British police and intelligence agencies would be able to access a record of any UK citizen's website visits under draft legislation presented to Parliament on Wednesday.
The Investigatory Powers Bill, drafted by British Home Secretary Theresa May, covers a wide spectrum of government surveillance activities, including the bulk collection of data, the interception of communications, and the hacking and bugging of electronic equipment. Because of its scope, the bill could affect every British citizen and every Internet service provider and communications company operating in the UK. That includes US companies like Apple, Google and Facebook, all of which operate messaging services the government could potentially request access to.
Much of the bill would enshrine in law activities that were previously carried out covertly by GCHQ and other intelligence agencies until they were made public by former US National Security Agency contractor turned whistle-blower Edward Snowden.
Proponents say the bill would tie together and update the UK's surveillance laws, several of which predate widespread Internet use, and ensure that police and security agencies can protect the nation against terrorism and serious crime. Critics, however, have dubbed the bill the "Snooper's Charter," calling it a serious threat to privacy rights.
The bill is the latest development in the global debate over security and privacy in the Internet era, which kicked into high gear in 2013 when Snowden leaked secret NSA documents to journalists.
Under the proposed legislation:
- Telecommunications companies would be required to store for 12 months the details of every website visited by every UK citizen. Police, security services and other public bodies would have access to the information. The draft legislation says the records would include websites that people visit but "would not reveal every Web page that they visit or anything that they do on that Web page."
- The power of intelligence services to collect personal communications data in bulk would be written into law for the first time.
- Security services and police could legally hack into computers and bug phones. Companies operating in the UK, including those based abroad, would be legally obliged to help them do this.
- Warrants authorised by ministers to let agencies intercept communications would need to be authorised by a panel of seven judicial commissioners, who'd have the power of veto. There would be exemptions for "urgent" cases, or situations that can wait no longer than five days.
- A senior judge would take up the newly created position of investigatory powers commissioner, replacing the current system, which is run by three independent oversight commissioners.
- The prime minister would have to be consulted if a Parliament member's personal communications were to be intercepted.
Missing from the bill was an expected ban on encryption, which private messaging services such as Facebook's WhatsApp and Apple's iMessage can use to make messages unreadable by anyone but the recipient. But in certain cases companies may still feel pressure to decrypt messages.
The bill's backers promised that safeguards would be written into law governing requests for data from journalists, lawyers and others in sensitive professions.
May told Parliament that allowing police to examine a list of the websites someone has visited would be similar to having them look over an itemised phone bill.
But the director of rights organisation Liberty, Shami Chakrabarti, called the draft legislation "a breathtaking attack on the Internet security of every man, woman and child in our country."
Open Rights Group, an organisation devoted to human rights in the digital age, also expressed concern.
"At first glance, it appears that this bill is an attempt to grab even more intrusive surveillance powers and does not do enough to restrain the bulk collection of our personal data by the secret services," the group's executive director, Jim Killock, said in a statement.