As expected, on Wednesday last week Home Secretary of the ruling UK Conservative Party government, Theresa May, unveiled sweeping plans to grant the UK government unprecedented legal powers to spy on the personal web browsing history of every UK citizen (while at the same time awarding itself the legal right to intercept internet communications from anywhere around the world!).
Key points of the proposal include:
ISPs will be required to keep “internet connection records” of every customer’s internet activity for a minimum of 12 months
May stridently asserts that claims this will give police access to users' full internet history are “simply wrong”, as only the web domains visited will be recorded, and not the individual web pages within that domain, or any conversations held.
However, with this data the government will be able easily to determine what kind of porn you like, whether you are cheating on your partner, your political and religious affiliations, what your hobbies and pastimes are, and more.
After all, it does not take a mind-reader to guess the political leanings of a regular visitor to the www.greenpeace.org website, or that a married individual who frequents a dating website is being unfaithful (or wants to be!). The fact that the individual web pages looked at on those websites are not recorded hardly matters!
The legalization of mass government spying
The government freely admits the new law formalizes something that has been going on in secret since (at least) 2001. Supporters argue that by making this mass surveillance explicit, it brings the operation under a “legal framework”, and therefore provides some form of oversight and accountability to it.
What no-one seems to be asking is whether such mass intrusion into the privacy of each and every UK citizen can ever be justified in the first place. The government is framing the issue as one of privacy vs security, and May made some vague and unsubstantiated assertions that surveillance has prevented a number of past terrorist attacks.
Even if true, the question we need to ask ourselves is “do we want to live in a society where we sacrifice our freedom, trusting a government that has proven time and again that it simply cannot be trusted to protect us, because we are scared of bogeymen and terrorists?” If so, then the terrorists have already won.
The way to fight terror is to be not terrified, and to cling ever harder to our society’s hard-won ideals of freedom and tolerance, for which Britain is justly famed. By giving in to our fear, and becoming an intolerant big-brother society, we lose everything worth preserving.
Interestingly, the Bill also grants the UK government the explicit legal right to spy on all data passing through fiber-optic cables entering and exiting the UK (again this is something that is known to happen covertly already).
This effectively means that the UK government is granting itself the right to spy on everyone on the planet, regardless of nationality. Equally interestingly, not a single foreign government has complained about this…
Police, security organizations, and other government bodies will be able to access stored logs without a warrant
Local councils have for some reason been singled out as an exception and require a warrant, but as the current bill is based on the old RIPA legislation, the list of government services that will likely be able to access everybody’s highly personal records is staggeringly long, and includes bodies such as the Department of Health, HM Revenue and Customs, the Postal services Commission, the NHS ambulance service Trust, the Scottish Ambulance Service Board, and many more.
Despite May’s talk of “double-lock” oversight, there will be no effective oversight for access to this incredibly huge and sensitive trove of personal data.
Given that all this data is to be stored by telecoms companies, whose track record of keeping such data secure is hardly reassuring, it is probably safe to assume that every hacker and tech-savvy criminal will also quickly have access to this information.
“Double-lock” oversight over “intercepts”
Under the proposals, ministers can authorize “intercepts”, which then require “judicial approval” before they can be put into effect. This is what May refers to as a “double-lock”.
Given that there is explicitly no oversight over just about every random government department having full access to every citizen’s internet and phone records, this must presumably refer to real-time monitoring (aka “bugging”) of communications, breaking into people’s houses, infecting laptops with malware, and other highly invasive TAO-style operations.
What “judicial oversight” actually means, however, is that a group of retired (not serving, as this would constitute a severe conflict of interests) judges who are hand-picked by the government and will not have the technological expertise or understanding of covert surveillance necessary to make informed decisions, will effectively rubber-stamp ministerial edicts.
The role of these “judges” will therefore simply be to ensure that the correct procedures have been followed (and even here ministers can delay this minimal judicial oversight for 5 days simply by declaring the case “urgent.”)
As an almost meaningless sop to those in professions such as journalism, medicine and law, ministers will have to spell out the protections afforded to sensitive information when investigating members of such professions.
Rather than provide reassurance, the proposals instead make it clear that contrary to what British people have always taken for granted, there is no such thing as “privileged” or “confidential” conversations between MPs and constituents, between doctors and patients, or between lawyers and clients.
Legal requirement for overseas companies to co-operate in decrypting users’ data
With the deceptively bland title of “Maintenance of technical capability notice,” Section 189 of the Bill requires all companies operating in the UK (even if not UK companies) to comply with UK government demands, as long as "it is (and remains) practicable for those relevant operators to comply with those requirements."
This almost certainly means that the government will try to force tech companies to introduce backdoors into their encrypted products (while at the same time making it a criminal offense, under Section 190(8), for anyone involved to reveal the existence of those backdoors, under any circumstances)! Dear God.
The only silver lining to this frankly shocking attack on privacy and personal freedom is that it is difficult to conceive of international tech companies complying with such ridiculous over-reach. Given that companies such as Apple and Google have robustly resisted similar demands by their own government, it seems very unlikely that they will just roll over to the UK government.
How this will play out remains to be seen, but it seems probable that this clause, which is causing a great deal of concern among tech companies, will be dropped as part of a strategic “softening” on the government’s position, designed to help push the proposals through Parliament.
The Investigatory Powers Bill is the greatest assault on British freedom since the Nazis tried to invade the country in World War 2. Yet instead of picking up arms to defend our freedom, the British public appears utterly complacent.
We have been sold hook, line and sinker on the false narrative that mass surveillance over every aspect of our personal lives is necessary to keep us safe, rather than being the precursor to an all-powerful, intolerant, right-right State that it is.
The “Snoopers Charter” will not make us safer; it will make us more vulnerable to government oppression, while at the same time doing absolutely nothing to deter the “bad guys”.
Preston Byrne is general counsel for Eris Industries, a blockchain-based startup which moved from the UK to the US following Prime Minister David Cameron’s remarks over banning strong encryption earlier this year. I will leave you with his words:
“This legislation will not address the problem it’s designed to solve. Terrorists will go dark using off-the-shelf software like GPG and Tor, at the same time as ordinary people and businesses are placed in serious jeopardy because all of their own data is stored somewhere in a way which can be compromised.
Businesses already fail to secure user data today, as seen by the TalkTalk hack. The same applies to governments, as we saw with the US Office of Personnel Management hack where data on every American government worker with a security clearance was stolen by hackers widely believed to be state-sponsored.
Nothing in this bill ensures the security of that data, either. Instead it turns every business providing telecommunications in or to the United Kingdom into an attack vector. The best way to guarantee the safety of user data is for it to not exist. Our national security will be significantly enhanced if we store less data, not more, and increase the use of strong cryptography, rather than reducing it.”