UK surveillance powers explained
- 5 November 2015
A new law setting out what powers the UK state will have to monitor communications between citizens has been unveiled. What are the key elements of the Investigatory Powers Bill?
What does this bill do?
The Investigatory Powers Bill aims to completely overhaul the laws governing how the state, police and spies can gather private communications or other forms of data to combat crime, terrorism and other threats to national security and the UK's economic wellbeing.
Both security chiefs and privacy campaigners agree the current rules are completely out of date and last year a massive review of powers by an independent watchdog called for a complete rethink.
How do agencies collect data at the moment?
There are two basic types of information they collect:
- Communications data - this is information about the manner in which a communication has happened, including a record of a phone call or the sending of an email.
- The content of those communications - what the person actually said or sent - such as the conversation of the phone call or words in an email.
Existing law is complicated, buried in different Acts and ambiguous. Very few people outside of the intelligence agencies properly understand it - and most of it was written in the pre-internet era. For instance, the public did not know until the publication of this bill that MI5 not only has permission to scoop up and analyse "bulk data" from the internet - but that permission comes under legislation passed before the invention of the world wide web.
What new powers are being proposed?
Communications firms - such as your broadband or mobile phone providers - will be compelled to hold a year's worth of your communications data. This new information will be details of services, websites and data sources you connect to when you go online and is called your "Internet Connection Record". For instance, it could be your visit to the BBC website from a mobile phone at breakfast and then how you used an online chat service at lunch. It does not include the detail of what you then did within each service. There is no comparable legal duty to retain these records in the rest of Europe, the USA, Canada or Australia - this appears to be a world first.
In simple terms, police say they want to be able to get at these records, going back a year, so that if they get a lead on a suspect, they can establish more about their network or conspiracy.
Under existing law, agencies can already ask firms to start collecting this data - but they can't access historic information because companies don't keep it. Police argue that this means many investigations into crime with an online element go cold because they can't link activity to specific people or devices.
How do these powers compare to those that already exist?
Police or other agencies can already access communications data such as historic phone bills - but there is a ban on them asking firms to hold and hand over information detailing which online services have been used.
What other powers are covered by the bill?
The bill brings together all other investigatory powers which involve intrusion into communications or private lives, including:
- The interception and reading of communications - this can only be carried out if approved in person by the Home Secretary.
- "Interference" with computers - including hacking - to acquire information or for some other investigative reason.
- A legal obligation on companies to assist in these officially sanctioned hacking operations.
- The collection of massive amounts of internet or phone data so that it can be later sifted looking for leads and patterns of criminality.
Does the bill outlaw encryption?
No. The legislation includes an existing power to compel a company in the UK to hand over an encryption key so that scrambled messages can be read - where there is a legal reason for the police or other agencies to access that message. This could include, for example, asking a company to help unscramble chat messages which may reveal where a missing person - or their kidnapper - can be found.
However, this legal duty cannot be imposed on overseas companies, such as Apple, that use a form of encryption which they say they cannot themselves breach.
What safeguards will there be against abuses?
Ministers are proposing a new "investigatory powers commission" led by senior judges.
- They will act as a "double lock" on interception warrants. When a minister signs off an application to monitor communications, the operation won't begin until the commissioners have also agreed. Critics say this is insufficient - but the government says it's an unprecedented level of oversight seen nowhere else in the world.
- The commission will take over inspecting the secret workings of MI5 and other agencies.
- Finally, the IPC will be expected to be public and explain how powers are used.
If the new commission finds a serious error in how powers have been used, the Investigatory Powers Tribunal, a special semi-secret court, could then rule that the targeted individual has the right to know.
While councils can request some communications data, they will be banned from accessing internet connection records. A new offence of unlawfully accessing internet data will be created - and it will also be a crime for someone who works for a communications firm to reveal data has been sought.
DECRYPTING SPOOKS: A SIMPLE GUIDE TO THE LANGUAGE USED BY INTELLIGENCE AGENCIES

| Term | Meaning |
|---|---|
| Communications Data | Any message or information transmitted over the net is contained inside a wrapper that says who sent it, to whom, when, how and so on. Communications data is the wrapper - a bit like an envelope, but with more information. |
| Content of communications | The actual words or information transmitted - such as the contents of your email, text message or old-fashioned letter in the envelope. |
| Communication Service Providers | The people that connect you to the modern world - including your mobile phone provider and home broadband company. |
| Communications Platforms | The companies you use to go about your business once you've been connected to the modern world by the CSPs - for instance Facebook and Google. |
| Bulk Data and TEMPORA | All the raw data that can be gathered from the internet's key connections as it flows in and out of the UK. If you send it down a pipe overseas, it can in theory be captured. The Edward Snowden leaks revealed the UK bulk data programme is called TEMPORA. |
| PRISM | Another Snowden leak. PRISM is the American programme under which its National Security Agency collects information sent by foreigners via US-based online services. |
| Intelligence sharing | When two agencies, such as those in the UK and USA, share intelligence each has gathered. This can be a legally grey area if an agency receives information relating to one of its country's citizens which it would not be able to access without a warrant. |
| Interception warrants | When the UK's intelligence and security agencies want to intercept, read or listen in to a target's communications - over and above collecting basic communications data, they ask the Home Secretary to sign a warrant giving them legal permission to do so. |
| Computer Network Exploitation | Hacking - by whatever means. |
| Internet Connection Records | Intelligence community jargon for browsing history. |
| Collateral Intrusion | When an agency targets a suspect, they can end up collecting lots of information about entirely innocent people around them. This is collateral intrusion and it is a legally grey area if steps have not been taken to protect legitimately private information. |