########################################################################################## MISC-11: Review Draft Investigatory Powers Bill ########################################################################################## Issue Type: Task ----------------------------------------------------------------------------------------- Issue Information ==================== Priority: Major Status: Closed Resolution: Done (2017-07-06 15:49:14) Project: Miscellaneous (MISC) Reported By: btasker Assigned To: btasker Affected Versions: - Draft IPB Reading Targeted for fix in version: - Draft IPB Reading Labels: Interception, Interpretation, IPB, Legislation, Mass-Collection, Privacy, Time Estimate: 360 minutes Time Logged: 0 minutes ----------------------------------------------------------------------------------------- Issue Description ================== Have already had a skim read of the published Draft IPB, but need to have a more thorough review of the published IPB. Creating this issue to record notes whilst reading the bill and other resources. LAN-64 is concerned with the measures required to ensure our data isn't caught up in the proposed dragnet, so may require updating depending on what is noted within this issue. ----------------------------------------------------------------------------------------- Issue Relations ================ - relates to MISC-19: Design Investigatory Powers Act workarounds - Draft Investigatory Powers Bill (Projects Static) (http://projectsstatic.bentasker.co.uk/General/Draft_Investigatory_Powers_Bill.pdf) - A Practical Demonstration of what IPB will allow (bentasker.co.uk) (https://www.bentasker.co.uk/documentation/security/313-ipb-nothing-to-hide-and-nothing-to-fear-but-you-can-still-nob-off) ----------------------------------------------------------------------------------------- Activity ========== ----------------------------------------------------------------------------------------- 2015-11-04 19:57:34 btasker ----------------------------------------------------------------------------------------- Linking to a mirror of the current draft of the bill in case the source link (https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/473770/Draft_Investigatory_Powers_Bill.pdf) is updated or changes at some point in the future. ----------------------------------------------------------------------------------------- 2015-11-04 20:04:00 ----------------------------------------------------------------------------------------- btasker added 'IPB Interception Interpretation Legislation Mass-Collection Privacy' to labels ----------------------------------------------------------------------------------------- 2015-11-07 23:38:03 btasker ----------------------------------------------------------------------------------------- Not had an awful lot of time to even get started, but plenty of people are way ahead of me with a few nasties being found - http://arstechnica.co.uk/tech-policy/2015/11/snoopers-charter-uk-govt-can-demand-backdoors-give-prison-sentences-for-disclosing-them/ - https://conspicuouschatter.wordpress.com/2015/11/07/uk-draft-ip-bill-who-is-a-telecommunications-operator/ - https://conspicuouschatter.wordpress.com/2015/11/05/uk-draft-ip-bill-the-last-policy-discussion-about-surveillance-before-the-mass-gagging/ - https://theintercept.com/2015/11/05/seven-major-takeaways-from-the-u-k-s-proposed-surveillance-rules/ - https://conspicuouschatter.wordpress.com/2015/11/04/investigatory-powers-bill-the-juicy-bits/ With there being a thread on reddit about opposing it - https://www.reddit.com/r/unitedkingdom/comments/35g7tc/oppose_the_snoopers_charter/ ----------------------------------------------------------------------------------------- 2015-11-07 23:55:59 btasker ----------------------------------------------------------------------------------------- This bit is particularly scary (from https://conspicuouschatter.wordpress.com/2015/11/05/uk-draft-ip-bill-the-last-policy-discussion-about-surveillance-before-the-mass-gagging/) *Keeping surveillance evidence out of courts, and the defense’s hands* -- BEGIN QUOTE -- S.42(1-4) of the Draft IP Bill prevents anyone involved in interception from ever mentioning it took place as part of any legal proceedings. Note that this section is absolute: it does not have exceptions, for example in relation to the public interest: such as the ability to discuss the benefit or downsides of part interception activities; no exception for talking about this to MPs, or other democratic representatives; or even to exculpate anyone who otherwise would be wrongfully found guilty. Similar provisions (S.120(a)) keep the fruits of bulk interception out of courts. -- END QUOTE -- The gagging applies to (as a minimum) - Equipment Interference (Cracking) - Bulk Communications Data Collection - Implementing Interceptions Capability - Retention Notices - Targeted Warrants - "Technical Capability Notices" (Implementing backdoors) Essentially, any power the IPB bill grants is protected by permanent, absolute secrecy. What a fine democratic nation we live in..... ----------------------------------------------------------------------------------------- 2015-11-08 00:08:11 btasker ----------------------------------------------------------------------------------------- As with RIPA, in order to view Internet Connection Records (ICR), Plod only need sign-off from a "desginated" superior officer. Judicial sign off will be required for - trying to identify a Journalist's confidential source (excludes the Intelligence agencies) Government minister followed by "Judicial Commissioner" sign-off required for - Interception of content of communications In "urgent" cases, the minister can bypass the commissioner. ----------------------------------------------------------------------------------------- 2015-11-08 00:09:25 btasker ----------------------------------------------------------------------------------------- For the definition of Content, the bill's a little flimsy, but as far as Web browsing goes they've specifically limited themselves: -- BEGIN QUOTE -- Content of a communication (6) The content of a communication is the elements of the communication, and any data attached to or logically associated with the communication, which reveal anything of what might reasonably be expected to be the meaning of the communication but— (a) anything in the context of web browsing which identifies the telecommunications service concerned is not content, and (b) any meaning arising from the fact of the communication or from any data relating to the transmission of the communication is to be disregarded. -- END QUOTE -- and -- BEGIN QUOTE -- 190 Subsection (9)(f) provides for the retention of internet connection records. Internet connection records are a record of the internet services that a specific device connects to – such as a website or instant messaging application – captured by the company providing access to the internet. They could be used, for example, to demonstrate a certain device had accessed an online communications service but they would not be able to be used to identify what the individual did on that service. Clause 47 provides certain restrictions on the acquisition of internet connection records. Clause 193 provides that in the particular context of web browsing anything beyond data which identifies the telecommunication service (e.g. bbc.co.uk) is content. -- END QUOTE -- and -- BEGIN QUOTE -- 451 Subsection (6)(a) provides that in the particular context of web browsing anything beyond data which identifies the telecommunication service (e.g. bbc.co.uk) is content. Accordingly bbc.co.uk, google.co.uk or facebook.com would be communications data but data showing what searches have been made on Google or whose profiles have been viewed on Facebook would be content. -- END QUOTE -- Which ignores just how identifying/embarassing a list of visited domains could be. ----------------------------------------------------------------------------------------- 2015-11-08 00:11:51 ----------------------------------------------------------------------------------------- btasker changed Project from 'Home' to 'Miscellaneous' ----------------------------------------------------------------------------------------- 2015-11-08 00:11:51 ----------------------------------------------------------------------------------------- btasker changed Key from 'HOME-23' to 'MISC-11' ----------------------------------------------------------------------------------------- 2015-11-08 00:12:05 ----------------------------------------------------------------------------------------- btasker added 'Draft IPB Reading' to Version ----------------------------------------------------------------------------------------- 2015-11-08 00:12:09 ----------------------------------------------------------------------------------------- btasker added 'Draft IPB Reading' to Fix Version ----------------------------------------------------------------------------------------- 2015-11-08 00:12:12 ----------------------------------------------------------------------------------------- btasker changed status from 'Open' to 'In Progress' ----------------------------------------------------------------------------------------- 2015-11-08 01:58:44 btasker ----------------------------------------------------------------------------------------- The "Request Filter" from the Draft Communications Data Bill (http://www.publications.parliament.uk/pa/jt201213/jtselect/jtdraftcomuni/79/79.pdf) is still ever-present, and as before it basically translates to "We're going to build a fuck-off big database of everything we can, but don't worry there's going to be an interface in front off so requests can be limited down to the 'relevant' stuff". Mind you, seems the Home Office don't like it when it's portrayed like that - https://twitter.com/TheRegister/status/662335345921363968 ----------------------------------------------------------------------------------------- 2015-11-12 15:05:45 btasker ----------------------------------------------------------------------------------------- As others are _way_ ahead of me at reading the bill, and doing a fantastic job of identifying the issues, I'm not going to bother doing a writeup of the bill. Instead, I've moved onto running a practical demonstration of what can actually (and incredibly easily) be pulled out at a network level, including effectively bypassing the protection that a lot of people assume HTTPS will give them. Will start writing it up shortly so I can publish ----------------------------------------------------------------------------------------- 2015-11-13 13:47:20 btasker ----------------------------------------------------------------------------------------- Write up published at https://www.bentasker.co.uk/documentation/security/313-ipb-nothing-to-hide-and-nothing-to-fear-but-you-can-still-nob-off ----------------------------------------------------------------------------------------- 2017-07-06 15:49:14 ----------------------------------------------------------------------------------------- btasker changed status from 'In Progress' to 'Resolved' ----------------------------------------------------------------------------------------- 2017-07-06 15:49:14 ----------------------------------------------------------------------------------------- btasker added 'Done' to resolution ----------------------------------------------------------------------------------------- 2017-07-06 15:49:21 ----------------------------------------------------------------------------------------- btasker changed status from 'Resolved' to 'Closed'