The UK’s New Surveillance Law: Security Necessity or Snoopers’ Charter?

On January 1st, the United Kingdom began the implementation of the Investigatory Powers Act, widely considered the most comprehensive—and intrusive—surveillance law in the Western world. The Act authorizes government access to bulk datasets such as travel logs, financial transactions, biometrics, the interception of digital communications data, the hacking of devices, and requires the retention of browsing history by Internet service providers.

Advocates argue the law gives UK intelligence agencies and law enforcement the tools necessary to address threats ranging from serious criminal activity to international terrorism and malicious cyber activity in the digital age, all while providing the necessary assurances of democratic oversight and privacy protections.

Critics, on the other hand, have dubbed the Act the “Snoopers’ Charter,” asserting the law retroactively legalizes invasive mass surveillance that could have a chilling effect on freedom of expression under the veneer of democratic accountability—all while undermining some key tenets of cybersecurity.

The Act received overwhelming support from the UK parliament and was signed into law last November with little public commotion. But what is the motivation behind the law and what does it actually entail? Why has the Act received strong criticism from civil liberties groups and private industry alike?

Much of the Act essentially consolidates—with some remnants left in parallel—already active digital intelligence gathering authorities and clearly codifies them together, rather than relying on separate legislative provisions under which the intelligence agencies and law enforcement previously acted.

The provisions in the Act seek to give the UK intelligence activities, revealed by NSA contractor Edward Snowden in June 2013, solid legal footing for their continued practice. This is particularly the case for Tempora, a program run by the Government Communications Headquarters (GCHQ), the UK’s signals intelligence service. As part of Tempora, the GCHQ taps underwater fiber-optic cables to collect, in bulk, Internet and telephone metadata—the who, when, where, and how of communications data—as well as probe unencrypted content through deep packet inspection tools. The process is known as “upstream collection” and is also conducted by the National Security Agency (NSA) as authorized by Section 702 of the Foreign Intelligence Surveillance Act (FISA).

Sir David Omand, the first UK Security and Intelligence Coordinator and former Director of the GCHQ, suggests the targets of government surveillance will be “those who pose serious harm to society,” including terrorists, cyber criminals, organized crime syndicates, and child abuse networks, in which the exploitation of bulk digital data—“especially patterns and associations of communications data—has become an indispensable tool for law enforcement and the intelligence agencies.”

Omand also argues “the Act adds significant new safeguards for privacy,” that ensure “the algorithms and selectors [the GCHQ] apply to their bulk access to data streams, such as bearers on international cables, [are] sufficiently discriminating that what the human analyst gets to see is only ‘necessary and proportionate’ to their authorized mission.”

Privacy advocates disagree. Gus Hosein, the Executive Director of Privacy International, argues the Act is “a draconian and expansive piece of surveillance legislation that no other liberal democracy has had the gall to attempt,” and after a series of criticisms over its potential for privacy intrusion, “the Home Office responded by merely adding one instance of the word ‘privacy’ to the bill,” which spans over 300 pages.

While many of the provisions under the Act were previously operating on legal (if dispersed and controversial) grounds, there are also new authorities granted. New safeguards protect journalists and their confidential sources by requiring a judicial commissioner’s approval before obtaining communication records—previously obtainable without independent oversight.

At the same time, other new authorities increase the government’s reach. The Act demands Internet service providers record and maintain the connection history of all their customer’s devices for 12 months, including a list of all domain names—not specific websites—a user visits, the messaging platforms used, and even connections to remote servers for automated updates. Moreover, all of this data would then be accessible to law enforcement without a court order or warrant. Not only is this an immensely expensive requirement for service providers, but critics point to the clear potential for a chilling effect on freedom of expression.

The government can also serve companies a “technical capability notice,” whereby companies could be required to remove electronic protections applied to any communications or data—such as encryption—to help address the phenomenon of criminals and terrorists “going dark.” The law also criminalizes “unauthorized disclosures” regarding information related to surveillance orders, effectively gagging companies and consumers from viable methods of recourse.

Tech giants like Facebook, Google, Microsoft, Twitter, and Yahoo have criticized this provision on grounds that it could weaken encryption technology, which could push customers to resort to third-party unverified encryption and undermine overall cybersecurity. The UK asserted in its most recent National Cyber Security Strategy a desire to cultivate domestic encryption technology “developed in the UK, by British Nations,” in what seems to be an attempt to facilitate a UK-specific backdoor for law enforcement into encrypted devices and communications.

But perhaps most disconcerting for the privacy conscious, the Act allows law enforcement and tax investigators to conduct equipment interference and computer network exploitation—meaning hack—targeted phones and computers with government approval, while intelligence agencies can conduct large-scale “foreign-focused” hacks of devices simply to identify “targets of interest.” Hosein points out just how intrusive hacking can be: “When deployed against an individual’s computer or telephone, it can achieve results more intrusive than the cumulative actions of targeting an individual by bugging his house, searching his premises and possessions, and intercepting his communications, reviewing all letters and diaries, and putting a tracking device on him.”

Internationally, the U.S. Department of Justice recently made changes to Rule 41 of the Federal Rules of Criminal Procedure, giving the FBI similar authorities to hack multiple devices under a single warrant, while China has gone even further in asserting its sovereignty over cyberspace with its newly authorized Cybersecurity Law.

But for all its criticisms, why has the UK’s Investigatory Powers Act—something Omand describes as “one of the most examined pieces of legislation in the modern age”—passed with such strong support in the UK’s parliament? Part of the reason is seemingly less about the actual provisions within the law, or the threats they seek to mitigate, but rather the public deliberation it took to reach an agreement. Omand suggests “the scale of the change for the intelligence agencies should not be underestimated,” as the “UK government had to admit doing—and place restrictions on—activities such as ‘equipment interference,’ or hacking into devices used by their targets, and data mining bulk personal databases.”

It seems that UK citizens are more willing to authorize sweeping surveillance powers when the deliberations over authorities are clear and transparent—effectively creating a democratic license to continue.

Levi Maxey is a cyber and technology producer at The Cipher Brief. Follow him on Twitter @lemax13.