Have already had a skim read of the published Draft IPB, but need to have a more thorough review of the published IPB. Creating this issue to record notes whilst reading the bill and other resources.
LAN-64 is concerned with the measures required to ensure our data isn't caught up in the proposed dragnet, so may require updating depending on what is noted within this issue.
Keeping surveillance evidence out of courts, and the defense's hands
S.42(1-4) of the Draft IP Bill prevents anyone involved in interception from ever mentioning it took place as part of any legal proceedings. Note that this section is absolute: it does not have exceptions, for example in relation to the public interest: such as the ability to discuss the benefit or downsides of past interception activities; no exception for talking about this to MPs, or other democratic representatives; or even to exculpate anyone who otherwise would be wrongfully found guilty. Similar provisions (S.120(a)) keep the fruits of bulk interception out of courts.
For the definition of Content, the bill's a little flimsy, but as far as Web browsing goes they've specifically limited themselves:
Content of a communication
(6) The content of a communication is the elements of the communication, and any
data attached to or logically associated with the communication, which reveal
anything of what might reasonably be expected to be the meaning of the
communication but—
(a) anything in the context of web browsing which identifies the
telecommunications service concerned is not content, and
(b) any meaning arising from the fact of the communication or from any
data relating to the transmission of the communication is to be
disregarded.
and
190 Subsection (9)(f) provides for the retention of internet connection records. Internet connection
records are a record of the internet services that a specific device connects to – such as a website
or instant messaging application – captured by the company providing access to the internet.
They could be used, for example, to demonstrate a certain device had accessed an online
communications service but they would not be able to be used to identify what the individual
did on that service. Clause 47 provides certain restrictions on the acquisition of internet
connection records. Clause 193 provides that in the particular context of web browsing
anything beyond data which identifies the telecommunication service (e.g. bbc.co.uk) is
content.
and
451 Subsection (6)(a) provides that in the particular context of web browsing anything beyond data
which identifies the telecommunication service (e.g. bbc.co.uk) is content. Accordingly
bbc.co.uk, google.co.uk or facebook.com would be communications data but data showing
what searches have been made on Google or whose profiles have been viewed on Facebook
would be content.
Which ignores just how identifying/embarrassing a list of visited domains could be.
The "Request Filter" from the Draft Communications Data Bill (http://www.publications.parliament.uk/pa/jt201213/jtselect/jtdraftcomuni/79/79.pdf) is still ever-present, and as before it basically translates to "We're going to build a fuck-off big database of everything we can, but don't worry there's going to be an interface in front of it so requests can be limited down to the 'relevant' stuff".
As others are way ahead of me at reading the bill, and doing a fantastic job of identifying the issues, I'm not going to bother doing a writeup of the bill.
Instead, I've moved onto running a practical demonstration of what can actually (and incredibly easily) be pulled out at a network level, including effectively bypassing the protection that a lot of people assume HTTPS will give them.
Activity
2015-11-04 19:57:34
2015-11-04 20:04:00
2015-11-07 23:38:03
- http://arstechnica.co.uk/tech-policy/2015/11/snoopers-charter-uk-govt-can-demand-backdoors-give-prison-sentences-for-disclosing-them/
- https://conspicuouschatter.wordpress.com/2015/11/07/uk-draft-ip-bill-who-is-a-telecommunications-operator/
- https://conspicuouschatter.wordpress.com/2015/11/05/uk-draft-ip-bill-the-last-policy-discussion-about-surveillance-before-the-mass-gagging/
- https://theintercept.com/2015/11/05/seven-major-takeaways-from-the-u-k-s-proposed-surveillance-rules/
- https://conspicuouschatter.wordpress.com/2015/11/04/investigatory-powers-bill-the-juicy-bits/
With there being a thread on reddit about opposing it
- https://www.reddit.com/r/unitedkingdom/comments/35g7tc/oppose_the_snoopers_charter/
2015-11-07 23:55:59
Keeping surveillance evidence out of courts, and the defense's hands
The gagging applies to (as a minimum)
- Equipment Interference (Cracking)
- Bulk Communications Data Collection
- Implementing Interceptions Capability
- Retention Notices
- Targeted Warrants
- "Technical Capability Notices" (Implementing backdoors)
Essentially, any power the IPB bill grants is protected by permanent, absolute secrecy. What a fine democratic nation we live in.....
2015-11-08 00:08:11
Judicial sign off will be required for
- trying to identify a Journalist's confidential source (excludes the Intelligence agencies)
Government minister followed by "Judicial Commissioner" sign-off required for
- Interception of content of communications
In "urgent" cases, the minister can bypass the commissioner.
2015-11-08 00:09:25
2015-11-08 00:11:51
2015-11-08 00:12:05
2015-11-08 00:12:09
2015-11-08 00:12:12
2015-11-08 01:58:44
Mind you, seems the Home Office don't like it when it's portrayed like that - https://twitter.com/TheRegister/status/662335345921363968
2015-11-12 15:05:45
Instead, I've moved onto running a practical demonstration of what can actually (and incredibly easily) be pulled out at a network level, including effectively bypassing the protection that a lot of people assume HTTPS will give them.
Will start writing it up shortly so I can publish
2015-11-13 13:47:20
2017-07-06 15:49:14
2017-07-06 15:49:21