While you’re reading this article, the UK Government has the ability to access web browsing history, crack encryption on apps, hack devices, spread malware and pinpoint user location. These acts may sound like science fiction, but they are a stark reality in an interconnected society currently under the Investigatory Powers Act – or the Snoopers’ Charter as it’s more commonly known.
The extreme surveillance legalized by the Snoopers’ Charter has been described as a privacy disaster waiting to happen.
Written into the law books on November 26, 2016, the Investigatory Powers Act (or IPA) gives UK police and security agencies the right to gather phone and internet communication records of citizens. Collectable information includes websites, applications installed on devices, services they connect to, time and date of access, and user location. Under government proposals, all of this data will be stored in a “Request Filter”, a searchable database that is believed to be accessible by over 16,000 government and public sector employees – who may not necessarily have security clearance.
Internet service providers must keep records of the websites and services viewed by every customer across a 12-month period. Law enforcement and government bodies can access and analyze this information after getting a warrant. But what’s particularly alarming is that the information of everyday people is being kept on file whether or not they’ve actually broken any laws.
Police also have the legal means to bug computers and mobile phones as part of their investigations. When served with a warrant, companies are expected to assist officials by cracking encryption on messaging services. In cases of serious crime, security agencies can even obtain bulk communication records such as NHS patient data.
Cracking down on the law
Digital rights group the Open Rights Group is currently challenging the UK government in European court over this ability to collect vast amounts of data in order to trawl it for suspicious behavior.
“The impact on consumer trust in state surveillance agencies will prove corrosive,” says Jim Killock, executive director at the Open Rights Group. “We need the use of data to be targeted, and omit surveillance of the vast majority of innocent citizens. Until the British government gets the balance right, we will continue to challenge UK law in the courts.”
Other campaigners are taking the Act to court too. In January 2018, a case led by Labour deputy leader Tom Watson and human rights charity Liberty saw significant aspects of the Act ruled unlawful by the UK Court of Appeal.
Judges said the Act was “inconsistent with EU law” because it allowed police officers to collect sensitive data about citizens without adequate oversight and suspicion of serious crime. The High Court soon intervened, giving the government six months to rewrite the controversial legislation.
That ruling has resulted in several amendments being made to sections of the 2016 Act concerned with the collection of communications data, location data and traffic data. Internet privacy lawyer Graham Smith explains that mandatory data retention is now limited to suspicion of “serious crime” – newly defined as that which would attract a prison sentence of 12 months instead of six – and that a new independent body called the Office for Communications Data Authorisations must first approve disclosure of data when requests are not related to national security. OCDA is expected to come into operation in April.
Liberty has since won the right to challenge the Act’s provisions for bulk surveillance in the High Court, a challenge that should take place later this year.
Violation of human rights
As the Act stands, it would have a far-reaching impact on people’s online privacy, even beyond government snoops. “The records ISPs would have to keep create a huge pool of data about citizens’ online activities and makes them accessible to a wide range of public bodies,” says Robin Wilton, technical outreach director for identity and privacy for the Internet Society. “All this could become an attractive target for hacking, insider attacks, or unauthorized use – which would not only violate users’ privacy but could also put them at risk of criminal activity.”
Brad Poole, consumer privacy advocate at VPN provider HideMyAss, believes the IPA is a significant misappropriation of power and shatters the tenets of privacy for the individual. “Privacy is an indispensable human right that must be defended. We have a very real privacy problem in the UK.”
British mass surveillance practices have previously faced scrutiny in Europe. Last September, the European Court of Human Rights (ECtHR) concluded the UK’s “bulk interception regime” as set out by the Regulation of Investigatory Powers Act (Ripa) violated the privacy rights of citizens.
The landmark case was filed in 2013 by fourteen human rights groups, including Liberty, Privacy International and Big Brother Watch. The judgment is not yet final, pending a decision on whether it will be referred to the ECtHR’s highest court, its Grand Chamber.
But in the interim since that case was raised, the IPA has been signed in – and the Act replicates a significant portion of Ripa that was ruled unlawful.
The Brexit question
With Britain just a few months away from leaving the European Union, will privacy campaigners face greater hurdles in their quest to take the UK government to task?
Currently, UK citizens are protected by the Charter of Fundamental Rights of the European Union and the Court of Justice of the EU. Upon Brexit, Brits will lose the CFREU and the CJEU as a set of laws and an institution under which their fundamental rights can be enforced.
But that doesn’t necessarily rule out continued legal battles on the continent, thanks to the European Convention on Human Rights, which qualifies every individual’s right to privacy.
This treaty, established after the second world war, is enforced by the ECtHR, and could allow the UK to be taken to European court if it is found to violate its obligations.
“Brexit may in due course affect the degree to which EU law is relevant. However, it will not affect the relevance of European Court of Human Rights decisions,” says Smith.
If there’s one thing certain, it’s that the fight against the Investigatory Powers Act has only just begun. “It’s possible we will see cases brought to test the powers exercised under the Act, and the governance structures that supposedly ensure that those powers are safely used, such as the warrant mechanism and independent review [of requests for data],” Poole says.
Whatever happens, politicians, lawmakers and privacy organizations appear poised to keep pressuring the UK government to rewrite the Snoopers’ Charter until it puts the rights of its citizens first.