Using the Investigatory Powers Act of 2016, it has been reported that a recent government test of tracking users’ web histories has been helped by two ISPs.
The Investigatory Powers Act
The Investigatory Powers Act 2016 (also known as the ‘Snooper’s Charter’) became law in the UK in November 2016. It was designed to extend the reach of state surveillance and requires web and phone companies (by law) to store everyone’s web browsing histories for 12 months and to give the police, security services, and official agencies access to that data when requested. The Charter also means that security services, government agencies and police can hack into computers and phones to collect communications data in bulk and that judges can sign off police requests to view journalists’ call and web records.
Back in December 2018, human rights group Liberty won the right to a judicial review into the Investigatory Powers Act 2016. It was decided that there must be suspicion of a serious crime (one with a 12 month or more sentence) for the government agencies and police to request browsing history records.
The records of ‘metadata’ that ISPs/telecoms companies are required to collect and store about users are called Internet Connection Records (ICRs). These show which websites a person has visited, the relevant IP addresses, and how much data they download, but do not show which pages within a website that a person visited.
The latest trial of the new powers under the Act is reported to have involved the Home Office, the National Crime Agency, and two unnamed ISPs. The ISPs involved cannot identify themselves because the law prevents them from disclosing the existence of a data retention notice to anyone else. Reports indicate that the trial is small in scale and is still in its early stages.
The trial has brought criticism that has highlighted the many issues around collecting data about everyone’s web activities. For example:
– Privacy. The blanket mass collection of Internet histories in the hope that something will be found in it seems like an unnecessary level and type of surveillance that impacts on privacy.
– Compromising the role and values of ISPs. Commercial companies such as ISPs that need to protect customers are being made to act as an extension of government agencies, thereby being forced to compromise their role in a way that may erode customer trust.
– Security. Storing browsing histories for a year has raised concerns about how securely they are stored and what extra level of risk this poses to customers.
– Transparency. The law does not allow the disclosure of which ISPs are involved in the test, plus it is not clear how often this could happen, or whether it is necessary or proportionate.
– Oversight. There have been questions about who/what is overseeing the process. This has led to the Investigatory Powers Commission announcing plans to appoint 13 judicial commissioners for independent oversight of any surveillance.
What Does This Mean For Your Business?
The popular justification for the introduction of the Investigatory Powers Act (Snooper’s Charter) was to improve UK’s ability to spot and foil potential terror plots, and a qualification for agencies requesting a user’s browsing records/history should be suspicion of a serious crime. With a lack of transparency and questions about oversight, this has increased mistrust about what could be happening under this law and how the vast majority of law-abiding people are still essentially under surveillance while ISPs (with whom customers may think they have a normal business arrangement) are obliged by law to secretly pass customer data to government and law enforcement agencies. While national defence matters are important, for some, the Investigatory Powers Act feels a bit too much like ‘Big Brother’. Some people argue that if a person has nothing to hide, they have nothing to worry about while others argue that this attitude simply gives the green light to the erosion of hard-fought rights that could have consequences for everyone further down the line.