Brown's Proposed Data Retention Bill: Online Privacy and Security
Life online is getting tough: more and more surfers are being snooped on, not just by criminal gangs but also by big business and government. The recent scandal of so-called respectable ISPs trying to form an alliance with Phorm, a known distributor of spyware, is just the tip of the iceberg. The proposed new data communications legislation is going to turn all the preceding privacy legislation on its head. The new legislation will require service providers to keep traffic logs (but not content) of phone calls, emails, instant messages and texts. Well, there is not too much new there; we have all grown used to the fact that this information is quite often available on our billing receipts and actually stored inside our cellphones. However, there is a subtle shift in focus: previously the relevant legislation was primarily concerned with protecting the privacy of the consumer, whereas the new legislation is solely focused on extending the powers of "Big Brother" to snoop.
What is worse, the proposed legislation requires service providers to keep records of internet traffic. This means that every web page you visit will be recorded and available. This is exactly the information that Phorm was intending to gather. One has to ask, once the service providers are forced to gather and store this information, how long will it take for them to turn it into a commercial product? This could be done completely legally just by changing the service provider's privacy policy!
At the moment, the bodies which are able to access retained data in the United Kingdom are listed in the Regulation of Investigatory Powers Act 2000. These are:
* Police forces (as defined in section 81(1) of RIPA)
* National Criminal Intelligence Service
* National Crime Squad
* HM Customs and Excise
* Inland Revenue
* Security Service
* Secret Intelligence Service
* Government Communications Headquarters
The justifications for accessing retained data in the United Kingdom are set out in the Regulation of Investigatory Powers Act 2000 (see above):
* in the interests of national security;
* for the purpose of preventing or detecting crime or of preventing disorder;
* in the interests of the economic well-being of the United Kingdom;
* in the interests of public safety;
* for the purpose of protecting public health;
* for the purpose of assessing or collecting any tax, duty, levy or other imposition, contribution or charge payable to a government department;
* for the purpose, in an emergency, of preventing death or injury or any damage to a person's physical or mental health, or of mitigating any injury or damage to a person's physical or mental health;
* for any purpose (not falling into the above) which is specified for the purposes of this subsection by an order made by the Secretary of State.
One could argue, as Gordon Brown is doing, that this is a measure of public security and crucial for the fight against organised crime, terrorism and all the other bogey men that are used to scare Joe Public into being a good little economic unit. What bugs me is that the surveillance network in this country is now so extensive that, with very little effort, an agent of the security service could keep me under more or less constant video surveillance as I travel from Land's End to John o' Groats, and he would never once have to leave his office.
Ok, I can hear you saying that if I am a bad guy, you don't have a problem with this. Right, fine, except recent cases where this legislation has been used include:
* Local Authorities checking out who is overfilling wheelie bins.
* Local Authorities checking on whether a school child actually lived in the catchment area of a desirable school.
The truth of the matter is that once the legislation is in place, it will be used for things for which it was never intended. Data mining, traffic analysis, information processing and all the other tools that are in the real-world armoury of James Bond are incredibly sophisticated, to a level that is difficult for a layman to appreciate. Using these tools, the state (and anyone else with access to the data) is in a position to build detailed profiles of every household in the country. Given a data set that has been collected over a number of years, these profiles can be refined down to the level of the individual. Even worse, shock horror, recent cases of lost data have revealed that the information will not even be stored in this country, but in the US, and hence available to foreign powers.
So are we totally at the mercy of service providers, multi national corporations and big brother government?
Well currently it is only proposed legislation, so we have a chance to influence the debate and hopefully derail the entire project. But, from past experience, I prefer to have a plan B. Which in this case means I have started to research privacy software, proxies and the like.
Tor Onion Network
Commercial proxy servers have an inherent weakness in that the initial contact from your computer to the proxy passes through your ISP as unencrypted traffic. Also, the proxy is subject to the data retention laws of the host country. Fortunately, there is another solution. The US Defense Advanced Research Projects Agency (DARPA), who gave us the internet, also gave us an onion router called Tor. The aim of the project was to allow those poor citizens of oppressive, anti-democratic, Big Brother governments uncensored and unmonitored access to the internet.
The project initially passed to the Electronic Freedom Foundation, who still give legal support, but is now run by a group of volunteers as part of the open source GNU movement. Essentially it is a network of daisy-chained routers that pass traffic, which has been encrypted before it leaves your PC, through the daisy chain to an exit node. Once at the exit node, it is decrypted and appears on the internet. Return traffic is encrypted and passes back through another daisy chain to your PC, where it is decrypted and appears in your browser.
The encryption is public/private key and the private key changes each time you make a request. Routers on the daisy chain do not have access to the keys and do not know the traffic contents. This fact is very important for the legal protection of anyone running a router and, according to the EFF, would constitute a key plank of defence in any legal proceedings brought about as a result of running a Tor router. (see note 1)
The basic package can be easily installed using the Vidalia GUI control panel. For various reasons, it is best to have two browsers, one torified and one that is open; I use Firefox and Opera. This way, when I am going to my bank or other sites where I want my identity known, I do not have any problems. Using Tor is interesting: because the exit node can be anywhere, the Google home page takes a trip around the world. Generally Google is pretty good and will give hits to English language sites in response to English language queries. The biggest problem I have is that because many search queries are originating from that exit node and I have a habit of leaving the Google results page open while using a new tab to view the site of interest, Google sees my open link as a bot. This is easily solved by remembering to close the Google search tab. If you have left the link open, close the tab and make sure that the Google cookie has been removed.
Like all systems, the degree of anonymity provided is dependent on using the technology in an appropriate manner. It is not foolproof; there are three or four basic methods of attack:
* A hacker can listen at exit nodes and intercept un-encrypted email, passwords etc
* If not used properly, there can be DNS leaks where un-torified programs use DNS look ups outside the Tor network
* In theory, James Bond can plant undercover routers onto the network and by overstating his bandwidth, build a picture of traffic on the network. This does not compromise anonymity, but does yield information that some people find extremely valuable. Having said this, people in the GNU movement are generally technologically sophisticated and his presence would be noted by those same traffic analysis techniques.
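The DNS leak in the second bullet shows up in the SOCKS5 request a program hands to Tor's local proxy: a hostname (address type 0x03) leaves the lookup to Tor, while a bare IP usually means the program already resolved the name through the ISP. The sketch below is an added example, not part of the original post; the function names and sample requests are constructed for illustration, and the message layout follows RFC 1928.

```python
import ipaddress
import struct

ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04  # RFC 1928 address types

def build_connect(host, port):
    """Build a SOCKS5 CONNECT request; hostnames go out unresolved (ATYP 0x03)."""
    try:
        ip = ipaddress.ip_address(host)
        atyp, addr = (ATYP_IPV4 if ip.version == 4 else ATYP_IPV6), ip.packed
    except ValueError:
        name = host.encode("idna")
        if not 1 <= len(name) <= 255:
            raise ValueError("hostname must be 1-255 bytes")
        atyp, addr = ATYP_DOMAIN, bytes([len(name)]) + name
    return bytes([0x05, 0x01, 0x00, atyp]) + addr + struct.pack("!H", port)

def parse_connect(req):
    """Return (kind, destination, port); ValueError on anything malformed."""
    if len(req) < 5 or req[:3] != b"\x05\x01\x00":
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp, body = req[3], req[4:]
    if atyp == ATYP_DOMAIN:
        size, body = body[0], body[1:]  # one length byte, then the name
    elif atyp in (ATYP_IPV4, ATYP_IPV6):
        size = 4 if atyp == ATYP_IPV4 else 16
    else:
        raise ValueError("unknown address type")
    addr, rest = body[:size], body[size:]
    if len(addr) != size or len(rest) != 2:
        raise ValueError("truncated or oversized request")
    port = struct.unpack("!H", rest)[0]
    if atyp == ATYP_DOMAIN:
        return "hostname", addr.decode("ascii"), port
    return "ip", str(ipaddress.ip_address(addr)), port

def audit(requests):
    """List destinations that reached the proxy as bare IPs (possible local DNS)."""
    parsed = (parse_connect(r) for r in requests)
    return [(dest, port) for kind, dest, port in parsed if kind == "ip"]

# Constructed sample traffic: one client defers DNS to the proxy, one does not.
SAMPLE = [build_connect("example.com", 443), build_connect("192.0.2.10", 443)]

if __name__ == "__main__":
    for dest, port in audit(SAMPLE):
        print(f"IP-only request to {dest}:{port}: name may have been resolved outside Tor")
```

With curl, `--socks5-hostname` produces the first kind of request and `--socks5` the second, which is a quick way to see the difference against a local Tor SOCKS port.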
The biggest weakness of all is the individual user. If you are one of those people that habitually clicks on the free download link, then this is not for you. It will do you absolutely no good at all. Also, there are some fairly basic techniques whereby hackers can plant JavaScript tracers, remote images and iframes onto websites of interest. What that means is that, unless he is technically very sophisticated, somebody going on to the Tor network to look for kiddy porn is going to run pretty much the same risks of having the police at the door as he would on an open network.
Conclusion
I myself am not engaged in practices that are illegal (except occasionally smoking a little bit of pot), but I am deeply concerned about my privacy, the right to free speech and the general direction of government policy towards increased surveillance of the population. The more people that use the network and the more people that offer an internet connection as a router, the more secure the network becomes.
While the Tor network can be used by people with a less than savoury intent, it is primarily a tool of privacy and free speech. It was designed with the intent, and is primarily used, to enable people to evade the obtrusive monitoring of anti-democratic Big Brother governments like the Soviet Union, China, Myanmar, Cuba...
As a result, I would urge everybody to join this network, (or equivalent,) and make any proposed internet surveillance unworkable.
References
Information on the law as it exists now: http://en.wikipedia.org/wiki/Data_retention
Information on who can use stored data: http://en.wikipedia.org/wiki/Regulation_of_Investigatory_Powers_Act_2000
Gordon Brown's legislative agenda 2008/9: http://www.official-documents.gov.uk/document/cm73/7372/7372.pdf
Tor Onion Routing Network : http://en.wikipedia.org/wiki/Tor_%28anonymity_network%29
Vidalia, Tor & Privoxy download : http://vidalia-project.net/
Tor project : http://www.torproject.org/
Tor legal perspective : http://www.torproject.org/eff/tor-legal-faq.html.en
Electronic Freedom Foundation : http://www.eff.org/
Note 1:
The author is not aware of anyone who has been prosecuted in a NATO/Western jurisdiction as a result of running a Tor router. The only reference I have found to legal action against a Tor operator was a 2006 case in Germany, where some members of a paedophile ring had been using the Tor network and, as a result, the exit nodes had shown up as part of the police investigation. After extensive searching for follow-up reports, to the best of my knowledge, the case against the Tor operators was quietly dropped, although the prosecution of the paedophile ring went on to make international news.