Tuesday, 29 March 2016

How to save libraries?

I've been writing about this sort of thing for a while.
Everyone thinks libraries have a positive role to play in the world, but that role differs greatly based on whether you’re talking to a librarian or a patron. Ask a patron what libraries have in common and they’d probably answer: they share books with people. Librarians give a different answer: they share a set of values. It’s time for libraries to step up to those values by supporting access to the Internet and taking the lead in fighting to keep the Internet open, free, and unowned.
The fit is obvious.  Libraries have always been about free, anonymous access to information.  We're facing two crises in the UK (and elsewhere):  the closure of libraries due to austerity measures and the erosion of privacy as the result of government and corporate snooping.

Libraries could become more relevant again by providing not just internet access but anonymous internet access and by training the public in how to understand privacy issues and use privacy tools.  They could provide Tor Exit Relays, like the Kilton Library in Lebanon, NH.

Libraries are well-suited to be in the business of providing global free, anonymous, open information access and these two birds could be killed with one stone.  The problem, of course, is that governments aren't, as a rule, very interested in global free, annonymous, open communications or - for that matter - in libraries.  Whatever libraries do in this area will probably have to be funded by communities.  I'd be happy to donate.

Fake taxi

No, not that fake taxi.  This one:
NYPD has at least five undercover ‘Cop Cabs’
That next taxi you hail could be driven by New York's Finest.
Sinister.  I can see some legitimate reasons for taxi-looking undercover police cars, but there are even more opportunities for abuse.  

Saturday, 19 March 2016

The FBI's warning about car hacking

Image result for car hacking
For fuck's sake

Yep, good stuff.  I'm more concerned about hackers stealing the car's data than I am about their shutting down the engine on the motorway.  I've owned several cars that did that all by themselves anyway.  I'm even more concerned about the people who sell us cars or insure them or who just really want to know harvesting that data.  It can not be in the drivers' best interests.

WRT the image: 

Seriously, journalists?  Can you actually be this lazy? You illustrated an article about hacking cars with... this? That's the best you could come up with?  FUCK ME. About 94% of articles about privacy or security are illustrated with partial shots of keyboards with a key featuring a padlock or even - for fucks sake - the word "security" or something.  Those are bad enough.  But this one? This fucking one? You have an entire internet out there filled with pictures of crashed cars or people with laptops plugged into cars or - for fuck's actual sake, KITT. You need to try a lot harder from now on.

Wednesday, 16 March 2016

Popular platforms getting serious about encryption?

Source: XKCD

The UK is by no means the only place trying its hardest to destroy all privacy.  Fortunately, some companies are fighting back.

In response to the FBI's attack on Apple's use of encryption-based security methods, some of the biggest names in technology are reported to be planning an expanded use of encryption for user data that passes through, or is stored on, their products and services.
 Whatsapp, Facebook, Google, Snapchat, Apple...

Encryption is the only tool we have against snooping governments (domestic and otherwise) and criminals.  One of the reasons encryption technology has been slow to reach the mass market is that it confuses people and tools have historically been tricky to use.  As it inevitably becomes more mainstream, these problems will disappear.  Companies like these championing encryption will surely help.

An open letter from dozens of legal experts: Snooper's Charter not fit for purpose

Cory Doctorow reports at Boing Boing:
But now comes the most damning condemnation of all, an open letter signed by dozens of law professors and legal experts, from across the UK, declaring that the law "fails to meet international standards for surveillance powers" and is "not fit for purpose."
 The full letter appears in the Guardian.  The authors have three main objections to the bill;
First, a law that gives public authorities generalised access to electronic communications contents compromises the essence of the fundamental right to privacy and may be illegal. 
Second, international standards require that interception authorisations identify a specific target – a person or premises – for surveillance.
Third, those who authorise interceptions should be able to verify a “reasonable suspicion” on the basis of a factual case. 
The bill falls far short of these international standards.

The letter is signed by lots and lots and lots of legal experts.
snoopers charter flowchart
Source: The Huffington Post

My MP on the Snooper's Charter

Phil WIlson, MP
Phil Wilson, MP Sedgefield

I wrote to my MP, Phil Wilson of Sedgefield constituency, urging him to speak out against the Investigatory Powers Bill.

I didn't have much hope.  We have some history together, disagreeing on this and similar issues and he has lately stopped replying.  He did reply to this letter, however, although it was not to my liking.
Here it is:
Thank you for your email.  
I am currently attending a foreign visit as part of my commitments as a member of the defence select committee and therefore will not be in the Commons this evening to participate in the vote. 
However, I do support the principle of introducing legislation that can deliver an up-to-date and effective legal framework for the police and security services to help prevent and investigate serious crimes such as murder, child sexual exploitation, terrorism and locating missing people. However, it is essential that any such legislation must be subject to robust safeguards and independent scrutiny and that it must be transparent, necessary and proportionate.
The Labour Party will not therefore be opposing the Bill at Second Reading this evening but will continue to robustly challenge and improve the Bill in the coming weeks and months.
Once again, thank you for your email.
Kind regards,
Mr Wilson shows no apparent understanding of the issues, although I and many others have spelled them out to him several times.  The only way to 'fix' the bill is to scrap it entirely.  Improvements can certainly be made but they wouldn't address the fundamental problem.

Tuesday, 8 March 2016

There is no single set of data that constitutes an internet connection record

Image result for worse not better
The Investigatory Powers bill (Snooper's Charter) has recently been revised.  Although the Home Office assures us that the comments on the original from various advisory committees have been addressed in the rewrite, this apparently is not the case.  For example, we saw here that they 'addressed' a serious privacy concern by adding the word "privacy" to an otherwise unchanged section.

Unsurprisingly, this is far from the only flaw in the IP revision.  For example, the bill still refuses to define what constitutes an "Internet Connection Record", which is the user data the bill would require ISPs to keep and to share with the government.   This is the best the bill comes to a definition:
The core information that is likely to be included are: an account reference, a source IP and port address, a destination IP and port address and a time/date. However, there is no single set of data that constitutes an internet connection record, it will depend on the service and service provider concerned.
I can think of only one reason to repeatedly refuse to define what customer data ISPs will be forced to keep and/or divulge.  The construct 'Internet Connection Record' is a proxy for "whatever we want at the time".  The revisers of the bill didn't take time to pin this definition down, but they did take time to actually extend the proposed powers.  Whereas previously the draft was concerned with "internet communications services", the revised bill includes... well everything. Ever.

It's a common theme throughout. The Home Office has used the revision as an opportunity to make the bill worse, not better.

Wednesday, 2 March 2016

How the Snooper's Charter revisions dealt with "the majority of recommendations from the 3 committees"

In a statement accompanying the latest revisions to the Snooper's Charter, Theresa May said:
I am pleased to say that the revised bill … give[s] effect to the vast majority of the recommendations made by the three committees

 One of these alterations was from the intelligence and security committee, who said:
Overall, the privacy protections are inconsistent and in our view need
strengthening,” it said. “We recommend that an additional Part be included in the new legislation to provide universal privacy protections, not just those that apply to
sensitive professions.
 This is a pretty serious concern and a hugely important recommendation.  The Home Office responded by adding the word "privacy" to a section heading.  Needless to say, the section does not address the most important privacy concerns.

Tuesday, 1 March 2016

BBC on the Snooper's Charter

The BBC has disappointed everyone but governments, security services and criminals - foreign and domestic - with its coverage of the Snooper's Charter.  Its party line seems to be that the measures will be difficult or impossible to implement. They will, but that's not the biggest problem.  The biggest problems are almost dismissed by the BBC as things that only 'campaigners' need to worry about.  I mean, look at this:
Ministers say the new powers, to be published later, are needed to fight terrorism, but internet firms have questioned their practicality - and civil liberties campaigners say it clears the way for mass surveillance of UK citizens.
The ands and buts betray a party line, I think.  The 'but' is that internet firms might find it difficult to enforce (and fuck them, right?) and the 'and' suggests that privacy and liberty campaigners' concerns are marginal to the debate.  Remember what we're talking about here; the paragraph should read:
Ministers say the new powers, to be published later, are needed to fight terrorism, but it is perfectly clear that they aren't needed and won't be effective.
I've seen this kind of language all over the BBC's coverage.  I doubt it's accidental. Look at this, for example:
The Home Office was forced to revise the draft bill after concerns it did not do enough to protect privacy and was too vague. The revised version is expected to reflect these concerns.
No it isn't. I don't know of anyone who expects that.  It's expected that small compromises will be made which won't change the privacy, security and safety implications of the original bill. It's expected that terrorists won't be slowed down much, if at all, by these measures.

The BBC goes on:
Ministers want the new bill to become law by the end of the year, citing the urgent demands of national security and crime prevention.
Not really. They tend to cite the urgent demands of getting the bill through before the sunset clause on the previous bill expires in December.
A warrant from the home secretary will be required for officers to access the content of emails - and a new Investigatory Powers Commission would be able to veto such requests.
So the government will decide whether or not the government can do what it likes with our data and a government agency will be set up to police it?  I....might just see a slight flaw in this reasoning.
Powers to hack into computers and smart phones - so called "equipment interference" - will be extended to include "threat to life" situations - to save someone who is at risk, or to locate a missing child or vulnerable person.
OK, so who do they hack in order to solve a crime? Will we know about the hacks? Will we know whether they helped solve the crime?  Of course not. Will 'threat to life' include any activity someone obviously not impartial decides it will?  Of course it fucking will.

On backdoor shenanigans:
The Home Office says the new legislation will address concerns expressed by Apple and other tech giants about encryption, which protects messages from being hacked.
The tech giants feared being forced to fit "backdoors" to their devices or make other changes to encryption that would compromise their customers' security.
Officials said the revised version of the Investigatory Powers Bill would put beyond doubt that companies can only be asked to remove encryption that they themselves have applied, and only where it is "practicable" for them to do so.
Almost as though "practicable" is something those companies could decide. It isn't, it will surely demand broken encryption and back doors while pretending it doesn't. They can't

The bill is horrific. The BBC isn't supposed to be a government mouthpiece, but that's exactly the way it's acting. Nobody has ever explained why these measures would stop terrorism or how we'd know if they did or didn't. Come on, BBC, you're not fooled either so stop pretending you are.

Child protection fail

When we try to protect children, what are we trying to protect them from?  Is it from bad words or bad things?  Growing up too quickly or being prepared for adult life?  It's hard, I know and decisions can be difficult.

But it seems fairly clear that this is not a good way to do it.
A search engine aimed at children, which blocks many common search terms including the words menstruation and balls, has gone viral.
Wait, the search engine has gone viral? I doubt that's what the BBC means.  Here are some other terms the BBC says are blocked (I wonder if the ones they tried says more about journalists than anything else?)

  • Lesbian 
  • Gay
  • Circumcision (but not FGM)
  • Suicide (but not self-harm)
and, weirdly (weird that the journalists conflated the two):

  • Pamela Anderson (but not 50 Shades of Grey)
This is apparently what you'll get if you search for LGBT:

search for lesbian

You see, that's the problem right there.  It's assumed that things to do with LGBT issues are 'unsafe' for children, whatever that means. Blocking access to material on those issues is certainly not safe for children who face those issues and neither is labelling them as an unsafe topic safe for anyone else.  Or for society; it promotes the idea - to LGBT and non-LGBT children and adults alike that there's something indefinably wrong with talking about sexuality and sexual identity in general and certain varieties of each in particular.

But that's just part of a more general problem.  First, of course, there is no way to guarantee that any particular search term is 'safe', however anyone chooses to define it.  So blocking search times can't improve safety.  Second, a moderately determined child could easily find whatever they want with that search engine without using FORBIDDEN SEARCH TERMS.  And, of course, good luck to parents who think their kids can't get past any blocks on other search engines.  

It's a terrible implementation of a terrible idea.  It won't keep children safe (again, however you define it) and it will encourage riskier behaviour than googling.

Revised Snooper's Charter to be published today

Big Brother logoThe UK Home Secretary, Theresa May, will today release a revised version of the Snooper's Charter, which she claims address criticisms from MPs and peers.  Three parliamentary committees made a total of 129 recommendations and the Home Office says that the majority of these are reflected in the revised bill.

That does not immediately inspire confidence, especially since some of the recommendations were about tightening up language and definitions.  'Majority'?  'Reflected'?  That's not at all the same as saying that they've implemented most of the recommendations.

According to The Guardian, the revisions include:
The Home Office’s proposed changes include

  • Six codes of practice setting out how the security services will use the powers in the bill, including access to personal communications data, state computer hacking and bulk acquisition of data.
  • Stronger privacy safeguards including the need for a senior judge to approve security service access to a journalist’s communications data. The Home Office said this was needed to ensure the willingness of sources to provide information to journalists.
  • A “double-key” ministerial warrant backed by judicial approval when UK security services ask foreign intelligence agencies to undertake work on their behalf.
  • A pragmatic approach to encryption that will require technology companies to remove encryption that they have themselves applied where it is practicable for them to do so.
  • The period for “urgent” warrants issued for the most intrusive surveillance without judicial approval is to be reduced from five to three days.
The Home Office says:
We have strengthened safeguards, enhanced privacy protections and bolstered oversight arrangements.
That remains to be seen.  It seems quite clear, however, that the revisions won't address the main concerns, of which there are many.  For example, government and security services' access to citizens' 'Internet Connection Records' (which, as far as I'm aware, still hasn't been properly defined) requires the say-so of a minister rather than a judge, unless that citizen is a journalist wishing to protect a source.  It seems likely that 'technology companies' will be forced to implement broken encryption and to decrypt their customers' data when asked (asked by whom is not clear).  And, of course, it is unlikely to explain what constitutes a 'terrorist threat', how the bill will help to prevent terrorist attacks or how the public will be able to decide whether any results are worth the privacy hit.

We'll see what emerges later today, but I don't have much confidence that the major concerns will be addressed.  What we know for sure is that the bill will be rushed through as quickly as possible to meet the sunset deadline of December 2016, when the DRIPA sunset clause expires.