'Snoopers law creates security nightmare'

  • Published
Data centreImage source, Thinkstock
Image caption,
The UK's internet service providers will need to install new equipment to log their customers net habits

The Investigatory Powers Bill will get royal assent on Tuesday. More than 130,000 people have signed a petition calling for it to be scrapped.

Tim Berners-Lee has said it creates a "security nightmare".

Edward Snowden has described it as the most extreme surveillance in the history of Western democracy.

But soon records of every website and messaging service UK-based citizens visit from any device will be retained for a year by communications companies.

So, all of those protests will have been in vain.

The petition in particular comes much too late, having been started after the bill had passed through all of its parliamentary stages.

The fact that it has attracted more than 100,000 signatures means that it will get debated in Parliament - but there seems little chance of ministers taking any more notice than they did of the call for an exploration vessel to be named Boaty McBoatface.

The question is why the bill sailed through with very little opposition, apart from that of the Liberal Democrats, SNP and a few questions from peers. It seems that privacy campaigners, the internet service providers (ISPs) and the wider technology industry failed to get politicians to share their concerns.

Sir Tim Berners-Lee: Dark, dark days

Image source, Getty Images

The inventor of the world wide web answered three questions about the new law:

What is your view of this legislation now that it has passed?

This snoopers charter has no place in a modern democracy - it undermines our fundamental rights online. The bulk collection of everyone's internet browsing data is disproportionate, creates a security nightmare for the ISPs who must store the data - and rides roughshod over our right to privacy. Meanwhile, the bulk hacking powers in the Bill risk making the internet less safe for everyone.

You previously tweeted "dark, dark days" about the bill passing. But early in November you told the Today Programme: "I feel it's important that we strengthen the accountability provisions." Was that strong enough - and do you regret not shouting louder?

Well, there's been sustained opposition to the Bill at almost every stage of its development. I spoke out about it strongly when it was first floated in May 2015, and as the Bill went through parliament, technology businesses united in opposition to it, civil society (including the Web Foundation) was strongly critical and a number of committees tasked with reviewing the Bill made sweeping criticisms.

So yes, now that the Bill has passed, I am left wondering what more I could have done personally, but government does seem to have been determined to railroad the Bill through, despite opposition from many diverse quarters.

Why do you think MPs didn't listen to opponents of the bill?

This Bill has come at an unprecedented time. Brexit - and other global political developments - have taken up the bulk of MPs time and attention in the past 18 months.

MPs were asked to review an incredibly complex Bill with over 500 pages of supporting documents in a tight timescale while other seismic political events were unfolding around them. The fact that most MPs are not technologists likely also played a role - they may simply not have understood just how intrusive the laws they were considering were.

However, public outrage and legal challenges are building around the Bill, meaning the story isn't over yet. A petition to repeal the Bill has reached over 100,000 signatures in just a few days, meaning Parliament must consider debating it again. I strongly urge them to do so.

Meanwhile, multiple legal challenges to the provisions around data retention and bulk hacking are making their way through the courts, and seem to have a good prospect of success, meaning the Bill may soon need to be amended.

Perhaps MPs were distracted, first by Brexit, than by Donald Trump's victory. But it seems this was never an issue that filled their postbags and inboxes.

In the past, two of the most passionate campaigners against mass surveillance were the Conservative MP David Davis and Labour's Tom Watson. They joined forces two years ago to take the government to court over mass surveillance - but this time things were different.

Image source, PA/Reuters
Image caption,
David Davis and Tom Watson had criticised surveillance plans in the past

David Davis is now in the government as Brexit Secretary, while Tom Watson is Labour's deputy leader, and both swung behind their parties' positions on the bill.

I talked to James Blessing, chairman of the Internet Service Providers Association, about why its campaign had failed.

He told me that for years, opponents had in fact won, making successive governments abandon mass surveillance plans.

"This bill is a zombie, which has been rearing its head in one form or another since 2007. This time it's alive," he said.

He explained that the ISPA had been a witness in front of three different select committees and found MPs generally pretty ignorant about the technology issues.

What is inside the Investigatory Powers Act?

Image source, Getty Images

The most contentious part of the forthcoming law is a requirement that communication providers keep a log of their customers net browsing behaviour for a year.

This will involve ISPs keeping a record of what websites - but not specific web pages - and chat apps their customers made use of and when.

Dozens of different bodies, ranging from the police to the Food Standards Agency, will be able to request access to this information without requiring a warrant.

There has been concern that the system is open to abuse, as the requests will not be vetted by an independent body. Moreover, the database presents a tempting target for hackers.

Much of the rest of the law aims to provide legal backing to cyber-operations already being carried out by the UK's security services.

It also introduces a new "double lock" for the most intrusive types of surveillance, such as hacking a target's smartphone or PC to see the messages they are sending.

Even if ministers have given approval for such an intercept warrant, a panel of judges will also have to approve the matter.

The authorities must also obtain a senior judge's permission before accessing communications data to identify a journalist's source.

And new criminal offences have been created to punish those that misuse the surveillance powers.

"The internet presents new opportunities for terrorists and we must ensure we have the capabilities to confront this challenge," said Home Secretary Amber Rudd.

"But it is also right that these powers are subject to strict safeguards and rigorous oversight."

Nevertheless, the committees had taken the campaigners' arguments on board, making 96 recommendations for changes to the legislation - nearly all of which had been ignored.

I put it to him that the reason why the campaigners had failed and MPs had felt able to vote the bill through was that the general public had bought the argument of the security agencies.

People were more worried about the threat from terrorists and criminals than they were about any implications for their personal privacy.

He conceded that was the case. "The public will believe the simple version of the truth - 'If you've got nothing to hide, you've got nothing to fear,'" he said.

"And that will be true until it affects them."

Image source, Reddit
Image caption,
VPNs are already advertising their services off the back of the new law

What happens next? Well, the minority who do care about mass surveillance - and smarter criminals - will probably resort to using VPNs ( virtual private networks) to mask their internet activity.

The rest of the population will not notice anything - unless someone manages to find a way of hacking into what is going to be a very valuable data collection.