The logical end point, if you think it through, is scary for technology. There will be a battle for a time where legislators play cat and mouse with technology and privacy companies. But as each new hole appears, they'll invent new laws to close them off. This wouldn't be so bad except for the problem that encryption is math and short of making math illegal there will always be a hole. Factor in steganography and it just gets worse.
But this doesn't mean that technology wins. Rather, it makes the loss even worse, because it means the laws will ultimately have to be defined in reverse - rather than outlawing encryption, they will have to outlaw inability to decrypt. That is, it will be the end user's responsibility to ensure that authorities can decode data you transmit. Transmission of undecryptable data will be a crime, in and of itself.
Apart from the obvious dystopian consequences, this will impact progress in technology tremendously - suddenly it won't be possible to just invent a new data format or protocol any more. Doing so will put you at extreme risk of being interpreted as sending unauthorised encrypted data. So data formats will have to be registered - to send data in a new format you will first have to register a codec with the government and probably yourself have to be licensed. This will have a severe chilling effect on innovation. Software development, already dominated by tech behemoths, will become completely out of reach of small development teams simply because the regulatory burden is so high.
It's a depressing picture but given the trends of late I don't really see it going any other way. Only some extreme swing back towards individual rights over rights of the state will change its direction. But terrorism seems to have set in as a permanent tool for governments to grind away at individual rights.
Yes, that's a step towards it. But at least the person has to be a "suspect" in another crime (however low the bar for that is) and an explicit demand has to be made for the key. Not that it does a lot of good since anybody can become a suspect and the demand for the key is retrospective to when you weren't a suspect.
Suspect of being Muslim, wearing a beard and using an ISP that the public hasn't heard of that isn't price competitive is more than enough for a media hatchet job. How low does the bar have to be?
This should be the preserve of Uganda and N Korea.
I really don't think that having to be a suspect is in ANY way meaningful, since there is absolutely no bar to being a suspect. It is perfectly reasonable to state "we have no idea who did this so every UK resident is a possible suspect".
> Software development, already dominated by tech behemoths, will become completely out of reach of small development teams simply because the regulatory burden is so high.
It might sound OT to bring up TPP in a discussion like this, but please hear me out: It's important to block broad international agreements like TPP because it creates competition among nations that would protect us from the dystopia you describe.
Let's say one nation, Uruguay, says "you know what ? Encryption is fine. And btw we're funding 1gb cheap fiber to everyone in our biggest city". Something like that could attract swarms of techies. Which would cause larger nations to think twice before their valued tech talent packs up and moves to escape their surveillance state.
I know not everyone can pack up and go, but the competition and fear of just how many might leave would be enough to keep even rich nations in check. But if something like TPP goes though, they can point to all its provisions and say "boo hoo, you're shitting on trade deals by allowing encryption, now we're going to bully your whole nation with economic sanctions"
Let's say one nation, Uruguay, says "you know what ? Encryption is fine. And btw we're funding 1gb cheap fiber to everyone in our biggest city". Something like that could attract swarms of techies.
It could, but it probably won't, because hardly anyone is going to move to a new country just so they can enjoy encryption and fast web browsing...and I say that as someone who has moved internationally 6 times.
Look, your argument is fundamentally weak - we can generalize and say big countries are bad because it eliminates competition between smaller jurisdictions, therefore federalism is bad. And indeed, the notion that federalism is bad (or at least damn risky) is partly why the USA has ~3000 county governments despite the manifest inefficiency involved.
Your error is in assuming that competition is always beneficial. As we can see in the US, counties and states frequently pass laws that reduce rather than enhance freedom. So while I wouldn't want you to construe this as an endorsement of the TPP in particular, I reject your claim that any kind of trade agreement is necessarily destructive of freedom.
Besides, your notion of comeptition as unalloyed good is easy enough to subvert. Uruguay sets up the world's freest internet? Denounce Uruguay as a haven for cyber-criminals and impose penalties on unverified connections from there. Despite the fact that it makes the digiterati uncomfortable, things like child porn and terrorism are genuine problems that impact the lives of real people when allowed to operate unchecked. This isn't a 'think of the children' argument; I personally know people who were trafficked for sex and child porn as small children and who suffer from serious dysfunction as adults because of this. Their liberty and safety shouldn't be considered acceptable sacrifices on the altar of your liberty and safety; there are valid reasons to delegitimize some kinds of commercial traffic.
While it is true that people (besides the very rich and very desperate) usually don't try and migrate to escape laws, corporations do it all the time and think about it proactively. It is particularly easy for technology companies to say, great I'll do all my hosting in Uruguay instead of Britain, make my terms of service under Uruguayan law, etc.
If Uruguay becomes a criminal sanctuary--then sure maybe it will be ostracized internationally--but as long as law abiding, upright business people have legitimate business there its more enlightened policy will make others think twice about enacting less enlightened ones and give companies some options. Moreover, it gives companies tied to Britain a strong incentive to advocate for a reasonable policy so they are not placed at a competitive disadvantage.
This doesn't mean that lawmaking has to be a false choice between anarchy and totalitarian surveillance, just that the OP's point that more variance in jurisdictions, the higher the pressure on the least permissive to mitigate the worst excesses is a real phenomenon.
I agree in principle but in practice this doesn't seem to be working out terribly well lately. Money generally trumps scruples on any even slightly complex issue that can't be reduced to slogans.
Good thing there are laws against rape and mass murder.
> hardly anyone is going to move to a new country just so they can enjoy encryption and fast web browsing
You can't know that, not until we live in an age where the mere act of communicating is a crime. Thats taking surveillance state to a new level. I'm sure some people wont even care, just like how many Britons dont apparently care about their new big brother laws, but there will always be people who care about their natural rights.
Laws against rape and murder facilitate the prosecution of those crimes, but not necessarily the investigation. Furthermore, the trade in child porn is not legally the same as the crime of rape, but does have measurable negative effects.
As for people moving, I certainly can know that if we're talking about existing and imminently foreseeable conditions. That you need to posit a completely alternative reality where the act of communicating is a crime suggests your argument is fundamentally weak. I'm pointing out the demonstrable lack of interest under current and historical conditions. Available evidence suggests that people are pretty attached to places and prefer to undertake clandestine activity rather than just up and go somewhere else short of a stark existential risk.
Do I know this to be true in the epistemological sense, of course not. Am I pretty damn sure about it in an empirical sense, yes I am. I've moved repeatedly and feel little or no emotional attachment to my birth family - in fact the farther away from them the better I like it. But this is really really unusual. the vast majority of people are intensely concerned with maintaining their family ties even at significant economic/political cost. Just because I don't share that mindset doesn't mean I can blind myself to it.
The US has at least one mechanism against that: the first amendment. Content and format are both matters of speech, so the choice of format and the decision to broadcast noise as a statement are both protected.
I expect that will come under attack, but it's a very fundamental part of US law used unambiguously. So we might also see civil war 2 before they get that legally changed.
It took great effort to get crypto even recognized under the first amendment -- the USGov kept insisting that source code was not speech. In the 1990s it was against the law to let foreign nationals have access to the source code to DES. If you had folks from overseas in your organization, technically you couldn't let them see the source for crypto in your product (e.g., you had to wall off pieces of your repositories, and many companies did).
We could see a return to this. Don't take it for granted.
Or by printing it in a book. There's LOTS of reluctance to ban actual, physical books in the US (and plenty of reasons that any ban would be struck down).
That said, up to the mid 90s it was theoretically against the law to show a foreign national a printed-out copy of DES. Crazy. I think it was published in magazines . . .
I don't believe enough people would care enough about it to start a civil war. I think what needs to happen is, instead of going into IT management at 40, where we do more harm than good anyway, we start running for office until the government is full of experienced tech people.
This! And talk to your representative / MP / whatever and tell them how important this is. Often they just don't know and they hear <SCARY THINGS> from people who have control+profit based agendas.
They'll get around it on a technicality. Just like NSA did with the 4th Amendment. "Yeah, sure we capture US citizens' data, but we don't do it on US soil and use another moniker (GCHQ) so its ok. Not our fault AT&T routed your call outside of constitutional jurisdiction!".
I'm expecting something like, "Yeah, sure you can have your 1st amendment, you just have to give us the keys if we ask or you get charged with destroying evidence/obstruction of justice which together carry more time than almost whatever possible illegal activity your encrypted traffic could have been concealing.
The first amendment itself won't be overturned, but they very well may try to exclude cryptography as a form of protected speech. The federal government never wanted to allow it in the first place, they just realized how difficult it would be to put the genie back in the bottle. A Trump-chosen Supreme Court could very well make rulings that weaken or even entirely do away with this protection.
There was a round of this fought in the US over the "clipper chip" technology in the 90s.
I've been wondering about the interaction of technologies like this with DRM technologies; what if I send HDCP-over-TCP? What if ISIS start using Macrovision on their jihadi videos?
Historically browsers for distribution outside the USA were required to be limited to 40-bit crypto.
"(About Netscape) The "International Edition" had its effective key lengths reduced to 512 bits and 40 bits respectively (RSA_EXPORT with 40-bit RC2 or RC4 in SSL 3.0 and TLS 1.0). Acquiring the 'U.S. domestic' version turned out to be sufficient hassle that most computer users, even in the U.S., ended up with the 'International' version, whose weak 40-bit encryption could be broken in a matter of days using a single personal computer." (Wikipedia - https://en.wikipedia.org/wiki/Export_of_cryptography_from_th...)
In fact, strong crypto was only allowed in 2000. Only 16 years ago!
I don't think that there's any public actor you can say is definitely not at risk of attack.
Edit: this is probably a good opportunity to remind people to donate to the Open Rights Group, who are the UK counterpart to the EFF and already actively opposing this and other bad laws.
I'm sure they will, but it's too easily answerable - open source browsers without the back doors will be trivial for end users to build. So again, it'll come back to criminalising what end users do, because in the end only restrictions on the end user can stop them using their own resources to build things.
> Software development, already dominated by tech behemoths, will become completely out of reach of small development teams simply because the regulatory burden is so high.
I think what will prevent the above from happening is inability of government to enforce laws on the books, people disregard for those laws and the fact that technology experiments are often positive sums games where Google, Microsoft and Oracle stand to lose more by blocking entry to small players through regulatory mechanisms.
If we look at the majority of tech law suites we can easily observe that there is no clear winner and either parties seem to have achieved only small term gains.
But I most certainly see that government will successfully kill innovation when it comes to heavily regulated industries such as education, drugs, medicine and biotech.
This may be a stupid question but I've got to ask because I'm not 100% sure. Is there no practical way data can be sent and received anonymously? If no one, except the people trying to communicate, knows who encrypted or decrypted anything, how could they enforce such a law? Since a well encrypted message should be safe to broadcast, it can be sent to the whole world with only the intended recipients being able to decrypt it. Even if it's inconvenient to coordinate such a thing, I'm sure the perverts and terrorists would deal with it if they had to.
Once upon a time, we imagined a cypherpunk future, where speech was free and the internet was the great frontier of autonomous anonymity.
It turns out, though, that we leave fingerprints on everything we touch. And many of the conveniences and indeed basic user experience we've come to expect leave plenty of markers of who we are for anyone who might be listening. This makes it easy for hacker news to remember who I am, and easy for advertisers to target ads, and governments to track individuals.
So yeah, tools exist, sort of, but require a lot of inconvenience. We've seen instances of ISPs inserting their own cookies on headers of outgoing customer traffic, meaning there are still times when your precautions don't matter at all. When I've thought about totally anonymous internet usage, my guess is that you need to go buy a fresh laptop with cash, and then only use it on large public networks, with good encryption...
Yes, it is possible, if your attacker isn't too powerful. However, there will be a lot of tradeoffs and the software is not quite finished yet.
The software which is currently closest to this is ricochet [0] which communicates directly between Tor hidden services. Since there is no central server, there is no one to record metadata (at least in a trivial fashion). However there is still a lot of work left to do before ricochet is something that could be mainstream. Also, some metadata can be leaked, such as when one is online, and (until proposal 224 is out) how much people are communicating based on the number of lookups on the hidden service directories corresponding to the service (since there is no randomness in the system yet, afaik, you can brute force values to get into the right place in the ring. I haven't read the Tor specifications in a while tho, so I may be wrong)
You could also use some sort of mixnet system, although you would probably end up leaking who is sending messages to their ISP. To stop the ISP from determining when, you could send o constant stream of encrypted traffic, although that would be inefficient. (I need to read more research on this)
However, weather people will actually use these systems is in entirely different problem.
because when you send messages, they go from your computer to your ISP, then to the internet. so anyone watching you at the ISP level sees you sent something.
Then, it depends where you sent it. Email goes to one person, so receipt of the message is seen on their ISP's side.
Yes the encrypted message is safe to be sent to the whole world, but there is no single public folder for "the whole world". That would be too many files. In order for the receiver to find what they wanted, they would have to browse the public folder to find what they needed, and this act of browsing strips the anonymity away.
The other problem is that you have to exchange the decryption keys with the person you intend to communicate with. You either need to physically give/mail them to the recipient (loss of anonymity in the case of mail), or else you need to exchange them electronically, which usually requires an A<->B exchange, or you can post your public key and let the recipient find it.
Basically, if you are a government watching all the communication from above, you can usually tell what path information takes, even if its posted publicly.
Yes the encrypted message is safe to be sent to the whole world, but there is no single public folder for "the whole world". That would be too many files.
I think USENET and nntp came really close to fulfilling most of "single public folder for the whole world", but unfortunately has fallen out of popular use (and it needs to be popular enough to increase the anonymity) because it wasn't walled-garden enough to make money from.
Couldn't bad players just send and receive through other peoples connections, maybe even pretend to be someone else on purpose, in order to get them arrested? It's pretty trivial to jump on someone's wi-fi, and use throw away emails.
I think it depends on what you do with someone else's connection. A criminal could definitely get an innocent person's house raided, but cops aren't stupid either. If they do their homework first and see Aunt Mildred only goes to facebook and cooking-network.com, and suddenly she's sending death threats to public officials, they might knock on her door and politely ask to put a wifi surveillance device in her home to pinpoint the intruder's signal.
Sure you could steal signals or go to starbucks (which has cameras of course ) a few times and maybe get away with it, but to do it reliably, on demand, is very difficult.
There's stuff there about cryptography too, but the logging is about metadata.
For metadata things are the opposite of your logic. It is always accessible. Whatever protocol you create to hide it, will have holes; Math dictates it.
"To ensure they do not succeed, we do not comment publicly on the methods or capabilities available to the security and intelligence agencies."
Oh but you don't need to, because it's obvious. All my encrypted traffic to my overseas based VPN will be logged (legal). Then you'll demand my keys so that you can decrypt it. If I don't or can't comply then I will be - by definition - a criminal and potentially a terror suspect.
Which is why 'just use a VPN' is not really a satisfactory response to this kind of legislative landscape. Just doing so paints a target on you.
Which is not to say I don't appreciate the VPN providers stepping up, the more VPN users there are the more expensive it is to persecute them individually.
> All my encrypted traffic to my overseas based VPN will be logged (legal). Then you'll demand my keys so that you can decrypt it.
If the VPN connection uses ephemeral keys (IIRC, at least IPSEC, SSH, and TLS 1.3 always use ephemeral keys, while older TLS uses them when possible), by then it's too late: the keys are gone.
You can imagine someone being locked up for this though. If you are required by law to decrypt your data, and you chose technology that does not allow this, then that's on you. To use an analogy, if you choose to ride a bike that doesn't have lights, and then get pulled over for riding without lights, the lack of lights is not a defense because you were required to have them in order to be on the road at night.
If any person with the appropriate permission under Schedule 2 believes, on reasonable grounds—
(a)that a key to the protected information is in the possession of any person,
(b)that the imposition of a disclosure requirement in respect of the protected information is—
(i)necessary on grounds falling within subsection (3), or
(ii)necessary for the purpose of securing the effective exercise or proper performance by any public authority of any statutory power or statutory duty,
(c)that the imposition of such a requirement is proportionate to what is sought to be achieved by its imposition, and
(d)that it is not reasonably practicable for the person with the appropriate permission to obtain possession of the protected information in an intelligible form without the giving of a notice under this section,
the person with that permission may, by notice to the person whom he believes to have possession of the key, impose a disclosure requirement in respect of the protected information.
If the technology by implementation never gives you the keys and doesn't retain them, then there can't be a reasonable belief that you're in possession of the keys, so the requirement fails at the first hurdle.
I can see one of those situations where you get held indefinitely because they obviously cannot charge you but don't want to let you go to a) prove a point and b) hopefully let the law "catch up" to this situation.
Cool. Now all I have to do is prove that to the satisfaction of the investigation while they crawl all over the rest of my life looking for clues as to what it is I'm so keen on hiding. The process is the punishment.
I wonder if we can mitigate this by rolling keys regularly. Daily perhaps? As far as I know there's no requirement to store encryption keys personally, only to give up the keys on request if available. Something that you can't do if you never store them on physical media.
Guess we're about to find out. The current government (albeit with a different (arguably more liberal) PM) has already revealed it has a desire to criminalise any crypto it can't decrypt. Because paedos and terrorists. That kind of legislation seems a natural outgrowth of this, once they find a 'think of the children' case to use as leverage. That's why we worry about the 'thin end of the wedge'.
If this was currently being developed in the UK, my money would be on illegal.
Thankfully it's a well-known concept now, and a foreign-invented technology you need to interoperate with the rest of the world.
Nothing stops them from throwing the law at you though, even if they know if won't work. You literally can't be punished as a prosecutor for anything less than deliberately throwing the trial for money. If they feel they won't win they'll intentionally ruin your life anyways.
If you can prove (on the balance of probabilities) that you don't have the key - because it doesn't exist or otherwise - then you are not guilty of the offence. Of course, that's not entirely straightforward.
Is it too late to return 2016? It's clearly defective.
How long until...
"Anexprogrammer was clearly a suspect individual. He used A&A, a UK ISP, widely considered sympathetic to terrorism under the thin guise of blogging about preserving privacy. The ISP has even provided information on how their users may circumvent the law and expressed the opinion it was a bad idea!
It gets steadily worse, Anexprogrammer often used a VPN, from an overseas company who made a feature of logging nothing, another technique widely used by terrorists to evade our beloved leader's protections. He even admitted to viewing online pornography, illegal in the UK, where performers appeared to be actually enjoying themselves.
He was also suspected of being a believer in climate change and is known to have signed a petition against fracking. The 20 year maximum security sentence for illegal circumvention of logging is considered lenient."
May the "one bad actor" that goes in there and gets the entire database please dump the histories of the politicians asap?
In fact, it's already possibly (and easy) to obtain the un-anonymized browsing history of millions of people. I was part of a (journalistic) team that got their hands on a free sample from a company that offers "website traffic analytics", and which uses browser extensions as well as mobile apps as their main surveillance tools.
The data set contained the complete browsing history of almost 3 million German Internet users, and except for a few popular sites (like Facebook), no URL cleaning/anonymization was performed at all.
So here we have a single provider that is able to capture the browser traffic of 5 % of the population already, and is ready to disseminate this data to anyone who can pay the price (even giving out months of data for free). As there are dozens more companies that collect data using a variety of ways, it wouldn't be surprising to me if you could stitch these individual data sets together to get the traffic of > 50 % of all Internet users, without having any central point of data collection.
So although the government is a real threat to citizens privacy, unregulated private actors are much more dangerous in my opinion.
So although the government is a real threat to citizens privacy, unregulated private actors are much more dangerous in my opinion.
Companies don't have a monopoly on violence and complete control over you life as governments do, also, they are not unregulated or above the law - this company for example is probably breaking several laws. Spy agencies on the other hand, regularly break laws with impunity or have the laws rewritten to allow unlimited storage (as recently in the UK).
Governments are a much bigger worry when it comes to saving internet history as they have greater capabilities for capture and storage, and a simple policy change in 20 years could make everyone who visited a certain site a criminal liable to deportation or imprisonment.
> So although the government is a real threat to citizens privacy
That's not privacy which is under threat any more. Say you visit a website of random content in January. Website goes out of business, someone else buys the domain and puts flagged content on it in September.
Now... how do you prove you were visiting a different site? Trigger an archive.org call on each and every site I visit? Dig up domain name changes? I've been dealing with DNS for 10+ years and I have no idea how to dig up historical domain owners, especially not with the hide options.
Concerning historical domain data, there are several vendors (e.g. Domaintools) that provide this kind of information, and domain registrar information usually contains the registration date for the domain, so proving it was a different site is possible.
You're absolutely right though that it's highly problematic if we use automated tools to analyze this kind of data, as many people can end up in the wrong category due to either flawed analysis methods or faulty data.
Again I'd say that currently the greater threat comes from private companies that will use this data to build "shady" rating systems which will affect the daily lives of many people, without giving these people a chance to verify or oppose the data being used against them.
Or what if someone, say on an innocent blog, places an invisible iframe pointing to a flagged website? Now every visitor has that website in their logs without ever willingly visiting the URL and seeing any of the content.
Which is why the measure used for criminal law is beyond reasonable doubt: if there is no other evidence than an historic visit to a domain that the police can't show contained criminal content then there's not going to be a conviction (indeed the CPS wouldn't even entertain carrying such a case). If on looking at your hard drive the police then find a cache of content supporting criminal activity you're certainly going to have a hard time if you're innocent.
Do you know of any UK caselaw covering situations where people were convicted on the basis of having visited a particular domain and no corroborating evidence was found? Would be interested in reading how that went down.
1. It wouldn't be hard to pollute the logs with noise, and
2. At the ISP level there's no distinction between "browsing a website" and accessing the URL unknowingly.
So let's assume no one will monitor these logs to fight thoughtcrime in real time, and it'll only be analyzed once someone becomes a suspect in a criminal investigation. Would it present as valuable evidence considering the points above?
As to your question: no I don't, but it isn't unheard of for law enforcement around the globe to set up honeypots. But then again there's no need to look into ISP logs because they control the server.
Some portion of people who choose to install a browser extension being traceable is worlds different from the government mandating that ISPs track all internet activity of all U.K. citizens.
But most people don't know what happens to their data, and many don't even know that they're being tracked when the opt in to provide "anonymized usage statistics".
Of course it's a completely different if the government forces total surveillance, but the impact on people's privacy can be just as bad or even worse.
Well, if memory serves, for the most part haven't most terrorist attacks been coordinated over either completely open channels or over non-technical channels? If I remember correctly, the Bin Laden operations were orchestrated via sneakernet, the more recent attacks in France were orchestrated with check-out aisle cell phones.
The technical difficulties law enforcement faces with terrorism and crime isn't that criminals are upping the ante with complex and difficult to penetrate technology; it's that they're methods are a needle in a haystack, ubiquitous devices and protocols that apparently law enforcement is just having difficulty filtering. Remembering back to a lecture I attended from an officer explaining the technological issues used in modern harassment and abuse cases, often times stalking would be achieved by purchasing a check-out aisle cellphone with a cheap plan, registering it with family tracking from the provider, then putting the phone into Do Not Disturb and hiding it in the victim's car or day bag, using the tracking to get an idea of where the victim went.
Sneakernets and system abuses like this are clever enough certainly, but they're not high-tech solutions for criminal activities. Most of the time just looking at a person's facebook account is enough to get the information you need to do something malicious to them or their property, and terrorists seem well aware of the ease by which they can operate in plaintext or on just normal phone calls. I don't recall any stories about terrorists using an IRC channel, for example, they're just using what they'd normally use.
Most of the surveillance security actions strike me as purely theatre - there's a difficult problem and a convenient scape goat, so rather than do the hard work, law enforcement and governments rely on a scapegoat. Unscrupulous tech vendors abuse law enforcement/government's lack of knowledge and pressure from the public to sell security snake-oil, promising them the answer to keep the people safe.
There probably is a good future where technology does help stop terrorists and criminals, but right now, they're not doing anything special or unique, just different than we're expecting, and apparently that's more than enough.
> Well, if memory serves, for the most part haven't most terrorist attacks been coordinated over either completely open channels or over non-technical channels? If I remember correctly, the Bin Laden operations were orchestrated via sneakernet, the more recent attacks in France were orchestrated with check-out aisle cell phones.
We have no way of knowing. There hasn't been a repeat attack at the scale of 9/11 to date in the US, which either means that people aren't trying or the security services are very effective. Since terrorist organization have been encouraging crazy lone-wolf type people to commit random attacks, that suggests to me that the security services are effective.
All security/law enforcement operations are about managing risk. Criminals and other "opponents" find weaknesses quickly -- remember the early 2000s popularity of Nextel and Boost Mobile devices among drug dealers. Even something as ridiculous and expensive as TSA serves a function... getting contraband on an airplane is a riskier proposition now. You don't need 100% effectiveness -- in a 9/11 type scenario a 40% effective screening process would have likely discovered some conspirators.
IMO, attacking the law enforcement surveillance creep is the wrong approach. That's a symptom of a larger problem, which is this global instability kicked off by Bin Laden and his ilk. That's the disease, and the only way to address surveillance is to attack those political problems and get back to a more balanced system.
I remember after the Paris attacks hearing about how messages could be sent via game console networks, or even non-verbally in the online multiplayer games themselves.
Yeah the weird thing is, despite being easy to circumvent these sort of measures are often very effective! So long as using a VPN requires any baseline of knowledge, technical skill and effort, I expect 90%+ of criminals won't do it.
I've been nursing a theory for a long time that modern society has an accidental saving grace. And that is, if you're competent, its usually better to just not commit crime. Think about it - any criminal can learn lockpicking today via the internet, but few do. Why? Because if you're capable of investing time and energy into honing a skill, you may as well do something above board. Don't break and enter - become a locksmith instead. Don't manage a team of criminals - become a manager at a company. It pays better. Its less risky. There's more services and social support available. You won't go to jail. You can have friends who aren't criminals.
And because of that the people who are left committing the vast majority of crime do so in part because they're not good at long term planning. Which is something law enforcement takes complete advantage of. So, almost no petty criminals are going to know about VPNs. They aren't going to commit to a monthly subscription to a VPN provider. They won't set up a PP2P tunnel on their phone and laptop. Why? Again because if they knew to do that sort of stuff they could probably hold down a stable job in low level tech support.
Obviously there's exceptions to this, but the bread and butter of law enforcement isn't bank heists. Its someone who's drunk. Its someone who smashed a window and stole some money because they want to get high. Or stole a phone out of someone's hand and ran off with it. Or went out with the boys to beat someone up "who had it coming".
When the (then) Australian minister for communication introduced record keeping laws for ISPs he told people they can bypass it a number of ways. Lots of people were confused by that - but it makes sense. The aim isn't to record data from us, or from our community. They don't care about taxpayers who are gainfully employed. The point is to make it easier to catch that asshole who beat up his girlfriend then bragged about it to his friends on facebook.
And as a result, probably the most annoying thing we can do for law enforcement is introduce apps like Signal and the TOR browser. Stuff that makes it dead simple for anyone to maintain their privacy - you just have to use a different messenger.
(Edit: Re-watched the interview where Turnbull described how to bypass the retention bill and he wasn't as enthusiastic as I remember.)
I would argue that the notion of "crime" is typically biased by the observed criminal acts. For example, criminal theft is usually thought to be some form of robbery, including everything from bank robberies to residential break-ins. However, wage theft, consisting of employers illegally withholding wages, is more than 2.5 times larger than all robberies combined [1].
It isn't that smart criminals don't exist. Rather, smart criminals don't fit our mental image of "criminals", which makes it harder to target laws against it.
> Rather, smart criminals don't fit our mental image of "criminals", which makes it harder to target laws against it
I would argue that it has nothing to do with the laws; they're breaking the same laws as everybody else. It's that our justice system, at least in the US, incentivizes law enforcement to focus on easier prey. Smart criminals will probably defend themselves in court and be more likely to be privy to the tricks that police use. It's much easier for them to just arrest a poor person and threaten to throw them in jail for months behind bail that they can't afford unless they plead guilty to something they obviously didn't do. Most poor people will just take the plea, because they can't afford to miss work and lose their job while they wait for their day in court. NYPD in particular are notorious for this.
> the people who are left committing the vast majority of crime do so in part because they're not good at long term planning.
Maybe. But your data could well be flawed. You've only got to watch any of these police shows on TV, and you'll see them pick up a drug dealer because he's driving a car with no insurance, or not wearing a seatbelt, or any number of other minor transgressions. I saw one the other day where a guy yelled obscenities at the officers as he drove past, which caught their attention and caused them to recognise that he was a banned driver. That's just a special kind of stupid.
If these are the guys getting caught, then the most obvious way to not get caught is to dress smartly, drive an insured and roadworthy car at a sensible speed, and generally blend in to the thousands of commuters that take to the road every day.
Equally, while the dumb criminals will look at the new bill and not be too concerned because they don't plan that far ahead, the smart ones have already been using VPNs for years. The really smart ones aren't even using commercial VPN providers - they're using offshore VPS services with a prepaid VISA, and a script to set up OpenVPN in a couple of seconds, so they can rotate providers and destroy the VPS every couple of months or so.
I also see this in my friends that do dumb stuff for their income. Most of them are flat out stupid and the rest are only able to think about the next few days.
TV isn't a good representation of most of it - it rarely shows how little profit drug dealers actually clear, for example.
> I've been nursing a theory for a long time that modern society has an accidental saving grace. And that is, if you're competent, its usually better to just not commit crime.
This is an odd comment. Clearly the mechanism you describe is correct, but there's literally nothing accidental about it at all. The entire stated purpose of the criminal justice system is to create a set of incentives sufficient to ensure this calculus applies.
I fail to see how placing an entire population's electronic communication under surveillance is a proportionate response to this kind of 'low hanging fruit' offender.
This is a great response. And arguably, the argument.
A friend of mine is a policeman, and says exactly that. MOST criminals have a level of ineptitude that allows them to get caught. Except this isn't being sold as "we want to catch the guy who beats his wife". And if it were, why not just install a 'telescreen' in everyone's house and catch them in the act?
Regarding the _encouraging people_ to get a VPN, that shouldn't be the default. The police were already in a position where they can monitor anyone they suspect of a crime. This targets _everyone_, with the false promise of safety.
Adding to that, when you couple this with Claire Perry pushing (_again_) for 'adult' sites requiring 'age verification', you're on a very slippery slope.
> I've been nursing a theory for a long time that modern society has an accidental saving grace. And that is, if you're competent, its usually better to just not commit crime. Think about it - any criminal can learn lockpicking today via the internet, but few do. Why?
Because it's easier to crack open a window someone left unlocked.
> Stuff that makes it dead simple for anyone to maintain their privacy - you just have to use a different messenger.
Assuming (caveat: big assumption) a legitimate implementation, I bet WhatsApp is the big frustration in the UK - it was already hugely popular here before it went end-to-end encrypted.
> When the Australian minister for communication introduced record keeping laws for ISPs he encouraged people to bypass it using VPNs. Said thats what he was doing.
Do you have a source for that? If true I find it very bizarre.
> “If on the other hand I communicate with you via Skype for a voice call or Viber, send you a message on WhatsApp or Wickr or Threema or Signal or Telegrammer — there’s a gazillion of them — or indeed if you make a FaceTime call, then all that the telco can see, insofar as it can see anything, is that my device has had a connection with the Skype server or the WhatsApp server; it doesn’t see anything happening with you.
> “There are always ways for people to get around things, but of course a lot of people don’t, and that’s why I’ve always said the data retention laws, the use of metadata, is not a silver bullet. It’s not a 100% guarantee. It is one tool in many tools.”
To make you censor yourself so they don't have to. Same deal with the porn one. There was a piece by Alec Muffet not so long ago discussing the consultation process for age verification. All those involved knew that the headline group (teenagers) the law was supposed to protect were by far the most likely to circumvent the measures, so any such system is essentially not fit for its stated purpose.
Even if the intent is to play well with the authoritarian and/or socially conservative portions of the electorate, the effect will still be self censorship.
My SO and I both have to undergo enhanced disclosure and barring service checks on a regular basis for our jobs, one of which is in education. The UK Department of Education just effectively prevented Milo from speaking at his old school 'because extremism'. So how should I be feeling right now about following links from Reddit or other forums discussing US electoral politics that might lead to Breitbart? What if there's another situation like Sad Puppies vs the Hugos and I'm trying to get a picture of what's going on and I click on a link to find a Vox Day equivalent? Did I just endanger one of our prospects for future employment? Hard to say. Will using a VPN service get us tagged as 'something to hide' and affect our eligibility to work with children and vulnerable adults? Don't know. Worth betting someone's career on?
I can't work out the purpose. It feels scary and Orwellian but I don't know why they want to collect all this data. Who benefits?
In a totalitarian regime it makes sense because you can use it to prevent political opposition. But in this case, it's a democratic government that can easily be voted out. It doesn't help anyone cling to power.
Maybe I'm over-thinking, but I can't work out the point.
> The group of individuals handling this data are more than likely to be bureaucratically appointed rather than democratically elected.
Exactly what I was going to reply. There is no need for any conspiracy theories to acknowledge that in almost any democratic states of these days "states within a state" exist when it comes to surveilance and intelligence services. While political function owners come and go with each election, those organisations seem to be more structural conservative following agendas which reach beyond any legislative period.
The point is the legislations are written by people who are often technologically inept and from a political culture of placing their own opinions above the advice of the experts.
You also see the same nonsensical policies on other topics like global warming, gun control (in the US), the war on drugs, and weird alternative treatments available on the NHS.
A publicity stunt so, come the next election, said government can leverage what the masses might see as a good/harmless idea. The minority of people who know better won't be statistically significant when it comes to the polls.
Democracies can fail, for example the recent rise of Erdogan. Asshats in power want democracy to fail because when it does they will be the ones in power.
Even if only for tactical reasons, it's better to treat this as a well-intentioned mistake, and not as a vast conspiracy to round up dissenters etc.
Taking that point of view, the argument is that there's a subset of criminals that are stupid, or make mistakes. For people who've bought into the "nothing-to-hide" mindset, even a tiny chance to catch a few criminals is enough, because there's precisely zero on the other side.
So the task is: a clearly articulated argument for why privacy is important. I'm not saying someone should leak all the porn-URLs visited from Parliament, but it wouldn't hurt. Although some PG13 reasons may be even more helpful with the conservative crowd: "Prime witness in mafia trial killed after location revealed in log leak"...
The "rounding up dissenters" argument should still be in there – as "we're creating tools that a less benevolent government could exploit." C.f.: Trump/muslims, the Dutch (Danish?) burning their register of Jews
They're not looking for actual terrorists or criminals. They're looking for people like Occupy Wall Street protesters, who actually pose a threat (ie. redistribution of wealth) to those in power. Then as soon as they do something like pirate a movie, they can be thrown in jail (ie politically neutered).
This is correct. Every serious criminal won't use a VPN or other obvious crypto, because this paints a big target on your back signalling you want to hide something. A serious adversary will, as you say, use a pre-arranged innocent vocabulary that is virtually impossible to detect, or just communicate face-to-face or via written notes delivered by a messenger.
Oh and by the way, remember to buy lettuce today ;) ;)
Terrorists also have mothers, and eat apple pie. This is not about terrorists; this is about frustrated law enforcement who seek to break privacy to facilitate their efforts. When we see it that way, we see the emotional rhetoric for what it is - scaremongering to make enforcement simpler.
To me, even bigger problem is a general fact that a large majority of people easily agree to restrict liberties (some of them hard won) because "terrorists can also do this". A more defensible argument would be "outlaw X if a fraction of law abiding citizens snagged would be tiny".
I would be curious though how big a majority would still support the logic that "we should restrict/track any X if X helps terrorists", if the question were to be posed cleanly (i.e., without scaremongering examples on the same page). If the problem is presentation, not internal beliefs the pendulum may swing back sooner rather than later.
Drugs, child porn (sometimes even adult porn), and terrorism seem to be the most-used arguments for authoritarianism. Unfortunately they are also quite convincing in the "you have nothing to hide" sense.
That's true, but on the other hand their assertion is also true - terrorists (both political and paramilitary) do attempt to exploit the infrastructure of an open society, and government (qua public agency) does have a legitimate interest in frustrating some kinds of criminal traffic.
You try running a government and explaining to people that the price of liberty is putting up with a certain level of terrorism and child porn every year. You won't stay in power long if you do. (Mind, I'm not endorsing this new law, which I think is awful. I'm just taking issue with your objection to the political reasoning, and saying that it's self-defeating.)
The problem with these systems is regardless of the efficacy, they are incredibly difficult to dismantle and easy to re-purpose with the stroke of a pen.
And these "tech-savvy" people are dreaming if they think that access to VPN services from the UK will remain legal in the UK, esp. after a naughty person or two is shown to have used one to commission a crime. It won't happen quickly, but #include frog_boiling.h.
VPN isn't even that good of a protection anymore when all countries the traffic goes through log it and cooperate.
VPN providers would have to introduce a random delay for their users, otherwise looking at all the exact times along the way gives a pretty good idea who accesses what.
The most scary thing for me is that both political left and political right is nowadays for increasing surveillance - and there is no one in opposition.
Except probably for Pirate parties, which are mostly irrelevant.
> The most scary thing for me is that both political left and political right is nowadays for increasing surveillance
Right, because like many important but sparsely discussed issues this one doesn't fit into the left-right distinction. Unfortunately there are still many voters who like to compress the issues down to a single scalar value so they can place themselves on some easy-to-understand axis.
Break away from it. State involvement in economic policy is only one of many issues to consider when voting for a government.
I used to think that. They say they are against it. When given an opportunity to actually fight it in the past they rolled over and did very little (essentially asking for minor tweaks).
Liberal Democrats are bench warmers and when they are moved into play they can't execute anything - for example their drugs minister Norman Baker did nothing along the lines what Liberal Democrats preach. They are a political laughing stock and nobody takes them seriously.
They're not looking for actual terrorists, otherwise the SMS's would have triggered a response. They're looking for people like Occupy Wall Street protesters, who actually pose a threat (ie. redistribution of wealth) to those in power.
Brian K. Vaughan's comic Private Eye [1] foreshadows what might happen if this dataset is breached. The premise is the digital cloud "bursts" - all private data is suddenly dumped and searchable - forcing people to completely abandon their identities and assume new ones - changing their name, appearance, re-starting their careers, etc.
When you consider this in the context of technologies like Voco [2] and Face2Face [3] that can fabricate a speech or make a fake "hot mic" video from a public figure, it makes you wonder if we'll ever be able to prove things are __true__ in the future, and what the value of our identity is if it can be shattered beyond repair due to negligence from a third party. What do we do then? How do you cryptographically sign yourself?
Pardon my extreme language but Fuck! How on earth do bills like this come to pass without uproar widespread enough to quash it.
Shit like this seriously makes me want to give up on the internet and walk away from it despite it having been my lifeline and the foundation of my income since I was in my teens almost 30 years ago.
The reason such bills get proposed and passed is because, broadly speaking, they are popular with the electorate or at least not unpopular.
The reason they are not unpopular, the root problem, is because the downsides are perceived as theoretical and in the future whereas the upsides are seen as real and in the present. Put simply the arguments against look like this:
Oppose this bill because the government COULD abuse it and PROBABLY will abuse it in future
i.e. it's all vague arguments about probabilities, and the arguments for it look like this:
Support this bill because it WILL help the fight against terrorists and paedos right now
For better or worse the British government has a relatively high level of trust amongst the British people. There is no British constitution and we can now see how a minority of the population is trying to convince Parliament to override the results of an actual referendum on the grounds that people are too stupid to rule themselves, so must be dictated to by small enclaves of their betters. That attitude is widespread, even if it is kind of dumb - MPs are just ordinary people too, after all, it's not like there's any filter on them beyond voting. But given that the governmental "elite" imposing its own morality and wisdom on the majority is practically a sexual turn-on for non-trivial numbers of voters, this kind of thing shouldn't surprise us.
We can and probably should argue that this trust is misplaced. There's plenty of evidence of that, along with the fact that surveillance is invariably paired with secrecy so it's hard for people to judge whether the government can be trusted to begin with. But that's why such bills happen.
The solution is probably not VPNs. Ultimately in a fight between internet technologists and lawmakers, sufficiently determined lawmakers will always win: China proves this. The UK's lawmakers may not be sufficiently determined but if they are the only solution is to continue making the argument to the electorate that the government cannot be trusted with such powers, and that they won't help fight terrorists and paedos anyway.
Pointing out that Trump now controls the NSA might be a good start.
I'm not sure if there's any truth to these anecdotes, quite probably not but I feel they're particularly poignant given the situation:
When the U.S. first decided to send man to the moon, they spent billions of dollars inventing a pen that would write in zero gravity. Meanwhile the Russians used a pencil.
Again with the race for hacking computers in the Russian Embassy to spy on the Russians, instead of spending billions of dollars securing their computers in a cyber arms race, they switched to typewriters.
I find the simplicity in their solutions to these problems remarkably satisfying.
It is this simplicity that calls me to just say fuck it, if you're going to act like that, I'm just not playing any more. I'll go do something else interesting that doesn't involve you.
> Shit like this seriously makes me want to give up on the internet and walk away from it
You echo my thoughts exactly - I've recently been thinking about moving to a small town north of where I currently live, where land prices are cheap, and you can get 10 acres for nothing. Bad part - little to no internet access.
That works if you can make that 10 acres work for you... I've been trying that model for the last little while on top of my full time job. I can tell you from first hand experience that while it may be rewarding, the amount of work and money it takes to get those 10 acres working for you is not trivial and has the serious probability of burning you out before you make it. I wouldn't recommend doing this on top of a full time job if time is of the essence. It's probably something you'd want to do over the period of a couple of years because trying to get 10 acres working for you inside of a year is an insane amount of work - it's literally more than a second full time job. I know this, because that's exactly what I've been doing for the last 9 months.
The shitty internet access will be beyond frustrating at first. Again, speaking from first hand experience, you will become accustomed to it and find workarounds. I sometimes think that not having any internet access at all would be easier than dealing with the outages that I deal with on a weekly basis. Eventually you stop caring about it and think fuck it, I'll just do something else with my time, read a book, go out on your land, learn useful things like small engine repair or carpentry or whatever...
Not having Internet and TV can be frustrating and boring at first, but finding hobbies and learning skills to fill that time instead can be extremely good for your confidence and your soul.
I know this is a late reply and such - but my first modem was a 300 baud screamer (heh) - so a slow connection could look fast to me otherwise (not as fast as what I have currently, tho).
As far as getting 10 acres to work for me - well, I wasn't thinking that route (ie - farming). More just doing odd jobs to make the tax payment; I'm pretty good with mechanically inclined stuff - I also can work a welder, plasma cutter, grinder, etc. Or - maybe I could get a cheap 3D printer and/or laser cutter and do stuff with that.
Everything else would be completely paid off, and otherwise I'd be off-the-grid (electric from solar/wind, water from a well, then a septic tank - I guess I might have to budget for maintenance of that stuff, too).
I'm thinking, though, I might still be able to commute into jobs - where I'm thinking about locating isn't too far away from work - though it'd be a long commute (50-75 miles each way).
Assuming you can't block a VPN connection since business use them, how would this work? I assume at some point you simply ban HTTPS or non-public connections, or require government certs to be the only ones used (I think Turkey or some similar country is looking at this) so MITM can be done. Of course once you stick your foot into security, all the bad folks out there will take advantage, and their goes your financial industry and more. It's a stupid idea all around but the dolts in charge seem to either not care or don't understand. Also calling all of your citizens terrorists is a nice touch.
How is this surveillance system supposed to work? Logging DNS requests? How feasible would it be to get everyone to look up every domain on the Internet and DDOS this surveillance system?
There doesn't seem to be a technical definition of an 'Internet Connection Record', but from the factsheet[1], they:
"are records of the internet services that have been accessed by a device. They would include, for example, a record of the fact that a smartphone had accessed a particular social media website at a particular time."
and:
"ICRs do not provide a full internet browsing history. The ICRs do not reveal every web page that a person
visited or any action carried out on that web page."
How this will work in practice is anyones guess at the moment - every time I think of something short of logging every packet header sent/received in the UK (which leads to a staggering amount of data needing to be logged), I think of things that would slip though (and therefore wouldn't fulfil the first statement)...
That'd work fine for HTTP(S) data, I suspect the data capture would have to be done at the IP level by default, with per-protocol filters on top to capture additional data. Which is going to add complexity to the data capture equipment, plus an ongoing maintenance cost to keep on top of new/updated protocols.
I can't see the current government accepting the possibility that the Internet Bad Guys(tm) could just use a different protocol and avoid all logging.
The thing I don't get about the UK is that they have very pervasive surveillance set up both online and in the real world, yet anyone can buy a mobile phone and a prepaid SIM at some random Tesco's and pay with cash without giving their name or ID.
Why do they keep allowing this? Other countries have always required presenting ID to buy a SIM. It's a surveillance measure that's presumably quite effective, but also far less invasive than this law and others.
Bullies are cowards. That lesson from school is generally true for bullies in real world too.
Government is just that coward bully. True that US government's tyranny has been rise year on year under leadership of presidents of all political stripes and yet it has meant zilch for either their political goals states good objectives.
All the recent wars by US government have been massive and spectacular failures, fight against terrorism has only created far more threats, people's approval of drug legalization is all time high, gays are safest they have ever been and it is easiest to get almost any kind of gun illegally than in past.
Politicians are very eager to control you life but they are so incompetent with that power that eventually it would not matter. The only problem I see that increasing government spending which will slow down US economy.
One option is to hide your internet history, the other is to automate it (including signing up for and logging in to sites you don't necessarily visit) so that your machine is logging 24/7 and your small portion gets lost in the haystack
Logging discovers who visited a specific "bad website" - the fact there might be 10,000 "good websites" in your history is essentially irrelevant. If you visited the bad one then you'll get flagged as a user of the "bad website".
This is not true, for instance say you're an oppressive government and have a method to decrypt encryption type X (https, E2E encryption or what-have-you). There's only so many times you can use your decryption alg for evil purposes before someone leaks that you have it. Https is infinitely better than http, E2E encryption is infinitely better than nothing.
Your "fake" traffic would have to very closely match your non-fake traffic otherwise it could be easily filtered out. And I'm not just talking about User-Agent headers.
Features like "You are currently logged in from 5 different devices" are event log-driven.
Unfortunately, this level of security and consumer protection is only found in top-tier online services.
Service providers can spin this "compliance" measure into a "benefit" for their customers/users. The net result, more users will disable or report rogue sessions.
Having visited England recently, despite the surveillance engine being prepped in the US, the contrast of the extent and the lack of rights and legal means in the UK to protect the people from bad laws like this was palpable. So look at it this way, at least you don't live there.
If we keep headed in the same direction though it won't be long before we forget all the reasons for the American Revolution and let the globalists convince us to rejoin the empire cough the commonwealth again.
Of course, any American who advocates for such a thing is traitorous, and should have the full weight of the law brought down on them.
I don't know, maybe I'm crazy and I'm the only one who thinks oaths mean anything these days.
I will say this though, beware the Rhodesians and their round tables.
The monarchy had repeatedly violated the patriots (uncodified) constitutional rights, their common law rights, and their natural rights. The legal debate became the American Revolution, and America won. Furthermore, many of the sons of liberty had never signed or taken oaths of allegiance to the monarchy.
Some of them did take oaths of allegiance though, so you actually touch upon a very interesting subject that I think would be worth having a more nuanced conversation about. So thanks for spurring me to think further on the matter.
So far, the main thing I can think of is that part of the oaths of allegiance include duty, not just to the monarch but to the laws which create that monarch, therefor I find the view of the The European Court of Human Rights retrospectively insightful in that it ruled that the oath of allegiance to a reigning monarch is "reasonably viewed as an affirmation of loyalty to the constitutional principles which support... the workings of representative democracy in the respondent State."
Now, if you want to advocate against the constitution, as long as it is just speech, that is legal (as long as you are simply a citizen and haven't taken an oath), but I would agree it is treacherous, but not traitorous or treasonous. The second speech becomes action, particularly to assist a foreign entity in that venture though, it does become treason. I highly disagree with the sedition laws which violate the first amendment and have been so harshly abused even in the modern era, so I am ignoring those for the sake of conversation.
You said you "don't want to join any empire, but I would advocate for globalism, which I don't believe is the same thing as imperialism." I would simply say I think you are wrong and provably so on this point, in that the current trend of globalism is indeed an imperial globalism.
That being said, I will admit that I have often had the conversation about the utopic version of globalism, but it is important to differentiate between that imagined ideal which I think you might be referring to, and the reality of the current global geo-political movement of globalism (which is quite different from the economic fact of globalism, which I don't think is up for dispute).
If you want, I am willing to expand on the more technical reasons I think that current global is imperial globalism.
I wish I could edit my gp comment, because I was obviously wrong to say : "Of course, any American who advocates for such a thing is traitorous, "
> The Investigatory Powers Bill provides law enforcement and the security and intelligence agencies with the powers they need to protect the UK and its citizens from terrorists and serious criminals.
But how it is going to protect the UK from funny criminals?
But this doesn't mean that technology wins. Rather, it makes the loss even worse, because it means the laws will ultimately have to be defined in reverse - rather than outlawing encryption, they will have to outlaw inability to decrypt. That is, it will be the end user's responsibility to ensure that authorities can decode data you transmit. Transmission of undecryptable data will be a crime, in and of itself.
Apart from the obvious dystopian consequences, this will impact progress in technology tremendously - suddenly it won't be possible to just invent a new data format or protocol any more. Doing so will put you at extreme risk of being interpreted as sending unauthorised encrypted data. So data formats will have to be registered - to send data in a new format you will first have to register a codec with the government and probably yourself have to be licensed. This will have a severe chilling effect on innovation. Software development, already dominated by tech behemoths, will become completely out of reach of small development teams simply because the regulatory burden is so high.
It's a depressing picture but given the trends of late I don't really see it going any other way. Only some extreme swing back towards individual rights over rights of the state will change its direction. But terrorism seems to have set in as a permanent tool for governments to grind away at individual rights.