U.K. Users’ Online Activity To Be Logged Under New Surveillance Law



The U.K. government has today published a draft bill setting out new surveillance powers that, if passed into law, will allow the security and intelligence agencies to more deeply probe Brits’ digital activity by requiring U.K. ISPs to keep a log of all the websites visited by Internet users over the past 12 months.

Brits’ media consumption habits, banking activity, political affiliations, health concerns, sexual proclivities and more could all potentially be inferred from state-mandated logging of Internet activity under the proposed new legislation.

The Investigatory Powers Bill was introduced to Parliament by Home Secretary Theresa May earlier today, who said the government hopes to have an amended bill introduced next spring, following a Parliamentary and committee scrutiny process — with the aim of getting a final bill onto the statute books before the end of 2016.

Speaking in Parliament ahead of May, Prime Minister David Cameron said the new powers are required to help the police and security services combat crime in an era of social media.

May went on to describe the aim of the bill as being to draft a new law “consolidating and updating our investigatory powers, strengthening the safeguards and establishing a world leading oversight regime”.

The government confirmed its intention to legislate to plug what it termed “capability gaps” in law enforcement and security agencies’ intelligence gathering abilities in the digital era back in May. It is tabling legislation now with a view to replacing DRIPA — aka the existing ‘emergency’ surveillance legislation which was rushed through Parliament back in 2014, and which has a sunset clause meaning it will expire at the end of 2016.

DRIPA was criticized both for the draconian data capture powers it afforded, and also for the unseemly haste with which it was railroaded through Parliament — allowing no time for proper Parliamentary scrutiny. The Investigatory Powers bill will at least get the latter, with a special committee of MPs due to pore over its detail in the coming months.

Despite criticisms of the potential chilling effect on the U.K. tech sector of draconian state surveillance powers, at a time when European institutions have generally been seeking to roll back data retention capabilities and bolster privacy protections for individuals in the post-Snowden era, the U.K. government is nonetheless pushing ahead with a bid to cement and expand the powers of the surveillance state by enshrining mass surveillance as ‘due process’ for domestic intelligence agencies and proposing what critics have dubbed another ‘Snooper’s Charter’.

The government has of course been attempting to spin otherwise — by, for example, claiming mass surveillance (euphemistically referred to as “bulk collection”) is “proportionate and necessary” in today’s modern digital era, and explicitly stating it is not seeking to ban encryption. Albeit that any ban on encryption would likely be impossible to enforce — especially without international agreement, given how much technology is developed and distributed by non-U.K. companies.

On the encryption point, earlier this year Cameron had made comments widely interpreted as an intention by a future Conservative majority government to outlaw the technology. In the event today’s draft bill does not apparently seek to explicitly outlaw encryption but May said the requirement that is currently in secondary legislation — “that those companies that are issued with a warrant should take reasonable steps to be able to respond to that warrant in unencrypted form” — is being brought “onto the face of the legislation”.

So it remains to be seen whether a company that runs a service under end-to-end encryption and then, if served with a warrant, fails to deliver unencrypted data because they are unable to do so is considered to be breaking U.K. law or not.

On this front, clause 189(4)(c) also appears pertinent — as it sets out that specific obligations on “relevant operators” can include: “obligations relating to the removal of electronic protection applied by a relevant operator to any communications or data” — which appears to suggest a requirement that companies are able to remove encryption when asked. But of course encryption that can be removed is not end-to-end encryption (a technology the U.K. government recently described as “alarming”).

“But we are not banning encryption,” claimed May in Parliament. “We recognize that encryption plays an important part for people in keeping their details secure.”

(It also appears the government recognizes that encryption can play an important role in its new legislation being perceived as more moderate than it could otherwise have been… )

May went on to emphasize that other contentious measures — included in the earlier 2012 Communications Data bill (also dubbed a Snoopers’ Charter), which failed to pass Parliament — have been dropped.

“The draft bill we are publishing today is not a return to the draft Communications Data bill of 2012. It will not include powers to force U.K. companies to capture and retain third party Internet traffic from companies based overseas; it will not compel overseas communications service providers to meet our domestic retention obligations for communications data,” she said.

Despite this, the requirement that Internet and phone companies retain data on the websites users have visited for a full 12 months remains a huge and intrusive expansion of state surveillance powers. Civil rights organization Big Brother Watch sums up this data as “the what and how of the way we live our lives”.

May said it is not a full browsing history, in the sense of logging every click made and page visited by an Internet user, but rather will be a timestamped record of the primary website URL visited. Which still of course generates a hugely intrusive personal history of U.K. web users — or at least those who don’t actively seek to avoid this state-mandated dragnet by using a VPN/proxy, such as the Tor browser, to protect their privacy, or running other obfuscation technologies to muddy the waters of their Internet activity.

The provision is described as an “Internet Connection Record” (ICRs) in the bill, and May likened it to “the modern equivalent of an itemized phone bill”. However it’s clear that far more activity now occurs digitally than does or ever did via voice calls — so the comparison is a stretch.

“Some have characterized this power as law enforcement having access to people’s full web browsing histories. Let me be clear: this is simply wrong,” said May. “[It] is a record of every communication service that a person has used, not a record of every webpage they have accessed.”

Requests for this data from law enforcement agencies would be “for the purpose of determining whether someone had accessed a communications website, an illegal website or to resolve an IP address where it is necessary and proportionate to do so in the course of a specific investigation”, she added. “Strict limits will apply to when and how that data can be accessed.”

Quite how the bulk collection of U.K. users’ Internet browsing activity will be squared with European data protection legislation, currently being drafted with a new data protection directive set to be introduced later this year — which may place competing requirements on ISPs when it comes to user data retention — remains to be seen. (Assuming, of course, the U.K. does not vote to leave the EU in its referendum next year.)

A new criminal offence of “wilfully or recklessly acquiring communications data”, carrying a maximum two-year prison sentence, is being created with the aim of discouraging access abuse of these ICRs. However, given how many data breaches are perpetrated by hackers already — such as the recent data breach of UK ISP TalkTalk, with police arresting several teenagers on suspicion of being behind that attack — it remains to be seen how much of a disincentive a two-year jail sentence is. Not to mention how securely ISPs will store this sensitive data.

Raising the latter point in Parliament, Shadow Home Secretary Andy Burnham noted that the Home Secretary’s introductory speech had referenced how some 90 per cent of commercial organizations have experienced a data breach, and went on to query whether there might not therefore be risks to storing U.K. citizens’ website access data — asking specifically whether it will not therefore be stored in “anonymized form” to safeguard the privacy of the public from hack attacks.

May sidestepped this question, reiterating only that more powers are needed by law enforcement to combat cybercrime. “I think it’s very simple, that as criminals are moving into more online crime that actually we need to make sure that our law enforcement agencies have the power to be able to deal with that cybercrime,” she said.

Police will require warrant authorization to access ICR data, while local councils will be explicitly banned from accessing it. But even with the check of a warrant, the U.K. government affording law enforcement access to web browsing data remains exceptional when compared to powers afforded to police in the U.S. and elsewhere in Europe.

Existing rules allowing U.K. police forces to access communications metadata without a warrant remain unchanged. Earlier this year Big Brother Watch published data obtained via FOI detailing the extent of police forces’ comms data requests in that regard — with some 733,000 requests made by domestic U.K. police forces over a three year period, between 2012 and 2014.

On judicial oversight for signing off surveillance warrants — a key recommendation of the independent terrorism legislation reviewer, David Anderson, in his report this summer — the Home Secretary is proposing a third way, with senior ministers and judges both involved in sign off. She referred to this as a “double lock”, claiming it offers “both the reassurance of democratic accountability and judicial accountability”.

“As now the Secretary of State will need to be satisfied that an activity is necessary and proportionate before a warrant can be issued but in future the warrant will not come into force until it has been formally approved by a judge,” she said. “This will place a double lock on the authorization of our most intrusive investigatory powers.”

Anderson’s recommendation that the power to sign off warrants be taken away from ministers and handed over to judicial oversight entirely has, however, been rejected — leaving the U.K. still somewhat at odds with other ‘Five Eyes’ allies and countries elsewhere in Europe where judges are solely responsible for authorizing surveillance.

Commenting on this aspect of the bill, Ben Emmerson, the UN special rapporteur on counter terrorism and human rights, argued that the U.K. will remain out of step with international standards if judges are not fully empowered to sign off warrants.

“Prior authorisation by an independent and impartial judiciary is an essential safeguard. Empowering judges to weigh the balance between the competing interests at stake would bring the UK legislation into full compliance with the requirements of international law, and in particular Article 17 of the International Covenant on Civil and Political Rights. Judicial review after the event is better than no judicial review at all, but it falls short of the requirement to place the power to issue a warrant into the hands of an independent judge, which is where it belongs,” he wrote.

It is also noteworthy that it remains possible under the current draft bill for a senior minister to rubberstamp warrants on their own.

May clarified that it would be possible for the Home Secretary to authorize an “urgent warrant to come immediately into effect”, to avoid too much delay being caused by her double lock — with the warrant then subsequently reviewed by the panel of judges to determine whether the warrant should continue or not. However she added that in “most circumstances” there would be a double authorization for warrants.


Another portion of the draft bill involves clarifying oversight rules for surveillance powers. A senior judge will be appointed as the overseeing commissioner, said May.

“I am clear we need a significantly strengthened regime to govern how these powers are authorized and overseen. So we will replace the existing oversight with a powerful and independent Investigatory Powers Commissioner. This will be a senior judge, supported by a team of expert inspectors with the authority and resources to effectively and visibly hold the intelligence agencies and law enforcement to account,” she told Parliament.

More broadly, the bill seeks to enshrine mass surveillance as a lawful modus operandi for U.K. security and intelligence agencies that have already been using such digital dragnets for years, enabled by a lack of scrutiny and via arcane existing investigatory legislation (such as RIPA and section 94 of the Telecommunications Act 1984).

The ability for police and security agencies to use hacking (aka “equipment interference”) as an investigatory tool is also being enshrined in law.

The bill refers to “bulk data” as “a vital tool in discovering new targets and identifying emerging threats”. And says a “clear statutory framework” will be provided for “all of the bulk powers available to the security and intelligence agencies”, in addition to introducing “robust, consistent safeguards across all of those powers”.

Responding to the draft bill in a blog post, the government’s independent terrorism legislation reviewer said the best thing about the bill is the light finally being shone onto the operations of the U.K.’s security apparatus.

“For the first time, we have a Bill that sets out, for public and political debate, the totality of the investigatory powers used or aspired to by police and intelligence agencies,” writes Anderson, going on to list some examples.

“Not everyone will be happy about those powers. It will now be for Parliament to decide whether they are justified. That is the way things should be in a democracy — but rarely are at the moment, anywhere in the world. Whatever the content of the eventual UK law, it will no longer be possible to describe it as opaque, incomprehensible or misleading.”

