Surveillance law: Revised bill adds privacy safeguards

Person on a laptopImage source, PA
Image caption,
The government says new surveillance powers are needed to fight crime and terror

The Home Office has tightened up privacy safeguards in proposed new spying laws - but police will get more power to see internet browsing records.

The Investigatory Powers Bill will force service providers to store browsing records for 12 months.

It will also give legal backing to bulk collection of internet traffic.

The Home Office was forced to revise the draft bill after concerns by three committees of MPs it did not do enough to protect privacy and was too vague.

Home Secretary Theresa May said the revised bill, published on Tuesday, reflected many of these concerns, and was "both clearer and stronger in protecting privacy".

For Labour, shadow home secretary Andy Burnham welcomed the stronger safeguards but said the party "will not be rushed" into reaching a judgement on the bill as "it has major implications for privacy and how we are governed and policed".

He said areas of potential disagreement concerned "the most intrusive powers" and "the widening of access to Internet Connection Records".


The bill expands the purposes for which police can obtain internet connection records, which are details of the websites and online applications people use. It says they can be acquired for a "specific investigation" provided it is "necessary and proportionate". This clause was not contained in the draft legislation.

Police will also get the power to hack into computers and smart phones - so called "equipment interference" - normally reserved for the security services, when there is a "threat to life" situation, such as locating a missing child. This is an extension of police powers in the draft legislation.

Ministers say the new powers are needed to fight terrorism, but internet firms have questioned their practicality - and civil liberties campaigners say it clears the way for mass surveillance of UK citizens.

Jim Killock, executive director of the Open Rights Group, said: "On first reading, the revised Bill barely pays lip service to the concerns raised by the committees that scrutinised the draft Bill.

"If passed, it would mean that the UK has one of the most draconian surveillance laws of any democracy with mass surveillance powers to monitor every citizen's browsing history."

Ministers want the new bill to become law by the end of the year, citing the urgent demands of national security and crime prevention.

'Double lock'

Service providers, such as BT or Sky, will be required to store the internet connection records - what services a device connects to - for everyone in the UK for a year so that police can access them.

The bill also aims to put on a firmer legal footing the collection by the security services of large amounts of email and other data in the UK and personal details held on databases, potentially including bank or medical records.

The new legislation will also give legal backing to the hacking of smart phones and computers by the security services.

Extra safeguards in the revised bill include:

  • Making clear all interception warrants must be subject to a "double-lock" of ministerial and judicial approval
  • Security services, as well as the police, will have to obtain a senior judge's permission before accessing communications data to identify a journalist's source
  • Clearer safeguards for legally privileged communications
  • A warrant will be required if the UK wants foreign agencies to intercept communications in the UK
  • A time limit on the examination of personal information downloaded from databases

The home secretary said two recommendations from the committees scrutinising the legislation had been rejected.

The government will continue to use the protection of Britain's "economic well-being," when linked to national security, as a justification for spying operations.

And it will continue to allow UK spies to hack into foreign computer networks, under so-called "bulk equipment interference warrants," something Theresa May says is a "a key operational requirement for GCHQ".

Image source, PA

Analysis by BBC Home Affairs Correspondent Danny Shaw

When the draft legislation was published last November, police were concerned about a rather large gap.

Although they would have had powers to find out if a suspect was visiting illegal websites, downloading abuse images or accessing terrorist material, they wouldn't get details of other online activity which might be relevant to their investigation.

So, a travel website a drug trafficker books tickets on would have been out of bounds, as would a banking website used by a fraudster to transfer money.

The new Bill attempts to plug those gaps.

But in doing so it's left a far broader range of internet services which the law enforcement and intelligence world will be able to see than was the case before.

In a written statement unveiling the bill, Mrs May said: "The government is not seeking sweeping new powers.

"Rather the Bill ensures that the security and intelligence agencies and law enforcement continue to have the powers they need to keep us safe against a backdrop of an increasingly complex, serious and unpredictable threat.

"The Bill provides the public and Parliament with greater confidence that there are robust measures in place to ensure that the powers are subject to world-leading safeguards."

The "bulk collection" of internet traffic, which came to light following revelations by US whistleblower Edward Snowden, will also continue although there will be more safeguards.

A warrant from the home secretary will be required for officers to access the content of emails - and a new Investigatory Powers Commission would be able to veto such requests.

The Home Office says the new legislation also addresses concerns expressed by Apple and other tech giants about encryption, which protects messages from being hacked.

Image source, EPA
Image caption,
Mrs May says the changes are needed to keep pace with technological advances

The tech giants feared being forced to fit "back doors" to their devices or make other changes to encryption that would compromise their customers' security.

Officials said the revised version of the Investigatory Powers Bill would put beyond doubt that companies can only be asked to remove encryption that they themselves have applied, and only where it is "practicable" for them to do so.

Paul Bernal an IT law lecturer at the University of East Anglia, said at first glance it did not seem as if the industry's main concerns had been addressed.

"I suspect the tech companies will remain unconvinced," he told BBC News.

"The encryption parts remain too open - as I read them, a 'technical capability notice' could still be used to demand a back door, resulting in a fight over what is 'practicable'. "