Category Archives: Privacy

Speak To Me Someone

The Friday Night Song

3 Comments

Filed under FNS, Personal, Privacy

Investigatory Powers Act

‘The Investigatory Powers Act is world-leading legislation’
Amber Rudd (Home Secretary)

One might ask, what part of the world are we leading exactly:
North Korea, Cuba, China and Saudi Arabia?

Passed into UK law on 29th November 2016 with barely a whimper.
(Replaces the Data Retention and Investigatory Powers Act – DRIPA)

‘…it establishes a dangerous new norm, where surveillance of all citizens’ online activity is seen as the baseline for a peaceful society.

Collect evidence first, the government is saying, and find the criminals later.’
Jim Killock (Open Rights Group)

At a Glance:
Telecoms providers obligated to retain data on British citizens' web activity (Internet Connection Records, ICR) for 12 months.

Legalises the surveillance and ‘Targeted Equipment Interference’ (hacking) activities undertaken over many years by GCHQ and other agencies, including the collection of metadata and the hacking of individuals’ computers and phones. (As exposed by Edward Snowden in 2013.)

Legalises the wider power of ‘Bulk Equipment Interference’ (Mass Hacking) into large groups of computers and mobile phones of citizens overseas.

Provides for access by 48 named groups to the stored data, and establishes a ‘Request Filter’ (Common Database) enabling access through a single source. (Still being defined by the Home Office)

Allows access to masses of stored personal data, even if the person under scrutiny is not suspected of any wrongdoing.

Police can request viewing journalists’ call and web records. (Seen as a potential death sentence for whistleblowing and investigative journalism).

Technology companies and service providers can be asked to remove encryption on a given user’s device or service, where ‘Practicable’.
However, unlike the Apple case in the US, it’s expected that any cases in the UK will take place in private.
‘Any warrants issued to a company to decrypt users’ data will come with a gagging order, forbidding the firm from discussing it. There wouldn’t be any public debate about it.’ Harmit Kambo (Privacy International)

Who can access our data?
Amongst the more obvious police, military, and security services are a few less obvious, including:

Food Standards Agency
Department for Work and Pensions
Department for Transport
Department of Health
Revenue and Customs
English Ambulance Trust
Scottish Ambulance Service
Welsh Ambulance Service
Health and Safety Executive
Fire and Rescue Authority
Competition and Markets Authority

Comments:

‘The UK now has a surveillance law that is more suited to a dictatorship than a democracy.’
Jim Killock (Open Rights Group)

‘We have created the tools for repression.’
Lord Strasburger

‘None of us online are now guaranteed the right to communicate privately and, most importantly, securely.’
Renate Samson (Big Brother Watch)

‘The UK … joining the likes of China and Russia in collecting everyone’s browsing habits.’
Anne Jellema (World Wide Web Foundation)

This snoopers charter ‘has no place in modern democracy. The bulk collection of everyone’s internet browsing data is disproportionate, creates a security nightmare for the ISPs who must store the data, and rides roughshod over our right to privacy.’
Sir Tim Berners-Lee (inventor of the World Wide Web)

‘It’s sad that the Snowden revelations backfired so spectacularly here. Rather than rolling back powers, they’ve been used to legitimize these practices.’ Harmit Kambo (Privacy International)

‘The UK has just legalised the most extreme surveillance in the history of western democracy. It goes farther than many autocracies.’
Edward Snowden (NSA whistleblower)

Investigatory Powers Act 2016
Links to all 305 pages:
http://www.legislation.gov.uk/ukpga/2016/25/pdfs/ukpga_20160025_en.pdf
http://www.legislation.gov.uk/ukpga/2016/25/contents/enacted

I wonder how many of our MPs have read, and understood, this piece of art?

Other Sources:
http://www.theverge.com/2016/11/23/13718768/uk-surveillance-laws-explained-investigatory-powers-bill
https://www.theguardian.com/world/2016/nov/19/extreme-surveillance-becomes-uk-law-with-barely-a-whimper
http://www.ibtimes.co.uk/governments-snoopers-charter-has-no-place-modern-democracy-says-inventor-world-wide-web-1594092
http://www.huffingtonpost.co.uk/entry/investigatory-powers-act-becomes-law-royal-assent_uk_583d91d8e4b072ec0d60680d
http://arstechnica.co.uk/tech-policy/2016/11/investigatory-powers-act-imminent-peers-clear-path-for-uk-super-snoop-law/
http://www.jomec.co.uk/blog/how-the-uk-got-a-world-leading-surveillance-law/
https://www.theguardian.com/world/2014/jan/27/nsa-gchq-smartphone-app-angry-birds-personal-data

4 Comments

Filed under News, Politics, Privacy, Technology

All About TTIP & ISDS

Just reading about BHS and how easily money can be made
(if you have the right contacts):

Sir Philip Green bought BHS for £200m in 2002, extracted £400m and then sold it to a consortium for £1 in 2015

The consortium, Retail Acquisitions, led by Dominic Chappell, extracted £25m before putting it into administration on Monday (25 April 2016) with debts of over £1.3bn.

No need for them to worry too much about the £571m pensions black hole left in BHS, which will, in all probability, be largely filled by the Government’s Pensions Protection Scheme.

Nice work if you can get it. Green is said to be worth 3.5 billion.

If I’d realised the investment would return £25m within a year, I could have offered Sir Philip £2 for it.

All of which serves as a timely reminder of what Corporations might hope to gain if the TTIP deal is concluded in the EU, which was largely the reason Obama was in Europe this week. Little surprise that he should want the UK to remain in the EU.

RT reporter Jonathan Pie’s view of TTIP, January 2016

And from the Independent yesterday:

Mr Obama’s trip to Europe has been seen as an effort to drum up support for TTIP before the end of his time in the White House.

He has been pushing for its completion since parties were scheduled to sign in 2014, promising the treaty would remove “regulatory and bureaucratic irritants and blockages to trade”.

The Transatlantic Trade and Investment Partnership will have “few or no benefits to the UK”, according to the only official assessment of the deal commissioned by the UK Government.

The warning was disclosed in response to a Freedom of Information request by anti-TTIP campaigners Global Justice Now.

‘…the deal could give corporations the power to sue governments when they pass regulation that could hit firms’ profits through an international court called the Investor-State Dispute Settlement (ISDS).’

‘United Nations figures show US companies have made billions of dollars by suing other governments nearly 130 times in the past 15 years under similar free-trade agreements.

Details of the cases are often secret, but notorious precedents include tobacco giant Philip Morris suing Australia and Uruguay for putting health warnings on cigarette packets.’

“Ultimately, we conclude that an EU-US investment treaty that does contain ISDS is likely to have few or no benefits to the UK, while having meaningful economic and political costs,” the report said.

What is TTIP? And six reasons why the answer should scare you
Lee Williams, Independent October 2015

1 The NHS
Public services, especially the NHS, are in the firing line. One of the main aims of TTIP is to open up Europe’s public health, education and water services to US companies. This could essentially mean the privatisation of the NHS.

2 Food and environmental safety
TTIP’s ‘regulatory convergence’ agenda will seek to bring EU standards on food safety and the environment closer to those of the US. But US regulations are much less strict, with 70 per cent of all processed foods sold in US supermarkets now containing genetically modified ingredients. By contrast, the EU allows virtually no GM foods.

3 Banking regulations
TTIP cuts both ways. The UK, under the influence of the all-powerful City of London, is thought to be seeking a loosening of US banking regulations, effectively handing all those powers back to the bankers.

4 Privacy
The ACTA (the Anti-Counterfeiting Trade Agreement) was thrown out by a massive majority in the European Parliament in 2012 after a huge public backlash against what was rightly seen as an attack on individual privacy where internet service providers would be required to monitor people’s online activity. It’s feared that TTIP could be bringing back ACTA’s central elements, proving that if the democratic approach doesn’t work, there’s always the back door.

5 Jobs
The EU has admitted that TTIP will probably cause unemployment as jobs switch to the US, where labour standards and trade union rights are lower. It has even advised EU members to draw on European support funds to compensate for the expected unemployment.

6 Democracy
TTIP’s biggest threat to society is its inherent assault on democracy. One of the main aims of TTIP is the introduction of Investor-State Dispute Settlements (ISDS), which allow companies to sue governments if those governments’ policies cause a loss of profits. In effect it means unelected transnational corporations can dictate the policies of democratically elected governments.

More about TTIP in these 2015 videos:

9 Comments

Filed under Politics, Privacy

Cyber War Pt 2: Unintended Consequences

This follow-up to ‘Cyber War – Real Time View’ delves slightly deeper and examines the possibility of ‘unintended consequences’.

Another view of attacks, again from security company Norse.

There are two important aspects regarding these images:

1. The people behind the attacks are not necessarily residing in, or even acting from, the country the attacks appear to come from. As was noted last time, ‘this is a war without frontiers, uniforms, or even a clearly defined enemy’. It’s important not to view this as a war of one country versus another. It’s far more subtle than that.

2. The map mainly serves to show the scale and type of the attacks as monitored by Norse. It is not a complete picture of all worldwide threats. It under-reports because it doesn’t include attacks on sites that aren’t monitored by Norse. Other security companies will have similar maps that aren’t publicly available. Without access to that data, the real scale of intrusion attempts cannot be accurately assessed.

Many of these attacks are simply about theft. Data is money, and attackers are looking to steal private data to sell on to willing buyers.

The theft from ‘Target Stores’ in 2013 involved 40 million credit cards and 70 million customer details. It was estimated that between 1 and 3 million card details were sold on by the thieves, netting around $54 million.

Target aren’t alone; these organisations were also subject to large-scale losses of data in 2014:

Staples – 1.16 million cards
Michaels (retail chain) – 2.6 million cards
Home Depot – 56 million cards and 53 million email addresses
Sony – theft of 5 unreleased films, and 47k Social Security numbers (including 15k staff), many with full personal details
JP Morgan Chase – data on 76 million households and 7 million small businesses
New York’s Attorney General advised that over 8 years, 22.8 million private records were exposed.

However, it’s not always about theft.

Industrial espionage or malicious intent can be the motives, such as disrupting a company or organization’s operations, sometimes re-routing or delaying the logistics chain. There is also the example from 2013 where drug dealers hacked the computers of the port of Antwerp in Belgium, with the intent of smuggling drugs into the country.

Probably the most public malicious attack was the Stuxnet worm (2008–2010). An infected USB stick delivered a payload intended to achieve a very specific result, and targeted only the Siemens devices that controlled the Iranian centrifuges used for uranium enrichment. It’s believed that 20% of the Iranian centrifuges were destroyed by Stuxnet.

The worm was later confirmed to be a joint USA / Israeli operation, and although it achieved its objective, it wasn’t without problems. The worm was designed not to travel outside the nuclear facility. However, an error in the code allowed the worm to replicate and spread all over the internet. It was claimed that no ‘unintended consequences’ occurred as a result, but some reports suggest otherwise. The Russians claimed that their nuclear facility was infected with the worm and, in the UK, a French-owned nuclear reactor unexpectedly shut down. EDF confirmed that the reactor also used Siemens controllers, but denied that the Stuxnet virus was involved. In a secret war, how would we ever know?

However, whatever the truth, it does appear that no catastrophic events occurred. Will we be so lucky the next time, when the people who design malicious code fail to grasp the significance of the unintended consequences of their work?

This attack highlighted how unprepared countries and organisations are to defend or respond to such action. It also showed how catastrophic unintended consequences might occur.

Most of all, it showed the potential of Cyber-warfare – the ability to collapse complex infrastructures.

Similar malware could cause havoc if allowed to infiltrate the computers in large corporations or infrastructure such as Power, Water or Communications.

This isn’t a war in which people are merely spectators. In many cases they are the players. Often the doors are left open by the users themselves.

A major retail chain suffered a crippling attack last December, during a peak trading period. Despite having invested in an extensive central security team, it transpired that a senior director had downloaded porn onto his work computer and unwittingly introduced the malware into his business.

Many intrusions occur because an individual had a lapse in their own security. One intrusion technique is the APT (Advanced Persistent Threat), where a specific individual is identified and then repeatedly targeted, with the expectation that eventually one intrusion will be successful.

‘Security should be viewed as a shared responsibility that reaches well beyond the traditional view of it residing in a single department.’ …Senior Director NTT Com Security

This should be the standard thinking, but it’s far from it.

Security is not ‘configure and forget’. It requires constant monitoring and user interventions. Often the simple solutions are most effective.

Around 60% of attacks on web applications in the UK are ‘SQL injection’, typically exploiting known vulnerabilities in software. It’s not reported how many are successful, but since NTT Com Security research shows that 76% of known vulnerabilities identified in businesses were over 2 years old, it’s not hard to see why they are so popular with attackers. The simple act of regularly updating operating systems and applications would block them.
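To show what the SQL injection mentioned above actually looks like at code level, and why the fix is so simple, here is an added example (not from the original post, and not the code of any company named in it). It builds a constructed in-memory SQLite table and runs the same lookup two ways: one that pastes user input into the query text, and the hardened form that binds it as a parameter.

```python
import sqlite3


def make_db():
    """Constructed sample customer table (example data only, not real records)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [
            (1, "alice", "alice@example.com"),
            (2, "bob", "bob@example.com"),
            (3, "carol", "carol@example.com"),
        ],
    )
    return conn


def lookup_vulnerable(conn, name):
    """Vulnerable form: the caller's input becomes part of the SQL text itself.

    Whatever the user types is parsed by the database as SQL, so a value
    containing a quote character can change the meaning of the WHERE clause.
    """
    query = "SELECT id, name FROM customers WHERE name = '%s'" % name
    return conn.execute(query).fetchall()


def lookup_safe(conn, name):
    """Hardened form: the value is bound as a parameter.

    The SQL text is fixed at development time; the driver passes the value
    separately, so it is compared as data and never interpreted as SQL.
    """
    return conn.execute(
        "SELECT id, name FROM customers WHERE name = ?", (name,)
    ).fetchall()


def demo():
    """Run both lookups on a normal name and on a tampered value.

    The tampered value closes the quoted literal early and appends a
    condition that is always true. Against the vulnerable query that turns
    'find one customer' into 'return every customer'; against the bound
    query it is simply a name that matches nothing.
    """
    conn = make_db()
    benign = "bob"
    tampered = "x' OR '1'='1"
    return {
        "vuln_benign": lookup_vulnerable(conn, benign),      # one row
        "vuln_tampered": lookup_vulnerable(conn, tampered),  # every row leaks
        "safe_benign": lookup_safe(conn, benign),            # one row
        "safe_tampered": lookup_safe(conn, tampered),        # no rows
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The point for a defender is that the hardened version needs no input filtering at all: binding the parameter removes the bug regardless of what the user types.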

Everyone has responsibility for computer security.

When the lights go out, or communications fail, or water fails to run out of the tap, it’s quite possible that someone, somewhere enabled the malware intrusion by downloading some forbidden file onto their PC without first considering the possible ‘unintended consequences’.

That might be all it takes.



4 Comments

Filed under Privacy, Technology

Cyber War – Real Time View

The world has no shortage of war, so it’s no surprise to discover another one.
But this one is different in that it doesn’t involve all the traditional tools of war; armies, guns, tanks, missiles, drones, and country invasion. Although it does retain the ability to inflict pain, suffering and misery.

It has been fueled by the growth in technology, and thrives on the inability of individuals to consider the unintended consequences of their actions.
Like all modern wars, it can be viewed on a screen, just like a computer game.


Click the image to follow the action provided by security company Norse.

These are real time attacks from one computer to another, probing security systems, looking for a way in. But don’t be misled by the implication this is ‘China’ vs the ‘USA’, or any other country.

It’s way more subtle than that.

This is a war without frontiers, uniforms, or even a clearly defined enemy.
The attack location can be anywhere on the planet, as can the target.
Attackers can include small-time thieves, drug dealers, arms dealers, organized crime, commercial competition, activists, rogue states, secret states, and governments, to name just a few.

It’s under-reported, which makes it difficult to know which activities are the result of cyber attacks and which aren’t. Quite often those that suffer the outages aren’t certain either.

On the 8th July this year, one day after the China stock market crash, several incidents happened on the same day in the USA. Computer ‘glitches’ were blamed:

1. The NYC subway system left a few trains stuck in some stations for extended periods of time.
2. United Airlines’ computer system stopped working, forcing all flights from the airline to be grounded.
3. The New York Stock Exchange’s computerized trading system also stopped working, causing trading to be suspended, a big deal in one of, if not the, world’s largest trading market.
4. Following the New York Stock Exchange failure, the Wall Street Journal’s website also malfunctioned.
5. Over 2,500 residents in Washington, DC lost power.

Coincidence?
Maybe, but the capacity of cyber-war to devastate Power, Water or Communications infrastructure is proven.

A recent internet outage lasting only 5 days provided a sharp and timely reminder to me of just how dependent we have become on technology, and how difficult life could be with sustained outages.

The mesmerisingly pretty graphics mask that reality.


(If time permits, I’ll post a more detailed perspective later).



12 Comments

Filed under Privacy, Technology

Nothing to Hide, Nothing to…

Aside from any concerns about invasion of privacy and the protection of personal data (which are by no means trivial) under the proposed Data Retention and Investigatory Powers (DRIP) Act, there is also the prospect of inaccurate data being held in secret databases.

Today’s Express has a story that made me think not only about stored data, but also the accuracy of stored data. It describes the chaos and incompetence which are inherent in bureaucracy when the Home Office admitted it had not only lost 114 files relating to child abuse, but that a further 36,000 other files had gone astray. The NHS mislays the files of 2,000 patients every day.

Most organizations can fall prey to incompetence, poor practices, or simple errors, but this is without even considering the contents of files. I recently knew of a doctor who, when he saw his own (newly electronic) file, was horrified to discover that although it was his file, it contained someone else’s notes.

Anyone who has experience of IT will appreciate the difficulty in keeping databases ‘clean’, avoiding duplicated files or inaccurate data. GIGO (garbage in, garbage out) was a common expression years ago, but seems to have been forgotten today. Information is only as good as the systems entering it into storage.

The new DRIP legislation requires the service providers to store the data, which is a good cost saving measure for the government, but it’s hard to imagine that any service provider will welcome the additional costs involved. Nor perhaps will they make any great efforts to ensure it’s clean data.

This could be a serious point of weakness – can the data be trusted to be accurate?

Many people have experienced frustrations, or worse, when information contained in places such as credit databases has been inaccurate, but at least there is the opportunity to inspect and challenge.

More worryingly, how dangerous might erroneous data held in secret databases be?

In July 2005, Jean Charles de Menezes set off to work. He was lawfully in the UK, did nothing out of the ordinary, nor did he behave or dress in a way that might attract attention. On that morning he was followed by police as he travelled on two buses before finally entering Stockwell tube station and boarding a train. Menezes was killed with 7 bullets through his head.

Jean Charles de Menezes was followed because he had been misidentified as a suspect involved in the attempted bombings the previous day.

How confident are MPs who vote to pass the new law that information trawled from non-suspects under the DRIP regulations will not lead to cases of mistaken identity, possibly with tragic consequences?

Those who understand the inadequacies and inaccuracies inherent in most database systems will know the answer, even without considering the incompetences inherent in bureaucracy.

What mechanisms for oversight are in place? How will ordinary people know what’s been stored against their name? Who will monitor the information? What right of redress is available?

What shall we call this new country of ours?

Has it come to the point where we begin to fear our own security services, not because of any misdemeanors we’ve committed, but because the secret information they hold on us might be wrong?


3 Comments

Filed under News, Politics, Privacy

‘DRIP’ feeding the Surveillance Society


“We are concerned that introducing emergency legislation does nothing to enhance the rule of law or address the fact that we are increasingly becoming a ‘surveillance society’. The history of emergency legislation is not exemplary, with laws being used for purposes for which they were not intended. Today’s news is particularly worrying, given the emergency legislation will go against a court judgment on human rights. There needs to be a public debate about how to strike the right balance between security, freedom and privacy. We need to simplify and clarify a complex and confusing legal framework and ensure that it protects human rights.”

The Law Society president, Andrew Caplen, 10th July 2014

Emergency UK ‘Data Retention and Investigatory Powers (DRIP) Act’.

Within days, MPs are being asked to approve DRIP, providing little time to debate or digest any of the implications with regard to balancing liberty, privacy and security. In this clip, Tom Watson describes it as ‘anti-democratic’, and ‘hasty legislation… that invariably goes wrong’:

The NeedleBlog guide to the new UK Emergency Legislation, DRIP:

The bill is being rushed through to ‘urgently put in place new laws to “plug a hole” in legislation following ruling by the European Court of Justice (ECJ)’.
It will ‘protect the public from criminals, terrorists and paedophiles’.

That hole occurred in April this year, when the ECJ declared the ‘2006 EU Data Retention Directive’ invalid and ruled that it violated two basic rights: respect for private life and protection of personal data.

The Directive had caused protests in several member states when it was first introduced in 2006. In Germany, 34,000 appealed to their supreme court, and in Austria 11,000 filed a complaint which reached the European Court of Justice. Supreme courts of several EU member states declared the entire directive, the implementation or parts thereof as unconstitutional. The Irish high court referred the issue to the ECJ in 2013.

Any protest in the UK, however, was ignored, and the UK government introduced ‘The Data Retention (EC Directive) Regulations 2009’, which required phone companies and Internet providers to store data for 12 months.

The 2006 EU Data Retention Directive had compelled member states to store communications data for between 6 and 24 months. It required that data from mobile, fixed-line phone and computer communications be stored. This would include: the identity of the user, their physical address, IP address, identity of recipient, type of communication, time and length of communication, and locations and type of communication devices. It did not authorise the storage of the content of communications. At the time the UK was keen to extend the EU Directive’s powers.

Following the suspension of the Directive in April 2014, the UK was ‘considering the judgment’. This Emergency Legislation (DRIP) is the result of that consideration.

It has been widely claimed that DRIP is merely the same as the old ‘2006 EU Directive’ but now under UK law. However:

‘Sections 4 and 5 of the bill also hugely expand the scope of the U.K. authorities’ surveillance powers, despite government insistence that this is not the case. Section 4 would allow authorities to demand customer data from overseas providers, and section 5 would sweep new kinds of communications data into the fold, potentially including that for social networks, forums and instant messengers. In addition, the government would be able to expand its powers further by regulation, instead of having to draw up new legislation.’

And this:

Most of these amendments come down to inserting the words “outside the United Kingdom” into the existing RIPA text, in sections governing which ISPs and companies are covered by the legislation.
Similarly, the notes also make clear that the DRIP Act would “clarify” that the definitions of “telecommunications service” include “internet-based services, such as webmail,” and section 5 says intercept powers would cover any service that “consists in or includes facilitating the creation, management or storage of communications”.
Worryingly, DRIP would also make it possible to order communications providers to retain “all data or any description of data” — the accompanying notes say this couldn’t mean retaining more than metadata, but the wording of the bill itself doesn’t appear to be that clear.

Aside from the ambiguity described above, storing content data is not permitted under this legislation. However, that should not prove problematic for the government, since it can already collect content using a legal loophole which allows monitoring the contents of Google searches, Facebook, Twitter, YouTube and overseas emails, because they are deemed to be “external communications”.

As in 2009, this UK Act will likely be passed, and go unnoticed by the masses as yet another nail is driven into our democracy, and our privacy further eroded.

Ironically, next month, this country is poised to commemorate the centenary of World War One, and celebrate our freedoms, for which many paid the ultimate price. It’s probably fortunate that they are no longer here to see the ease with which they are now being squandered.

4 Comments

Filed under News, Politics, Privacy