Latest in Cybersecurity

Image credit:

UK Investigatory Powers Bill: what you need to know

Shares
Share
Tweet
Share
Save

The UK government has put forward a bill today that forces internet service providers (ISPs) to keep a record of the websites their customers have visited for up to 12 months. These "internet connection records" (ICRs) could then be requested by law enforcement, security and intelligence agencies to identify which services a person or device has been accessing. It would not reveal every webpage they've browsed -- the current understanding, as set out in David Anderson's recent review of surveillance laws, is that it would cover google.com or bbc.co.uk, but nothing beyond the first forward slash.

The proposed measure is a significant extension of the UK's surveillance powers. Since the Counter-Terrorism and Security Act 2015, providers have been required to retain data that could link specific devices and their usage to IP addresses. In practice, this includes communications data related to internet access services -- home broadband, mobile internet and WiFi -- and internet-enabled communication services, such as email and IM. The retention of so-called "web logs," however, is currently prohibited.

If the Draft Investigatory Powers Bill is passed, ICRs will be treated as communications data; a term used to describe the circumstances (who, when, where and how) of your messages. It's contextual information, rather than the content of the messages themselves -- so it doesn't cover what you actually wrote or said. At the moment, communications data can be requested by around 600 organisations (local authorities make up much of this number) for various reasons, such as national security, detecting crime and safeguarding the British economy. The new bill states, however, that ICRs will be off-limits to local authorities.

A 'double-lock' safeguard for intercept warrants

The draft bill is designed to explain and simplify the patchwork of existing surveillance laws, including the Regulation of Investigatory Powers Act 2000. Many of the definitions surrounding data types, for instance, are now outdated, so this is a chance to clarify what they mean and exactly what's accessible to different parts of the government. The home secretary Theresa May also wants to introduce new safeguards recommended in Anderson's review. Under the proposals, the government will create a new Investigatory Powers Commissioner (IPC) to keep its actions in check. It will be a senior judge supported by judicial commissioners, who will be responsible for approving interception warrants -- requests to uncover the content of people's messages. At the moment, only a sign-off from the Secretary of State or a Scottish Minister is required. The proposals would therefore introduce a "double-lock" mechanism to ensure that each request is necessary and proportionate. Exceptions would be allowed for "urgent cases," but most of these would still require an authorisation from a judicial commissioner within five working days.

Clarifying existing surveillance powers

May's proposed legislation also clarifies MI5, MI6 and GCHQ's bulk data collection capabilities for the first time, as well as their ability to use "equipment interference powers" -- hacking computers, phones and other devices. These are covered in previous laws, such as the Telecommunications Act 1984 and the Intelligence Services Act 1994, but this new bill proposes additional safeguards -- bulk warrants, for instance, would be limited to the security and intelligence agencies, and authorised only for national security reasons.

The draft bill is seen by many as a spiritual successor to the Draft Communications Data Bill, commonly known as the Snoopers' Charter, that was introduced in 2012. The legislation never came to pass, and while web logs were part of its proposals, there were other elements that aren't in today's draft bill. These include, for instance, a requirement for ISPs to retain third-party data -- in other words, messages sent over a network, covering services (usually outside the UK) which have refused to hand over its users' data.

Regardless, privacy advocates will see this new bill as a worrying expansion of the government's powers. For now it's a draft, and there will be a consultation period in the coming weeks and months. A revised bill will be introduced sometime in the new year, so critics have until then to voice their concerns and rally support from the public.

[Image Credit: Isabel Infantes/EMPICS Entertainment]

From around the web