On Tuesday, the UK is due to pass its controversial new surveillance law, the Investigatory Powers Act, according to the Home Office.
The Act, which has received overwhelming support in both the House of Commons and Lords, formally legalizes a number of mass surveillance programs revealed by Edward Snowden in 2013. It also introduces a new power which will force internet service providers to store browsing data on all customers for 12 months.
Civil liberties campaigners have described the Act as one of the most extreme surveillance laws in any democracy, while law enforcement agencies believe that the collection of browsing data is vital in an age of ubiquitous internet communications.
“The Investigatory Powers Act 2016 will ensure that law enforcement and the security and intelligence agencies have the powers they need in a digital age to disrupt terrorist attacks, subject to strict safeguards and world-leading oversight,” a statement from the Home Office reads.
Much of the Act gives stronger legal footing to the UK’s various bulk powers, including “bulk interception,” which is, in general terms, the collection of internet and phone communications en masse. In June 2013, using documents provided by Edward Snowden, The Guardian revealed that the GCHQ taps fibre-optic undersea cables in order to intercept emails, internet histories, calls, and a wealth of other data.
The Act also covers “bulk equipment interference,” which is the UK government’s term for mass hacking.
Screenshot of this reporter’s browsing history, when Motherboard collected browsing data in the style of the Investigatory Powers Act. GIF by author
Previously, these sort of powers were handled under other surveillance laws dating from the mid-1980s and early 2000s. Now, they will fall under the Investigatory Powers Act.
“Instead of reining in the unregulated mass surveillance practices that have for years been conducted in secret and with questionable legal authority, the IPA now enshrines them in law,” Caroline Wilson Palow, general counsel at activist group Privacy International, told Motherboard in a statement.
The UK is also introducing a new mass surveillance power, with the creation of so-called internet connection records (ICRs): records of the internet service a specific device has connected to, which will be created and stored by internet service providers. These records will include visited websites, messaging platforms like WhatsApp, or potentially even the connection your computer makes to a remote server when updating its software.
Such ICRs won’t include which specific page of a website a user visited, but rather the “front-page”. (For example, your ICRs may say that you visited vice.com, but it apparently won’t say which particular article).
Many law enforcement agencies will be able to access this data, but so will lots of other, less obvious public bodies, including the Food Standards Agency, and some National Health Service Trusts.
In a piece of written evidence, UK law enforcement bodies say that the Act will help to link an individual to an account or action; establish a person’s’ whereabouts; figure out how suspects are communicating, and “observe online criminality.”
The National Crime Agency did not respond to a request for comment. A Home Office spokesperson told Motherboard in a phone call that the Act will be coming into force “in due course.”