Hello,

We noticed you're browsing in private or incognito mode.

To continue reading this article, please exit incognito mode or log in.

Not an Insider? Subscribe now for unlimited access to online articles.

Connectivity

New U.K. Surveillance Law Will Have Worldwide Implications

Even if you don’t live in Britain, the U.K.’s new “Snooper’s Charter” is worth watching. It could inspire other democratic nations to adopt aggressive surveillance policies.

Civil rights advocates are up in arms over a sweeping new digital surveillance law in the United Kingdom, and not just because they say it intrudes on the privacy of people in the U.K. Some worry that the law sets an example other democratic nations will be tempted to follow.

The legislation, which passed in late November and replaced the old surveillance law at the beginning of this year, is called the Investigatory Powers Act (or, by its critics, the “Snooper’s Charter”). It enshrines broad new authority for U.K. law enforcement and intelligence agencies to conduct online surveillance, hack into devices deemed relevant to investigations, and make technology companies provide access to data about their users—even by forcing them to change the design of products. It also gives investigators the authority to use these powers in “bulk,” meaning they can access large data sets that may include information about people not relevant to investigations. They can even hack into devices owned by people who are not suspects in a crime.

Opponents take issue with many parts of the legislation, but the most high-profile fight is over a new authority for the government to compel Internet service providers to retain “Internet connection records”—including websites visited or mobile apps used, the times they were accessed, and the duration of use—for up to 12 months for all their customers. Investigators won’t need a warrant from a judge to access this data. “There is no state in the Western democratic world that has anything similar,” says Eric King, a visiting lecturer on surveillance law at Queen Mary University of London and former deputy director of Don’t Spy on Us, a coalition of nongovernmental organizations that advocates for surveillance reform.

The U.K. has been pioneering government-imposed data retention (though it has already been common in authoritarian countries). In 2006, it was instrumental in crafting an EU regulation that required member states to store their citizens’ telecommunications data for a minimum of six months. In 2014, however, the EU’s highest court ruled that the regulation violated privacy rights. Since then, the U.K. has failed to create a data retention regime that has stood up in court.

Brazil and Australia have also recently instituted data retention laws. The U.S. has not, but the U.S. Department of Justice has advocated for mandatory data retention before, as have members of Congress. After the Snowden revelations, President Obama issued a policy directive limiting bulk data collection by the federal government itself. But Donald Trump could rescind that or work with Congress to require Internet service providers to retain data so investigators could access it later—a step that would be modeled on the U.K. legislation. “If the Trump administration wants to expand its surveillance powers, or seek sanction for more aggressive use of its existing powers, it could unfortunately point to the U.K.’s new law as precedent,” says Camilla Graham Wood, Privacy International’s legal officer.

Internet service providers already can and do log information about the websites you visit. In the EU the law requires them to get rid of it once it’s not needed. Outside the EU, the amount of time that ISPs retain data varies, and few publicize that information. Time Warner Cable in the U.S. states that it retains IP address logs for up to six months.

Like the ones that came before it, the U.K.’s new data retention requirement could have a hard time surviving the courts, at least as long as the nation remains part of the European Union. Last month, the European Court of Justice ruled that “general and indiscriminate” data retention, as opposed to targeted retention for the purpose of solving a serious crime, violates European privacy law. The ruling doesn’t bode well for the new surveillance law, according to Paul Bernal, a lecturer in information technology, intellectual property, and media law at the University of East Anglia School of Law in the U.K. “There’s going to be a lot of legal fighting over that during the next year or so,” he says.

But even if the provision on data retention is struck down or scaled back, opponents of the measure are alarmed. The say that powers introduced by the bill put the U.K. and nations that may follow its lead on the wrong course for a free and open digital society. Britain’s broad new authority would set a dramatic precedent, says Danny O’Brien, international director for the Electronic Frontier Foundation. Companies would be forced to conduct surveillance or break the privacy protections of devices and services, and they would be compelled to keep those steps secret.

“The idea that you can own and control your own device ceases to become a possibility” if the government can ask for it to be reëngineered to strip away privacy, he says. Compelling a company to weaken or break a privacy tool like encryption would require a warrant. But if the British government could force companies to remain silent in these cases, it would likely prevent the kind of public debate that occurred in the U.S. after the FBI tried to compel Apple in 2016 to write code that would crack open an encrypted iPhone.

Tech Obsessive?
Become an Insider to get the story behind the story — and before anyone else.

Subscribe today

Uh oh–you've read all of your free articles for this month.

Insider Premium
$179.95/yr US PRICE

More from Connectivity

What it means to be constantly connected with each other and vast sources of information.

Want more award-winning journalism? Subscribe and become an Insider.
  • Insider Plus {! insider.prices.plus !}* Best Value

    {! insider.display.menuOptionsLabel !}

    Everything included in Insider Basic, plus the digital magazine, extensive archive, ad-free web experience, and discounts to partner offerings and MIT Technology Review events.

    See details+

    What's Included

    Unlimited 24/7 access to MIT Technology Review’s website

    The Download: our daily newsletter of what's important in technology and innovation

    Bimonthly print magazine (6 issues per year)

    Bimonthly digital/PDF edition

    Access to the magazine PDF archive—thousands of articles going back to 1899 at your fingertips

    Special interest publications

    Discount to MIT Technology Review events

    Special discounts to select partner offerings

    Ad-free web experience

  • Insider Basic {! insider.prices.basic !}*

    {! insider.display.menuOptionsLabel !}

    Six issues of our award winning print magazine, unlimited online access plus The Download with the top tech stories delivered daily to your inbox.

    See details+

    What's Included

    Unlimited 24/7 access to MIT Technology Review’s website

    The Download: our daily newsletter of what's important in technology and innovation

    Bimonthly print magazine (6 issues per year)

  • Insider Online Only {! insider.prices.online !}*

    {! insider.display.menuOptionsLabel !}

    Unlimited online access including articles and video, plus The Download with the top tech stories delivered daily to your inbox.

    See details+

    What's Included

    Unlimited 24/7 access to MIT Technology Review’s website

    The Download: our daily newsletter of what's important in technology and innovation

/
You've read all of your free articles this month. This is your last free article this month. You've read of free articles this month. or  for unlimited online access.