The Investigatory Powers Bill – dubbed the Snooper's Charter by critics – will be signed into UK law by the end of 2016. It will enhance the spying powers open to police, intelligence agencies and public bodies and will provide strong legal backing for "bulk" collection (and hacking) of communications.
That means metadata about your phone calls, text messages, internet browsing histories, voice-call records and social media conversations will be stored by communications providers for at least 12 months and handed over to law enforcement and security services upon request.
It also will result in bulk interception of communications, bulk hacking and the collection of bulk personal datasets being given legal backing. Essentially, it legalises the slew of spy programmes that have been used by GCHQ, MI5 and MI6 for years without parliamentary oversight.
The proposals, spearheaded by current UK Prime Minister Theresa May, aim to bring together a number of separate and outdated laws – including the Regulation of Investigatory Powers Act and the Telecommunications Act 1984 – under one piece of central legislation.
Yet the proposals have been roundly criticised by technology firms, human rights groups and even internal government groups. The UK's own Intelligence Committee said the bill was rushed and lacked clarity. The Open Rights Group said the proposals were "draconian." Privacy International said it signified a "grim watershed moment" for personal privacy.
Bulk Collection & Interception
One of the most shocking aspects of the Snowden disclosures from 2013 was the sheer amount of information being collected in bulk by security agencies, including the National Security Agency (NSA) and Government Communications Headquarters (GCHQ). Outed spy programmes, including Prism, XKeyscore and Tempora, we discovered, allow spies to sift through vast amounts of communications data.
The Investigatory Powers Bill aims to legalise most of this bulk collection of phone records, web data and personal messages − be it email or text. In each case, "metadata" will be retained – this is the "who, when, where and how" info of a communication but not its content.
The bill features both bulk interception and bulk collection. The first involves "intercepting international communications as they travel across networks" and the second is data that is "obtained from communications service providers."
If the collection of metadata and not content appears to be a welcome compromise, think again. Metadata "can reveal a lot more about the content of your calls than the government is implying," the Electronic Frontier Foundation (EFF) claims, adding that it "provides enough context to know some of the most intimate details of your lives."
The collection of internet data – internet connection records (ICRs) in the bill – will be opened up to the police and intelligence services. They will be stored by internet providers – think TalkTalk, Virgin or BT – for at least a year and will include metadata, such as when you visited a website, at what time and from what computer.
In short, ICRs will list all your internet activity. Every website you visit and smartphone app you access. According to Big Brother Watch, the collection of this content "can reveal more about us than we realise."
It said: "They can reveal our health and finances, our sexuality, race, religion, age, location, family, friends and work connections. They can also reveal our internal thoughts, anxieties and desires, information we won't even share with the people we trust the most."
Agencies like GCHQ and MI6 will be given legal authority to hack into targeted computer systems as part of investigations. Called "equipment interference" in the Investigatory Powers Bill, it warrants both physical hacking (downloading data from a device in possession) and covert interference (extracting data remotely).
"At the lower end of the scale, an equipment interference agency may covertly download data from a subject's mobile device when it is left unattended, or an agency may use someone's login credentials to gain access to data held on a computer," states the Code of Practice. "More complex equipment interference operations may involve exploiting existing vulnerabilities in software in order to gain control of devices or networks to remotely extract material or monitor the user of the device."
"We question whether hacking can ever be a legitimate form of state surveillance," said Privacy International. "The logging of keystrokes, tracking of locations, covert photography and video recording of the user and those around them enables intelligence agencies and the police to conduct real-time surveillance."
Bulk Personal Datasets
Bulk personal datasets (BPD), often overlooked, include banking data, travel information, passport scans, medical documentation and hospital records "about a wide range of individuals, the majority of whom are not of direct intelligence interest." In many cases, they are "too large to be manually processed."
Conservative MP David Davis previously told the UK joint committee: "This is very intrusive information for a state to hold. We are pretty sure they have all the communications data, they have got flight data, they have almost certainly got financial data, and they may well have Automatic Number Plate Recognition data."
MI5 argues that BPDs – stored in searchable databases – are used to "understand a subject of interest's behaviour and connections, and to quickly exclude the innocent." Critics point out that for this approach to work everything has to be collected on a massive scale, leading to very real privacy concerns.
The government maintains that Parliament will have greater oversight than ever before – however, to be fair, the bar was fairly low to begin with. In March this year, Theresa May claimed the bill had been changed to strengthen the powers of an oversight commissioner and to introduce enhanced safeguards around interception warrants.
"The commissioner will have a clear mandate to inform Parliament and the public about the need for, and use of, investigatory powers. The commissioner will report publicly and make recommendations on the findings that emerge in the course of his or her work," the UK government has said. Additionally, the updated system boasts a so-called "double-lock" on warrant authorisation, alongside the need for the prime minister to be consulted before the interception of particularly sensitive communications.
In August, a 200-page report was released by David Anderson QC, the UK's former Independent Reviewer of Terrorism Legislation, which effectively green-lit the bulk surveillance proposals. He concluded there was 'no viable alternative' to the current spying regime.
With current surveillance legislation – the Data Retention and Investigatory Powers Act 2014 – set to expire on 31 December this year, the Investigatory Powers Bill is now expected to gain Royal Assent and be signed into law well in advance of that date.
What does the future hold?
"The passing of the IP Bill will have an impact that goes beyond the UK's shores," said Jim Killock, executive director of the Open Rights Group. "It is likely that other countries, including authoritarian regimes with poor human rights records, will use this law to justify their own intrusive surveillance powers."
"While parliamentarians have failed to limit these powers, the courts may succeed," he continued. "A ruling by the Court of Justice of the European Union, expected next year, may mean that parts of the Bill are shown to be unlawful and need to be amended."
Meanwhile, Paul Bernal, a leading privacy and human rights expert, told IBTimes UK the introduction of the surveillance law could be "easily misused" by future governments and unexpected political change.
"The rapidity of recent political change, from Brexit to the election of Trump, should alert us to the danger," he said. "These powers are actually better suited for monitoring and controlling political dissent than catching criminals and terrorists − they're ideal for an authoritarian clampdown should a government wish to do that. A future government might well."