The home secretary, Theresa May, has unveiled the draft Investigatory Powers Bill, which aims to revamp the law governing how the government, police and spy agencies may tap into people’s internet traffic.
It includes a provision for communications service providers to retain records of which websites internet users have visited and provide access to their equipment for accessing communications under equipment interference warrants, which will need to be authorised by a judical commissioner.
May said: "If someone has visited a social media website, an internet connection record will only show that they accessed that site, not the particular pages they looked at, who they communicated with or what they said. It is simply the modern equivalent of an itemised phone bill."
Following Edward Snowden's revelations, the draft bill makes explicit provision for all of the powers available to the security and intelligence agencies to acquire data in bulk. This covers overseas and UK communications, a contentious issue for civil liberties groups.
In the draft bill, the home secretary will have to approve class-based warrants for a period of six months if it is necessary and proportionate for the agency to have access to bulk datasets. As with interception and equipment interference authorisations, a judicial commissioner will need to approve the warrant.
Responding to the announcement of the draft Investigatory Powers Bill, Shami Chakrabarti, director of Liberty, said: "After all the talk of climbdowns and safeguards, this long-awaited bill constitutes a breath-taking attack on the internet security of every man, woman and child in our country.
"We must now look to Parliament to step in where ministers have failed and strike a better balance between privacy and surveillance."
Read more about privacy and security
- There is a lot of work to be done in building trust and accountability in the wake of the Snowden revelations, says former MI5 director.
- Plans for powers to allow intelligence agencies to monitor electronic communications must be carefully thought through.
Collecting internet data in bulk
GCHQ said it can touch a few percent of the internet by surveying all signal environments. It then aims to process 10% of what it sees and tries to discard as much as possible. It also collects metadata and some content. Such data is used by the agency to track international criminals and terrorists. But it is almost impossible to separate out global internet traffic from UK-only traffic.
Graham Smith, a lawyer at Bird & Bird, said: “Google searches go back and forth in and out of the UK, so GCHQ ends up with a mixed pool of internal and external communications.”
It is this pool of internet traffic that GCHQ uses to "fish" for suspect activity, he said.
In a blog post commenting on the inclusion in the draft bill for the authorities to gain access to people's internet browsing history, Smith wrote: "One thing is certain: we can't simply analogise this to keeping a log of which telephone number you called, where and when. This is a record of how we live our digital lives."
GCHQ cannot target people known be in the British Isles without special permission but, according to Smith, they also scoop up metadata where legal restrictions do not apply. He said: “Metadata off smart phones is incredibly rich.”
Banning end-to-end encryption did not make it into the draft bill. GCHQ regards any backdoors on strong security as undermining internet services. Arguably, this also undermines the agency’s ability to target suspects, who may migrate from popular social media sites to more obscure darknet services.
Antony Walker, deputy CEO of TechUK, said: "The government has been at pains to stress that it is not seeking a ban on end-to-end encryption and that communications services providers will be required to take reasonable steps to made data available under warrant. This looks like a good outcome for ensuring the cyber security of individuals, businesses and the UK as a whole. However, much will depend on the interpretation of what is reasonable."
Bulk data collection and capturing which sites people have visited will require the IT industry to work with government agencies. In a previous Computer Weekly article covering the proposals for the draft bill, Julian David, director general at TechUK, wrote: “The tech industry wants to work with government to develop new legislation that is effective, proportionate, rooted in the rule of law and technologically feasible.
"In addressing the challenges of modern communications through the Investigatory Powers Bill, the UK has the opportunity develop world-leading standards of authorisation, oversight and transparency, creating legislation that is emulated around the world. It is an opportunity we must grasp together.”
ISPA, the internet service providers' association, noted that some of the provisions in the draft bill were extensions of existing powers, such as the inclusion of a "request filter" and how internet connection records are defined.
ISPA secretary general Nicholas Lansman said: "ISPA welcomes the attempt to modernise and clarify the law. We will work with government to ensure that the bill provides ISPs with a clear and stable legal framework that balances necessary powers with oversight whilst minimising the impact on business."