Liberty News

A judicial review of the Data Retention and Investigatory Powers Act (DRIPA) has been granted permission by Mr Justice Lewis in the High Court today. Open Rights Group (ORG) and Privacy International (PI) intervened in the case, which was brought by Tom Watson MP and David Davis MP, represented by Liberty. ORG and PI have now been given permission to make further submissions in advance of the next hearing.

Legal Director Elizabeth Knight said:

After the Court of Justice of the EU declared the Data Retention Directive invalid, the UK government had the opportunity to design new legislation that would protect human rights. It chose instead to circumvent the decision of the CJEU by introducing the Data Retention and Investigatory Powers Act (DRIPA), which is almost identical to the Data Retention Directive.

Through our submission, we hope to help demonstrate that DRIPA breaches our fundamental human right to privacy and does not comply with human rights and EU law.

ORG's submission addresses the EU data protection regime in place before the Data Retention Directive (in particular the Data Protection Directive, the E-privacy Directive and the E-Commerce Directive) and why we consider DRIPA does not comply with the requirements of the regime in light of the clear guidance from the CJEU.

The Investigatory Powers Tribunal (IPT) gave its judgment in a major surveillance case brought by Privacy International, Liberty and Amnesty International. Disappointingly, the IPT ruled against the NGOs and accepted the security services' position that they may in principle carry out mass surveillance of all fibre optic cables entering or leaving the UK and that vast intelligence sharing with the NSA does not contravene the right to privacy because of the existence of secret policies.

The decision should enable the European Court of Human Rights (ECtHR) to proceed with hearing the Privacy not PRISM case brought by ORG and others. It also means that Privacy International, Liberty and Amnesty International may join us in the ECtHR.

The NGOs challenged the government's surveillance practices on the grounds that it breached our rights to privacy and freedom of expression. Read Privacy International's summary of the judgment here.

It is a disappointing decision, but not a surprising one. ORG and the other human rights groups have long argued that the IPT is unable to provide an adequate remedy. It is able to hold secret hearings (as part of the hearing in this case was) without telling the claimant what happened at those hearings. There is no right of appeal from a decision of the IPT. In this case the government refused to divert from its neither confirm nor deny policy regarding the existence of its surveillance programmes, which meant the case had to consider hypotheticals.

ORG, Big Brother Watch, English PEN, Article 19 and Constanze Kurz have a case in the ECtHR that challenges the government's surveillance practices on very similar grounds. Our Privacy not PRISM case questions the human rights compliance of GCHQ's TEMPORA programme, carried out under s.8(4) Regulation of Investigatory Powers Act (RIPA) and the use of information obtained from the NSA's PRISM programme. The case has been given a priority status by the ECtHR but is currently on hold pending today's decision by the IPT.

The IPT case has forced the government to disclose previously secret polices, reveal its overly broad definition of external communications and admit that it can obtain communications from the NSA without a warrant. These disclosures will assist all of the rights groups' arguments in the ECtHR.

The decision means that the adjournment of our case is likely to be lifted soon. How soon this happens will depend on whether the claimants in the IPT decide to apply to the ECtHR and whether the court allows them to join our case. Privacy International has already indicated that it intends to complain to the ECtHR.

We await the decision of the ECtHR as to when it will re-start our case and begin its scrutiny of the government's surveillance practices. All parties will now look to the ECtHR to defend our human rights where the IPT has failed to do so.

Britain's surveillance laws, which have recently been used by the police to seize journalists's phone records in the Plebgate and Huhne cases, are not fit for purpose and need urgent reform, a Commons inquiry has found.

The Commons home affairs select committee says that the level of secrecy surrounding use of the Regulation of Investigatory Powers Act (Ripa) allows the police to engage in acts which would be unacceptable in a democracy .

The committee chairman, Keith Vaz, said the surveillance law was not fit for purpose:

Using Ripa to access telephone records of journalists is wrong and this practice must cease. The inevitable consequence is that this deters whistleblowers from coming forward.

The MPs' inquiry followed claims by Sun and Daily Mail journalists that the Metropolitan and Kent police forces were secretly using the powers to trawl through thousands of phone numbers to detect their confidential sources in high-profile stories.

In response Home Office ministers have claimed they will revise the Ripa rules on communications data requests involving sensitive professions such as journalists and lawyers.

Emma Carr, director of Big Brother Watch, said:

When a senior Parliamentary Committee says that the current legislation is not fit for purpose, then this simply cannot be ignored. It is now abundantly clear that the law is out of date, the oversight is weak and the recording of how the powers are used is patchy at best. The public is right to expect better.

The conclusion of the Committee that the level of secrecy surrounding the use of these powers is permitting investigations that are deemed unacceptable in a democracy, should make the defenders of these powers sit up and take notice. At present, the inadequacy and inconsistency of the records being kept by public authorities regarding the use of these powers is woefully inadequate. New laws would not be required to correct this.

Whilst this report concentrates on targeting journalists, it is important to remember that thousands of members of the public have also been snooped on, with little opportunity for redress. If the police fail to use the existing powers correctly then it is completely irresponsible for the Home Office to be planning on increasing those powers.

Failure by the Government to address these serious points means we can already know that there will be many more innocent members of the public who will be wrongly spied on and accused. This is intolerable.

Police are to get powers to force internet firms to hand over details linked to IP addresses in order to help them help snoop on people's internet use.

The anti-terrorism and security bill will oblige internet service providers (ISPs) to retain information linking IP (Internet Protocol) addresses to individual subscribers.

The home secretary, Theresa May, said the measure would boost national security, but again complained that Liberal Democrats were blocking further steps.

Loss of the capabilities on which we have always relied is the great danger we face, May said. The bill provides the opportunity to resolve the very real problems that exist around IP resolution and is a step in the right direction towards bridging the overall communications data capability gap.

However, the Lib Dems insisted that the communications data bill -- branded the snooper's charter -- was dead and buried . The party also stressed that the deputy prime minister, Nick Clegg, had been calling for the IP measures since spring 2013.

The technical details are either sparse or misleading, maybe deliberately. Home and mobile broadband users have obviously had their IP address recorded and logged for sometime along with logs of messages and websites visited. I believe that the bill is targeted at internet access on mobile phones where an IP address is shared by many users simultaneously without retaining detailed user records per IP message.

The Register obtained a slightly getter explanation from the Home Office:

Every internet user is assigned an IP address to ensure communication service providers know which data should go to which customer and routes it accordingly. Addresses are sometimes assigned to a specific device, such as a broadband router located in a home or company. But they are usually shared between multiple users and allocated randomly by the provider's automated systems.

Many providers currently have no business reason for keeping a log of who has used each address. It is therefore not always possible for law enforcement agencies accessing the data to identify who was using an IP address at any particular time.

Such communications data is a vital tool in the investigation of terrorist and criminal activity, and significantly contributes to the conviction of child sex offenders.

The inability to link IP addresses to individuals poses serious challenges for law enforcement agencies. The proposed measures would reduce the risk of terrorism by improving the ability of the police and other agencies to identify terror suspects who may be communicating with each other via the internet.

It would also help to identify and prosecute organised criminals; cyber bullies and computer hackers; and protect vulnerable people. For example, it can be used to identify a child who has threatened over social media to commit suicide.

This legislation will not however address all the capability gaps that the Draft Communications Data Bill aimed to fill. These gaps will continue to have a serious impact on law enforcement and intelligence agencies. For example, the provisions will not enable the retention of weblogs -- a record of information relating to a communication between a user and the internet, including a record of websites that have been visited.

Update: Retaining MAC addresses

27th November 2014. See article from publicaffairs.linx.net

The Counter-Terrorism and Security Bill amends the definition of relevant communications data that Internet providers are required to retain. The apparent intention is to ensure that Internet providers retain IP port numbers or machine MAC addresses when these are necessary to distinguish users, such as when the network is employing Carrier-Grade Network Address Translation (CGN).

An international coalition of more than fifty actors, musicians and intellectuals have announced their support for Edward Snowden, WikiLeaks, whistleblowers and publishers. Some are also encouraging donations to the Courage Foundation --which runs the official legal defense fund for Edward Snowden and other whistleblowers, as well as fights for whistleblower protections worldwide -- with tweets and social media posts.

The courage that Edward Snowden and other whistleblowers and truthtellers have shown and continue to show is truly extraordinary and necessary in helping the public have access to their historical record through media, said Sarah Harrison, WikiLeaks Investigations Editor and Director of the Courage Foundation. WikiLeaks and Harrison ensured Edward Snowden's safe exit from Hong Kong and secured his asylum. We cannot thank these cultural icons enough for showing their support.

The announcement coincides with the expanded theatrical release of Laura Poitras' critically acclaimed documentary CitizenFour -- providing a first-hand account of Edward Snowden's disclosure of the NSA's mass surveillance program.

Signed by Susan Sarandon, Russell Brand, Peter Sarsgaard, M.I.A., Thurston Moore, David Berman, Vivienne Westwood, Alfonso Cuaròn and several other artists and intellectuals, the statement praises the work of whistleblowers such as Snowden, highlighting the need to support these individuals as they face social and legal persecution for their revelations to the public. The statement reads:

We stand in support of those fearless whistleblowers and publishers who risk their lives and careers to stand up for truth and justice. Thanks to the courage of sources like Daniel Ellsberg, Chelsea Manning, Jeremy Hammond, and Edward Snowden, the public can finally see for themselves the war crimes, corruption, mass surveillance, and abuses of power of the U.S. government and other governments around the world. WikiLeaks is essential for its fearless dedication in defending these sources and publishing their truths. These bold and courageous acts spark accountability, can transform governments, and ultimately make the world a better place.

In addition to urging the public to stand in solidarity with Snowden and other whistleblowers, many of the artists are calling on fans to watch CitizenFour, and are raising awareness of the Courage Foundation's whistleblower defense efforts, which fundraises for the legal and public defense of whistleblowers and campaigns for the protection of truthtellers and the public's right to know generally.

The statement was signed by:

Udi Aloni, Pamela Anderson, Anthony Arnove, Etienne Balibar, Alexander Bard, John Perry Barlow, Radovan Baros, David Berman, Russell Brand, Victoria Brittain, Susan Buck-Morss, Eduardo L. Cadava, Calle 13, Alex Callinicos, Robbie Charter, Noam Chomsky, Scott Cleverdon, Ben Cohen, Sadie Coles, Alfonso Cuaròn, John Deathridge, Costas Douzinas, Roddy Doyle, Bella Freud, Leopold Froehlich, Terry Gilliam, Charlie Glass, Boris Groys, Michael Hardt, P J Harvey, Wang Hui, Fredric Jameson, Brewster Kahle, Hanif Kureishi, Engin Kurtay, Alex Taek-Gwang Lee, Nadir Lahiji, Kathy Lette, Ken Loach, Maria Dolores Galán López, Sarah Lucas, Mairead Maguire, Tobias Menzies, M.I.A., W. J. T. Mitchell, Moby, Thurston Moore, Tom Morello, Viggo Mortensen, Jean-Luc Nancy, Bob Nastanovich, Antonio Negri, Brett Netson, Rebecca O’Brien, Joshua Oppenheimer, John Pilger, Alexander Roesler, Avital Ronell, Pier Aldo Rovatti, Susan Sarandon, Peter Sarsgaard, Assumpta Serna, Vaughan Smith, Ahdaf Soueif, Oliver Stone, Cenk Uygur, Yanis Varoufakis, Peter Weibel, Vivienne Westwood, Tracy Worcester and Slavoj Zizek

Recently, Verizon was caught tampering with its customer's web requests to inject a tracking super-cookie . Another network-tampering threat to user safety has come to light from other providers: email encryption downgrade attacks. In recent months, researchers have reported ISPs in the US and Thailand intercepting their customers' data to strip a security flag--called STARTTLS--from email traffic. The STARTTLS flag is an essential security and privacy protection used by an email server to request encryption when talking to another server or client. 1

By stripping out this flag, these ISPs prevent the email servers from successfully encrypting their conversation, and by default the servers will proceed to send email unencrypted. Some firewalls, including Cisco's PIX/ASA firewall do this in order to monitor for spam originating from within their network and prevent it from being sent. Unfortunately, this causes collateral damage: the sending server will proceed to transmit plaintext email over the public Internet, where it is subject to eavesdropping and interception.

This type of STARTTLS stripping attack has mostly gone unnoticed because it tends to be applied to residential networks, where it is uncommon to run an email server 2 . STARTTLS was also relatively uncommon until late 2013 , when EFF started rating companies on whether they used it . Since then, many of the biggest email providers implemented STARTTLS to protect their customers. We continue to strongly encourage all providers to implement STARTTLS for both outbound and inbound email. Google's Safer email transparency report and starttls.info are good resources for checking whether a particular provider does.

The SMTP protocol, the underpinning of email, was not originally designed with security in mind. But people quickly started using it for everything from shopping lists and love letters to medical advice and investigative reporting, and soon realized their mail needed to be protected from prying eyes. In 1991, Phil Zimmerman implemented PGP , an end-to-end email encryption protocol that is still in use today. Adoption of PGP has been slow because of its highly technical interface and difficult key management. S/MIME , with similar properties as PGP, was developed in 1995. And in 2002, STARTTLS for email was defined by RFC 3207 .

While PGP and S/MIME are end-to-end encryption, STARTTLS is server-to-server. That means that the body of an email protected with, e.g. PGP, can only be read by its intended recipient, while email protected with STARTTLS can be read by the owners of the sending server and the recipient server, plus anyone else who hacks or subpoenas access to those servers. However, STARTTLS has three big advantages: First, it protects important metadata (subject lines and To:/From/CC: fields) that PGP and S/MIME do not. Second, mail server operators can implement STARTTLS without requiring users to change their behavior at all. And third, a well-configured email server with STARTTLS can provide Forward Secrecy for emails. The two technologies are entirely compatible and reinforce each other. The most secure and private approach is to use PGP or S/MIME with a mail service that uses STARTTLS for server-to-server communication.

There are several weak points in the STARTTLS protocol, however. The first weakness is that the flag indicating that a server supports STARTTLS is not itself encrypted, and is therefore subject to tampering, which can prevent that server from establishing an encrypted connection. That type of tampering is exactly what we see today. EFF is working on a set of improvements to STARTTLS, called STARTTLS Everywhere , that will make server-to-server encryption more robust by requiring encryption for servers that are already known to support it.

It is important that ISPs immediately stop this unauthorized removal of their customers' security measures. ISPs act as trusted gateways to the global Internet and it is a violation of that trust to intercept or modify client traffic, regardless of what protocol their customers are using. It is a double violation when such modification disables security measures their customers use to protect themselves.

British intelligence services can access raw material collected in bulk by the NSA and other foreign spy agencies without a warrant, the government has confirmed for the first time.

GCHQ's secret arrangements for accessing bulk material are revealed in documents submitted to the Investigatory Powers Tribunal, the UK surveillance watchdog, in response to a joint legal challenge by Privacy International, Liberty and Amnesty International. The legal action was launched in the wake of the Edward Snowden revelations published by the Guardian and other news organisations last year.

The government's submission discloses that the UK can obtain unselected -- meaning unanalysed, or raw intelligence -- information from overseas partners without a warrant if it was not technically feasible to obtain the communications under a warrant and if it is necessary and proportionate for the intelligence agencies to obtain that information.

The rules essentially permit bulk collection of material, which can include communications of UK citizens, provided the request does not amount to deliberate circumvention of the Regulation of Investigatory Powers Act (Ripa), which governs much of the UK's surveillance activities.

And the Police...

From bigbrotherwatch.org.uk
See Spying on phone calls and emails has doubled under the coalition from telegraph.co.uk

Big Brother Watch has published a report highlighting the true scale of police forces' use of surveillance powers.

The report comes at a time when the powers have faced serious criticism, following revelations that police have used them to access journalists' phone records.

The research focuses on the use of 'directed surveillance' contained in the controversial Regulation of Investigatory Powers Act (RIPA) by police forces; a form of covert surveillance conducted in places other than residential premises or private vehicles which is deemed to be non-intrusive, but is still likely to result in personal information about the individual being obtained.

Although the report details how directed surveillance powers were authorised more than 27,000 times over a three year period, police forces are not compelled to record any other statistics; therefore we cannot know the exact number of individuals that these authorisations relate to.