The UK government has the power to look at your browsing history. Someone might be doing it right now, as you read these words.
The extreme, unprecedented surveillance powers that are now law in the UK make citizens the most spied-upon people in the entire world.
The Investigatory Powers Act doesn’t stop at just watching you browse, though. It could allow the government to break encryption on the services you use. It lets them legally hack or destroy your devices, and spread malware on your phone — even if you’re not suspected of any crime.
Using data from your phone, it can track your location, record the apps you use, and see when you were online.
The Snoopers’ Charter is some of the most extreme legislation in the world, yet the UK public remains indifferent.
If this alarms you, it should. The Investigatory Powers Act is extreme.
Bulk data collection has been ruled unlawful by the European Court of Justice. And yet it’s happening to you. Right now. Only the people who are using a VPN are immune to this draconian and frightening new law.
If you haven’t acted to protect your privacy, here’s why you should start.
But I’ve Got Nothing to Hide!
The Investigatory Powers Act attracted little criticism among the general UK population.
Most of us tend to assume that we have nothing to hide.
But if you believe that, you’re putting a lot of trust in the people that are combing through your data.
We know that at least 16,000 people have access to your browsing history. It would be very easy for any one of those people to:
- Use a weak password that can be hacked in minutes.
- Accidentally store a screenshot of your data on their unlocked PC.
- Export your data and attach it to an unsecure email.
- Have a snoop through your browser history if they happen to live next door.
Remember: the people looking at your data are, on the whole, not security cleared, and they don’t need external authorization.
Let’s say that your kids are researching the history of race relations in America. A few KKK-related websites appear as the government looks at your data.
- Would you be comfortable with that data being tied to your phone number?
- How would you feel if that information was leaked to your employer?
You may trust the laws that are in place to protect your privacy. That’s great. But what if those laws are repealed, and users of particular messaging apps were picked out as potential troublemakers?
What if the current government is voted out and replaced by one that’s more authoritarian?
In countries like Turkey and Egypt, ordinary people are arrested for the things they write on Facebook. Sometimes, police literally visit their home and frogmarch them out.
These laws leave us vulnerable not only to potential future authoritarian governments but to hackers.
And if the government has a backdoor into an encrypted messaging service, then there’s a good chance that a hacker somewhere has figured out how to use it as well. That’s a whole other world of risk.
There are certainly legitimate concerns about the use of encryption in terrorist communication, and this is sometimes used as a reason for surveillance. But the same surveillance can easily be used to target activists, human rights campaigners, and people who fall out with someone that has access to their private data.
What They Know About You
The Investigatory Powers Act has also been dubbed a “privacy disaster waiting to happen.”
That should give you a clue as to how much of your data is being held.
The technical systems that support the Investigatory Powers Act are not yet in place, and it seems that some of the organizations using them have not yet been briefed.
But we do know what the Act allows the government to collect, which includes:
- Sites that you visit
- Apps that you use
- Services that your devices connect to
- Time and date of access
- Your location
It will all be stored in a system that the Act calls a Request Filter. This is essentially a massive searchable database. Nobody needs to sign off on access to it. Organizations can effectively authorize themselves to use it.
So the door is open for any Tom, Dick, or Harry to go snooping through your file.
Your data is stored in a massive searchable database that permits cross-reference by the authorities.
The way the data is stored means that it could be cross-referenced. For example, if you are in the vicinity of a crime, and you use the same encrypted messenger as the criminals, police could theoretically pick you out as a person of interest.
Legally, the Act says that the Request Filter can only be used in 3 situations:
- Identifying you as the sender of a message
- Identifying the apps or services you are using
- Finding out whether you’re doing anything illegal
This sounds fine in principle, but we have extensive examples of data like this being misused, such as:
- Spying to find out if a 3-year-old was due to go to the ‘wrong’ school
- Watching people secretly to see when they put their rubbish out
- Covertly monitoring people on sick leave
- Putting fishermen under surveillance to see what they were catching
All these examples are from a report in 2009. There have been thousands more since.
In a separate case, a Ministry of Defence policeman was fired for using surveillance data without permission to snoop on the footballer Paul Gascoigne.
People are nosey. They just can’t resist taking a look.
In theory, if your employer has Request Filter permission, they could dig through your browser history and see what mental health conditions you’ve been researching.
The potential for abuse by individuals is absolutely chilling.
Your disgruntled next-door neighbor might have a casual look at the Request Filter to see what dirt they can dig on your private life. And so on, and so on.
Mistakes happen, too. In March 2017, more than 74 million records were leaked. That figure demonstrates just how badly equipped many organizations really are when it comes to privacy. Remember all the lost CDs and thumb drives?
What About Backdoors?
Encryption is supposed to prevent unauthorized access to data. With end-to-end encryption in an app like WhatsApp, only the sender and recipient can read the messages.
A backdoor is a way to bypass encryption secretly, and this is now legal under the Investigatory Powers Act.
The word “backdoor” isn’t used in the Act. Instead, the wording states that the UK government can demand “technical changes” to services behind the scenes.
To use a hypothetical example, this could mean that Apple’s strong iMessage encryption is disabled for government snoopers. Apple would theoretically have to keep this secret from its users.
Or it could mean that businesses storing files in the cloud compromise clients’ intellectual property.
This isn’t just a privacy issue for individuals like you and me. It raises huge questions for businesses that sometimes have security promises woven into their contracts.
The implications of the IPA go beyond individuals and cause problems for business.
And if word got out that a particular service had implemented one of these backdoors at the behest of the government, users would almost certainly flee, putting that business at risk of closing down.
Recent terrorist attacks have highlighted the use of apps like WhatsApp, and MPs are starting to talk about banning or compromising them to stop terrorists talking. But putting backdoors into these apps won’t keep us safer. Terrorists will just switch to another method of communication. Or use an app that they’ve developed themselves, which is reasonably simple to achieve.
How to Protect Yourself From The #IPAct
There are certainly legitimate reasons to be concerned about terrorist activity. But there are legitimate reasons for individuals to access questionable content sometimes too.
Mass surveillance is not the answer.
If everybody is being watched constantly online, journalists’ sources could be at risk. Researchers could find themselves targeted. People with children could be held accountable for the content of their school projects.
The consequences of this are huge. And they should scare you.
But there’s nothing to stop you fighting back:
- Install a VPN from a trusted, non-UK provider. If you are very concerned about privacy, we recommend choosing a provider that does not log anything about your online activity. For everyday, non-sensitive internet use, a provider that logs only session metadata is acceptable.
- Use encrypted email. It’s not as difficult as it looks, and you may not even need to change your email address.
- Use encrypted messaging.
- Install an offline messenger app. Offline messengers use peer-to-peer Bluetooth and WiFi to transmit messages. The more people that use it, the more distance the messenger can cover. Offline messengers are useful for protests, festivals, private discussion in public, or when networks go down during internet blocks. Download and install something like FireChat (Android/iOS), and get your friends and family to do the same.
- Get involved. Check out the work that’s being done by the Electronic Frontier Foundation, Privacy International, and the Open Rights Group.
It’s too late to stop the Investigatory Powers Act, but we may still see legal challenges against it. For now, your VPN will protect you against some of the devastating privacy infringements within it.