it's a bit like saying that the post office should scan all your letters and note down who you were sending to/receiving from just so the police can look back over them incase they thought maybe you had commited a crime but were a bit to lazy to investigate you.

But don't worry they wouldn't ever use the information to track down people who have undisirable interests like hardcore pron, people that like to drink or people that disagree with illegal wars...

Funny how the powers of Britiain and the USA were all up for liberating Iraq and not Burma though isn't it...

<wonders>

Is there someone who works in government who is also inextricably linked to phorm?

</wonders> (ah - look - wonders DO cease)

Oh great, another reason to be using encrypted tunnels over the internet!

ISP's are going to need some huge Hard disks for this one, oh and how do they plan to implement it anyway?

This is just another close phorm thing.

JUST PHUCK OFF GORDON BROWN TEXTURE LIKE SUN.

For once (and only once) I actually feel quite sorry for the ISPs in this case. They're being asked to retain data in order to conform to a bullshit law, that will fall on it's at ass at the first hurdle.

There's no way any of the data collected here would be any use what-so-ever in a court of law.

Data Integrity,

Multiple user accounts

Unprotected Networks

Compromised machines/botnets

All very good reasons for data submitted in a case to be nullified. Just because the TCP/IP packets went via a user’s router/phone line, does not mean the user is a dirty terrorist!

Quite frankly some of the recent laws inducted in this country, in the name of terrorisism, are just laughable.

Paris cos she can sniff my packets anyday

...But what constitutes usage? Are we talking about a report that looks like this:

10:00: Line up

12:37: Line down: Downstream 74324Kb Upstream 4256Kb

13:00: Line up

etc etc

or this:

10:00: Line up

10:01: GET http://www.swedish-fanny.com/spanking/newlyillegalporn.htm

etc??

I know that my ISP don't even do the latter, let alone keep it

I know the article said usage not content but under which category do URLs fall..? Using an SSL tunnel to do everything is looking more and more appealing. I just switched from a mainstream ISP to a very much forever-phorm-free ISP to avoid exactly this.

'We're only doing what Europe told us.'

Which will be lapped up by the likes of the Mail (assuming it can divert itself from the catastrophic effect of falling house prices on Brad and Angelina), ensuring the government takes none of the blame for a massive intrusion on our privacy.

Jacqui Smith won't mention it was her office that instigated of the proposals in the first place.

Let's do the same.

In case you're implyinf that the only reason it's been preserved from Neo-Con intervention is any *lack* of energy reserves.

It is interesting to note that Burma hasn't, as far as I recall, been implicated in supplying ordnance to terrorist organisations or in wars of aggression against her neighbours. Nor has there been any sign of them seking to procure chemical and biological warfare agents (even a decade ago).

Besides, we beat the Commies in the jungle of Burma in the 50s.

I am Fed up with this countries BIG BROTHER games.

"mandate the keeping of information on a user's activity but not the content of any communications"

I wonder how they'll do that? We are so screwed.

<cynic>

...well, you see, it's the same as Zimbabwe. Or Dahfor. No oil.

</cynic>

The way things are going, soon it'll be time for all our brave lads (and lasses) to come charging home and liberate *us*.

All in the name of protecting me...gee thanks, dont i get a say.

Of course real criminals will do their dirty work from WiFi hotspots anonymously...

Good job GPS is not widespread, otherwise we would all be tracked, just in case one of us is a terrorist, "for our own good"

I guess with Freedom of Information act we can all make a request to ISP for all such information

"The Home Office would not release details of the Bill and how it would work"

If it's going to be a law, then surely it'll be written down there for anyone to see. Or is it one of those "Unwritten" laws?

How is this logging supposed to work?

Even just logging HTTP requests is likely to result in pretty large amounts of data needing to be kept. But surely this is not enough - what about email headers? What about HTTPS headers... Hmm. What about any packet headers that may be part of a P2P transfer... Ouch!

I can see that it would be very interesting to send a Data Protection Act "Subject Access Request" to my ISP.

Being as I run my own mailserver and send emails direct with SMTP does that make me my own ISP ?

Penguin ! pah where's OS mascots from the one's I use !

http://en.wikipedia.org/wiki/BSD_Daemon

http://cm.bell-labs.com/plan9/glenda.html

http://en.wikipedia.org/wiki/Puffy_(mascot)

People from most walks of life laid down thier lives to help maintain our freedom during the First and Second world War.

Now thanks to the idiots in power those freedoms are slowly being eroded in the idea that they will maintain our current level of freedoms. They keep using the excuse only the guilty will have anything to fear which is trumpeted by all the nutcases walking the street next to you.

If we are to maintain our levels of freedom the restraints do not need to be put on us but put on the politicians and government.

Long Live Guy Fawkes.

"The internet log retention orders will also mandate the keeping of information on a user's activity but not the content of any communications"

...so all they can store is the fact that you were on the internet. Any data about the sites you visited is surely the 'content' of your 'communications' (http request headers etc.)?

The EU directive was 'policy laundered' (look it up in Google). After being initially rejected by the UK parliament, the government pushed it through the European Commission.

So this "law" is completely & deliberately anti-democratic. In a just world the politicians and lobbyists responsible for doing this would go to prison.

http://www.privacyinternational.org/article.shtml?cmd%5B347%5D=x-347-496240

Right up their street, then they can also make it non anonymous and make even more money!

It was another Tony Blair idea, log everyones communications then if you need to get a warrant, you can effectively backdate the warrant and go fishing in the logs back in time to before the warrant was issued.

Germany has overturned this EU law as unconstitutional and Gordo does not have a mandate to rule.

I was wondering the same thing. I don't think that HMG/EU has any real idea of how the internet works. As well as issues regarding home SMTP servers their is the issue of email accounts that a based off-shore. They can lay well beyond the reach of such measures. This is only going to catch the unorganised crims at the inconvienence, and cost, of the ISPs. Though I guess we'll end up paying in the end.

I'd like to see how Tiscali build this cost into their pricing model that struggles with such things as the iPlayer :)

Snooping on a person's Internet usage can tells you a huge amount of information about their life. You'll know who they communicate with, where they shop (and even what they buy), where they go (if they use map sites and/or research places) and when they do all of these things.

I absolutely refuse to be spied on this much. It's just not acceptable.

Alan, that seemed to be a bad URL...

Your requested host "www.swedish-fanny.com" could not be resolved by DNS.

How many others tried it...;-)

Do they define what an ISP is? I run a mail and webserver which I and several friends and family have accounts on. This is "Internet Service" which I provide. does this law apply to me? do I need to start keeping a lot more mail logs or what?

Yes the data "could" be used to investigate crime; it "could" be used to detect crime; it "could" be used to prosecute crime; it "could" even be used to protect the public. However, they don't have the resources to investigate, detect & prosecute criminal activity with existing level of information; would adding more data make the job easier or more difficult?

Call me cynical, but I think it more likely that the government will simply trawl through the data and end up with stats that have little to do with the original purpose of the project. But of course, they will have lots of lovely information on who you call and where you surf, so they could sell that information to marketing companies. This could be quite a significant revenue stream in the future.

It would also require the telcos to allocate more resources for storage of the information; and who is going to pay for the additonal resources required? Ulitimately, it will be the customer (i.e. you and I).

Most of this sort of additional law is nothing to do with making life better for the public or easier for the authorities; it's about certain public servants being seen to be "doing something".

We're not the ones who need to know why this is bad. We already know why this is bad.

Go tell everyone else.

Either that, or start running Tor exit nodes. I'm pretty sure you could remove all web browsers from your computer but one hard-coded to use Tor, so there is NO way HM Govt, or ISPs can say that YOU were using YOUR connection for THAT illegal activity.

Either that, or familiarise yourself with some Pink Floyd; "Did you exchange a walk on part in the war for a lead roll in a cage?"

The police can't check all the CCTV tapes now. When will they be able to grep though terrorbytes[1] of ISP logs?

[1] Not a speling error. That's the satire.

I'll think you'll find that was mostly true of Saddam, he wasn't in anyway aligned with Osama and his crowd, indeed he probably disliked them just as much.

As for the chemical weapons, it didn't seem to bother us much at the time he actually had them and was using them, indeed i'd say we were quite happy for him to poision 1000's of Iranians. Also by all accounts our universities supplied him with alot of know-how and our companies probably supply alot of the equipment to produce those weapons in the first place.

The truth is Burma wouldn't be worth it, after all its only poor people suffering, also its a prime environment for asymetrical warfare (jungle), which large armies find rather difficult to win.

Or even go one step further and use an IronKey USB drive with its on-board Firefox and Tor, so you don't even have any suspcious software installed on your PC.

It would be useful for an investigation of a crime to know who was using which IP address when. Since ISPs do things like setting caps on usage, they'd also have records of data volume.

Anything more than this can shove up the quantity of data to infeasible levels.

I think we're at the "Don't Panic, Yet!" stage. But we need to know just what the law will require (and so do the ISPs).

surely any terrorist using the internet is going to do so utilising encryption in some form, anything i download from usenet is encrypted, im pretty sure someone downloading the idiots guide to nuclear weaponry.pdf or whatever they do is going to do the same,

You'd think 42 days would be long enough...

BTW, Tom Welsh, that would be funny if it weren't so tragic.

PH, because Jacqui Smith makes her look so intelligent.

Customer : What happen ?

ISP : Somebody set up us.

Customer : We get signal.

ISP : What!

Customer : Main screen turns on.

ISP : It's pron!!

HMGOV : How are you gentlemen !!

HMGOV : All your database are belong to us.

HMGOV : Mwahahaha!

This bill doesn't appear to cover Internet services, only connection providers. So I imagine there will be lots of new encrypted proxy services springing up that run over SSL and let users request web pages where the URLs are encrypted and not kept in the http header making it impossible for ISPs to log where you've been apart from the name of the proxy service.

What's not clear is what details of your emails the ISP will have to retain? Would they log the to, from and subject headers? Even that is way too confidential, especially for businesses who are involved with commercially sensitive projects, or individuals emailing about very personal matters.

Yeah http://www.swedish-fanny.com doesn't resolve. http://www.swedishfanny.com on the other hand does...... :P

It's early in the life of this draft bill, details are @ http://www.commonsleader.gov.uk/output/page2461.asp#make_comment

"

Consultation

The Government plans to publish this Bill in draft for pre-legislative scrutiny later this year. The draft Bill will then be made available on www.homeoffice.gov.uk. In the meantime, any comments or questions about these proposals should be directed to CommsData@homeoffice.gsi.gov.uk.

"

Why Paris, well she is an Internet Superstar after all.

oh, don't get too excited though... :)

"swedishfanny.com for sale

as seen on Ali-G

all offers considered

send an email to - swedishfanny_at_ethicalhack.org"

"so all they can store is the fact that you were on the internet"

Thats going to be interesting for them - the last time I turned off my router was during a power cut back in 2007.

That said, people are being amusingly hysterical. ISPs already keep this info for their own records, the only difference now is that they can't claim to accidentally 'lose' data when under investigation.

Kontiki, used by the BBC for iPlayer, as well as Sky and channel 4 for their on demand TV, is about to create some huge P2P logs.

Perhaps this wasn't the most well thought out plan.......

The telephone industry already keeps records of time, duration, location, volume and number called. The telephone firms need this for billing purposes. We can easily understand the usefullness of this usage data when trying to track criminals, identify associates or locate missing people.

How do you map this onto IP communications in a way that is both useful and affordable? An obvious minimum is time line went active, IP address assigned, duration and data volume. The trouble is, ISPs don't need all this for billing purposes. They may aggregate the data volume for capped services. But the IP address isn't needed for billing. So the first challenge was simply to get the ISPs to retain details of DHCP leases and line up/down activity. The aim is to ensure a minimum set of data is retained by all ISPs. And retained for long enough to be useful.

Other types of record will depend on what services the ISP provides. The Home Office know that they will be unsuccessful if they require large amounts of new data to be collected. For example, most mailers automatically keep logs. But these logs are recycled after a few days. The aim is to ensure that any data that is collected is retained for long enough to be useful.

Assuming that all details are to be retained, how much data will each botnet-owned pc generate? Does a call to sync with a time server need to be logged and retained? Ping? traceroute? nimda worms?

For a decent sized ISP, this is going to generate terrabytes of completely useless garbage.

Assuming you would like some privacy and the government is going to ask the ISP to retain every HTTP get or post (among other data), I would imagine the way to hide your activity is to flood your link with lots of automated requests (at random times), a bit like a small web spider. You don't even have to receive all the data, just get a page and traverse all the links, not necessarily getting all the data, apart from a new destination page. If enough people do it I would imagine the data collected would soon be far far to much to process.

All your database all your database all your database are belong to us!

heh heh hehhhh

I'm off to start scanning all your letters - enjoy. HMGOV

The solution to this and the problems with iplayer is to do away with ISPs.

We're all sitting out as nodes connected to the net with 1 crappy link - that goes against the design of the internet. We should be part of it and that means being able to take any route to the destination, be that down the adsl line or over wireless to other local routers.. and then either down their connection or hop to another wireless... like explained in this spoof http://www.londonlx.com/thechip.html

Apart from that it's just another law they're putting in without looking into the ramifications of the implementation.... need to get this government out before they scorch the earth!

"keeping of information on a user's activity but not the content of any communications".

DNS requests? Are they logged? What if I use another DNS server?

POP3 requests - that would possibly reveal my name and definitely my password at logon. I know it says no data but, how useful is the knowledge that I connected to a pop3 server without knowing who I was receiving from? I think it will follow that to,from,subject will be kept

SMTP - same problem.

HTTP requests - that would reveal possibly DOB and other stuff from facebook like sites (in the data if it was also captured, or just the fact that I visited there points to the fact I have a facebook account and gives the username so that can be looked at) In any case, if the ISP does not use a proxy and I use an external DNS, they will have to be sniffing everything that comes and goes.

HTTPS requests? That would reveal who I bank with

And all in one place, tied up neatly with a big pink bow and my name on it. Oh how happy that makes me. Thanks again GB and his dangerously IT illiterate cronies.

Even Paris wouldn't sniff *everything* that comes and goes...

Several commentators seem to be still sleepwalking. See, e.g., Bill Thomson http://news.bbc.co.uk/2/low/technology/7226016.stm

"According to the Interception of Communications Commissioner, Sir Paul Kennedy, over 250,000 requests for access to this [communications traffic] data were made in the first nine months of 2007, an appalling extension of the state's powers of surveillance, and one that few of us are aware of.

And nearly 800 separate bodies can ask to see some or all of it. "

"The laws order the retention of who called whom, when and for how long but not the content of phone calls. The internet log retention orders will also mandate the keeping of information on a user's activity but not the content of any communications."

I do a lot of my work through a server abroad the client software I use applies encryption on the traffic. So my ISP would be able to tell that I am logging in to that server on a regular basis. So what? unless they start to analyse the content of the traffic or use spyware on my computer how are they suppose to have any information about my activity unless they analyse the content of the communication? My online activities and work are perfectly legal - but I see no reason for why criminals and especially terrorists would not use VPN and foreign servers for their online activities. This government order seems to be another one which is meaningful and will only annoy ordinary users - It appears to me that none but the most ignorant criminal and terrorist would be succesfully traced by this governmental order.

But then maybe this is only the first step towards an organised universal "phorming" of all UK netusers?

Would it now be possible to get a FOI request to see all the websites MPs have visited?

By the way, it will include URLs. They will say it's not keeping the content of your communications but that will just be to stop people from reading the text of the bill where it does do really.

I'd welcome any tried and tested options for securely going about my business on the internet. I've tried anonymous proxy lists ( all down ), Tor ( too fiddly ) TorPark ( now Xerobank and chargable ) and none of them are reliable or fast enough to be practicle. I don't see how using an encrypted VPN will work as it has to have an endpoint, and that endpoint will be tracked.

I don't necessarily want it to be easy, but easier would be nice.

PH because she's easy.

...will be knocking on your door next. Roll on revolution. Incidentally, I just found this place on the web - http://www.kindlyfoxtrotoscar.com by googling 'fuck phorm'. Seems to be a global unpopularity poll thingie - and both Phorm and its CEO are on there!

And now I'm coming over all Wolfie Smith.

....c..nail -> head

.......open post

.......go record = 1

.......do while .not. EOF

..........replace "cynic" with "realist"

.......enddo

.......close post

...believe me Lyndon, some of us are going to go out of our way to do just that all by ourselves ;o)

...coming over Wolfie Smith ???? peweuch - you really should be ashamed of yourself AC

Icon, for AC ;o)

No efforts can be spared in the war on illegal cockle picking.

And all an ISP has to do is use some arcane encoding followed by an even arcaner compression algorithm, and just hand the tapes over in that form. The law says (or will say) they have to provide the info, but probably not in what form, nor that the ISP is required to disentangle encoding and compression. "But Sergeant Plod of the Thought Police, the methods we use are widely understood and employed world-wide. We're not responsible for your underpaid drones' inability to suss them."

Maybe.

Penguins can dream, after all.

Why is there no screwball icon??? Ballmer will have to do.

So, in December 2009, Knacker knocks on my door and starts asking questions about emails I sent in January 2009, which will mostly have been long ago deleted and certainly forgotten. I am at an age when friends and family are pushing three score years and ten and, while not dropping like flies exactly, I have noticed a tendency for my address list to shorten every month. Like so much bodged legislation, WE end up having to prove our innocence instead of Knacker having to prove our guilt. e.g. the new law about tools ''likely'' to be used in connexion with computer crime. Like, err, computers?

"According to the Interception of Communications Commissioner, Sir Paul Kennedy, over 250,000 requests for access to this [communications traffic] data were made in the first nine months of 2007,... And nearly 800 separate bodies can ask to see some or all of it. "

1000 requests a day? Either GCHQ or someone has an automated request for access system running, feeding some neural network or something to find "cells". Or there are several hundred different people daily making requests, since you then have to sift the data for information - but what information, and to what end? Looks suspiciously like abuse by jobsworth with access and nothing better to do then snooping on some neighbours or the spouse. It couldn't possibly be SOCA or the Good Cops spying on the Bad Cops, could it; not with nearly 798 other bodies also with thumbs in the pie.

How exactly are the IPS going to secure this data? That's the question I would like answered first.

Let's assume they have some nous, and they use a hardware one way data tap. But how is the system to be secured after that, and whilst this is not using deep packet data inspection, it still could be used to supply unwanted advertisements or data mining, so what is the penalty for misuse?

How are they going to say the data captured is valid, who is going to witness all this data, which could easily be altered with the flick of a well placed command.

And say, I don't want them to do this, I could just get a server in another regime, and proxy through it (increasing net traffic, and making the environment a little less green). And what is to say the people who are engaged in naughty activities won't think of using a proxying server themselves?

Yet again another dumb law, by the technically challenged that won't solve anything or make the world a better place but instead just acts as potential nuisance and pushes the cost of using the internet up.

Seriously we need an organization for Information Technology in the United Kingdom, we just have completely technologically inept people involved in making IT law in the UK. Where is our writers union?

And frankly the people currently behind all of this should be named and shamed, at the moment it appears to be some nameless faceless committee, we should know what gives them the necessary knowledge to make these alterations to the legal system when it involves information technology.

If it is the home office then it is Jacqui Smith, perhaps not only does she not feel safe when walking the London streets at night, the poor petal feels somewhat intimidated by the internet.

Well Jacqui Smith, your decisions are certainly not inspiring confidence in me that the net will be a better place; after you have mangled it up, dropping wiretaps in left right and center, and compiling spurious data stores of dubious quality all ripe for the picking by the bad guys.

So you log all of this data. You need it for a trial. The isp sends it over. They send every thing over.You now have a 2 gig data file of text. How do you find what you are looking for.

It like this you are suing company A over issue C. You give them a subpoena for any relevant documents on issue C. What you get is every document that ever mentions issue C. You have the smoking gun but they sent you is over 50,000 pages. Will you find it in time for the trial ??

There'd be little point with turning this into law if they didn't at least log the URLs we're visiting (arguably not content) - a bit worrying when people claim that ISPs are already logging the necessary information.

I guess now we know why the Home Office didn't see a problem with Phorm.

A copy of the EU directive which in article 5 specifies what data is to be retained is here.

http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32006L0024:EN:HTML

From reading apparently relevant portions of http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32006L0024:EN:HTML

(its a very dry document) it would appear that this is about formalizing the retention of data concerning the identification of users from their IP addresses. It does not appear to legislate for the retention of DNS requests, or any communications addresses other than the addressing and identification properties of the named services of e-mail and internet telephony.

This at least is all the directive requests whether that is all that is in the final bill presented to parliament of course is another matter, the details of which are at this point is as clear as mud.

However exactly how some of the things required by this legislation are going to be accomplished should provide some amusement for those not involved in it and some headaches for those that are.

"the date and time of the log-in and log-off of the Internet e-mail service or Internet telephony service, based on a certain time zone"

So someone is going to have to be responsible for supplying this information.

If its the ISP's they will have to process the data packets to login servers for voice over IP services to obtain address information, they will have to support all voip protocols, and have the cooperation of the voip service providers in keeping synchronized and updated with version changes to the protocols and access to any encryption technology that is used.

If its the voip service providers themselves its hardly going to be comprehensive, I just did a quick voip service search and found 30 of them on the first page many of which were in the US.