The important question, only important question IMHO, is how they handle positives. Do they go all guns blazing and arrest the person on the spot? Or do they use a restrained approach and first nicely ask the person if they have any ID, etc? That's the important bit.
Regulation of Investigatory Powers Act 2000 means authorities can request encryption keys (passwords) from you and you can't say no.
Investigatory Powers Act 2016 literally nicknamed Snoopers' Charter. Means ISPs keep all your traffic for minimum a year, police are given access to it, but politicians are exempt and need a warrant to have their data viewed?!?!?
UK police have been rolling out Live Facial Recognition in London and Wales for the last few years. Seven new regions are being added. 10 new vans coming in.
Supermarkets are using facial recognition to keep a database of people they deem criminals.
UK tried to make Apple put in a backdoor to its encrypted storage. Apple removed the ability for UK citizens to use that feature.
Online Safety Act forced online services to implement age verification for "adult" content. Many niche forums closed down because they would face large fines and jail time if they didn't comply. Larger businesses offloaded this requirement onto third party companies so now if you want to see "adult" content online you need to share your face or bank details or government ID with a random third party likely from a different country.
None of the major political parties care about digital rights and in fact want MORE surveillance.
> None of the major political parties care about digital rights and in fact want MORE surveillance.
This is because most of the public don't care about those rights either, and are entirely happy with surveillance. You've got nothing to hide right? If you don't the government to know what you're looking at its probably because you're a paedo, or maybe a terrorist. Maybe even both.
Its not the government who need to be convinced on this, it's the general public, and currently there's not really anyone out there explaining how you can't have a backdoor that only the government and good guys will be able to use.
No, the IPA 2016 does not require all ISPs to retain copies of all traffic for one year. There are already enough bad things to say about that act without making shit up.
Those 'niche' forums you mention are explicitly excluded from the Act.
Apple made the change to advanced security in advance of the bill being finalised, now the government has gone in another direction.
All the online safety act does is implement online the law as it stands IRL. British folk have been using the same ID verification systems to validate identity for nightclub admission, passport applications, driving licence applications, benefits claims, state pension claims, disclosure and barring checks, tax filings, mortgage deeds, security clearances, job applications, and court filings since 2016.
All the reaction is just pearl clutching - 5 million checks a day are being performed, the law itself is wildly popular with 70% support amongst adults after implementation.
There are three levels of checks - IAL1 (self-asserted, low confidence), IAL2 (remote or physical proof of identity), and IAL3 (rigorous proof with biometric and physical presence requirements).
IPA 2016 affords police access to your domain history, not content history, provided police can obtain a warrant from a senior High Court Judge. The box which stores the data is at ISP level and is easily circumvented with a VPN, or simply not using your ISP's DNS servers.
IPA 2016 doesn't exempt politicians from surveillance. It includes specific provisions for heightened safeguards when intercepting their communications. The Act establishes a "triple-lock" system for warrants targeting members of a relevant legislature, requiring approval from the Secretary of State, a Judicial Commissioner, and the Prime Minister. This heightened scrutiny is in recognition of the sensitivity involved in surveilling politicians, particularly given the surveillance of Northern Irish politicians and others in the 1950s, 60s, 70s, and 80s.
Part III of the Regulation of Investigatory Powers Act 2000 (in force 1 October 2007), and Schedule 7 of the Terrorism Act 2000 provides powers over encryption keys/passwords etc. Section 49, RIPA can be used to force decryption, Section 51 to supply keys or passwords. These are identical to powers the police have IRL over safes, deposit boxes etcetera, and the penalty for non-compliance is identical.
You cannot use encryption or passwords to evade legal searches with a scope determined by a court on the basis of evidence of probable cause shown to the court by the entity requesting the search. A warrant from the High Court is required for each use.
Notable cases:-
- Blue chip hacking scandal - corrupt private investigators were illegally obtaining private information on behalf of blue chip companies.
- Phone hacking scandal - corrupt private investigators were illegally hacking voice mail on behalf of newspapers.
- Founder of an ISP using his position to illegally intercept communications and use them for blackmail.
> Those 'niche' forums you mention are explicitly excluded from the Act.
No, they are not.
> Our research indicates that over 100,000 online services are likely to be in scope of the Online Safety Act – from the largest social media platforms to the smallest community forum. We know that new regulation can create uncertainty – particularly for small organisations that may be run on a part time or voluntary basis.
Yes, they are in scope but a "small community forum" has nothing to do but to fill and keep a few self-assessments just in case. There is no requirement to implement age verification across the board (hence why current official guidelines target only porn sites in relation to age verification).
You are being facetious as "priority illegal contents" are the sort that are the ones that are obviously very unlikely to be encountered on a "normal" small community forum. So this is no more than a box-ticking exercise, really.
Regarding age verification, the OSA is explicit states that if you ban all such content in your T&Cs you do NOT need to have age verification.
I take it you didn't read your own link, the language used is "services".
If you happen to be running the UK panty wetters forum from your own server, then you have a problem, but grandma Jessie's knitting circle is explicitly not in scope.
YOUR link goes on to say
>the more onerous requirements will fall upon the largest services with the highest reach and/or those services that are particularly high risk.
Even if your forum falls in scope, you're only required to do a risk assessment, if at that stage you are likely to have a lot of underage users, then there might be an issue.
However, if you're not an adult site, you only need to comply by providing the lowest level of self certified check. Handily, most of the big forum software providers have already implemented this and offer a free service integration.
> I take it you didn't read your own link, the language used is "services".
I do love it when people lie and then try to get sassy when called out.
> Even if your forum falls in scope, you're only required to do a risk assessment, if at that stage you are likely to have a lot of underage users, then there might be an issue.
I also like it when people who accuse others of not reading prove themselves incapable of reading - as pointed out below, what I linked is required regardless of the assumed age of your userbase.
All positives are verified by humans first before action is taken, all the system does is flag positives to an operator. Once verified, then the action movie starts.
Match quality below 0.64 is automatically discarded >0.7 is considered reliable enough for an enquiry to be made.
So far ~1,035 arrests since last year resulting in 773 charges or cautions, which is pretty good when you consider that a 'trained' police officer's odds of correctly picking a stop and search candidate are 1 in 9.
In the UK you don't have to provide ID when asked, appropriate checks are made on arrest, and if you lied you get re-arrested for fraud.
The system has proved adept at monitoring sex offenders breaching their licence conditions - one man was caught with a 6-year-old when he was banned from being anywhere near children.
Before anyone waxes lyrical about the surveillance state and the number of CCTV cameras, me and the guy who stabbed me were caught on 40 cameras, and not a single one could ID either of us.
> "In the UK you don't have to provide ID when asked"
Well if you are suspected of a crime they can arrest you if you refuse to identify yourself. I 'suspect' that being flagged by this system counts as such if you match someone who is wanted or similar.
You can't make an arrest on the basis of refusal to verify identity, unless a specific law is in play, or the Police officer has proof you are lying.
If the police have probable cause to suspect you've committed an actual crime, then you have to ID yourself, you are entitled to know what crime you are suspected of. Yes, facial recognition does count, but it has to be a high confidence match >0.7, verified by a police officer personally, after the match is made, and verified again on arrest.
If you are suspected of Anti-Social Behaviour then you have to ID (Section 50 of the Police Reform Act)
If you are arrested, then you have to provide your name and address (Police and Criminal Evidence Act 2000).
If you are driving, you have to ID (Section 164 of the Road Traffic Act).
Providing false information or documents is a separate criminal offence.
Essentially, police can't just rock up, demand ID, and ask questions without a compelling reason.
> You can't make an arrest on the basis of refusal to verify identity, unless a specific law is in play, or the Police officer has proof you are lying
> If the police have probable cause to suspect you've committed an actual crime, then you have to ID yourself, you are entitled to know what crime you are suspected of
It's always been my impression that this kind of ambiguous phrasing combined with the power imbalance gives the public absolutely no protection whatsoever. Let's say you don't want to provide ID: the copper could come up with some vague excuse for why they stopped you / want your ID. Good luck arguing with that
>the copper could come up with some vague excuse for why they stopped you / want your ID.
In which case, their sergeant will tear them a new one, right after the custody sergeant has finished tearing their own hole because the careers of both of those people rely on supervising their coppers and supervising their arrests. If the custody sergeant has to release someone because the copper can't account for themselves, that is a very serious matter. The sergeant's can smell a bad arrest a mile away.
The copper has to stand up in a court of law, having sworn an oath, and testify on the reasonable suspicion or probable cause they had. If they are even suspected of lying, that's a gross misconduct in a public office investigation.
Assuming they weren't fired over that, any promotion hopes are gone, any possibility of involvement in major cases or crime squads, hope of a firearms ticket, advanced driving, or even overtime are gone. Their fellow officers will never trust them to make an arrest again.
It's not consequence free, I'm not saying it doesn't happen, or that some officers rely on you not knowing your rights, but it is a serious matter.
Then what happens if you don't have ID on you (which, for now, is entirely legal in the UK)? What if you're hours from home? Do you then need to completely cancel your day to spend it with the cops instead satisfy some shit algorithm that misidentified you as some known threat? What if you refuse to cooperate because you have better things to do than waste your time with the police? I'm sure that'll go well for you.
What if your child falls victim to a false identification, and then given that children are far less likely to have some form of ID on them than adults, they're stuck for much longer?
Do you trust the British police to take good care of your child? Or will they strip-search her and threaten her with arrest like they did with the then-15-year-old Child Q because they decided that she "smelled of weed"?
Do you really want more unnecessary interactions with the police for yourself or those you care about when your "suspicious behaviour" was having an algorithm judge that your face looked like someone else's?
It's also worth noting that if you are arrested for a serious offence your DNA and biometrics will taken and held for ever even if you are release without charge and the real perpetrator latter convicted.
In the eyes of the law you will be innocent but you'll still be treated like a criminal.
The same could accidentally happen for a minor offence too.
West Yorkshire, West Mids, The Met and Great Manchester Police have all made admin "mistakes"[1] where they failed to delete DNA evidence since the Protection of Freedoms Act 2012 came into force.
No one has been sanctioned or fined for those mistakes.
You might not think being on that list matters but during the good ol' days of the 1980s innocent trades union activists were placed on a secret list by the Met's Special Branch and that list passed potential empoyers to bar them from getting jobs.
Again, no one punished for that and if it's happend once it can happen again.
See the Scott Inquiry for details.
1. These scare quotes are because I don't beleive this always happens through incompetence. I'm not saying it's always the case but some of the time the police are just ignoring the rules because the rules have no teeth.
On arrest, you're required to provide your name and address, not proof. For the absolute majority of UK adults, it takes exactly 2 minutes to verify that data against public records - passport, driving licence, council tax, voter registration.
Lying in that situation is a separate criminal offence all of its own.
>satisfy some shit algorithm that misidentified you as some known threat
Matches with a confidence rating of <0.64 are automatically deleted >0.7 is considered reliable enough to present to a human operator, and before any action is taken a serving police officer must verify the match, and upon arrest verify the match against the human.
>What if your child falls victim to a false identification
The age of criminal responsibility is 10, and absent any personal identification parental identification is the standard everywhere.
>15-year-old Child Q
The good old slippery slope fallacy. Both the officers who strip searched that child were fired for gross misconduct. North of 50,000 children are arrested each year and this happened once.
>Do you really want more unnecessary interactions with the police for yourself or those you care about when your "suspicious behaviour" was having an algorithm judge that your face looked like someone else's?
Thing is 12 months on, 1035 arrests, over 700 charges, and that hasn't happened because the point of testing the scheme thoroughly was to stop that from happening.
A constable is not going to be scanning the faces everyone going to Wembley in one night. Even 100 constables looking at faces entering faces going to Wembley is not going to scan everyone and recognise someone they know from a wanted poster (of maybe a couple hundred faces in their head).
The Met have already lied about the scale of false positives[0] by nearly 1000x, and it's not obvious how much better it will get. With the current tech, this rate will get worse as more faces are being looked for. If it's only looking for (I'm guessing) a thousand high-risk targets now and the rate is 1/40, as more and more faces get searched for this problem gets exponentially worse as the risk of feature collisions rise.
Of course, it'll also disproportionately affect ethnic groups who are more represented in this database too, making life for honest members of those groups more difficult than it already is.
The scale is what makes it different. The lack of accountability for the tech and the false confidence it gives police is what makes it different.
"The Metropolitan Police say that around one in every 33,000 people who walk by its cameras is misidentified.
But the error count is much higher once someone is actually flagged. One in 40 alerts so far this year has been a false positive"
These are 2 different metrics that measure 2 different things and so they are both correct at the same time. But I must say I am not clear what each exactly means.
Again worth mentioning something I've mentioned in other comments, and it's enormously obvious: There's a massive differene between unluckily being misindentified by some random copper who needs to get his memory or eyesight checked, and the percentage of false positives that's nearly guaranteed from a mass digital facial rec surviellance system working around the clock on categorizing millions of faces all over the country. The first is a bit of bad luck, the second will likely become pervasive, systemic and lead to assorted other shit consequences for many people being cross-checked and categorized in all kinds of insidiuous ways
You raise a good point that if the system wrongly ID you once it means that you're probably liable to be flagged every time you walk past one of those vans...
I think it's almost inevitable. The very nature of the bureaucratic procedures that grow up around these sorts of flag lists is that effort tends to accumulate at those points, right or wrong, and your being listed on them becomes almost self-reinforcing through bureaucratic inertia and over-caution, mixed with laziness about investigating if their own systems are wrong and repairing the problem.
The important question, only important question IMHO, is how they handle positives. Do they go all guns blazing and arrest the person on the spot? Or do they use a restrained approach and first nicely ask the person if they have any ID, etc? That's the important bit.