UK surveillance law marks a 'worse than scary' shift

The newly passed "Snooper's Charter" means British police and intelligence agencies will soon be able to see every website that everyone in the UK visits.

Katie Collins Senior European Correspondent
Katie a UK-based news reporter and features writer. Officially, she is CNET's European correspondent, covering tech policy and Big Tech in the EU and UK. Unofficially, she serves as CNET's Taylor Swift correspondent. You can also find her writing about tech for good, ethics and human rights, the climate crisis, robots, travel and digital culture. She was once described a "living synth" by London's Evening Standard for having a microchip injected into her hand.
Katie Collins
8 min read
Gerald Hoberman, UIG via Getty Images

The UK has taken a deep plunge into surveillance with a far-reaching new law.

The problem, say critics, is that it goes too deep and too far.

The Investigatory Powers Act 2016 officially became law on Tuesday, after being passed by the House of Lords last month. Often referred to as the Snooper's Charter, the legislation has been a year in the making and offers unprecedented new powers to police and spy agencies in the UK for keeping tabs on British citizens.

It was written, as is common for surveillance proposals in Western democracies including the Patriot Act in the US, in the name of counter-terrorism. Internet rights groups, however, counter the bill means privacy is dead for internet users in the UK.

"The internet presents new opportunities for terrorists and we must ensure we have the capabilities to confront this challenge," Home Secretary Amber Rudd said in a statement. "It is essential our law enforcement, security and intelligence services have the powers they need to keep people safe."

The bill legalizes the global surveillance activities, including bulk data collection and hacking, that the UK has conducted more or less in secret for years. It also requires internet and phone companies to store communications data generated by email, apps and internet use for 12 months and make that information accessible to police and security services.

What do the proponents say?

Those supporting the bill argue it's essential to helping keep the UK secure. It "will underpin the work of law enforcement and the security and intelligence agencies for years to come," said UK Prime Minister Theresa May. "It is their license to operate -- with the democratic approval of Parliament -- to protect our national security and the public's safety."

Enlarge Image

Theresa May started pushing for harsher surveillance laws long before she became prime minister.

WPA Pool/Getty Images

A report conducted in August by Independent Reviewer of Terrorism Legislation found there was no reasonable alternative to the Snooper's Charter. The government, they said, had to pass legislation to replace the Data Retention and Investigatory Powers Act 2014 (DRIPA), which lets security services access internet and phone records, before it expires on December 31.

The opposition Labour party argued for concessions to the bill, but ultimately supported it. In total, 444 MPs voted in favor of the bill in the House of Commons in June. Only the Liberal Democrats, the Scottish National Party, the Green Party and a few other small parties voted no, representing 69 votes. In the House of Lords, the bill passed 226-186.

What do the critics say?

Earlier this year, Joseph A. Cannataci, the UN special rapporteur for privacy, called the bill "worse than scary" and encouraged the government to rethink its "disproportionate, privacy-intrusive measures such as bulk surveillance and bulk hacking."

US-based tech companies, including Apple, Microsoft, Google, Facebook and Twitter, also urged the government not to push it through. "To the extent this could involve the introduction of risks or vulnerabilities into products or services, it would be a very dangerous precedent to set," Facebook, Google, Microsoft, Twitter and Yahoo said in a December 2015 joint statement included in written evidence.

Brexit Minister David Davis called the UK's refusal to spend more time debating the details of the bill "a missed opportunity."

Privacy advocates were more direct in expressing their disapproval of the decision, issuing statements under the banner Don't Spy On Us. Jim Killock, executive director of Open Rights Group, called it "a surveillance law that is more suited to a dictatorship than a democracy."

Edward Snowden, the world's most famous whistleblower, said, "The UK has just legalized the most extreme surveillance in the history of western democracy. It goes farther than many autocracies."

Critics have drawn links between Snowden's 2013 revelations and the IP bill, as the law seeks to legitimize many of the surveillance activities he made public. But the origins of the legislation predate Snowden.

How did we get here? The slow creep toward more surveillance

The Snooper's Charter has been a long time coming.

In 2012, when she was Home Secretary -- responsible for all UK internal affairs, including counter-terrorism -- May proposed the Draft Communications Data Bill (also nicknamed the Snooper's Charter). It would have required internet service providers (ISPs) and mobile networks to maintain a detailed database of customer activities for 12 months, including email correspondence and browsing histories.

It attracted widespread criticism from internet rights and privacy groups, and the Liberal Democrats ultimately blocked the bill.

When the Conservative party was elected in 2015, May, still Home Secretary under Prime Minister David Cameron, revived the legislation but rebranded it as the Investigatory Powers bill and threw in some new ideas. That led to the current Snooper's Charter.

Now that it has Royal Assent (a formality, the final step before a bill becomes law in the UK), the Snooper's Charter is a done deal. This is what it means for UK citizens and the wider world.


Be careful where you tread: Your journey through cyberspace is being tracked.

Moment Editorial/Getty Images

Your browsing history has nowhere to hide

On a day-to-day basis for UK residents, the government's rule about keeping records of internet access is the biggie. It means:

  • ISPs and mobile phone providers will keep a record of every website visit of anyone using a British network for up to a year. That include sites visited through mobile browsers and phone apps (like Facebook) -- but not individual web pages. So there would be a record of you visiting cnet.com, for example, but not of any news articles you read or videos you watched.
  • The data will be stored by the network that collected it, but police and many government departments will be able to use a central search tool to find and access those records. The list of who will be able to see your internet history includes nearly 50 organizations.
  • Searches of that data will be conducted at the discretion of the police and will be overseen by a specially trained supervising officer only. There will be no judicial oversight.
  • The only way to avoid your internet history being stored is to use a proxy or virtual private network (VPN). (See here for more on VPNs.)

Critics point to historic examples of police abusing access to databases containing information about members of the public. Others worry that the UK will target specific groups, citing claims about institutional racism that even the head of the Met Police has admitted have "some justification."


The Snooper's Charter legitimizes hacking and data collecting tactics used by GCHQ.

David Goddard/Getty Images

Hacking, bulk data interception and collection by the state

Through Snowden and rights organizations like Privacy International, we know British intelligence services have engaged in bulk data interception and collection and hacking in secret for years, sometimes in violation of human rights laws. But now as part of the IP bill, these activities have legal backing.

The bill provides a clear framework for using equipment interference to conduct mass surveillance and collect communication data in bulk. This is one part of the legislation that affects people living outside the UK.

"Instead of reining in the unregulated mass surveillance practices that have for years been conducted in secret and with questionable legal authority, the IPA [Investigatory Powers Act, as the bill is set to be known] now enshrines them in law," said Privacy International's Caroline Wilson Palow.

More hacking and decryption ... but by the tech companies themselves

Before the first draft of the bill was published, it was expected the UK would try to place an outright ban on encryption, a method for scrambling personal information so it's protected. The government didn't, but instead insisted that companies decrypt technology when it orders them to and when it's "practicable."

What that means is that security services and police will now legally be able to hack into computers and bug phones. Companies operating in the UK, including those based abroad, are required to help them do this.

Remember Apple's spat with the FBI over unlocking an iPhone earlier this year? The UK government will now be able to order companies to decrypt or hack into accounts and devices, just as the FBI tried to do with the iPhone tied to the San Bernardino terrorist shooting.


The world's largest tech companies aren't keen on the new legislation.

James Martin/CNET

The major difference is that anytime the government orders a company to decrypt data, it will also issue a gag order to stop the company from talking about it. This means that unlike the Apple versus FBI situation, which played out in public view, everything will happen behind closed doors.

The bill also requires companies to inform the government about security features on new products before they are released, so police can still intercept data.

Warrants, oversight and a 'double lock'

The IP bill stipulates that for hacking or surveillance activities beyond checking out people's browsing histories, law enforcement and intelligence agencies will need a warrant.

The government is keen to emphasize the Snooper's Charter has vastly improved safeguards for hacking or bulk data collection.

The main thing to know is that a new "double lock" requires joint permission from the secretary of state and an individual judicial commissioner before warrants can be issued. There will also be a new investigatory powers commissioner who will oversee surveillance activities.

Even so, critics are worried that other countries could follow in the UK's footsteps in terms of surveillance without putting in place any safeguards at all -- or abusing them, even if they do.

Said Killock of Open Rights Group,"It is likely that other countries, including authoritarian regimes with poor human rights records, will use this law to justify their own intrusive surveillance powers."

When does the law take effect?

Enlarge Image

"Theresa May has finally got her Snooper's Charter," said Jim Killock from Open Rights Group.

Christopher Furlong/Getty Images

The law comes into effect in 2017, just as the DRIPA legislation expires.

The Snooper's Charter will likely be challenged in the courts and could end up being scrutinized by the Court of Justice of the European Union (that is, as long as the UK is a member of that body).

An online petition to repeal the IP bill has garnered more than 100,000 signatures, which means that the UK Parliament will have to consider the bill for debate. Parliament could ignore calls for a debate, but that might undermine public confidence in the bill, said Killock. "A debate would also be an opportunity for MPs to discuss the implications of various court actions, which are likely to mean that the law will have to be amended."

In the meantime, this is the time for anyone affected by the bill to get their internet activities in order. For those concerned about their privacy, that may mean signing up to use a VPN. Or you can sit tight and hope you don't attract any undue attention.

The bottom line, though, is that if the government has enough reason to suspect you of something, they may seek a warrant to conduct more intrusive surveillance -- VPN or no. Even if you think you've got nothing to hide, the IP bill is now a reminder that someone might still be watching.