Berners-Lee Says No To Internet Snooping

Jack Spine writes "The inventor of the World Wide Web has pointed out some of the dangers of deep packet inspection. Sir Tim said that ISPs 'snooping' on data was similar to the interception of mail. 'This is very important to me, as what is at stake is the integrity of the internet as a communications medium,' Berners-Lee said on Wednesday. TBL's comments come as the UK government is gearing up to intercept all web communications in the UK through the Intercept Modernisation Programme, and echo comments he made last year about Phorm."

Inventor of the world wide

[ericrost]

The inventor of the world wide what?

Re:

[Anonymous Coward]

I accidentally the whole world wide. Is this bad?

pants

[Anonymous Coward]

world wide pants!

Re:Inventor of the world wide

[Godwin O'Hitler]

Its a typo. It should read "word wide". TBL invented the word "wide" because prior to then most things were narrow.

Re:

[vishbar]

There's a goatse joke to be made here. I'm just not quite sure what it is.

Re:

[Obfuscant]

The inventor of the world wide what?

Not the world wide what, the world wide has. If you elide the prepositional (of) clause, you get "The inventor pointed out...".

Re:

[ccguy]

The inventor of the world wide what?

You'll probably find it interesting that google returns more than 500 entries for Berners-Lee goatse.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[Anonymous Coward]

The promise of the internet is free and open data. Encryption is anti-everything the internet is about.

The real death of the internet was ~10 years ago, when anonymous posting disappeared.

Re:

[Anonymous Coward]

Well that's the thing. Anonymous posting provided one form of security that's no longer feasibly available. Encryption allows better privacy. As more and more cultures/subcultures/thought-pattern-sharers participate on the web, conflicts and clashes are more and more likely to happen. Opportunistic encryption, as long as it is controllable, will make the web a mutual haven for all cultures. One community can keep their convos/files/culture to themselves, while others can still broadcast theirs. The he

Re:The dream of encryption

[lenski]

the promise of the internet is free and open communications.

What we do with our data is entirely up to us, and nobody else. Not "the government", not ISPs. This includes encrypting whatever is being transmitted.

You may share any paper, report, program, comment that is yours to publish. Some communications using the Internet should be more like a phone conversation (before USAPATRIOT stupidity), in which a modicum of privacy is a reasonable presumption.

Re:The dream of encryption

[ClosedSource]

"The promise of the internet is free and open data."

I thought the promise of the internet was free porn.

Seriously, it started as a government program and open and free communications was not the goal.

Re:The dream of encryption

[icebike]

PGP keys only help with email.

Far better to move the entire web to ONLY ssl based servers, (after fixing ssl of course).

Re:

[Sloppy]

PGP keys only help with email.

Far better to move the entire web to ONLY ssl based servers, (after fixing ssl of course).

And the way to fix SSL, is to switch to using PGP keys [gnu.org].

Re:The dream of encryption

[Creepy Crawler]

Where have YOU been living?

1. I have _multiple_ active GPG keys. All Ubuntu has GPG on them by default.
2. I use TOR regularly, which uses multiple levels of encryption.
3. I use HTTPS sites regularly. Not the old dinky 40bit keys either.
4. My filesystem on my laptops are encrypted via DM_CRYPT and Luks.
5. Every machine I communicate with has SSH. Therefore, I also have encrypted data tunnels for everything.
6. I use W.A.S.T.E.

Yeah. That whole encryption thing died out a while back. Uh huh.

Re:The dream of encryption

[FooAtWFU]

Weirdo.

Re:The dream of encryption

[Creepy Crawler]

What do you mean "Weirdo"?

Anybody that uses a Unix based system (BSD, Linux, Solaris) all use a variant of OpenSSH.
Anybody that buys stuff on the net uses 128bit SSL.
Even that child porn dude that's in the supreme court knew enough to use TrueCrypt.

Or even another encryption used: WEP and WPA. There's 2 very standard, "non-weird" encryptions. They just arent terribly strong.

Re:

[Amazing Quantum Man]

Apparently, you've turned off your sarcasm detector.

Re:

[Logic and Reason]

Ooh, a sarcasm detector. That's a real useful invention.

Re:

[xmundt]

Greetings and Salutations..
Hum...this looks like an excellent proof of the observation that inability to detect sarcasm is an early sign of dimentia.
          G,D, R
          Dave Mundt

Re:

[sortius_nod]

It did, you just bought the Vista version...

A slashdot poster would like to use sarcasm.

[Cancel] [Allow]

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Creepy Crawler]

What you underlaid was the idea that encryption is just a "Big Red Flag" saying something good is in here. Well, of course. It all comes down to that idea of plausible deniablity.

If you use full disk encryption, its to encrypt my business and personal information. You prepare this partition as if somebody will look at it. The FDE is "just for looks". On the FDE level, you have most of your computing environment. You have your games, function apps, system stuff, database with receipts and business purchases.

Re:

[Hordeking]

Where have YOU been living?

1. I have _multiple_ active GPG keys. All Ubuntu has GPG on them by default. 2. I use TOR regularly, which uses multiple levels of encryption. 3. I use HTTPS sites regularly. Not the old dinky 40bit keys either. 4. My filesystem on my laptops are encrypted via DM_CRYPT and Luks. 5. Every machine I communicate with has SSH. Therefore, I also have encrypted data tunnels for everything. 6. I use W.A.S.T.E.

Yeah. That whole encryption thing died out a while back. Uh huh.

We Await Silent Tristero's Empire.

Re:

[bob.appleyard]

Back in your bin

Re:

[knewter]

Is W.A.S.T.E. still under active dev? I used that thing for around a year after aol killed it in ~2003/4, and then me and my cousin stopped sharing files as frequently (really the only person I shared files with via WASTE)

Re:

[pilgrim23]

Ha! I always send text written with an Enochian font (look it up) after first translating into Voynich script! Now if only I could figure out how to decode it I would be able to read this shopping list....

Re:

[Raul Acevedo]

Wow, clearly your individual example shows that every human being in existence does exactly the same thing. You really showed the parent poster he's been living under a rock...

Re:The dream of encryption

[0100010001010011]

Because most of us came to this realization: http://xkcd.com/538/ [xkcd.com] or the fact that 90% of it doesn't matter.

All of my Tax documents and other financial stuff is on a 256-bit encrypted disk image. But why the hell do I need to encrypt the message to my mom about my Easter plans? Furthermore, how do I explain to someone that just learned to use a computer that Obama wants to know if it's going to be Ham or Turkey.

And the last time I planned something big and illegal we sure as hell didn't EMAIL each other about it, we met in person. (3 friends of mine all worked at Taco Bell through High School. Summer before college we planned a heist of the flags off the top. I still have a flag I fly on Rugby trips with the Taco Bell Dog.)

Re:The dream of encryption

[Red Flayer]

Because most of us came to this realization: http://xkcd.com/538/ [xkcd.com] or the fact that 90% of it doesn't matter.

The problem with the xkcd cartoon is that it only applies if whoever wants your information knows that you have it.

The point of general encryption is that fishing expeditions are impossible... so the "juicy" stuff that would warrant attention from the powers that be is hidden in the morass of all the other encrypted data.

Yes, a ten-dollar hammer can be used to get my keys from me... but how do you know I've got the goods if you've never been able to read anyone's data?

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Anonymous Coward]

but how do you know I've got the goods if you've never been able to read anyone's data?

Just another use for a ten dollar hammer. Only people with something to hide use encryption and those packet headers weren't pointing to amazon.com. So that makes you a suspect and the shmuck at the other endpoint too.

People tend to forget how much 'intelligence' can be gleaned from communications even though the content of the communications are encrypted. It doesn't take deep packet inspection to map interrelationships

Re:The dream of encryption

[TrekkieGod]

Because most of us came to this realization: http://xkcd.com/538/ [xkcd.com] or the fact that 90% of it doesn't matter.

All of my Tax documents and other financial stuff is on a 256-bit encrypted disk image. But why the hell do I need to encrypt the message to my mom about my Easter plans?

Because if somebody's watching you send all those messages to your mom about Easter plans and then suddenly see encrypted traffic, they're going to know that the encrypted traffic must have been special and then come after you with the wrench?

Re:The dream of encryption

[0100010001010011]

The world has moved beyond simply sending encrypted e-mails back and forth. Steganography, torrents, tor, etc.

If I REALLY wanted to coordinate killing the president or something big. I'd probably use YouTube or Craigslist where the Signal to Noise is infinitely small. I'd embed an encrypted stegano message inside video of a guy lighting farts on fire or 'casual encounter' ad. Heck, put up some eBay listings with big pictures. How do you know that latest version of Heroes you downloaded from Bit Torrent doesn't have a 5MB image embedded in it with the President's route on some foreign trip?

How about those Spam messages that look like a ton of gibberish, do you know they're not some secret code?

I'm sure if a few Slashdoters put their minds to it, they could come up with a bit more ingenious ways of sending messages than 'plain text' encrypted PGP e-mails.

The next terrorist isn't going to suddenly start sending encrypted messages from a normal account.

Re:

[debrain]

Wtf? I for one am not "the next terrorist." This isn't about trying to do anything illegal, it's about privacy. If I'm trying to send my lawyer some confidential files I don't want to direct him to find some image on facebook. I want to send him the file. And I want the communication to look no different than any other message I send him or my mother.

I understand the GP's point to be that this invasion of privacy proposed by the U.K. government isn't an effective way to prevent, deter or intercept terrorist communications (i.e. because steganographic techniques on other sites such as YouTube and eBay would be considerably more effective).

Re:

[tsotha]

Bah. The Secret Service has a pretty easy job for the next four years. The president has the ultimate assassination insurance - Joe Biden.

Re:

[AmiMoJo]

Actually, there is a much easier way to defeat what the UK government is planning to do. The key is that they require the ISPs to do all the logging, so if you run your own SMTP server or use one in a safe country (e.g. Russia) they they don't get to monitor you.

Sure, your communications are not encrypted, but most people don't have PGP and wouldn't know how to use it anyway. It also breaks web mail (now there's a feature I'd like to see for gmail, don't know how it would work securely though). If you use T

Re:

[broken_chaos]

Encryption works for very important data (that you would die to protect), less important data transferred over a network (moderately important e-mails), and unimportant data as a form of misdirection (if everything is encrypted, no one can tell what's important or not).

Full disk encryption, while nice, is not a protection for your data from someone who really wants it, unless you will die to protect it. It is protection from casual thieves for things like passwords, credit card data, personal information (y

Re:The dream of encryption

[Sloppy]

A lot of very foolish people have overgeneralized the point of that cartoon.

The $5 wrench attack does work to defeat encryption, but it only works when someone is specifically interested in you.

The bad guys cannot put a $5 wrench on the backbone and slurp up everything. The only way they can do that, is if people agree to not encrypt.

If you encrypt, you defeat massive-scale surveillance. And you are not defeating a theoretical attack; you're not even defeating a plausible attack. You defeat an attack that the US government is known to be using.

You don't need to read phrack or 2600 to know about this; read the New York Times or turn on your TV and watch Frontline. Get your head out of the sand.

Re:

[severoon]

If I suddenly had a need to send something encrypted, but I didn't want it to appear encrypted, I would take the encrypted block and bury it steganographically in an image attached to the email, an image relevant to the innocuous message about Easter dinner that is in the body of the message...like a picture of a ham or something.

In fact, I suspect that most of the innocuous-looking traffic that's flying around the web right now is actually bearing a different encrypted message to the intended recipient as

Re:

[Sloppy]

If I suddenly had a need to send something encrypted, but I didn't want it to appear encrypted, I would..

You've already lost me at the premise. Why wouldn't you want it to appear encrypted? Ideally, everything you ever do should be encrypted.

How do we know everyone's not already encrypting everything worthy of being encrypted?

That's really obvious: Because some people are still using plaintext for some things, and some people (such as Berners-Lee) are complaining about internet snooping.

When you forwa

Re:The dream of encryption

[Sloppy]

But why the hell do I need to encrypt the message to my mom about my Easter plans?

Because I might be looking for houses to burgle on Easter.

Because privacy should be the default. Instead of asking why your plans should be secret, ask why your plans should be public. It's just as legitimate of a question.

And the last time I planned something big and illegal we sure as hell didn't EMAIL each other about it, we met in person.

Good for you. But there's more to life than planning crimes, and there are other threats than government law enforcement (they just happen to be the most high-profile). I know some people think that the only purpose of the internet is for pedophiles to trade porn, but really, people do have other uses for it. Most of those uses are nobody else's business. If you wanted the world to know your Easter plans, you could have posted them to Usenet. Instead, you chose email.

Re:

[noidentity]

And the last time I planned something big and illegal we sure as hell didn't EMAIL each other about it, we met in person. (3 friends of mine all worked at Taco Bell through High School. Summer before college we planned a heist of the flags off the top. I still have a flag I fly on Rugby trips with the Taco Bell Dog.)

Even better, you posted about it on Slashdot!

Re:

[kinnell]

But why the hell do I need to encrypt the message to my mom about my Easter plans?

For the same reason people feel the need to send most written letters in envelopes rather than on postcards.

Re:

[VeNoM0619]

And the last time I planned something big and illegal we sure as hell didn't EMAIL each other about it, we met in person. (3 friends of mine all worked at Taco Bell through High School. Summer before college we planned a heist of the flags off the top. I still have a flag I fly on Rugby trips with the Taco Bell Dog.)

But then you posted it on the net bragging about it... so you just technically submitted your confession. Let's hope this doesn't bite you in the ass now. Even if it does, maybe then you will understand a few things a bit better.

Privacy for the rest of us

[schwaang]

Encryption gives a sometimes false sense of security, and the technology is a hassle. It's better to reinforce societal expectations for privacy where it is due, and let social mechanisms (like laws and market reputation) do the job.

Consider e.g. that if you use https from your workplace and see the happy little lock icon in FF or IE, you probably feel safe.

But some workplaces insert a proxy in between you and gmail (or what have you), having stuffed the proxy's certificate on your (their) work machine through local policy. Unbeknownst to you, your employer then sees the communication which you thought was totally private. Now imagine if an ISP could do that and get away with it.

The point is that even if you do *care*, the technology is hard to keep track of, and there is an arms-race ladder of one-upmanship that makes this a never-ending game, which some nerds can win, and most of us will lose.

What will really keep you safe is to stand up for a reasonable expectation of privacy where it should exist, and create norms and laws that protect this. Saying "NO" to Phorm or other invasions by ISPs is part of that approach, and creates legal and commercial consequences that are more effective than asking every grandma to mess with PGP.

Re:

[Lord Ender]

Key exchange is hard.

If we had signed DNS, and DNS started distributing X.509 certificates ("type CERT queries"), then secure email really would hit the mainstream.

Re:The dream of encryption

[Sloppy]

Now, the majority of even the hard-core geeks no longer have much interest in encryption.

Then they're not hard-core geeks.

Geez, they're not even soft-core geeks. In December 2005, paranoid what-if rants about theoretical risks, became mainstream knowledge. If you're awake (geek or not), you know we have to start encrypting.

Re:

[geekgirlandrea]

We never went anywhere. I still read Applied Cryptography from time to time. I also:

• Run a private XMPP server for me and my girlfriend which only accepts SSL connections.
• Operate a tor exit.
• Attach a PGP signature to every e-mail I send.
• Still think anonymous digital cash schemes are a really cool idea.

The problem is mostly that there are so few other people who seem to care. I send a digital signature on every e-mail, but as far as I know no one ever verifies it. I've sent and received maybe two *enc

Re:

[chappel]

I've played around with FireGPG to encrypt gmail via firefox, and it's pretty cool, but I've been really disappointed at the total lack of gpg/pgp client software for 'smart' phones - I've got a work issued Blackberry with no gpg options, and I haven't had any luck finding anything that will run on an iPhone or android, either. What's up with that? Anybody know of a way to encrypt gmail (or anything else, for that matter) on a smartphone? I love 'email in my pocket' and would gladly start encrypting most

At this point does it need to be said?

[Anonymous Coward]

Encrypt everything. Even if you have no reason to, encrypt everything, because someday it might bite you in the ass.

Re:

[Shakrai]

Even if you have no reason to, encrypt everything, because someday it might bite you in the ass.

Like when you forget your encryption key ;)

Re:

[Boomerang Fish]

Yeah, I used to do this...

Then I lost the key due to a hard drive and floppy disk failure within the same week (wow, that dates this a bit...)

Now I have these wonderful encrypted documents that contain proof of alien intervention with the history of our planet and I can't get at it anymore...

D*MN YOU GRAYS!!!

--
I drank what?

Re:At this point does it need to be said?

[Obfuscant]

Now I have these wonderful encrypted documents that contain proof of alien intervention with the history of our planet and I can't get at it anymore...

Just mail a copy of each one to yourself at another account and someone will decrypt them for you. I can't tell you who, I've already told you too much and I'm afraid awi3qu91 108OI)

[NO CARRIER]

Re:At this point does it need to be said?

[Obfuscant]

Not because it will bite you in the ass, but because by encrypting everything you 1) give them more stuff to look at and if they are looking at you they aren't looking at me, and 2) it won't be obvious that you are trying to hide something when you DO encrypt that particularly incriminating file. They'll have to spend time decrypting your email to Mom as well as the picture of cousin Julie when she was 4.

Re:

[element-o.p.]

I'd encrypt everything simply to protest the big-brother mentality that seems to be taking over here in the U.S. >:]

Freedom to Conspire

[MarkvW]

Which side are you on: CONTROL or KAOS? That is the question. The Government can only answer that question if it can intercept your communications. Are you going to let them? Can you stop them? Do you care?

All I can say is that you should Get Smart!

This is good

[damburger]

People like Sir Tim need to speak out on such issues, because their contributions to science and technology are touted by our leaders as 'proof' of Britain being a modern, forward thinking society - rather than the withered, reactionary, largely technophobic old empire we in fact are.

About mail

[rogere]

Is normal paper mail 'snooped' nowadays? Big box mail usually is, but envelopes? Sensible question, but if it is... in that sense snooping packets would make sense.

bad long-term solution

[a2wflc]

When governments start snooping on everything they make it harder to snoop on criminals in the future. This makes lots more people want secure networks, which makes more people create tools to make it easy to send/receive encrypted data, which makes even the people who don't know about the issues aware of the issues and tools. Once the tools/protocols become normal, police won't be able to snoop on suspected criminals even with a court order because everything is encrypted.

That'll just make them pass more laws and restrict ISPs so that unsnoopable content isn't allowed. Which will make people start creating stenogrphy tools so things look snoopable, which will make other people aware of the issues and wonder why the gov't is so concerned and start using them.

Then people start using those tools and snooping becomes more expensive (trying to detect stenogaphy) and still useless. But it will get lots of otherwise innocent people in trouble for using encryption or stenography to do something unimportant like send email to their mother.

If police stick to treating everyone as innocent until they had a valid reason to think otherwise and then got a court order they will have a lot more ability to snoop in the future.

Post office also ask about the content in mail

[Anonymous Coward]

>> Sir Tim said that ISPs 'snooping' on data was similar to the interception of mail

Actually, if you think about it, the Post Office also ask about the _type_ of content in your mail: document (letter) ? CD/books ? or fire arms ? ;-)

i admit Post office does not read the words in your letter.

He's lying!

[KiwiCanuck]

Everyone knows Al Gore invented the www. ~:-)

TBLs personal view

[Anonymous Coward]

Sir Tim, posted his personal view to #swig on irc.freenode.net [1]

http://www.w3.org/DesignIssues/NoSnooping.html

[1] http://swig.xmlhack.com/2009/03/11/2009-03-11.html#1236787895.276276

I'd like to know

[Slumdog]

What Al Gore thinks of this.

Obscure reference

[ClosedSource]

That's like asking Al's father what he thinks of the CHP or state troopers.

Heh.

[Kingrames]

The internet then defiantly turned around and screamed, "YES!"

This is intellectually dishonest.

[rindeee]

Even thinking that this is reasonable is amazingly foolish. If you are concerned that Internet snooping is a problem, then the solution isn't to demand that it not take place. The solution is to nullify it. You can only be assured that it won't happen if it cannot (technically) reasonably happen.

Write to your MP

[AlexanderHanff]

Good to see Slashdot has finally picked this up. I sent them the press release about the event last week and as one of the organisers of the event and founder of NoDPI.Org I am pleased to say the event went incredibly well and the press coverage has been amazing. Now would be a good time for people in the UK to write to their MP's directly to discuss the event and make it clear to them that you expect them to research the issue for the purpose of parliamentary debate or you will not be voting for them in

What's in YOUR packet...???

[bratwiz]

So does anybody believe they don't already do that here in the U.S.A?

Re:

[mcgrew]

Dude, there are these things here at slashdot called "journals" [slashdot.org] where you can post any damned fool thing you want without wasting your sock puppet's karma on needless "offtopic" mods.

I usually write about hookers and other women (oddly, people actually read them!). You could post your Israel trolls.

Re:

[Philip K Dickhead]

Yeah.

But... FP! ;-)

Re:

[mcgrew]

I never could understand why everyone wanted to drink that frosty piss. There were times I'd have something funny or informative to say, and got modded down (initially, anyway) just because it was FP.

I hate getting first post.

Re:What a fucking fantasy land Sir Timmy lives in.

[Timosch]

So basically the consequence of what you're saying is "Ban encryption, because those bloddy terrorists/chinese spies/pedophiles/software pirates might use it to do something evil"? Yeah, good idea. Tomorrow on CNN: Door locks banned. They prevent police from entering criminals' homes, police say.

Re:

[rogere]

Is this a reply for another parent? I'm not implying anything, I want to know if there are countries where envelope mail is opened for 'snooping'.

Re:

[Timosch]

Yes, it's a reply to somebody else who has been modded -1, so you don't see his comment. Hence my comment appears to be a reply to yours although it isn't. Weird but true :-)

Re:

[GPLDAN]

Did I say ban encryption? No, I don't think I did.

Investigate encrypted IP streams from US IP ranges to Chinese ones? You betcha.

Re:

[geekgirlandrea]

So helping Chinese people get around the Great Firewall should get you investigated by a bunch of Gestapo wannabes? That's idiotic.

Re:

[GPLDAN]

You have no idea how the world works.

Re:

[DMUTPeregrine]

Lack of QoS is not a good thing. I want routers to respect the IP TOS field. It's there for a reason. Lack of non-standard QoS is the bad thing. With QoS I can use bittorrent and play games at the same time, without it there's no prioritization and the game lags. It's the deep-packet inspection that's intrusive crap.