Surveillance law will force companies to retain customers' web surfing history

New law also puts bulk data collection and hacking by law enforcement on clear legal footing -- but the stance on encryption remains unclear.
Written by Steve Ranger, Global News Director
The biggest new power for the UK state is the retention of customer web usage data.
The UK government has published the draft version of a new surveillance law that will require internet companies to store their customers' web surfing data for a year.

The new legislation also puts the powers of police and intelligence services to hack into a suspect's computers on a clear legal footing, and details the government's capabilities for collecting bulk data about internet users. But it still leaves the use of strong encryption as a grey area for internet companies.

The draft Investigatory Powers Bill aims to replace the UK's patchwork of laws covering surveillance with one law that is easier to understand and which includes better oversight.

The government said the draft bill offers additional oversight of the way police and intelligence agencies gather information. For example, it introduces a 'double-lock' for interception warrants: once a warrant to intercept communications is signed by a minister, it cannot come into force until it has been approved by a judge.

But the biggest addition to the surveillance powers of the state is the requirement for communications companies to retain records of how customers have used the web.

The bill describes this requirement as the retention of internet connection records, or ICR. Currently there is no requirement for communications companies to store this data, and so law-enforcement agencies can often only paint a fragmented intelligence picture of a known suspect.

The government said an ICR is a record of the internet services a specific device has connected to, "such as a website or instant-messaging application".

It insisted: "An ICR is not a person's full internet browsing history. It is a record of the services that they have connected to, which can provide vital investigative leads. It would not reveal every web page that they visit or anything that they do on that web page."

The government said such data is needed to establish what services a known suspect or victim has used to communicate online, allowing investigators to request more specific communications data, or to establish whether a suspect has been involved in online crime.

However, such data will be extremely sensitive: communications companies will have to improve their track record around protecting customer data to make sure it cannot be exposed by hackers.

The draft law also clarifies how intelligence agencies gather 'bulk data' -- the collection of large volumes of data that are likely to include communications or other data relating to terrorists and serious criminals. But such data will also contain information about unrelated individuals.

The new law will also make clear when what it calls 'equipment interference' -- otherwise known as hacking -- is permitted by police or spies looking for data.

It notes: "Equipment interference plays an important role in mitigating the loss of intelligence that may no longer be obtained through other techniques, such as interception, as a result of sophisticated encryption."

There was much speculation that the draft bill would be a first step towards banning the use of strong or end-to-end encryption. However, the government has said: "The draft bill will not impose any additional requirements in relation to encryption over and above the existing obligations."

But the existing legislation requires communications companies to have the ability "to remove any encryption applied" by them to customers' communications and data, although this requirement has not been applied to companies that provide end-to-end encrypted services, even though the legislation has been in place for some years.

It is unclear how this measure applies to end-to-end encryption where companies do not necessarily have the ability to decrypt communications -- especially when many of the firms offering such services are outside of the UK.

The Independent Reviewer of Terrorism Legislation, David Anderson, who described the existing surveillance laws as obscure and incomprehensible in a report earlier this year, today said the best thing about the new bill is that it puts Parliament in charge.

"For the first time, we have a Bill that sets out, for public and political debate, the totality of the investigatory powers used or aspired to by police and intelligence agencies," he said, including some that have only recently become public.

He said that while not everyone will be happy about those powers, it will now be for Parliament to decide whether they are justified: "Whatever the content of the eventual UK law, it will no longer be possible to describe it as opaque, incomprehensible, or misleading."

But privacy campaigners Privacy International warned that it is "disingenuous" for the government to say that the bill does not contain new powers.

"Existing law does not permit the government to hack into our computers and retain records of all our internet communications. No other government in the world has legislated for bulk hacking. No other government has legislated to retain all our internet records. Other governments around the world will follow the UK's lead; Britain must not send them in the wrong direction."

Consultation on the draft bill will take place over the coming months, with a revised bill due to be introduced to Parliament in the New Year.
