Investigatory Powers Bill and how it could affect UK Tech

The Investigatory Powers Bill, controversially nicknamed the Snooper’s Charter, passed into law in late November 2016, giving the government unprecedented levels of access to state surveillance in the UK.

Critics have been very vocal about the bill, calling it an ‘absolute disgrace to both privacy and freedom’ in a petition asking the UK government to repeal its new Investigatory Powers Act, which amassed more than 206,300 signatures. Despite a large proportion of the public finding the legislation to be a gross invasion of privacy, and a potential victim of a data leak or hack waiting to happen, the government insists the bill is required to fight terrorism.

The chairman of the Internet Service Provider’s Association (Ispa) spoke to the BBC last year about his concerns: “You can try every conceivable thing in the entire world to [protect it], but somebody will still outsmart you. Mistakes will happen. It’s a question of when. Hopefully it’s in tens or maybe a hundred years. But it might be next week.”

The bill will act as a replacement for the expiring Data Retention and Investigatory Powers Act (Dripa), passed in 2014, which had often been misused in the past.

An FOI request made by the Liberal Democrats shows councils have previously used the act for trivial information, such as car clocking, dog fouling and even dog barking. The Liberal Democrat Shadow Home Secretary Brian Paddick said: ‘Spying on the public should be a last resort not an everyday tool.’

‘As with any legislation, there is a significant risk that authorities will use powers in a way that Parliament never intended. That is why it is vital we have proper oversight in place that ensures any surveillance is targeted and proportionate.’

What does this mean for you?

  • Web and phone companies (CSPs) will be required to store the browsing history of all customers for 12 months for access by police, security services and other public bodies upon issue of a warrant. This will come into force before the end of the year and will detail the date, time and duration of these actions. The act has faced fierce opposition and backlash for enabling public bodies to grant themselves access to details of internet usage and telephone calls without suspicion of crime or independent sign-off.
  • Blogger Chris Yiu compiled a list of the 48 organisations and departments that will be able to access the browsing records of individuals without a warrant. This list includes various police, military, and government departments as well as the Food Standards Agency and the Gambling Commission.
  • Security services and the police now have new powers to acquire and analyse large quantities of data in bulk, such as NHS health records, in some cases without a warrant.
  • For the first time, the law will allow security agencies and law enforcement to hack into computers, phones and networks to eavesdrop on communications with a warrant.

 

What can this mean for the UK Tech sector?

When the bill was first introduced by Theresa May in 2012, it saw strong pushback from modern tech companies Google, Microsoft, Facebook, Twitter, and Yahoo, who proposed to “reject any proposals that would require companies to deliberately weaken the security of their products via backdoors, forced decryption, or any other means.”

The bill has retained the legal basis to force companies to create a backdoor to encryption for services such as WhatsApp, iMessage and FaceTime. Apple has openly criticised the bill, cautioning that “a key left under the doormat would not just be there for the good guys. The bad guys would find it, too.” The government is, nevertheless, required to gain a warrant in order to obtain access to any such backdoors. However, the bill has shed no light on exactly how the government plans to tackle end-to-end encryption. Theresa May said in a statement to the House of Commons that the government has no intentions of weakening or banning encryption, but the law will place requirements on tech companies to hand over the encrypted data when necessary in an unencrypted fashion.

Tech companies have voiced their concerns about the extraterritorial nature of the law, which will force foreign companies with British consumers to comply, even if their home countries have conflicting laws, as the US currently does.