The Investigatory Powers Act – or Snoopers’ Charter – is some of the most extreme mass surveillance legislation in the world. If you are in the UK, you owe it to yourself to understand its impact on you and your family. This guide tells you what you need to know – including how to fight back and reclaim your privacy.
The UK government has the power to look at your browsing history. Someone might be doing it right now, as you read these words.
The extreme, unprecedented surveillance powers that are now law in the UK make citizens the most spied-upon people in the entire world.
The Investigatory Powers Act doesn’t stop at just watching you browse, though. It could allow the government to break encryption on the services you use. It lets them legally hack or destroy your devices, and spread malware on your phone — even if you’re not suspected of any crime.
Using data from your phone, it can track your location, record the apps you use, and see when you were online.
The Snoopers’ Charter is some of the most extreme legislation in the world, yet the UK public remains indifferent.
If this alarms you, it should. The Investigatory Powers Act is extreme.
Bulk data collection has been ruled unlawful by the European Court of Justice. And yet it’s happening to you. Right now. Only the people who are using a VPN are immune to this draconian and frightening new law.
If you haven’t acted to protect your privacy, here’s why you should start.
The Investigatory Powers Act attracted little criticism among the general UK population.
Most of us tend to assume that we have nothing to hide.
But if you believe that, you’re putting a lot of trust in the people that are combing through your data.
We know that at least 16,000 people have access to your browsing history. It would be very easy for any one of those people to:
Remember: the people looking at your data are, on the whole, not security cleared, and they don’t need external authorization.
Let’s say that your kids are researching the history of race relations in America. A few KKK-related websites appear as the government looks at your data.
You may trust the laws that are in place to protect your privacy. That’s great. But what if those laws are repealed, and users of particular messaging apps were picked out as potential troublemakers?
What if the current government is voted out and replaced by one that’s more authoritarian?
These laws leave us vulnerable not only to potential future authoritarian governments but to hackers.
And if the government has a backdoor into an encrypted messaging service, then there’s a good chance that a hacker somewhere has figured out how to use it as well. That’s a whole other world of risk.
There are certainly legitimate concerns about the use of encryption in terrorist communication, and this is sometimes used as a reason for surveillance. But the same surveillance can easily be used to target activists, human rights campaigners, and people who fall out with someone that has access to their private data.
The Investigatory Powers Act has also been dubbed a “privacy disaster waiting to happen.”
That should give you a clue as to how much of your data is being held.
The technical systems that support the Investigatory Powers Act are not yet in place, and it seems that some of the organizations using them have not yet been briefed.
But we do know what the Act allows the government to collect, which includes:
It will all be stored in a system that the Act calls a Request Filter. This is essentially a massive searchable database. Nobody needs to sign off on access to it. Organizations can effectively authorize themselves to use it.
So the door is open for any Tom, Dick, or Harry to go snooping through your file.
Your data is stored in a massive searchable database that permits cross-reference by the authorities.
The way the data is stored means that it could be cross-referenced. For example, if you are in the vicinity of a crime, and you use the same encrypted messenger as the criminals, police could theoretically pick you out as a person of interest.
Legally, the Act says that the Request Filter can only be used in 3 situations:
This sounds fine in theory, but we have extensive examples of data like this being misused, such as:
All these examples are from a report in 2009. There have been thousands more since.
In a separate case, a Ministry of Defence policeman was fired for using surveillance data without permission to snoop on the footballer Paul Gascoigne.
People are nosey. They just can’t resist taking a look.
In theory, if your employer has Request Filter permission, they could dig through your browser history and see what mental health conditions you’ve been researching.
The potential for abuse by individuals is absolutely chilling.
Your disgruntled next-door neighbor might have a casual look at the Request Filter to see what dirt they can dig on your private life. And so on, and so on.
Mistakes happen, too. In March 2017, more than 74 million records were leaked. That figure demonstrates just how badly equipped many organizations really are when it comes to privacy. Remember all the lost CDs and thumb drives?
Encryption is supposed to prevent unauthorized access to data. With end-to-end encryption in an app like WhatsApp, only the sender and recipient can read the messages.
A backdoor is a way to bypass encryption secretly, and this is now legal under the Investigatory Powers Act.
The word “backdoor” isn’t used in the Act. Instead, the wording states that the UK government can demand “technical changes” to services behind the scenes.
To use a hypothetical example, this could mean that Apple’s strong iMessage encryption is disabled for government snoopers. Apple would theoretically have to keep this secret from its users.
Or it could mean that businesses storing files in the cloud compromise clients’ intellectual property.
This isn’t just a privacy issue for individuals like you and me. It raises huge questions for businesses that sometimes have security promises woven into their contracts.
The implications of the IPA go beyond individuals and cause problems for business.
And if word got out that a particular service had implemented one of these backdoors at the behest of the government, users would almost certainly flee, putting that business at risk of closing down.
Recent terrorist attacks have highlighted the use of apps like WhatsApp, and MPs are starting to talk about banning or compromising them to stop terrorists talking. But putting backdoors into these apps won’t keep us safer. Terrorists will just switch to another method of communication. Or use an app that they’ve developed themselves, which is reasonably simple to achieve.
There are certainly legitimate reasons to be concerned about terrorist activity. But there are legitimate reasons for individuals to access questionable content sometimes too.
Mass surveillance is not the answer.
If everybody is being watched constantly online, journalists’ sources could be at risk. Researchers could find themselves targeted. People with children could be held accountable for the content of their school projects.
The consequences of this are huge. And they should scare you.
But there’s nothing to stop you fighting back:
It’s too late to stop the Investigatory Powers Act, but we may still see legal challenges against it. For now, your VPN will protect you against some of the devastating privacy infringements within it.