Civil rights advocates are up in arms over a sweeping new digital surveillance law in the United Kingdom, and not just because they say it intrudes on the privacy of people in the U.K. Some worry that the law sets an example other democratic nations will be tempted to follow.
The legislation, which passed in late November and replaced the old surveillance law at the beginning of this year, is called the Investigatory Powers Act (or, by its critics, the “Snooper’s Charter”). It enshrines broad new authority for U.K. law enforcement and intelligence agencies to conduct online surveillance, hack into devices deemed relevant to investigations, and make technology companies provide access to data about their users—even by forcing them to change the design of products. It also gives investigators the authority to use these powers in “bulk,” meaning they can access large data sets that may include information about people not relevant to investigations. They can even hack into devices owned by people who are not suspects in a crime.
Opponents take issue with many parts of the legislation, but the most high-profile fight is over a new authority for the government to compel Internet service providers to retain “Internet connection records”—including websites visited or mobile apps used, the times they were accessed, and the duration of use—for up to 12 months for all their customers. Investigators won’t need a warrant from a judge to access this data. “There is no state in the Western democratic world that has anything similar,” says Eric King, a visiting lecturer on surveillance law at Queen Mary University of London and former deputy director of Don’t Spy on Us, a coalition of nongovernmental organizations that advocates for surveillance reform.
The U.K. has been pioneering government-imposed data retention (though it has already been common in authoritarian countries). In 2006, it was instrumental in crafting an EU regulation that required member states to store their citizens’ telecommunications data for a minimum of six months. In 2014, however, the EU’s highest court ruled that the regulation violated privacy rights. Since then, the U.K. has failed to create a data retention regime that has stood up in court.
Brazil and Australia have also recently instituted data retention laws. The U.S. has not, but the U.S. Department of Justice has advocated for mandatory data retention before, as have members of Congress. After the Snowden revelations, President Obama issued a policy directive limiting bulk data collection by the federal government itself. But Donald Trump could rescind that or work with Congress to require Internet service providers to retain data so investigators could access it later—a step that would be modeled on the U.K. legislation. “If the Trump administration wants to expand its surveillance powers, or seek sanction for more aggressive use of its existing powers, it could unfortunately point to the U.K.’s new law as precedent,” says Camilla Graham Wood, Privacy International’s legal officer.
Internet service providers already can and do log information about the websites you visit. In the EU the law requires them to get rid of it once it’s not needed. Outside the EU, the amount of time that ISPs retain data varies, and few publicize that information. Time Warner Cable in the U.S. states that it retains IP address logs for up to six months.
Like the ones that came before it, the U.K.’s new data retention requirement could have a hard time surviving the courts, at least as long as the nation remains part of the European Union. Last month, the European Court of Justice ruled that “general and indiscriminate” data retention, as opposed to targeted retention for the purpose of solving a serious crime, violates European privacy law. The ruling doesn’t bode well for the new surveillance law, according to Paul Bernal, a lecturer in information technology, intellectual property, and media law at the University of East Anglia School of Law in the U.K. “There’s going to be a lot of legal fighting over that during the next year or so,” he says.
But even if the provision on data retention is struck down or scaled back, opponents of the measure are alarmed. They say that powers introduced by the bill put the U.K. and nations that may follow its lead on the wrong course for a free and open digital society. Britain’s broad new authority would set a dramatic precedent, says Danny O’Brien, international director for the Electronic Frontier Foundation. Companies would be forced to conduct surveillance or break the privacy protections of devices and services, and they would be compelled to keep those steps secret.
“The idea that you can own and control your own device ceases to become a possibility” if the government can ask for it to be reëngineered to strip away privacy, he says. Compelling a company to weaken or break a privacy tool like encryption would require a warrant. But if the British government could force companies to remain silent in these cases, it would likely prevent the kind of public debate that occurred in the U.S. after the FBI tried to compel Apple in 2016 to write code that would crack open an encrypted iPhone.