Archive for the ‘UK Government Censorship’ Category

Read more sstech.htm at MelonFarmers.co.uk

Russell Haworth, CEO of Nominet, Britain’s domain name authority, has outlined the UK’s stance on maintaining UK censorship and surveillance capabilities as the introduction of encrypted DNS over HTTPS (DoH) will make their job a bit more difficult. The authorities’ basic idea is that UK ISPs will provide their own servers for DNS over HTTPS so that they can still use this DNS traffic to block websites and keep a log of everyone’s internet use. Browser companies will then be expected to enforce using the government’s preferred DoH server.

And Google duly announced that it will comply with this censorship request. Google Chrome will only allow DoH servers that are government or corporate approved.

Note that this decision is more nuanced than just banning internet users from sidestepping state censors. It also applies to users being prevented from sidestepping corporate controls on company networks, perhaps a necessary commercial consideration that simply can’t be ignored.

Russell Haworth, CEO of Nominet explains:

Firefox and Google Chrome — the two biggest web browsers with a combined market share of over 70% — are both looking to implement DoH in the coming months, alongside other operators. The big question now is how they implement it, who they offer to be the resolvers, and what policies they use. The benefit offered by DoH is encryption, which prevents eavesdropping or interception of DNS communication. However, DoH raises a number of issues which deserve careful consideration as we move towards it.

Some of the internet safety and security measures that have been built over the years involve the DNS. Parental controls, for example, generally rely on the ISP blocking particular domains for their customers. The Internet Watch Foundation (IWF) also ask ISPs to block certain domains because they are hosting child sexual abuse material. There may also be issues for law enforcement using DNS data to track criminals. In terms of cyber security, many organisations currently use the DNS to secure their networks, by blocking domains known to contain malware. All of these measures could be impacted by the introduction of DoH.

Sitting above all of these is one question: Will users know any of this is happening? It is important that people understand how and where their data is being used. It is crucial that DoH is not simply turned on by default and DNS traffic disappears off to a server somewhere without people understanding and signing up to the privacy implications. This is the reason why we have produced a simple explainer and will be doing more to communicate about DoH in the coming weeks.

Nominet DoH demands

DoH can bring positive changes, but only if it is accompanied by understanding, informed consent, and attention to some key principles, as detailed below:

Informed user choice:

users will need to be educated on the way in which their data use is changing so they can give their informed consent to this new approach. We also need some clarity on who would see the data, who can access the data and under what circumstances, how it is being protected and how long it will be available for.

Equal or better safety:

DoH disrupts and potentially breaks safety measures that have been built over many years. It must therefore be the responsibility of the browsers and DoH resolvers who implement DoH to take up these responsibilities. It will also be important for current protections to be maintained.

Local jurisdiction and governance:

Local DoH resolvers will be needed in individual countries to allow for application of local law, regulators and safety bodies (like the IWF). This is also important to encourage innovation globally, rather than having just a handful of operators running a pivotal service. Indeed, the internet was designed to be highly distributed to improve its resilience.

Security:

Many organisations use the DNS for security by keeping suspicious domains that could include malware out of networks. It will be important for DoH to allow enterprises to continue to use these methods — at Nominet we are embracing this in a scalable and secure way for the benefit of customers through our cyber security offering.

Change is a constant in our digital age, and I for one would not stand in the way of innovation and development. This new approach to resolving requests could be a real improvement for our digital world, but it must be implemented carefully and with the full involvement of Government and law enforcement, as well as the wider internet governance community and the third sector.

A Google developer has outlined tentative short term plans for DoH in Chrome. It suggests that Chrome will only allow the selection of DoH servers that are equivalent to approved non-encrypted servers.

This is a complex space and our short term plans won’t necessarily solve or mitigate all these issues but are nevertheless steps in the right direction.

For the first milestone, we are considering an auto-upgrade approach. At a high level, here is how this would work:

  • Chrome will have a small (i.e. non-exhaustive) table to map non-DoH DNS servers to their equivalent DoH DNS servers. Note: this table is not finalized yet.

  • Per this table, if the system’s recursive resolver is known to support DoH, Chrome will upgrade to the DoH version of that resolver. On some platforms, this may mean that where Chrome previously used the OS DNS resolution APIs, it now uses its own DNS implementation in order to implement DoH.

  • A group policy will be available so that Administrators can disable the feature as needed.

  • Ability to opt-out of the experiment via chrome://flags.

In other words, this would upgrade the protocol used for DNS resolution while keeping the user’s DNS provider unchanged. It’s also important to note that DNS over HTTPS does not preclude its operator from offering features such as family-safe filtering.
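The auto-upgrade decision outlined above, as an added Python sketch that is not Chrome's code and not part of the quoted post: the mapping table, the documentation-range addresses and the `.example` endpoints are constructed, and the rule that every system resolver must have a table entry is an assumption. It also builds the RFC 8484 GET request, so the change in what a network observer or filter sees (a DNS question moving inside HTTPS to the same provider) is concrete.

```python
import base64
import struct
from dataclasses import dataclass

# Constructed table: the quoted post says Chrome's real table is not finalized.
# Addresses are RFC 5737 documentation ranges, hostnames are .example names.
UPGRADE_TABLE = {
    "192.0.2.53": "https://doh.isp-a.example/dns-query",
    "198.51.100.53": "https://doh.public-b.example/dns-query",
}


@dataclass
class Settings:
    policy_disabled: bool = False  # administrator group policy switches the feature off
    user_opted_out: bool = False   # user opted out of the experiment


def choose_transport(system_resolvers, settings, table=UPGRADE_TABLE):
    """Return ("doh", [endpoint URLs]) or ("classic", [resolver IPs]).

    Assumption of this sketch: upgrade only if every configured resolver has
    a table entry, so no lookup reaches a provider the user did not configure.
    """
    if settings.policy_disabled or settings.user_opted_out or not system_resolvers:
        return "classic", list(system_resolvers)
    if all(ip in table for ip in system_resolvers):
        return "doh", [table[ip] for ip in system_resolvers]
    return "classic", list(system_resolvers)


def build_query(name, qtype=1):
    """Minimal DNS wire-format question (ID 0, RD set, class IN)."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").encode("ascii").split(b".")
    qname = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def doh_get_url(endpoint, name):
    """RFC 8484 GET form: base64url of the DNS message, padding stripped."""
    encoded = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=")
    return endpoint + "?dns=" + encoded.decode("ascii")


def plan_lookup(name, system_resolvers, settings):
    """Decide the transport, then return the DoH request URLs or the plain resolver IPs."""
    transport, targets = choose_transport(system_resolvers, settings)
    if transport == "doh":
        return transport, [doh_get_url(url, name) for url in targets]
    return transport, targets


if __name__ == "__main__":
    # Constructed cases: known resolver, policy-disabled, unknown resolver.
    for resolvers, settings in [
        (["192.0.2.53"], Settings()),
        (["192.0.2.53"], Settings(policy_disabled=True)),
        (["203.0.113.9"], Settings()),
    ]:
        print(plan_lookup("www.example.com", resolvers, settings))
```
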

Read more uk_internet_censors.htm at MelonFarmers.co.uk

Requirements for Video Sharing Platforms in the Audiovisual Media Services Directive

The Audiovisual Media Services Directive (AVMSD) is the regulatory framework governing EU-wide coordination of national legislation on all audiovisual media. The government launched a consultation on implementing the newly introduced and amended provisions in AVMSD on 30 May, which is available here.

One of the main changes to AVMSD is the extension of scope to cover video-sharing platforms (VSPs) for the first time. This extension in scope will likely capture audiovisual content on social media sites, video-sharing sites, pornography sites and live streaming services. These services are required to take appropriate measures to: protect children from harmful content; protect the general public from illegal content and content that incites violence or hatred, and; respect certain obligations around commercial communications.

The original consultation, published on 30 May, outlined the government’s intention to implement these requirements through the regulatory framework proposed in the Online Harms White Paper. However, we also indicated the possibility of an interim approach ahead of the regulatory framework coming into force to ensure we meet the transposition deadline of 20 September 2020. We now plan to take forward this interim approach and have written to stakeholders on 23 July to set out our plans and consult on them.

This open letter and consultation sent to stakeholders, therefore, aims to gather views on our interim approach for implementing requirements pertaining to VSPs through appointing Ofcom as the national regulatory authority. In particular, it asks questions regarding:

  • how to transpose the definition of VSPs into UK law, and which platforms are in the UK’s jurisdiction;

  • the regulatory framework and the regulator’s relationship with industry;

  • the appropriate measures that should be taken by platforms to protect users;

  • the information gathering powers Ofcom should have to oversee VSPs;

  • the appropriate enforcement and sanctions regime for Ofcom;

  • what form the required out of court redress mechanism should take; and

  • how to fund the extension of Ofcom’s regulatory activities from industry.

Read more gcnews.htm at MelonFarmers.co.uk

The government writes:

A new call for evidence will explore the role of government and the private sector in the development of digital identities – the way people prove they are who they say they are using digital technology – and seek views on how to achieve higher levels of trust between the public and organisations checking their identities.

Err…how about making it totally illegal for organisations to use sensitive data. How about no more government laws that let age verification providers do what the fuck they like with your porn browsing data? No more ‘voluntary standards’ governing the keeping of porn browsing data?

The government continues:

With people increasingly required to prove their identity to access services, whether it is to buy age-restricted items on and offline or make it easier to register at a new GP surgery, these plans aim to help make doing so easier and more secure.

By cutting down on the need for physical documents, which could be misplaced or stolen, they also aim to reduce fraud. Reports suggest that unlocking the value of digital identity could add 3 per cent to UK GDP by 2030 – positioning the country as a world-leading place to develop cutting-edge innovation.

Recent figures show identity fraud is a growing problem across the UK and last year the fraud prevention service Cifas reported 189,000 incidents of identity theft.

Err… so how is it going to make it safer to put all your ID eggs in one basket and pass the basket around to all and sundry?

The government continues:

A small pilot scheme will be launched to help people speed up their applications for services, for example applying for a credit card, by allowing organisations to digitally check their identity using British passport data, where they have used this to register for government services. It will begin with companies who currently provide digital identity services to Government.

Individuals applying to access selected services online could have their identity verified this way if they choose to. The scheme will then be opened up to a small cohort of additional private sector companies for use across a range of services.

Err… like Facebook, Google, Cambridge Analytica, Ashley Madison, Pornhub…

The government continues:

No organisation would be given access to government-held data under these proposals, identity providers would simply get a yes or no as to whether the document was validly issued, and no personal data not already provided by the individual would be used or shared.

Any new solutions will be compliant with recently strengthened data protection laws and set out requirements for the secure transfer of data. There will be no central identity database and individuals will be in control of their personal data.

The pilot scheme will also test if there is a market for these new types of digital identity checking services.

Read more uk_internet_censors.htm at MelonFarmers.co.uk
ICO’s Data Protection Training
The Pavlov Method
 ☑  Yes I won’t read this message. and yes you can do what the fuck you like with my porn browsing data
 ☑  Yes please do, I waive all my GDPR rights
 ☑  Yes I won’t read this message. and yes, feel free to blackmail me
 ☑  Yes you can do anything you like ‘to make my viewing experience better’
 ☑  Yes, no need to ask, I’ll tick anything

With callous disregard for the safety of porn users, negligent lawmakers devised an age verification scheme with no effective protection of porn users’ identity and porn browsing history. The Government considered that GDPR requirements, where internet users are trained to blindly tick a box to give consent to the internet companies doing what the fuck they like with your data. Now internet users are well conditioned like Pavlov’s dog to tick the hundreds of tick boxes they are presented with daily. And of course nobody ever reads what they are consenting to, life’s too short.

After a while the government realised that the total lack of data protection for porn users may actually prevent their scheme from getting off the ground, as porn users simply would refuse to get age verified. This would result in bankrupt AV companies and perverse disincentives for porn websites. Those that implement AV would then experience a devastating drop off in traffic and those that refuse age verification would be advantaged.

So the government commissioned a voluntary kitemark scheme for AV companies to try and demonstrate to auditors that they keep porn identity and browsing history safely. But really the government couldn’t let go of its own surveillance requirements to keep the browsing history of porn users. Eventually some AV companies won the right to have a scheme that did not log people’s browsing history, but most still do maintain a log (justified as ‘fraud protection’ in the BBFC kitemark scheme description).

Well, now it appears that those who try to avoid the dangers of AV via VPNs may not be as safe as they would hope. The Henry Jackson Society has been researching the VPN industry and has found that 30% of VPNs are owned by Chinese companies that have direct data paths to the Chinese government.

Surely this will have extreme security issues, as people who use porn privately could then be set up for blackmail or pressure from the Chinese authorities.

The government needs to put an end to the current AV scheme and go back to the drawing board. It needs to try again, this time with absolute legal requirements to immediately delete porn users’ identity data and to totally ban the retention of browsing logs.

Anyway, the Henry Jackson Society explains its latest revelations:

Chinese spies could exploit Government’s new porn laws to gather compromising material on businessmen, civil servants and public figures, say think tanks.

They say Chinese firms have quietly cornered the market in technology that enables people to access porn sites without having to register their personal details with age verification firms or buy an age ID card in a newsagent.

The new law requires those accessing porn sites to prove they are 18 but the checks and registration can be by-passed by signing up to a Virtual Private Network (VPNs). These anonymise the location of a computer by routing its traffic through a server based at remote locations.

It has now emerged through an investigation by security experts that many of the VPNs are secretly controlled by Chinese-owned firms – as many as 30% of the networks worldwide.

It means that a VPN user’s viewing habits and data can not only be legally requested by the Chinese Government under its lax privacy laws but the VPNs could themselves also be state-controlled, according to the Adam Smith Institute and Henry Jackson Society.

Sam Armstrong, spokesman for the Henry Jackson Society, said:

A list of billions of late-night website visits of civil servants, diplomats, and politicians could – in the wrong hands – amount to the largest-ever kompromat file compiled on British individuals.

Those in sensitive jobs are precisely the types of individuals who would seek to use a VPN to circumvent the trip to the newsagent to buy a porn pass.

Yet, the opaque ownership of these VPNs by Chinese firms means there is a real likelihood any browsing going through them could fall into the hands of Chinese intelligence.

Read more uk_internet_censors.htm at MelonFarmers.co.uk

Digital Minister Margot James has apologised for the six-month delay on the so-called porn block, which had been due to take effect today (16th July). It is designed to force pornography websites to verify users are over 18.

But the law has been delayed twice – most recently because the UK government failed to properly notify European regulators. James told the BBC:

I’m extremely sorry that there has been a delay. I know it sounds incompetent. Mistakes do happen, and I’m terribly sorry that it happened in such an important area.

Of course the fundamental mistake is that the incompetent lawmakers cared only about ‘protecting the children’ and gave bugger all consideration to the resulting endangerment of the adults visiting porn sites.

It took the government months, but it finally started to dawn on them that perhaps they should do something to protect the identity data that they are forcing porn users to hand over that can then be pinned to their porn browsing history. They probably still didn’t care about porn users but perhaps realised that the scheme would not get off the ground if it proved so toxic that no one would ever sign up for age verification at all.

Well, as a belated afterthought, the government, BBFC and ICO went away to dream up a few standards that perhaps the age verifiers ought to be sticking to, to try and ensure that data is being kept safe.

So then the whole law ended up as a bag of worms. The authorities now realise that there should be a level of data protection, but unfortunately this is not actually backed up by the law that was actually passed. So now the data protection standards suggested by the government/BBFC/ICO are only voluntary and there remains nothing in law to require the data actually be kept safe. And there is no recourse against anyone who ends up exploiting people’s data.

The Open Rights Group have just written an open letter to the government to ask the government to change their flawed law and actually require that porn users’ data is kept properly safe:

The Rt Hon Jeremy Wright QC MP Secretary of State for Digital, Culture, Media and Sport

Re: BBFC Age Verification Privacy Certification Scheme

Dear Secretary of State,

We write to ask you to legislate without delay to place a statutory requirement on the British Board of Film Classification (BBFC) to make their privacy certification scheme for age verification providers mandatory. Legislation is also needed to grant the BBFC powers to require compliance reports and penalise non-compliant providers.

As presently constituted, the BBFC certification scheme will be a disaster. Our analysis report, attached, shows that rather than setting out objective privacy safeguards to which companies must adhere, the scheme allows companies to set their own rules and then demonstrate that these are being followed. There are no penalties for providers which sign up to the standard and then fail to meet its requirements.

The broadly-drafted, voluntary scheme encourages a race to the bottom on privacy protection. It provides no consistent guarantees for consumers about how their personal data will be safeguarded and puts millions of British citizens at serious risk of fraud, blackmail or devastating sexual exposure.

The BBFC standard was only published in April. Some age verification providers have admitted that they are not ready. Others have stated that for commercial reasons they will not engage with the scheme. This means that the bureaucratic delay to age verification’s roll-out can now be turned to advantage. The Government needs to use this delay to introduce legislation, or at the least issue guidance under section 27 of the Digital Economy Act 2017, that will ensure the privacy and security of online users is protected.

We welcome the opportunity to bring this issue to your attention and await your response.

Yours sincerely,

Jim Killock Executive Director Open Rights Group

Read more parl.htm at MelonFarmers.co.uk

Despite concern among some groups of witnesses, a shift in approach in the UK Government’s position seems on the horizon. The Minister for Digital and the Creative industries, for example, implied support for a universal digital ID in a recent interview with The Daily Telegraph in 2019:

I think there are advantages of a universally acclaimed digital ID system which nowhere in the world has yet. There is a great prize to be won once the technology and the public’s confidence are reconciled.

On 11 June 2019, DCMS and the Cabinet Office announced their intentions to launch a consultation on digital identity verification in the coming weeks. The following actions were set out:

  • A consultation to be issued in the coming weeks on how to deliver the effective organisation of the digital identity market.

  • The creation of a new Digital Identity Unit, which is a collaboration between DCMS and Cabinet Office. The Unit will help bring the public and private sector together, ensure the adoption of interoperable standards, specification and schemes, and deliver on the outcome of the consultation.

  • The start of engagement on the commercial framework for using digital identities from the private sector for the period from April 2020 to ensure the continued delivery of public services.

Single unique identifiers for citizens can transform the efficiency and transparency of Government services. We welcome the Government’s announcement in June 2019 that it will consult shortly on digital identity. While we recognise that in the UK there are concerns about some of the features of a single unique identifier, as demonstrated by the public reaction to the 2006 Identity Card Act, we believe that the Government should recognise the value of consistent identity verification. The Government should facilitate a national debate on single unique identifiers for citizens to use for accessing public services along with the right of the citizen to know exactly what the Government is doing with their data.

Offline Comment: Privacy International explains some of the reasons why this is a bad idea

14th July 2019. See article from privacyinternational.org

The debate shouldn’t be about having insight into how your identifier is used. It should be about making sure that identifiers are never usable.

After all, any unique identifier will not be limited to government use. Whether through design or commercial necessity, any such number will also find its way into the private sector. This was another fear highlighted in the mid-2000s, but it has played out elsewhere. For example, the Indian Supreme Court, in their ruling on the Aadhaar system that provided a unique number to more than a billion people, that there were dangers of its use in the private sector: Allowing private entities to use Aadhaar numbers will lead to commercial exploitation of an individual’s personal data without his/her consent and could lead to individual profiling.

Given everything that’s happened since, the 13 years since the 2006 ID Card Act (that was repealed in 2010) can seem like a lifetime. But it’s clear that the concerns expressed then remain prescient now. Now that we know so much more about the risks that the exploitation of people’s data plays – and the targeting, profiling and manipulating of individuals and groups – we should be even more fearful today of such a system than we were a decade ago. Furthermore, it’s been shown that we do not need such a unique identifier for people to securely access government services online, and it’s on such concepts we must build going forward.

See the full article from privacyinternational.org

10th July 2019. See article from ispa.org.uk and article from techdirt.com

The villains of ISPA have withdrawn their nomination of the heroic Mozilla as an internet villain. ISPA writes:

Last week ISPA included Mozilla in our list of Internet Villain nominees for our upcoming annual awards.

In the 21 years the event has been running it is probably fair to say that no other nomination has generated such strong opinion. We have previously given the award to the Home Secretary for pushing surveillance legislation, leaders of regimes limiting freedom of speech and ambulance-chasing copyright lawyers. The villain category is intended to draw attention to an important issue in a light-hearted manner, but this year has clearly sent the wrong message, one that doesn’t reflect ISPA’s genuine desire to engage in a constructive dialogue. ISPA is therefore withdrawing the Mozilla nomination and Internet Villain category this year.

TechDirt noted that the ISPA nomination was kindly advertising Mozilla’s Firefox option for DNS over HTTPS:

ISPA nominated Mozilla for the organization’s meaningless internet villain awards for, at least according to ISPA, undermining internet safety standards in the UK:

Of course Mozilla is doing nothing of the sort. DNS over HTTPS not only creates a more secure internet that’s harder to filter and spy on, it actually improves overall DNS performance, making everything a bit faster. Just because this doesn’t coalesce with the UK’s routinely idiotic and clumsy efforts to censor the internet, that doesn’t somehow magically make it a bad idea.

Of course, many were quick to note that ISPA’s silly little PR stunt had the opposite effect than intended. It not only advertised that Mozilla was doing a good thing, it advertised DNS over HTTPS to folks who hadn’t heard of it previously. Matthew Prince (@eastdakota) tweeted:

Given the number of people who’ve enabled DNS-over-HTTPS in the last 48 hours, it’s clear @ISPAUK doesn’t understand or appreciate @mmasnick’s so-called “Streisand Effect.”