The UK's far-reaching surveillance bill is now all but law

The Investigatory Powers Act will become the government's new guide to lawful mass surveillance.


A sweeping new surveillance regime is to be enshrined in UK law in the coming weeks, after the Investigatory Powers Bill passed through the House of Lords yesterday. All that's now required for the bill to become the Investigatory Powers Act is the Queen's approval, a formality known as royal assent. The controversial bill was first put forward this time last year, when primary author and now Prime Minister Theresa May was Home Secretary. The legislation consolidates various existing powers and introduces several fresh and far-reaching ones to become the UK government's new guide to lawful mass surveillance.

One of the headline powers included in the IP Bill is the requirement for communications service providers -- think ISPs and mobile carriers -- to collect and store Internet Connection Records (ICRs) for 12 months. And provide government agencies access to them, of course. Simply put, ICRs are data related to your online activity, but not the specifics. These include top-level domains, but not the individual pages you visited (so,, but not the articles that you read). ICRs also cover the who, when, where and how of online communications, logging all the data relevant to, say, a WhatsApp session, but not the content of that conversation itself. That would be a hard ask anyway, since WhatsApp (like many other messaging services) is end-to-end encrypted.

ICR retention will affect everyone, and it's one of the key intrusive powers included in the IP Bill. It could be some time before your ISP is physically capable of capturing and storing your browsing history and other online activity, though. Various communications providers warned the government early on that creating the systems to make this happen would be both technically challenging and extremely expensive.

There are many, many more Orwellian powers afforded to the government under the IP Bill, such as untargeted bulk surveillance, including the interception of communications (aka the content). Some of these surveillance tactics have been in use for, well, we don't really know how long. For example, the UK government's first admission of engaging in state-sponsored hacking, known in legislese as equipment interference, came with the publication of the IP Bill. In the post-Snowden era, the IP Bill is the government's way of legitimising and being transparent about the surveillance it undertakes, while detailing the safeguards in place that are intended to stop the abuse of such powers.

The legislation has been divisive since it was first published. Many interested parties, from communications service providers to tech companies and members of sensitive professions have spoken negatively of a number of proposals. The bill has also been debated at length by various committees, the House of Commons and most recently, the House of Lords. Organisations like Big Brother Watch and Privacy International have been in staunch opposition of the bill, arguing that the whole process has focused on ironing out the finer details of the bill, and that the fundamental breaches of privacy contained within have been largely ignored.

Not that it matters all that much now, as the Investigatory Powers Bill will almost certainly receive royal assent and become law before the end of the year. Just in time, too -- as far as the government's concerned, anyway -- since the Data Retention and Investigatory Powers Act currently in force will expire at the end of the year, after being ruled unlawful by the UK's High Court last summer.