Since the Snowden revelations, it is not news to anyone that GCHQ and other government agencies are spying on UK citizens’ online activities.
Whatever you may feel about government snooping, it could be argued that all the Investigatory Powers Act has changed is to formalise what the UK government was already doing, and put more structure and control around it.
However, there is one huge issue that I and other technologists have complained about from the beginning of the consultative process, although the complaints have fallen on deaf ears. That is the ability for the government to force internet service providers (ISPs) and other tech companies to keep a year’s worth of records about ALL of our surfing habits – every UK citizen and resident.
The requirement is, in theory, for them to keep details of the pages we visit and other “communications data”, but not the “content” of those pages – although any technologist will tell you that the distinction between the two is becoming increasingly blurred. Either way, they will hold a vast amount of sensitive data about all of us – business and personal, like who you bank with, who your energy provider is, what email service you use, who you send emails to and how often, and so on.
Some may object to the government having all this data on privacy grounds; others may feel that this is OK if it helps law enforcement and security services identify and catch more baddies.
But my concern is more practical than political. This storage of our personal data only gives the massive cybercrime industry more opportunity to steal it, and places an increased burden on ISPs to protect it. High-profile data leaks occur all too often, so why put more data at risk? Especially after the revelations about TalkTalk, one of the ISPs that will need to store the data. The government’s advisers claim that there will be very strict controls on the storing and security of the data. But I for one feel very nervous about that.
I also continue to have four other issues with the Act that have not adequately been addressed in its passage through parliament, despite lots of lobbying:
1) Backdoors. Although Theresa May, in announcing the new bill as Home Secretary, said there would be no requirement on technology companies to provide access to their customers’ encrypted data, no mention of this was made in the Act itself.
In fact there is no mention of encryption at all – the government has tried to duck the issue. Sophos remains vehemently opposed to backdoors.
2) Weak definitions mean that it is open to very broad interpretation. The requirements apply to something rather harmlessly and quaintly referred to as a “telecommunications operator”. This, as you chase the circular legalese definitions, can mean any company that enables data to pass between two or more computers as long as one is used in the UK – meaning pretty much any technology company. We don’t think this is the intent of the Act – we think that it is intended to apply to ISPs and providers of email, instant messaging services and so on – but it is sloppy drafting that could be horribly abused in future.
3) Judicial Commissioners – will they have the relevant knowledge? The suggestion is that they be appointed from a pool of people such as retired judges. Retired judges are hardly people famed for their understanding of complex technology. Would this really be a safeguard from rogue officers extracting way more personal data than they should and using it for nefarious means?
4) Disadvantage to the UK. The unfair disadvantage to UK-based ISPs still seems to apply despite claims to the contrary after the committee review stage. Section 262 clearly defines “telecommunications operator” as applying to those operating systems based in the UK. Whatever the law says, it is hard to see how the government will enforce it on companies like WhatsApp or Google who operate their communications services entirely outside the UK.