Tag Archives: Investigatory Powers Act

The CIA Dark Triad – Windows, macOS & Linux

According to the WikiLeaks Vault 7 dump the CIA deploys malware that includes the capability to hack, remotely view and/or clone devices running the Windows, macOS, and Linux operating systems.

This seems to suggest that the agency has no problem bypassing encryption, proxies and VPNs, and that Tor anonymity is a myth.

This does not mean that each of the point solutions offering a product under each of the above headings has been compromised. Rather it means that the OS level hack capability of the CIA – as seen on iOS and Android – means that they can gain full control of the device and render any point solution countermeasures moot.

Therefore they subvert the platform which by extension means that anything that is running on the platform is subverted.

Tablet, laptop, smart-phone, AV device – it seems they are all fair game and in that case so is everything that you do on them.

You have been warned.

You are being watched.

ENDS

The Regional Subjectivity of Crime & The Tests for Guilt

A definitive statement as to what constitutes Crime has successfully evaded scholars. But one thing that they all seem to agree on is that “A person is never punished merely for wrong thinking or evil thoughts”.

“Thought Crimes” Orwell style are not offences (Or are they?).

In an age of Mass Surveillance, Kinematic Fingerprinting & Emotion Detection, Mass Data Retention & the Investigatory Powers Act and Alphabet Agency Profiling based on Digital Activities, is that still the case?

Certainly there are many examples of arrest and detention for “thinking” a certain way. But that’s not for here at this time.

Rather than examining the definition of crime in a particular country I think it is more interesting to examine it in the global context. Most people tend to assume that Crime and Punishment are broadly similar everywhere that they travel to.

As someone with a wanderlust tendency who has “walked the Earth” I can assure you that is not the case.

A Moving Goalpost

The definition of “Crime” in a society has always been influenced by the prevailing norms that exist at any particular time amongst a group of people living together as a community.

Personal feelings, religious beliefs, preferences, tastes, experiences, economic expediency or laws based on the personal opinions of a “leader” have been the motivations that translated into local laws that criminalised some acts and did not consider other acts as “criminal”.

A Simple Analogy: The Attitude to Cannabis in the USA

In 2017 I guess the simplest analogy would be the different attitude to marijuana in the United States. The use, possession, sale, cultivation, and transportation of cannabis is illegal under federal law in the United States but individual States are permitted to conditionally decriminalise cannabis for recreational or medical use.

Cannabis is listed at a Federal level as a Schedule I substance under the Controlled Substances Act of 1970. The DEA defines this classification as a substance that has a high potential of being abused by its users and has no acceptable medical uses.

So there exists a contradictory attitude of Federal versus certain State laws regarding the exact same matter – in the former it is a “crime”, in the latter it is not – in some States.

The Definition of Crime

“There is no one word in the whole lexicon of legal and criminological terms which is so elusive of definition as the word crime” (McCabe 1983:49)

It reminds me of the first thing that we were taught during my time as an Economics student – namely, that the study of Economics was an “inexact social science”.

Inexact laws that contain in their antecedents vague ceteris paribus (“all other things being equal”) conditions and “facts” based on local beliefs or tendencies do not constitute definitions.

The different definitions of crime and the vastly different tariffs which certain criminal offences attract are therefore, for the most part, best understood in the context of the culture, religious practices and societal “norms” of the region or country that is being examined (excluding the universally abhorred offences – but irritatingly that is not always the case either).

Examples:

  • Judicial Corporal Punishment in Saudi Arabia for Possession of Alcohol (Flogging);
  • Mandatory death penalty for drug trafficking in Singapore;
  • Filipino President Rodrigo Duterte’s state sanctioned vigilante murders of suspected drug dealers;
  • The universal application of sharia (Islamic law) by certain countries;
  • The acceptance of sharia in some secular European countries as the basis for divorce, inheritance and other personal affairs of their Islamic population;

Looking around Google I came across the following definition of crime, which was not attributed:

“Harmful act or omission against the public which the State wishes to prevent and which, upon conviction, is punishable by fine, imprisonment, and/or death. No conduct constitutes a crime unless it is declared criminal in the laws of the country. Some crimes (such as theft or criminal damage) may also be civil wrongs (torts) for which the victim(s) may claim damages in compensation.”

Types of Crime (In the Republic of Ireland) 

* A crime is defined in law in the Republic of Ireland as an act which may be punished by the State. The way in which a criminal offence is investigated and prosecuted depends on the type of crime involved. For these purposes criminal offences may be described in different ways such as:

  • Summary offences
  • Indictable offences
  • Minor offences
  • Serious offences
  • Arrestable offences

* Citizens Information. (19 July 2016). Classification of crimes in criminal cases. Journal, [online] Volume(Issue), P1. Available at: URL [Accessed 25th February. 2017].

The Test for “Guilt”

However, the mental state as well as the physical elements of a crime are key parts of establishing the guilt of a person committing an offence. In order for a person to be guilty of an offence there must be coincidence between two key concepts, that of “Mens Rea” and “Actus Reus”:

  • Mens Rea dictates that there must be a guilty mind, moral culpability and a blameworthy state of mind;
  • Actus Reus concerns itself with the physical elements of the crime and excludes the mental element;

For guilt to be established, the two concepts must be coincidental (“happening or existing at the same time”).

The Latin phrase “Actus Non Facit Reum, Nisi Mens Sit Rea” translates as “An act does not itself constitute guilt unless the mind is guilty”.

REFERENCES

Naidoo, Jadel. 2016/2017. Diploma in Criminology Class Notes. Dublin Business School 1 (1) 1-14;

Penrose, Graham, AirGap Anonymity Collective (16 January 2017). Mass Surveillance & The Oxford Comma Analogy. Blog [online] Available at: URL [Accessed 25th February. 2017].

Penrose, Graham, AirGap Anonymity Collective (3 January 2017). Orwell 4.0: The Stealth Advance of Kinematic Fingerprinting & Emotion Detection for Mass Manipulation. Blog [online] Available at: URL [Accessed 25th February. 2017].

Penrose, Graham, AirGap Anonymity Collective (21 November 2016). NSA, GCHQ, The Five Eyes Handing Ireland Cyber-Security Opportunity. Blog [online] Available at: URL [Accessed 25th February. 2017].

Penrose, Graham, AirGap Anonymity Collective (29 October 2016). Ireland is NOT a Privacy Advocate. Blog [online] Available at: URL [Accessed 25th February. 2017].

Hausman, Daniel M. 1984. Causal Priority. Noûs, 18 (2): 261-279.

Hausman, Daniel M. 1998. Causal asymmetries. Cambridge: Cambridge University Press.

Citizens Information. (19 July 2016). Classification of crimes in criminal cases. Journal, [online] Volume(Issue), P1. Available at: URL [Accessed 25th February. 2017].

ENDS

Silencing the Canary & The Key Powers & Reach of The IPA

Please Note: This post is not an advertisement for or an endorsement of ProtonMail 

The Investigatory Powers Bill (IPB) was approved by the UK Parliament and, after receiving Royal Assent this week, will become the Investigatory Powers Act (IPA), coming into force in 2017. The law gives broad new powers to the UK’s intelligence agencies (GCHQ, MI5, MI6) and law enforcement.

In theory, companies offering encryption services, that are not based in the UK, do not fall under the jurisdiction of the IPA – but that is not actually the reality. Strong encryption isn’t just important for privacy, but also key to providing security in the digital age.

Laws like the IPA pose an unprecedented threat to democracy, and are strikingly similar to surveillance laws from totalitarian states, but there are tools today that can help protect your digital rights.

Below is a short summary of the most relevant points of the IPA which was written by ProtonMail, a Swiss based firm that offers encrypted email services. The key powers of the Investigatory Powers Act are:

(Start of ProtonMail Summary – Paraphrased)

Retention of Internet browsing records for 1 year

This is in our opinion the worst part of the law. Imagine your browsing history for the entire past year accessible to the government or police without a warrant. This would allow the construction of detailed profiles on every citizen, and categorization based on political views, personal beliefs, and much more. All UK communication service providers (so Internet providers, phone companies, email providers, etc), will be required to retain 1 year of your internet connection records in a central database. This database includes what sites you visited, when you visited the site, for how long, who you called, who you emailed, etc. All of this data will be stored in a central database accessible to the government and law enforcement. More troubling is that no warrant or judicial oversight is required to gain access to this database, the police will have sole discretion to decide when they need to access this database.

Bulk collection of communications data

British communications providers will be required by law to assist in intercepting communications data in relation to an investigation. So far, foreign companies are not required to comply, but as we will discuss below, there are some caveats to this.

Breaking Encryption

Communication providers will be mandated by law to remove encryption whenever it is “practical”. The law is particularly dangerous because it doesn’t well define what is the meaning of “practical”, which means this can be subject to the government’s interpretation.

Enforcement of gag orders

When a communications provider receives a request for data, it is not permitted to reveal that the request took place. Under the IPA, it is now a criminal offense for either the communications provider, or somebody working for the provider, to reveal a data request. Thus, if the powers of the IPA are abused, a whistleblower would be committing a criminal offense by revealing the abuse.

Impact of the IPA outside of the UK

In theory, the IPA only applies to UK companies, but today with the rise of large multinational tech companies, even non-UK companies can be pressured to comply if they have a significant UK presence and employees in the UK.

Since any such requests will happen behind the scenes, we will never know if foreign companies do comply with the IPA. Since the UK is a member of the Five Eyes network, along with the USA, Canada, Australia, and New Zealand, the intelligence scooped up by the IPA will also be shared with US intelligence so UK residents could find their private data being shared beyond UK borders.

Encrypted email accounts can protect your email communications from being intercepted or read by government agencies. The rest of your online activities can also be protected. In particular, using VPN services that don’t have a physical presence in the UK, and also using apps like Signal for text messaging, or Tresorit for file sharing.

Most importantly, everyone needs to spread the word that more surveillance and less encryption isn’t the solution to today’s security challenges.

(End of ProtonMail Summary)

Silencing the Canary 

A warrant canary is a colloquial term for a regularly published statement that a service provider has not received legal process that it would be prohibited from saying it had received. The canary is a reference to the canaries used to provide warnings in coal mines, which would become sick before miners from carbon monoxide poisoning, warning of the danger.

Once a service provider does receive legal process, the speech prohibition goes into place, and the canary statement is removed. Warrant canaries are often provided in conjunction with a transparency report, listing the process the service provider can publicly say it received over the course of a particular time period.

A company might issue a semi-annual transparency report, stating that it had not received any national security letters in the six month period. NSLs under the Patriot Act come with a gag, which purports to prevent the recipient from saying it has received one. (While a federal court has ruled that the NSL gags are unconstitutional, that order is currently stayed pending the government’s appeal). When the company who is in receipt of an NSL issues a subsequent transparency report without that statement, the reader may infer from the silence that the company has now received an NSL.
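The inference described above can be automated. The following is an added example, not code from this post or from any provider: it walks a series of transparency reports and flags a canary statement that has gone missing, as well as a report that is overdue. The report structure, the statement names and the 200-day threshold are assumptions made for illustration.

```python
from datetime import date, timedelta

# Constructed sample: three semi-annual transparency reports from a
# hypothetical provider. "not_received" holds the canary statements, i.e. the
# kinds of legal process the provider says it has NOT received in that period.
REPORTS = [
    {"published": date(2016, 1, 4),
     "not_received": {"national security letter", "gag order"}},
    {"published": date(2016, 7, 5),
     "not_received": {"national security letter", "gag order"}},
    {"published": date(2017, 1, 3),
     "not_received": {"gag order"}},
]

# Assumption: six-month cadence plus some slack before silence is meaningful.
MAX_INTERVAL = timedelta(days=200)


def check_canary(reports, today, max_interval=MAX_INTERVAL):
    """Return (kind, detail, report_date) findings a reader can infer.

    removed: a statement made in one report is absent from the next one
    late:    the gap between two consecutive reports exceeded max_interval
    stale:   nothing has been published within max_interval before `today`
    """
    ordered = sorted(reports, key=lambda r: r["published"])
    if not ordered:
        return [("stale", "no report has ever been published", None)]
    findings = []
    for prev, cur in zip(ordered, ordered[1:]):
        gap = cur["published"] - prev["published"]
        if gap > max_interval:
            findings.append(("late", f"{gap.days} days between reports",
                             cur["published"]))
        # The canary itself: silence where there used to be a statement.
        for statement in sorted(prev["not_received"] - cur["not_received"]):
            findings.append(("removed", statement, cur["published"]))
    last = ordered[-1]["published"]
    if today - last > max_interval:
        findings.append(("stale", f"{(today - last).days} days since last report",
                         last))
    return findings


if __name__ == "__main__":
    for finding in check_canary(REPORTS, today=date(2017, 2, 25)):
        print(finding)
```

A missed or late report is treated here as a signal in its own right, since a canary only works if it is published on a regular schedule.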

The IPA has a different approach to this; see “Silencing the Canary: the lawfulness of the U.K. Investigatory Powers Bill’s secrecy provisions under the ECHR”.

END

My Privacy Lobotomy or How I Learned to Stop Worrying & Love the IP Act

(Please Note: This post is a partial reblog. The re-blogged bits are all the bits under the Malcolm Tucker “grenade app” GIF – Featured Image “Bring me Corbyn, Solo & the Wookie” (Credit to @Trouteyes on Twitter))

After weeks of posting hysterical objections to and concerns about the Investigatory Powers Act I now realise that I was worrying needlessly. It suddenly occurred to me that the Investigatory Powers Act is nothing that I should worry about at all. This radical change of heart came as a result of the following statement from the Home Office which Dave Howe on Peerlyst kindly sent to me:

“The safeguards in this Act reflect the UK’s international reputation for protecting human rights. The unprecedented transparency and the new safeguards – including the ‘double lock’ for the most sensitive powers – set an international benchmark for how the law can protect both Privacy and security.”

This is the civil servant who issued the statement:

[Image: author]

The patronisingly misleading statement has caused me to make an immediate and unconditional U-Turn on my previous opinion of the legislation.

I am now immensely grateful to Theresa May and everyone who had a part in authoring this document. Hopefully it will soon take its rightful place alongside the Magna Carta and the Bill of Rights as milestones in the relentless march toward a privacy protected, liberty guaranteed and freedom based utopia.

[Image: Malcolm Tucker “grenade app” GIF]

Hardly Anyone Has Access To All My Data

Access to my internet connection records is set out in Schedule 4 of the Act and it only says that the following forty plus departments and about 600,000 government employees can mine my private life:

  • Metropolitan Police force
  • City of London Police force
  • Police Forces maintained under section 2 of the Police Act 1996
  • Police Service of Scotland
  • Police Service of Northern Ireland
  • British Transport Police
  • Ministry of Defence Police
  • Royal Navy Police
  • Royal Military Police
  • Royal Air Force Police
  • Security Service
  • Secret Intelligence Service
  • GCHQ
  • Ministry of Defence
  • Department of Health
  • Home Office
  • Ministry of Justice
  • National Crime Agency
  • HM Revenue & Customs
  • Department for Transport
  • Department for Work and Pensions
  • NHS trusts and foundation trusts in England that provide ambulance services
  • Common Services Agency for the Scottish Health Service
  • Competition and Markets Authority
  • Criminal Cases Review Commission
  • Department for Communities in Northern Ireland
  • Department for the Economy in Northern Ireland
  • Department of Justice in Northern Ireland
  • Financial Conduct Authority
  • Fire and rescue authorities under the Fire and Rescue Services Act 2004
  • Food Standards Agency
  • Food Standards Scotland
  • Gambling Commission
  • Labour Abuse Authority
  • Health and Safety Executive
  • Independent Police Complaints Commissioner
  • Information Commissioner
  • NHS Business Services Authority
  • Northern Ireland Ambulance Service Health and Social Care Trust
  • Northern Ireland Fire and Rescue Service Board
  • Northern Ireland Health and Social Care Regional Business Services Organisation
  • Office of Communications
  • Office of the Police Ombudsman for Northern Ireland
  • Police Investigations and Review Commissioner
  • Scottish Ambulance Service Board
  • Scottish Criminal Cases Review Commission
  • Serious Fraud Office
  • Welsh Ambulance Services National Health Service Trust

Hackers

Bulk surveillance of the population and dozens of public authorities with the power to access your internet connection records is a grim turn of events for a democracy.

Unfortunately, bulk collection and storage will also create an irresistible target for malicious actors, massively increasing the risk that your personal data will end up in the hands of:

  • People able to hack / infiltrate your ISP
  • People able to hack / infiltrate your Wi-Fi hotspot provider
  • People able to hack / infiltrate your mobile network operator
  • People able to hack / infiltrate a government department or agency
  • People able to hack / infiltrate the government’s new multi-database request filter

If the events of the past few years are anything to go by, it won’t take long for one or more of these organisations to suffer a security breach. Assuming, of course, that the powers that be manage not to just lose all of your personal data in the post.

So – nothing to worry about at all.

END