Internet service providers will be forced to keep records of the websites customers visit under an ‘intrusive’ law which has given the state unprecedented new surveillance powers.
The Investigatory Powers Act – given Royal Assent by Parliament yesterday – allows security services to use electronic snooping tactics to deal with crime and terrorism, but also includes widespread data collection and extends to instant messaging platforms, potentially including the likes of WhatsApp, which uses end-to-end encryption.
Although the most intrusive powers will require the final oversight of a senior judge, privacy campaigners and legal experts have branded the Act “extreme” and compared Britain to totalitarian regimes.
Jim Killock, Executive Director of Open Rights Group, said: “Amber Rudd says the Investigatory Powers Act is world-leading legislation.
“She is right, it is one of the most extreme surveillance laws ever passed in a democracy. Its impact will be felt beyond the UK as other countries, including authoritarian regimes with poor human rights records, will use this law to justify their own intrusive surveillance regimes.
“Although there are some improvements to oversight, the Bill will mean the police and intelligence agencies have unprecedented powers to surveil our private communications and Internet activity, whether or not we are suspected of a crime.
“Theresa May has finally got her snoopers’ charter and democracy in the UK is the worse for it.”
In recent weeks 130,000 people have signed a parliament petition calling for the Bill’s repeal, which means parliament must consider debating it again.
A ruling by the Court of Justice of the European Union, expected next year, may mean that parts of the Bill are shown to be unlawful and need to be amended.
The Act introduces one special power which has attracted particular criticism. So-called ‘Internet Connection Records’ will be accessible by law enforcement and the intelligence agencies to “disrupt terrorist attacks and prosecute suspects”. The Government insists the ICRs – which will be kept for a maximum of 12 months – will not be a ‘full internet browsing history’ but instead will be a record of the services a person has connected to, which can provide ‘vital investigative leads’.
However, Big Brother Watch says ICRs will “include your customer account information, detail of the device you are using, IP address, the date and time of your browsing, how much data you download or share, who you are connecting with and what devices you connect to”.
Such information could then be used to reveal our “health and finances, our sexuality, race, religion, age, location, family, friends and work connections”, as well as thoughts and anxieties people may be reluctant to share with others.
They say basic browsing history is considered ‘personal data’ and any intrusion into it could potentially breach Articles 8 and 10 of the Human Rights Act, namely a right to privacy and freedom of expression.
The UK Government has insisted the IPA will be subject to “strict safeguards” and “world-leading oversight”, including a ‘double lock’ (a judicial sign-off on a Secretary of State warrant) for the most intrusive powers. When asked to define what those ‘most intrusive’ powers would be, a Home Office spokeswoman confirmed to FutureScot they would cover scenarios where security services were seeking to intercept phone communications or ‘interfere’ with such equipment. She said the double lock would not apply to ‘access to communications’.
Chris Yiu, Uber’s General Manager in Scotland, wrote in a blog: “I always wondered what it would feel like to be suffocated by the sort of state intrusion that citizens are subjected to in places like China, Russia and Iran. I guess we’re all about to find out.”
Home Secretary Amber Rudd said: “This government is clear that, at a time of heightened security threat, it is essential our law enforcement, security and intelligence services have the powers they need to keep people safe.
“The internet presents new opportunities for terrorists and we must ensure we have the capabilities to confront this challenge. But it is also right that these powers are subject to strict safeguards and rigorous oversight.”
Some of the provisions in the bill will require extensive testing and will not be in place for some time. The Home Office is developing plans for implementing the provisions in the bill and will set out the timetable in due course.
This will be subject to detailed consultation with industry and operational partners. In the meantime, the government will commence the provisions in the bill required to replace the Data Retention and Investigatory Powers Act 2014 (DRIPA) which sunsets on 31 December.