IPAct – Controversial New UK ISP Internet Snooping Bill Becoming LAW

Broadband ISPs and mobile operators will tonight offer a collective sigh after the Investigatory Powers Bill effectively achieved Royal Asset to become an Act. The new law will force providers into logging a big slice of your Internet activity, irrespective of whether or not you’re even suspected of a crime.

At present ISPs need to see a warrant before logging what customers do online (for up to 12 months) and related logs are also extremely basic. By comparison the new law introduces a system that will require ISPs to store comparatively detailed Internet Connection Records (e.g. the websites / servers you’ve visited) for all their customers and this will also be accessible without a warrant (summary).

The recent Code of Practice suggested that an ICR’s “core information” will most likely include a customer’s “account reference, a source [Internet Protocol] and port address, a destination IP and port address and a time/date” (details), but some providers may be expected to collect more data than this if they can.

However a full interception warrant will still be required to obtain the most detailed information (e.g. the content of your communications), but even without one the ISP would still need to record your basic activity via ICRs (these will be stored for a period of 12 months) and that’s neither easy nor cheap to do.

Overly Simplified Interpretation of an ICR Log

A lot of people do however see the new law as a useful, maybe even necessary, tool for helping to combat the very real threat from terrorism and serious online crime. Meanwhile others fear that such monitoring goes too far (i.e. an invasion of privacy that could easily be abused), giving the UK one of the most extreme state surveillance laws of any Western democracy.

Jim Killock, Open Rights Group, said:

“The IP Bill will put into statute the powers and capabilities revealed by Snowden as well as increasing surveillance by the police and other government departments. There will continue to be a lack of privacy protections for international data sharing arrangements with the US. Parliament has also failed to address the implications of the technical integration of GCHQ and the NSA.

While parliamentarians have failed to limit these powers, the Courts may succeed. A ruling by the Court of Justice of the European Union, expected next year, may mean that parts of the Bill are unlawful and need to be amended. ORG and others will continue to fight this draconian law.”

Big question marks also remain over the fundamental issue of cost (ISPs will have to foot some of the bill) and technical feasibility, with every ISP predicting that the Government’s estimate of +£175m is well below the reality (here). As a result consumers may end up paying a higher price for broadband in order to help support it.

Some companies will also have to effectively seek approval from the Home Office if they wish to create new products, services or re-brand their business, which is understandable for administrative / operational reasons (certain changes might affect the data gathering), but at the same time it’s an ugly burden to place on any business.

It’s also not just the security services that will have access to ICRs, with the Department for Transport / Health, HMRC, NHS, Food Standards Agency, Gambling Commission and various other public authorities also being able to request the data (see the full list); except local authorities and council officials, who will NOT be permitted access.

On top of that the law also gives the security services new powers to hack computers and other electronic devices (GCHQ had previously been doing this covertly). The law may also make it difficult to offer secure / encrypted end-to-end communication services because companies will face legal pressure to hand over related comms data (example).

Recent Amendments

Thankfully there have been a few improvements to the IPBill since it was revised, again, at the end of last year. The government has introduced a new privacy clause, although this only aims to make it “clear that warrants or other authorisations should not be granted where information could be reasonably obtained by less intrusive means“.

Journalists have also been granted a bit of extra protection and a Judicial Commissioner will be required to consider the “overriding public interest” when authorising the use of Communications Data. In keeping with that the commissioner will also more generally be able to scrutinise the decision to issue a warrant, not just the process.

Meanwhile MPs will be protected from snooping and only the Prime Minister can explicitly approve an interception of their communications (note: doctors and lawyers etc. will also get some protection). Similarly trade union activities cannot be considered sufficient reason for investigatory powers to be used. One rule for them, another for the rest of us. Quite how ISPs will be expected to accurately identify all these exceptions is not clear (i.e. they might still have to log the data, even if the information itself won’t be requested).

Elsewhere ISPs have also been told that they won’t have to retain or disclose “third party data“, unless the operator retains it for its own business purposes. In this context, third-party data means communications data processed by the operator for the purpose of routing communications within an electronic communications network.

Some other changes have also been made in order to make it harder for Internet data to be requested on adults suspected of only minor crimes, although there are plenty of caveats to this (clause 59.5) and as such the supposed limitation is actually rather weak.

Various other changes have also been made, but most of them are small and none of them really tackle the overriding concern about a system that snoops on every one of its citizens, not to mention the technical and cost challenges of actually making that work.

We should also add that it will now be an offence if a person in a public authority unlawfully obtains communications data.

Conclusion

Today’s outcome was perhaps a forgone conclusion, not least since both the Conservative and Labour Parties have repeatedly spent the best part of the past 8 years trying, and often failing, to get similar legislation passed into law. In that climate no amount of opposition from the Liberal Democrats, SNP or smaller parties would make a dent.

On top of that the related Data Retention and Investigatory Powers Act 2014 (DRIP) is due to expire at the end of 2016 and must be replaced before that deadline. But it should be noted that the DRIP Act only came into existence because the previous Regulation of Investigatory Powers Act 2000 was declared “invalid” after the European Court of Justice ruled (here and here) that it breached the “fundamental right to respect for private life and the fundamental right to the protection of personal data” (EU Charter of Fundamental Rights).

Furthermore there’s also the rather big caveat of whether any of this will actually help. The security services are already overloaded with data and simply making the haystack bigger doesn’t necessarily help to find the needle. Harvesting such a large amount of information will also become a tempting target for hackers and state sponsored espionage, which is particularly worrying given the increasingly long history of major data breaches.

On top of that the usefulness of the data is another issue, particularly since any half-witted terrorist or criminal can easily mask themselves behind encrypted connections or services that may also exist in other countries (away from UK law) and thus retain no logs.

Likewise Internet connections are often shared and thus identifying who is actually using the service at any one time remains very difficult without traditional surveillance (i.e. a man on the ground), but that doesn’t mean to say that a court wouldn’t misconstrued an ICR and blame the connection owner for a crime, even if they’re innocent.

The new law effectively creates a system that monitors everybody and threatens the erosion of privacy, which is a founding tenant of most democracies because it helps to shield the people and political opponents from abuse by Governments that hold too much power.

Suddenly the inside jokes you share with friends online, your search history and the fact that somebody on your connection may have once visited an illegal website (on purpose or by accident, ICRs can’t tell the difference), all of this becomes a weapon that could be used against you.

No doubt some will say that the new law merely serves to make legal what the Government’s spying agency (GCHQ) has already been doing in private for several years, which is true up to a point. But we’ve never had a system that forces ISPs to retain a complex log of all your online activity and to then store / provide it without a warrant, which carries with it a certain chill.

NOTE: Strictly speaking the IPBill is not quite yet an Act (Law), but it has today completed the final passage through both the House of Lords and Commons. As a result the only remaining step is a formality, which means getting the Queen to sign a piece of paper. For all intents and purposes this is now the Investigatory Powers Act.