Britain and Apple Fucking Your Privacy
https://yro.slashdot.org/story/16/11/17/164203/britain-has-passed-the-most-e...

The UK has just passed a massive expansion in surveillance powers, which critics have called "terrifying" and "dangerous." The new law, dubbed the "snoopers' charter," was introduced by then-home secretary Theresa May in 2012, and took two attempts to get passed into law following breakdowns in the previous coalition government. Four years and a general election later -- May is now prime minister -- the bill was finalized and passed on Wednesday by both parliamentary houses. Civil liberties groups have long criticized the bill, with some arguing that the law will let the UK government "document everything we do online." It's no wonder, because it basically does.

The law will force internet providers to record every internet customer's top-level web history in real-time for up to a year, which can be accessed by numerous government departments; force companies to decrypt data on demand -- though the government has never been that clear on exactly how it forces foreign firms to do that; and even disclose any new security features in products before they launch. Not only that, the law also gives the intelligence agencies the power to hack into computers and devices of citizens (known as equipment interference), although some protected professions -- such as journalists and medical staff -- are layered with marginally better protections. In other words, it's the "most extreme surveillance law ever passed in a democracy," according to Jim Killock, director of the Open Rights Group.

https://mobile.slashdot.org/story/16/11/17/1448219/iphones-secretly-send-cal...

Russian digital forensics Elcomsoft says iPhones send near real-time logs to Apple servers even when iCloud backup is switched off. The firm adds that these logs are stored for up to four months.

From a report on the Intercept: "You only need to have iCloud itself enabled" for the data to be sent, said Vladimir Katalov, CEO of Elcomsoft. The logs surreptitiously uploaded to Apple contain a list of all calls made and received on an iOS device, complete with phone numbers, dates and times, and duration. They also include missed and bypassed calls. Elcomsoft said Apple retains the data in a user's iCloud account for up to four months, providing a boon to law enforcement who may not be able to obtain the data either from the user's carrier, who may retain the data for only a short period, or from the user's device, if it's encrypted with an unbreakable passcode. "Absolutely this is an advantage [for law enforcement]," Robert Osgood, a former FBI supervisory agent who now directs a graduate program in computer forensics at George Mason University, said of Apple's call-history uploads. "Four months is a long time [to retain call logs]. It's generally 30 or 60 days for telecom providers, because they don't want to keep more [records] than they absolutely have to. So if Apple is holding data for four months, that could be a very interesting data repository and they may have data that the telecom provider might not."

"call logs. It's generally 30 or 60 days for telecom providers, because they don't want to keep more [records] than they absolutely have to"

Lol, what?
1. I wonder what effects this will have on encryption. Since encryption cannot be "decrypted on demand" if it is good encryption, this means that likely true encryption will be banned in UK?

2. And what are the details on allowing hacking, does this mean that spooks can lawfully bulk hack anyone/everything?

And for those who say "this does not affect me, I do not live in UK", yes this does affect everyone. A lot of your internet traffic gets routed all over the world including UK before reaching destination.

Any data captured by UK on you can be shared with your government without probable cause or suspicion of crime. This is done through intel sharing agreements within spy alliances such as FVEY.

For security concerns I propose we boycott all and any technology, products, services, or businesses based in UK that complies with "the law" and has anything to do with technology or communications out of security concerns.

What government is doing here is fragmenting society and industry by making the "legal white economy" incompetent, weak, and insecure through excessive intervention and laws that are not compatible with modern times.

While any company that wants to succeed and keep their data and operations secure will have to resort to the free market system "black economy" since government made rules are incompatible with modern era of technology. Then the free market will thrive as the "white economy" based businesses will rightfully suffer as a result of compliance.

--
Cannon
PGP Fingerprint: 2BB5 15CD 66E7 4E28 45DC 6494 A5A2 2879 3F06 E832
Email: cannon@cannon-ciota.info
On 11/21/2016 08:02 AM, Cannon wrote:
1. I wonder what effects this will have on encryption. ...
It's prudent to assume (at least) that adversaries see all of your clearnet traffic, and are hacking at all accessible IP addresses. So you encrypt and hide as needed. If that's illegal where you are, you either get laws changed, take the chance of not getting caught, or move. Risk of extradition is a problem, I admit. But it's probably not a huge risk, unless you attract too much attention ;)
On Mon, Nov 21, 2016 at 3:02 PM, Cannon <cannon@cannon-ciota.info> wrote:
1. I wonder what effects this will have on encryption. Since encryption cannot be "decrypted on demand" if it is good encryption, this means that likely true encryption will be banned in UK?
They've previously said that this won't be the case. Whether that proves true is something else, of course, especially as they've still not been able to explain exactly how they intend those companies to decrypt.

In reality various bits are almost certain to hit the European Court and get shot down, though it might then get resurrected post-Brexit. ICRs in particular probably don't stand much chance of surviving.

No-one's quite sure exactly which providers are going to be expected to keep the logs either, as there's no definition of what a CSP is. It's almost a given that consumer ISPs will be required to, but who else? I currently have no idea what, if any, of the various services I make available will be affected. I'd shut down operations before even considering complying with some of the requirements.
2. And what are the details on allowing hacking, does this mean that spooks can lawfully bulk hack anyone/everything?
Apparently they need to constrain the scope a little and be targeting something specific, but essentially, yes.
For security concerns I propose we boycott all and any technology, products, services, or businesses based in UK that complies with "the law" and has anything to do with technology or communications out of security concerns.
If you're going to do that, be very vocal about the business you would have done, and why you weren't able to trust them. Doing it quietly will change nothing.

In particular, there's a good chance those companies won't be allowed to disclose that they've had to comply. Warrant canaries arguably don't work as well in the UK as (IIRC) you can be ordered to avoid doing anything that might lead to disclosure of the order, which would include failing to update the canary. At least, I recall reading that somewhere.

Theresa May's had a hard-on for this capability for years though, so there's some serious determination behind seeing it all come to pass, so it's going to be some time before common sense prevails (if ever)

--
Ben Tasker
https://www.bentasker.co.uk
On 21/11/16 15:02, Cannon wrote:
1. I wonder what effects this will have on encryption.
Since encryption cannot be "decrypted on demand" if it is good encryption, this means that likely true encryption will be banned in UK?
If you get served an order, you probably can't use forward secrecy. That's about all that has changed in respect to encryption.

There are other changes, mainly to required communications data retention regimes for ISPs, which are far more invasive in civil liberty terms.

Mechanisms to require decryption have been in place for years, since 2000 with RIPA, and some before. FSVO "much" they don't actually get used much, but they are there.

This part of the new Act only takes away the ability to say "I can't do it, I don't have the means (the key)", and only on some people (communications service providers), and only after they have been served an order to keep the "means of decryption".

An order under the new Act is only an order to, effectively, keep records of keys used - a requirement to disclose them or use them to decrypt ciphertext takes a warrant which is much harder to get.

(though those warrants are not as hard-to-get as they should be, or used to be - the Act changes that too, in a way which I personally believe is much more sinister in terms of the quantity of surveillance than anything the Act does in the new orders).

Note, it only applies to those who have been served an order to keep keys used - and an order can only be served on communications service providers, it cannot be served on private individuals or most [1] internet sites.

You can, partly, still use FS - supposing you used Diffie-Hellman, you would have to keep a record of your key-establishing secrets, rather than discarding them. Which mostly nullifies the point of using FS: however not totally - the other party, if they haven't been served an order, could discard their key-establishing secrets.

Oh, and if Bob is not a "communications service provider", or is one but hasn't been served an order, or is outside the UK, then that part of the Act has no effect on Bob or Alice at all. :)

The Home Office are shooting themselves (or rather us, the UK) in the foot a bit here. Very minor gain, lots of bad.

[1] but not all websites are exempt. If a site allows communications between individual visitors (rather than just between visitors and the site) then it can be served an order. Or at least that's what the Home Office said, though I don't entirely agree that that is what the actual effect [2] of the Act will be. So most social media sites can be served an order to keep keys used, or eg if they don't use FS but do use SSL/TLS they would have to keep their private keys if served an order.

[2] eg it is unlikely, but perhaps a little uncertain, that cloud providers, or something like Apple iCloud, could be served an order.
2. And what are the details on allowing hacking, does this mean that spooks can lawfully bulk hack anyone/everything?
Almost anyone, in theory at least - but not everyone.
And for those whom say "this does not affect me, I do not live in UK", yes this does affect everyone. Alot of your internet traffic gets routed all over the world including UK before reaching destination.
Yes.
Any data captured by UK on you can be shared with your government without probable cause or suspicion of crime. This is done through intel sharing agreements within spy alliances such as FVEY.
Yes. Though I don't see how a boycott would change this, international traffic would still get routed through LINX.
For security concerns I propose we boycott all and any technology, products, services, or businesses based in UK that complies with "the law" and has anything to do with technology or communications out of security concerns.
Any of those based in the UK will in practice have to comply with any orders served on them. Though some might float canaries. I don't think a boycott would achieve much.
What government is doing here is fragmenting society and industry by making the "legal white economy" incompetent, weak, and insecure through excessive intervention and laws that are not compatible with modern times.
Agreed.
While any company that wants to succeed and keep their data and operations secure will have to resort to the free market system "black economy" since government made rules are incompatible with modern era of technology. Then the free market will thrive as the "white economy" based businesses will rightfully suffer as a result of compliance.
Perhaps - though it probably won't happen in the UK :(

--
Peter Fairbrother
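
Added example, not part of the thread: a toy model of the forward-secrecy point in the message above, where a party that logs its ephemeral Diffie-Hellman exponents makes a recorded session recoverable from that log, while a party that discards them holds nothing of use. The group parameters, the Party class and the key_log field are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy group for illustration only: 2**127 - 1 is prime but far too small for real use.
P = 2**127 - 1
G = 3

def kdf(shared):
    """Derive a 32-byte session key from the DH shared value."""
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

class Party:
    """One side of an ephemeral DH exchange (hypothetical model, not a real API)."""
    def __init__(self, retain_secrets):
        self.retain_secrets = retain_secrets
        self.key_log = []   # record kept only by a party told to keep keys used
        self._x = None

    def offer(self):
        self._x = secrets.randbelow(P - 3) + 2   # fresh exponent per session
        return pow(G, self._x, P)

    def finish(self, peer_public):
        key = kdf(pow(peer_public, self._x, P))
        if self.retain_secrets:
            self.key_log.append(self._x)
        self._x = None      # forward secrecy depends on this discard
        return key

def run_session(alice, bob):
    """Run one exchange; return what a passive recorder sees, plus the key."""
    a_pub, b_pub = alice.offer(), bob.offer()
    key = alice.finish(b_pub)
    if key != bob.finish(a_pub):
        raise RuntimeError("key agreement failed")
    return {"a_pub": a_pub, "b_pub": b_pub}, key

def recover_session_key(transcript, key_log):
    """Recompute a recorded session's key from retained exponents, if any match."""
    for x in key_log:
        own = pow(G, x, P)
        if own == transcript["a_pub"]:
            return kdf(pow(transcript["b_pub"], x, P))
        if own == transcript["b_pub"]:
            return kdf(pow(transcript["a_pub"], x, P))
    return None
```

The retained log is the only thing that breaks forward secrecy here: the recorded public values alone recover nothing, and a log from one session does not open another.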