In an echo of Australia's new mandatory data retention scheme, the UK Government introduced draft legislation on Wednesday that would allow British police and intelligence agencies to access a record of any UK citizen's website visits.
The Investigatory Powers Bill (PDF), drafted by British Home Secretary Theresa May, covers a wide spectrum of government surveillance activities, including the bulk collection of data, the interception of communications, and the hacking and bugging of electronic equipment.
Because of its scope, the bill could affect every British citizen and every Internet service provider and communications company in the UK. But the changes wouldn't just affect UK-based companies; the bill also includes provisions for foreign companies operating in the UK. That includes US companies like Apple, Google and Facebook, all of which operate messaging services the government could potentially request access to.
The bill is the latest development in the global debate over security and privacy in the Internet era. The focus on government surveillance kicked into high gear in 2013 when former US National Security Agency contractor turned whistle-blower Edward Snowden leaked secret NSA documents detailing these secret practices to journalists.
Since then, Australia has, requiring telcos and ISPs to open up phone and internet records to government agencies. The UK has also dipped its toes into data retention, though its Data Retention and Investigative Powers Act (known as DRIPA) was ruled unlawful by the UK's High Court of Justice in July this year.
But Britain's government agencies, including the Government Communications Headquarters (the UK equivalent of ASIO), have a long track record when it comes to digital surveillance. In 2013, Snowden leaked details of GCHQ's surveillance practices to The Guardian, including reports that it collected and stored phone and internet traffic records and shared the information with the NSA.
Much of the new Investigatory Powers bill would enshrine in law these kinds of activities that were previously carried out covertly.
Proponents say the bill would tie together and update the UK's surveillance laws, several of which predate widespread Internet use, and ensure that police and security agencies can protect the nation against terrorism and serious crime. Critics, however, have dubbed the bill the "Snooper's Charter," calling it a serious threat to privacy rights.
Under the proposed legislation:
- Telecommunications companies would be required to store for 12 months the details of every website visited by every UK citizen. Police, security services and other public bodies would have access to the information. The draft legislation says the records would include websites that people visit but "would not reveal every Web page that they visit or anything that they do on that Web page."
- The power of intelligence services to collect personal communications data in bulk would be written into law for the first time.
- It would be written into law that security services and police could hack into computers and bug phones. Companies operating in the UK, including those based abroad in countries such as the US and Australia, would be legally obliged to help them do this.
- Warrants authorised by ministers to let agencies intercept communications would need to be authorised by a panel of seven judicial commissioners, who would have the power of veto. There would be exemptions for "urgent" cases, or situations that can wait no longer than five days.
- A senior judge would take up the newly created position of investigatory powers commissioner. This role would replace the current system, which is run by three independent oversight commissioners.
- The prime minister would have to be consulted if a Parliament member's personal communications were to be intercepted.
Missing from the bill was an expected ban on encryption, which private messaging services such as Facebook's WhatsApp and Apple's iMessage can use to make messages unreadable by anyone but the recipient. But in certain cases companies may still feel pressure to decrypt messages.
Journalists, lawyers and others in sensitive professions have been promised that safeguards will be written into law governing requests for their data. Australia's data retention laws faced similar scrutiny around its protections for journalists, leading the Government to includeto access journalists' metadata.
Home Secretary Theresa May told Parliament that allowing police to examine a list of the websites someone has visited would be similar to having them look over an itemised phone bill.
But the director of rights organisation Liberty, Sami Chakrabarti, called the draft legislation "a breathtaking attack on the Internet security of every man, woman and child in our country."
Open Rights Group, an organisation devoted to human rights in the digital age, also expressed concern.
"At first glance, it appears that this bill is an attempt to grab even more intrusive surveillance powers and does not do enough to restrain the bulk collection of our personal data by the secret services," the group's executive director, Jim Killock, said in a statement.