UK Investigatory Powers Bill Take 2
[UPDATE 6/7/2016] As reported by Slashdot News, the UK Investigatory Powers Bill has passed through the House of Commons. The bill now only has to pass through the House of Lords in order to be signed into law.
[UPDATE 3/16/2016] As Telegraph News reports, the UK Parliament has passed the IP Bill by 266 votes after hours of debate. Read below what this means for internet users in the UK and the international web community.
At the beginning of March 2016, the UK and the rest of the world got a glimpse of an updated Investigatory Powers Bill, otherwise known as Snoopers Charter. It has international significance, as it hopes to set the legal framework for other surveillance laws internationally. However, the rush to pass it and the ignored criticisms have everyone worried.
The IPBill has taken some time to get where it is today. You could say it’s been at least 4 years in the making, with the first draft introduced late last year. Intended to replace the expiring DRIPA Act, the first draft of the IPBill was not met favourably. Three separate parliamentary committees, as well as countless MPs, criticized it on grounds of clarity, consistency, coherence, the premise of mandatory encryption backdoors, data collection by ISPs, privacy issues and more.
The second draft of the Investigatory Powers Bill was presented to Parliament this week. Despite Home Secretary Theresa May arguing that it reflects the majority of 122 recommendations by MPs, it actually extends surveillance powers rather than reining them in as was hoped.
First impressions of the new draft flooded social media.
What’s new in the second draft of the IPBill:
- Extended scope of proposed authority powers, allowing them access to all web browsing records in specific criminal investigations (the original draft stated only illegal websites and communications services would be accessed)
- It was more clearly spelled out that ISPs would have to store internet connection records, although they have stated that the significant costs of doing so would have to be passed down to customers.
- Investigation of some urgent cases would allow access to user web data prior to a warrant being issued by the judge; the turnaround time for the warrant was changed from 5 to 3 days
- There would be no need for a metadata warrant.
- Additional authorization has been created to protect journalists and those in similar professions
- Hacking into someone's personal web data or hardware was not only acknowledged as a means used by the authorities, but also authorized as a means of investigation in some cases where life was at risk
- Police were granted more power to access data – “where necessary and proportionate”
- UK mobile operator devices can be subject to backdoor access: if a warrant is obtained, operators will be required to “provide facilities or services of a specified description”. Any operator can be forced to provide literally any service, if it’s within their technical capability to do so, including removal of “electronic protection” (which would include encryption).
- The Home Office published six draft Codes of Practice that explain in detail how the powers will be used and why they’re required.
- Clarity is still admittedly lacking, in the hope that some elements of the bill can function as a ‘live document’ which might change as it is ‘future proofed’.
How could IPB affect you?
• ISPs will have to keep people's internet web history for up to a year under the new surveillance bill. As with most data retention laws, this probably means the collection of metadata, which is not the full content of your web and mobile interactions, but enough to compose a profile of your online activity and identify who you interact with and when. The content of your online activities is not as important as your online habits and preference patterns in combination with your personal details. That type of information is very valuable. If any of the companies (ISPs and telcos) or government agencies mishandle internet user information, the cybersecurity breach could become a huge and costly fiasco. With so many stakeholders involved, the likelihood of mishandled data is quite high.
• Communications companies will be legally bound to help access people's mobile devices and computers
• Agencies will be allowed to interfere with electronic devices to help collect information from a device
• Around seven judges will be appointed as Judicial Commissioners to authorize the more intrusive capabilities, such as when agencies see the content of communications and collect bulk data. They will also have the power to veto warrants signed by senior ministers
• An Investigatory Powers Commissioner will be appointed to keep police and police services in check
• You will end up paying for the program. ISPs and telcos would incur a lot of expenses in managing the data collection, in addition to costly security measures and the administration of government agency requests to access data. Back in 2012 it was estimated that enacting ‘Snoopers Charter’ would cost 2.5 Billion UK Pounds.
Timeline going forward
- A revised Bill was introduced to Parliament, where it will receive careful Parliamentary scrutiny
- First debate in the House of Commons on March 14th
- The government hopes it will win the backing of MPs by the summer and by the House of Lords this autumn.
Ways to avoid mandatory data retention
• Get a VPN
A VPN sends your data through a secure encrypted tunnel before it reaches the internet, which protects sensitive information about your location by hiding your IP address. A Virtual Private Network connects you to the internet through the VPN server rather than directly through your ISP. The only information visible to your ISP is that you are connected to a VPN server and nothing more. All other information is encrypted by the VPN’s protocol. This is handy when you don’t want your real IP traced back to you.
• Connect via Proxy
All packets exchanged between the internet and your device go through a remote machine used to connect to the host server. Your IP address appears to be that of the remote machine, which enables you to hide your true IP address. However, a web proxy does not encrypt your traffic.
Learn more: VPN vs. Proxy
• SOCKS5 Proxy for Torrenting and P2P
SOCKS5 is an internet protocol which routes packets between a server and a client using a proxy server. To put it simply, your data is routed through a proxy server that generates an arbitrary IP address before you reach your destination. It is a good option for torrenting or P2P, but not web browsing. Learn more: SOCKS5 Proxy.
• Use offshore Email Account
There are a number of email services that are not based in countries that have mandatory data retention laws. However, be mindful of other online data retention and sharing programs out there: pay attention to their privacy policies and the country they are based in.
• Tor Network
Tor Network is a privacy network designed to hide which computer actually requested the traffic. By routing traffic through different nodes, it makes it difficult to say whether your computer initiated the connection or is just acting as a relay, passing that encrypted traffic to another Tor node. Learn more: Anonymous Browsing with Tor Network