The UK's new web snooping rules are still taking shape: while the legislation governing it -- the Investigatory Powers Act -- became law late last year, there is still much left unresolved.
The Investigatory Powers Act represents a major extension of the surveillance power of the state. It requires internet companies to keep customers' web-surfing history for 12 months.
It also gives spying agencies and police powers to conduct mass hacking of IT infrastructure, PCs, smartphones, and other devices and was described by NSA-contractor turned whistleblower Edward Snowden as "the most extreme surveillance in the history of western democracy".
The government has argued that the new legislation is needed to update and clarify the powers of police and intelligence agencies and said the legislation received "unprecedented scrutiny" from politicians -- and passed with cross-party support. And it has also received praise for increasing clarity around government surveillance powers.
While the legislation received royal assent in November last year, it actually takes rather longer for such a significant piece of legislation to be fully in place.
Earlier this month Lord Justice Fulford was appointed the first Investigatory Powers Commissioner, who will oversee the use of Investigatory Powers by public authorities. The Home Office said he will take on the statutory functions of the IPC "in due course".
The government has also launched a consultation on five key draft codes of practice to cover areas including interception of communications, 'equipment interference', bulk communications data acquisition, bulk personal datasets, and national security notices.
The draft Codes of Practice aim to set out the detail of how the powers in the legislation can be used (if you want to comment, you've got until 6 April to respond) and are designed as a guide to the agencies that are allowed to use the powers.
One of the more controversial elements covered in the consultation is 'equipment interference', or the ability of spy agencies, police, and others to hack into devices or tech infrastructure to find information or conduct surveillance.
The consultation notes this equipment could include traditional computers or "computer-like devices such as tablets, smart phones, cables, wires and static storage devices", which could be hacked either from afar or by direct physically contact. Attacks could range from simply using someone's password to gain entry, to complicated attacks using zero-day exploits.
"Equipment interference operations vary in complexity. At the lower end of the complexity scale, an equipment interference agency may covertly download data from a subject's mobile device when it is left unattended, or an agency may use someone's login credentials to gain access to data held on a computer.
"More complex equipment interference operations may involve exploiting existing vulnerabilities in software in order to gain control of devices or networks to remotely extract material or monitor the user of the device."
The draft code includes some suitably James Bond-style examples to illustrate why the capabilities are needed.
"A military base is situated in a specific location known to be the centre for intercontinental ballistic missile research being undertaken by a country with hostile intentions against the UK. In order to track how the research is evolving and what types of systems are being developed, equipment interference is used to gather intelligence from that specific location," it explains at one point.
Much of the burden that the new act creates will fall on ISPs and tech companies.
"As a comprehensive and complex piece of legislation that puts on a legislative footing existing and new capabilities, we understand that the implementation of the Investigatory Powers Act will be in stages. While the Bill received some scrutiny as it passed through the parliamentary process, a large amount of detail will be left to codes of practice and secondary legislation," said Andrew Kernahan from the Internet Services Providers' Association ISPA UK.
"It is important that in implementing the legislation, the Home Office does so in as open and transparent manner as possible, one that includes robust checks and balances and safeguards. The legislation itself limits what a CSP can and can't reveal in a number of areas, but our members treat the balance between privacy of their customers and lawful requirements very seriously," he said.
One thing missing is a draft code of conduct on one of the most controversial aspects of the legislation: the retention of communications data which is now going to be published for consultation "in due course", according to the government. That likely means the retention of internet communications records, one of the key parts of the the law, has been delayed.
That's because late last year the European Court of Justice ruled that "general and indiscriminate retention" of internet browsing and email was unlawful, which means that the part of the legislation around the bulk collection of internet browsing records could be open to a legal challenge.
Civil liberties campaign group Liberty is challenging the "bulk" surveillance powers contained in the law, and has already applied to the High Court for permission to proceed in its legal challenge to lead to a judicial review of the law.
Privacy International is another campaign group, which has ongoing challenges in the UK and Europe to bulk communications data, bulk personal datasets, interception, and hacking.
Millie Graham Wood, legal officer at Privacy International, said there are plenty of potential ramifications from the Investigatory Powers Act: "Concerns about secret law developing behind closed doors, companies being gagged from revealing what they are being compelled to do, how Brexit will impact on the direction the UK takes in relation to mass surveillance and whether we lose out on protections that Europeans benefit from."
She said that while the UK has said it will comply with EU regulations, such as the General Data Protection Regulations, because to not do so would have a negative impact on the UK tech industry, how they intend to do that is unclear, as is whether it will restrain mass surveillance.
The equipment interference powers are another cause for concern. "Hacking, as undertaken by any actor, including the state, fundamentally impacts on the security of computers and the internet.
"It incentivises the state to maintain security vulnerabilities that allow any attacker -- whether GCHQ, another country's intelligence agency or a cyber criminal -- potential access to our devices. When deployed against networks or in 'bulk', hacking can undermine the security of all our communications, including those that form the core of financial transactions. These security concerns affect all communication service providers and the consumers who use their services," she warned.
The data collection elements are also a worry: "The sheer volume of retained data will be huge and be incredibly revealing. It will also be a honeypot for cybercriminals. Should we be worrying about when the next hack or data leak will be?"
She added: "Individuals will consequently face a reduction in their privacy and security, which could undermine trust in the entire communications system. The internet offers a democratic space in which personal exploration, growth, change and development is possible, and without trust in the systems that enable such exploration, such positive growth is curtailed."
Read more on web surveillance
- The government's encryption plans remain impossible to decipher
- The new art of war: How trolls, hackers and spies are rewriting the rules of conflict
- Inside the secret digital arms race: Facing the threat of a global cyberwar
- Surveillance laws need rethink, but bulk collection of web data will continue
- The undercover war on your internet secrets: How online surveillance cracked our trust in the web
- The impossible task of counting up the world's cyber armies
- Encryption: More and more companies use it, despite nasty tech headaches