Last week, the Investigatory Powers Bill received Royal Assent and became the Investigatory Powers Act 2016:
A Bill to make provision about the interception of communications, equipment interference and the acquisition and retention of communications data, bulk personal datasets and other information; to make provision about the treatment of material held as a result of such interception, equipment interference or acquisition or retention; to establish the Investigatory Powers Commissioner and other Judicial Commissioners and make provision about them and other oversight arrangements; to make further provision about investigatory powers and national security; to amend sections 3 and 5 of the Intelligence Services Act 1994; and for connected purposes.
The Act makes broad provisions to track what you do online, being described as the most intrusive system of any democracy in history and a privacy disaster waiting to happen and something myself and others have complained about previously. Amongst a raft of new surveillance and hacking powers, it introduces the concept of an internet connection record (ICR): a log of which internet services — such as websites and instant messaging apps — you have accessed. The government has emphasised repeatedly that ICRs contain “only” metadata, not content; but retaining metadata is potentially far more intrusive than retaining content: metadata is already categorised, which makes it much easier to aggregate and cross reference. Furthermore, once ICRs exist, they could be the perfect career- or even life-threatening blackmail material — the timestamped domain of every website or service you have ever accessed.
So who can access my data? The Act makes clear that a warrant will not be necessary for named authorities to access ICRs: all that is required is sign-off by a “designated senior person”. That means not only will the police get to approve their own access, but the complete list of organisations whom have the power to access your ICRs is much longer that you may expect (as set out in Schedule 4 of the Act and originally highlighted by Chris Yiu):
- Police force maintained under section 2 of the Police Act 1996
- Metropolitan police force
- City of London police force
- Police Service of Scotland
- Police Service of Northern Ireland
- British Transport Police Force
- Ministry of Defence Police
- Royal Navy Police
- Royal Military Police
- Royal Air Force Police
- Security Service
- Secret Intelligence Service
- GCHQ
- Ministry of Defence
- Department of Health
- Home Office
- Ministry of Justice
- National Crime Agency
- Her Majesty’s Revenue and Customs
- Department for Transport
- Department for Work and Pensions
- An ambulance trust in England
- Common Services Agency for the Scottish Health Service
- Competition and Markets Authority
- Criminal Cases Review Commission
- Department for Communities in Northern Ireland
- Department for the Economy in Northern Ireland
- Department of Justice in Northern Ireland
- Financial Conduct Authority
- A fire and rescue authority under the Fire and Rescue Services Act 2004
- Food Standards Agency
- Food Standards Scotland
- Gambling Commission
- Gangmasters and Labour Abuse Authority
- Health and Safety Executive
- Independent Police Complaints Commissioner
- Information Commissioner
- NHS Business Services Authority
- Northern Ireland Ambulance Service Health and Social Care Trust
- Northern Ireland Fire and Rescue Service Board
- Northern Ireland Health and Social Care Regional Business Services Organisation
- Office of Communications
- Office of the Police Ombudsman for Northern Ireland
- Police Investigations and Review Commissioner
- Scottish Ambulance Service Board
- Scottish Criminal Cases Review Commission
- Serious Fraud Office
- Welsh Ambulance Services National Health Service Trust
While it is may seem necessary for governments and agencies to demand these types of powers under the guise of national security or to be able to stop illegal online activities that operate on an international scale, bulk collection and storage will create an attractive target for malicious actors, massively increasing the risk that your personal data will end up compromised. ICRs will be created and held by ISPs, but accessible by government agencies through centralised software; notwithstanding the fact that this single portal would be a tempting target for those wishing to gain access to the information stored in the UK’s ICRs, the track record of the companies involved here is not good, as recent breaches at TalkTalk, Vodafone, O2, and Three show.
This is an issue of digital rights and civil liberties. It seems inevitable that the law will be challenged in the courts, and that it will end up before the Court of Justice of the European Union (CJEU); based on previous rulings, it’s likely that the CJEU would strike down the Act. Whether the UK government will pay any attention increasingly depends on what happens with Brexit.