icra
icra copied to clipboard
brett-lempereur
Only web-page level data?
I don't actually know the scope of the bill, so I could be mistaken about this, but ICRA only seems to be logging web pages visited. Wouldn't the government additionally have access to info about all requests made from the browser, and include images, javascript and other resources loaded from third party domains?
This shows the data available without a warrant. Data about which webpages are visited require a warrant.
You can see some third party sites being referenced when a website is connected to.
This issue can probably be closed, I guess.
I agree, there are two ways of looking at this though. On the one hand, it would clutter the UX with information that's less interesting than the websites I'm deliberately browsing. On the other, it would provide a better approximation of the type and quantity of information CSPs will be dealing with.
It could be achieved by hooking into some of the other Chrome WebNavigation callbacks, and I could broadcast that information on a separate topic (something like Browsing/[ID]/Resources). I'd need to give people access to the MQTT server, which I'm happy to do, but the free tier of the CloudMQTT broker is quite limited -- ten clients maximum, heavy restrictions on the amount of data. If I can beg, borrow, or steal another broker I can add this to the client and give documentation on how to connect to the broker and do something with the data.
That might limit adoption from others wishing to contribute their browsing data to the ICRA front page, who would be identified to some degree by the metadata they give within the chrome extension, i.e. work-mac or desktop-pc so would have to be optional if it were to be implemented.
Although a "I have a warrant" that links to a page with the full paths adds a feature to the ~~voyeuristic~~ demonstrable power of collecting web browsing history.
This shows the data available without a warrant. Data about which webpages are visited require a warrant
My point was that a resource loaded from a third party server could seem to come under the broad definition of a separate "Internet Connection Record" as defined by the draft bill:
47.(6) In this section “internet connection record” means data which— (a) may be used to identify a telecommunications service to which a communication is transmitted through a telecommunication system for the purpose of obtaining access to, or running, a computer file or computer program, and (b) is generated or processed by a telecommunications operator in the process of supplying the telecommunications service to the sender of the communication (whether or not a person). -- https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/473770/Draft_Investigatory_Powers_Bill.pdf
Say I visit http://blog.example for the purpose of obtaining a blog post (or, computer file). That blog post hotlinks to a photo on http://flickr.com, which my browser then goes and retrieves, for the purpose of obtaining a photo (or, computer file). Have I then created one Internet Connection Record, or two? If two, then both should be recorded by ICRA.
Now say that instead of hotlinking the image, that blog post just includes a hyperlink to the photo, which I click. Even if the scenario above is only counted as one Internet Connection Record, surely if I manually click this link to the Flickr image I've connected to a separate telecommunications service and now I'm definitely creating two Internet Connection Records?
The problem is that (AFAIK) my ISP can't easily tell the difference between these two scenarios, they're both requests to an image/jpeg on Flickr with a Referer header which points to the blog post.
By the way, I should say that I hope this kind of issue is the discussion you were hoping to generate with this project. One of the big problems with the Bill is that the terminology is so loosely defined as to be unimplementable, even if there was a justification for it to exist (which I don't believe there is)
I see where you were you were going with this now- although I skipped over the java script requests (sorry). I thought you were alluding something like:-
- Connect to outlook.com
- icra shows live
- icra shows all other domains in the requests, i.e. skype, ms, live, etc
- icra shows live
Which it does already but with specific page urls.
You're right about the language of the bill which makes it difficult to implement, whilst being somewhat trivial to subvert for tech savvy folks. In all technicalities, a CSP could be any wifi provider (for example), heck if one is running a webserver then it could be argued that linking to off-site sources means your a CSP, ¯_(ツ)_/¯.
as a complete newbie to this type of conversation, topic and country (the world of coding) I would appreciate any guidance, input, education around how to keep (or attempt to keep) the world at large including all "educated & knowledgable" peoples out of my life and computer if it is even possible.... Education beginning.... consider me pre-school.... I know what the computer is and how to use it for my purposes..... programing is a language I know exists but what it says nada.... so attempting to install the code here I am at a loss....
