THE BRITISH GOVERNMENT on Wednesday published a proposed new law to reform and dramatically expand surveillance powers in the United Kingdom. The 190-page Investigatory Powers Bill is thick with detail and it will probably take weeks and months of analysis until its full ramifications are understood. In the meantime, I’ve read through the bill and noted down a few key aspects of the proposed powers that stood out to me — including unprecedented new data retention measures, a loophole that allows spies to monitor journalists and their sources, powers enabling the government to conduct large-scale hacking operations, and more.
In the days prior to the publication of the Investigatory Powers Bill, the British government’s Home Secretary Theresa May claimed that the law would not be “giving new powers to go through people’s browsing history.” However, the text of the bill makes clear that this is precisely what the government is trying to do.
Under the proposed law, Internet companies in the U.K. would be forced to record and store for up to 12 months logs showing websites visited by all of their customers. The government has tried to present this as “not a record of every web page” accessed (emphasis added). This is technically true, but it’s also extremely misleading. The logs will show every web site you visited — for example, bbc.com — as opposed to the specific pages on that website, for example, bbc.com/news.
This information, especially when accumulated over a period of a year, would still be highly personal, potentially revealing your political preferences, sexuality, religion, medical problems, and other details that could be used to draw inferences about your private life.
The attempt to obtain this power is a politically radical move. As far as I am aware, no other Western democracy has implemented a nationwide data retention regime that encompasses all citizens’ annual web browsing habits. The British government says the data will only be looked at to determine, for example, “whether someone [has] accessed a communications website [or] an illegal website.” But there are only limited safeguards in place to ensure these conditions are not breached by overzealous authorities. Police will be able to access the records without any judicial approval; a person’s website browsing records can be obtained after a “designated senior officer” grants an authorization.
Notably, British surveillance agency Government Communications Headquarters, or GCHQ, already has systems it uses to sweep up and monitor people’s website browsing histories in bulk, as The Intercept reported in September. You can make it much harder for the government and Internet companies to monitor your browsing habits by adopting the anonymity tool Tor.
The draft bill includes a welcome safeguard that will force police to obtain judicial authorization if they are seeking to use metadata to identify a journalist’s confidential sources. However, the provision protecting journalists from arbitrary police spying contains a gaping loophole that exempts British intelligence agencies, meaning they still have carte blanche to monitor journalists’ communications without any judicial approval. The law will also ensure that the surveillance is kept secret from journalists and their legal representatives, unlike the stronger system that is in place in the United States for journalists when it comes to government surveillance.
The British government claims that new measures contained in the bill amount to “world-leading oversight.” Unfortunately, this is nonsense. While it is true that the proposed law would to some degree strengthen the extremely lax surveillance safeguards currently in place in the U.K., the changes would not amount to the creation of a world-leading system.
Warrants for the interception of the content of communications are presently signed off by a government minister; under the new legal regime, the government minister would sign off the warrant and then it would go to a “judicial commissioner” (likely a current or former judge) who would review it and decide whether to grant final approval.
This additional layer of judicial scrutiny on its face seems like a significant change, but in practice, as some British legal experts have pointed out, it is not clear whether the judicial commissioner would have a great deal of power to properly scrutinize or formally “authorize” the warrants in anything other than a supervisory role. Moreover, the government minister would retain the power to bypass the authority of the judicial commissioner if there were deemed to be an “urgent need” to approve a warrant.
A section of the bill proposes new powers to allow police to perform what is euphemistically termed “equipment interference.” In normal language, this means hacking. In recent years, British authorities have been very anxious about adopting hacking techniques, fearing that such methods could violate the U.K.’s computer misuse laws. However, under the powers contained in the new surveillance law, police would be handed the authority to launch hacking operations in cases involving “serious crime” and where a judicial commissioner approves a warrant that has already been signed off by a senior officer.
Notably, the bill also contains a clause designed to allow British spy agencies to perform “bulk equipment interference” — in other words, large-scale hacking of computers or phones to covertly collect data or monitor communications. Prior to the Edward Snowden disclosures, it would have been unthinkable for the British government to admit that it performed any kind of hacking, so to see powers for this tactic formalized in such a way is quite remarkable. It represents an attempt to institutionalize, broaden, and perhaps in some cases even retroactively legalize the tactics the agencies have been deploying in recent years on dubious legal footing under cover of secrecy.
The bill includes a clause that seeks to criminalize any “unauthorized disclosure” by telecommunications employees of any details about government surveillance. The clause appears designed to stifle leaks and deter whistleblowers. A breach of this section of the proposed law would result in a 12-month jail term and a fine.
In the lead-up to the publication of the bill, there was speculation that the British government may try to impose a ban on strong encryption. The bill does not seek to ban encryption, but it does make clear that the government will have powers to serve companies with a “technical capability notice” for the “removal of electronic protection applied by a relevant operator.” The government says this measure does not go beyond the powers it already has to compel Internet companies to remove encryption from communications or data they process. But the phrasing of the technical capability clause is vague and it remains unclear whether it could in practice be used to attempt to force companies to place surveillance backdoors in their encryption products — such as, for instance, smartphone apps offering encrypted chats.
In September, The Intercept reported that British spy agency MI5 was conducting extensive domestic surveillance within the U.K. as part of a program named DIGINT. But the publication of the Investigatory Powers Bill brought with it the first official confirmation: The British government admitted that MI5 has been involved in bulk surveillance of domestic communications.
Announcing the proposed new law on Wednesday, the home secretary referred to the “use of bulk communications data” in relation to a domestic terrorist plot that was said to have been aimed at the London Stock Exchange. The bulk surveillance was authorized under the Telecommunications Act, a 1984 law that has been used to secretly obtain communications from companies when doing so is deemed to be “in the interests of national security or international relations.”
If the new Investigatory Powers Bill is passed into law, it will replace this power, ensuring that the bulk domestic surveillance continues unabated.
Top photo: Matt Cardy/Getty Images