After a year of debate, the British government’s Investigatory Powers Act – derided by critics as a ‘snooper’s charter’ – has been given the royal assent that makes it law.
To the government, the IP Act makes legal a series of vital oversights necessary for intelligence and police services to contain a rising volume of terrorism and organised, stealthy criminality.
To its political and civil liberties foes, it is at best the most intrusive piece of surveillance legislation ever passed in the UK and, at worst, a template other governments will use to carry out similar activities against their own citizens.
A third perspective held by some in the tech industry is that whatever its merits or flaws, aspects of it probably won’t work anyway.
Largely forgotten in all this are ordinary internet users who must feel caught in a web of argument and counter-argument, unsure what to make of it all.
The IP Act includes big provisions, the most discussed of which is that service providers will have to keep a record of their customers’ web browsing history and phone calls for 12 months.
From December 31 (the date the current Data Retention and Investigatory Powers Act 2014 expires), if you visit a website, the broadband provider will record its domain.
A long list of agencies, in addition to the police and intelligence services, will be able to look at this record, and “bulk collection” powers mean that users won’t have to be suspected of anything for this to happen.
That’s a red flag to privacy campaigners because they interpret it to mean that innocent citizens will be watched.
If police go a stage further and obtain a warrant from the home secretary (co-authorised by judges in a “double lock” arrangement), they will also be able to conduct “equipment interference” against suspects’ computers, in other words hack them.
That covers the interception of all actual communications including emails, actual phone calls and SMS messages.
Some of the IP Act’s powers already exist under laws stretching back decades, so in a sense it is cleaning up and making explicit provisions already in use.
The larger question is whether ordinary citizens should have privacy concerns.
According to Amber Rudd, home secretary:
“This government is clear that, at a time of heightened security threat, it is essential our law enforcement, security and intelligence services have the powers they need to keep people safe.”
The counter-argument is that in trying to do this the IP Act goes too far.
Sophos’s vice-president of product management John Shaw remained concerned about practicality:
“What we should be more nervous about is the potential for a hacker to break into the store of data held by your ISP and sell it on.”
The glaring example of that was the data breach that affected large ISP TalkTalk in 2015, he said.
He also worried about the expertise of the judicial commissioners, the burden on UK ISPs as opposed to foreign providers and the careless ambiguity of the Act’s use of the term “communication provider,” which could in theory refer to almost any technology firm based in the UK.
What about encryption?
Although [now prime minister] Theresa May, as home secretary, said there would be no requirement on technology companies to provide access to their customers’ encrypted data, no mention of this was made in the bill itself.
Encryption is, of course, only one of several evasions criminals can use to beat surveillance, which raises the question of what the IP Act will, ultimately, achieve.
Will it end up as a giant system for pointlessly monitoring blameless citizens while tech-savvy criminals surf invisibly?