10000 requests/user/day, 200 bytes average per request, = 2MB/user/day. = 730MB/user/year, £50/2TB hard drive, = 1.8p/user/year (plus SAN costs etc)

And if you look at https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/473769/Internet_Connection_Records_Evidence_Base.pdf it's entirely likely that # of criminals caught would be >0.

Re: TOR Lite for the masses?

@Nifty

> With a rushed out bill like this, a privacy arms race will start.

It's not especially rushed out. This is a draft, which will then go through two different committees*, will then be introduced as a normal bill in parliament, will go through the commons (1st, 2nd reading*, committee*, 3rd reading*) then lords (1st, 2nd reading*, committee*, 3rd reading*). Each * marks a debate. They're looking for this to go through late in 2016. That's really not rushed.

I also think you're vastly overestimating how much the average person cares about privacy. And I think it's unfortunate that so few people do care.

Re: Logging all requests or just some?

> They won't be logging domains because resolution to ip addresses happens on the user's computer (and quite possibly soon in the browser to secure DNS).

Note that for HTTPS connections, the ISP can know the hostname of the service you're accessing, due to SNI: https://en.wikipedia.org/wiki/Server_Name_Indication

Re: A Request

@TimR: I don't work for El Reg, but that is precisely the sort of thing I'm working on at the moment. I expect that within a week or two you'll find my, and many other people's, analysis on line. Which a Reg writer will then skim through and write an article :)

I'm not up to the ICRs yet in my read through. God it's a long document...

Re: Cautiously optimistic

@Charlie Clark

> The biggest question the bill has to answer is why is it needed at all? It's just another expensive and ineffective powergrab that further limits civil liberties. hm, how long do we need to consider that?

They've partially tried to make that point in the intro to the document, but with nowhere near enough detail. The David Anderson QC report was much better IMHO.

From what I can see so far though, there are very few new powers (although there are definitely some, which the gov isn't being honest about). A lot of the things being talked about as new, weren't. Instead, they were previously indirectly allowed as a side effect of the Intelligence Services Act, Wireless Telegraphy Act, and a few others, and had no real oversight or protections in place. This Bill is apparently trying to collect and collate all the different related powers in one single place, and put them under a uniform and good (albeit with some big issues) warrant and oversight regime.

This Bill shouldn't cost much money, and is a _vast_ improvement over RIPA and DRIPA in many areas.

Re: Cautiously optimistic

@Nick Kew: Yeah, I'm rather bemused by the downvotes, especially as I didn't think I'd said anything especially controversial. Ho-hum :)

As an aside, I'm now on pp63, and have found a few issues I don't like. Have 2 pages of notes already, and haven't gotten to the scary stuff yet (bulk interception).

Re: Cautiously optimistic

Re: Ledswinger

>> Be polite now, being rude doesn't advance your valid point

> I didn't think that calling the OP a government lickspittle was being rude, more a matter of record.

Personally I do feel it rude, but that's not relevant. What was relevant is that the poster making that claim made (IMHO) no valid supports. I'm also intrigued where this 'record' is that describes OP as a gov lickspittle as I know for a fact he isn't, and has regularly complained about RIPA, DRIPA, and other laws.

Source: Am OP :)

Re: Cautiously optimistic

>> This is vastly better than previous Bills, and based on May's statement I am cautiously optimistic

> Speak for yourself, government lickspittle.

Hmmm, a good start to your argument.

> This is the sort of behaviour that for years we've known to be the province of totalitarian regimes like East German and North Korea. I don't need to read 200+ pages of poorly written rubbish to know that this is a mad, bad and stupid idea, from mad, bad, and stupid people.

Nice to see evidence for your argument - you have an opinion and don't need any facts to support them...

> If that pasty faced rich boy and his boot faced home secretary thinks they are going to solve anything by spying on the entire population, then it only shows even more what a pair of vacuous twerps they both are. I don't want my government spying on me and everybody else just in case the police, taxman or bunglers of local government think it might be useful. I don't buy all this "terrible, terrible threats" nonsense that the security services peddle.

You don't like the current government. Okay. Neither do I, but that's not relevant. Interesting that you don't think there are any threats whatsoever, and appear to believe there are never any cases where interception would be needed. I'm a tad astonished, given the many many cases were intercept has proven vital, but ho hum...

> I don't believe it to be the case, but if not being able to spy on my computer use hinders the plods, maybe that's the price of freedom.

I agree a balance is needed. But your extreme position is broadly speaking no different to that of someone who believes we should spy on everyone all the time just in case they may commit a crime (note: that _isn't_ what the draft bill is asking for)

Re: Cautiously optimistic

> Irrespective of whether I've read the draft bill or not (and I haven't), I have to question in what world legislation that permits warrant-less internet surveillance of an entire population

It doesn't, a warrant is needed. And there isn't surveillance of the entire population.

Note that there are some things very close, and I agree there are dangerous issues here, but are you saying that all the different warranted powers should not be allowed?

Re: "where life is at immediate risk"

Apart from that local councils can't intercept or obtain the data, so that's irrelevant.

Re: Security Theatre and/or Snooping

While I agree that these can be circumvented, I also think you're over-estimating many criminals. And just because something can be circumvented, doesn't of itself mean that it's not useful. The lock on your door can easily be circumvented - is locking your door security theatre?

It's a fact that a lot of criminals are stupid. Furthermore, the further prior to committing a crime, the less OpSec they show. Finally, you can get unlucky - your VPN may not spin up properly and your set up may fail open, leading to you accidentally accessing a site not using your protection. Examples abound of this.

Re: Cautiously optimistic [Emergency provision]

@IT Hack: This is exactly the detail that needs thinking about. I absolutely can see there being a need for the provision. I also see how it can be abused. The question is - what is the impact of abuse. For example, if the judge then refuses to sign off, will that immediately be referred to IOCCO? Will it be made public, or will the subject be made aware so that they can sue. Or will it be hushed up?

If the latter - the provision is bad! If some of the former, the political risk of abuse could be high enough to make sure that abuse doesn't happen.

... is invalidated in its entirety by the ruling?

Only section 1 (data retention) of DRIPA was disapplied with this ruling. The other parts which covered some wording tweaks to RIPA (s3, s5), the extra-territoriality of RIPA (s4), or improvements to (s6) and reporting on (s7) oversight all remain.

Re: Called it :)

Further to this, and remembering that IANAL, I think there's a quick fix the government could do. Under RIPA s1(3) and s1(4) the secretary of state can introduce regulations with additional provisions. Under s1(4)(d) these provisions may include restrictions on access.

Regulations are secondary legislation that needs to be laid before parliament but for which there's no debate etc. There's not even necessarily a yes/no vote on them.

If the secretary of state issues regulations that require that a) data retained can only be accessed for serious offences, and b) a warrant or similar needs to be signed by a judge prior to each access, then that _may_ be sufficient to continue access. Doing so would meet both of the "in so far" bits of the judgment (see para 122 of the full judgement at https://www.judiciary.gov.uk/judgments/david-davis-and-others-v-secretary-of-state-for-the-home-department/ )

Re: Called it :)

If the legislation is unlawful does that mean prosecutions made under it are now also unlawful and subject to appeal, or maybe even automatic overturn?

There weren't any prosecutions AFAIK, so this is moot - this relates to what the ISPs etc had to do to retain the data, not what the police etc could do with it (which is covered by RIPA). There would only have been a prosecution if an ISP refused to comply with a retention notice.

Also, technically it's only section 1 of the law that has been disapplied - which is the bit dealing with data retention.

As for whether prosecutions could have been overturned, I'm not sure. The fact that the court is suspending their judgement until March 2014 - i.e. DRIPA s1 remains valid until then - in order for the government to fix things implies to me that there wouldn't have been grounds for an overturn. But then I'm absolutely not a lawyer, so I may well be talking out of my arse.

Yep - under RIPA Part III

A couple of examples from a quick Google:

- http://www.theregister.co.uk/2009/11/24/ripa_jfl/

- http://www.bbc.co.uk/news/uk-england-11479831

In both cases I think there wasn't any doubt they had the passwords. I'm not aware of any cases where there was doubt whether the person _could_ unlock the files, or where that was a plausible defence.

Re: Fundamental misunderstanding of telecoms

You're absolutely correct, from the technical side. Having the keys allows ad-hoc decryption around the world. And there is definitely a danger of abuse. There are therefore two questions:-

1) Should these agencies have ways to gain access to intercept product. If no, then there's no danger of abuse, but there will be an increased danger from assorted serious crimes including terrorism. How much of an increase is a difficult question - I think the gov regularly overplays this, but I think there is definitely a risk. If yes, then...

2) What can you do to stop abuse, or detect if it happens. This is all about oversight, and technical controls to audit and control access. I would hope, and expect, that there will be technical controls to anything which gains access to product, that the relevant warrant details need to be entered. The oversight can then check these. Note that I primarily care about UK citizens, although proportionality should be maintained everywhere - just because your wife pops over to Poland to visit friends doesn't give you the right to spy on her.

I also think that details of the technical controls, and how the oversight operates, must be public - that's the only way we can trust it. We have to a) be able to judge for ourselves whether the controls would be sufficient, and then b) trust in the oversight bodies, and that they will use the controls. This is ultimately where the recent "GCHQ broke the law" ruling came in - (a) is pretty much what EU law requires, and GCHQ weren't making the knowledge public. They still haven't enough, IMHO, and I want to see improvements there.

It should be noted that I think David Anderson and IOCCO are doing a good job. I'm less comfortable with the ISC - there are too many "insiders" in the ISC who have publicly been in the authoritarian camp.

Re: Fundamental misunderstanding of telecoms

Yep, nation/states jealously guard their prerogatives. But then allowing anyone to hack anyone else with no controls just leads to anarchy.

Citizens _can_ go on the offensive. It's called elections. Elected officials can reign in the intelligence services, if they want. Unfortunately, most people are idiots, perfectly happy to sleep-walk into crappy situations with crappy elected officials.

The overlap is the whistleblowers, and I firmly believe there should be whistleblower protections. It's a difficult situation though - when does whistleblowing (telling the public about abuses which are, or probably are, happening) become leaking secrets (telling the public about things which aren't abuses but cause measurable damage to intelligence operations). This is where good quality oversight is absolutely vital - an area that could be improved in the UK, and is an absolute mess in the US.