The King officially gave his final approval: the controversial reform to the UK’s Investigatory Powers Act (IPA) is all set to become law. The government seeks to widen its digital surveillance capabilities “to protect the British people” in spite of technological change. Technologists and digital rights experts foresee a rather different outcome, however, reminiscent of a privacy nightmare.
The so-called “Snooper’s Charter” is already highly controversial, experts say, and these amendments are seen as “significant privacy-weakening changes.” Worse still, this reform isn’t the only legislative effort to broaden the UK’s surveillance laws. With two more proposals on the table and the danger of the Online Safety Bill’s new powers looming in the background, it looks like we are only at the tip of the UK Surveillance State iceberg—which not even security software like VPN services can shield us from.
“From a civil society perspective, the IPA and its amendments are a problem because they enable suspicionless mass surveillance. From an Internet perspective, the danger of these laws is that they give the government the power to introduce (or preserve) systemic vulnerabilities in communication services on which we all depend,” Robin Wilton, Director at the Internet Society, told me.
What’s the Investigatory Powers Act reform all about?
Officially introduced into the House of Lords during the latest King’s speech in November, the amendments to the already infamous 2016 Investigatory Powers Act give authorities more control over citizens’ data and the platforms they use.
Legislators agreed to expand the definition of Bulk Personal Datasets (BPDs) by creating a new category of personal data that law enforcement can gather when “the individual has low to no reasonable expectation of privacy.” The likes of CCTV footage or images posted to social media are examples of the data that falls within this category and is subject to lower safeguards.
According to Wilton, though, there is no such thing as personal data with no privacy implications. He believes this “redefining work” is rather a way to expand the data the government can access, to the detriment of people’s privacy. BPDs have indeed formed a “largely opaque part of the UK security services’ data collection regime for years,” he said, due to a lack of transparency on how this information is collected and used.
“For the Government to be weakening the safeguards for personal data, in an era when we know that data mining and machine learning are constantly finding new ways to interpret and act on personal data, is irresponsible, and dangerously short-sighted,” Wilton added.
Authorities will also be permitted to access internet connection records to surveil suspects and identify who connects to what app or website, at what time, and so on. Agencies can already access this data under specific criteria—for example, when the person of interest’s identity is known—but the changes widen the purpose. That’s something the Director of privacy advocacy group Big Brother Watch, Silkie Carlo, described as “generalized surveillance,” Politico reported.
While legislators eventually added a ‘triple-lock’ authorization process for surveilling parliamentarians in the latest round of talks, the now agreed Bill remains pretty much the same as its early versions.
Weaker privacy isn’t the only casualty of the IPA’s reform, either. Experts warn that the changes may eventually compromise Britons’ data security. That’s because, under the agreed amendments, tech companies must seek approval from the Home Office before adding new security or privacy features, encryption included.
Talking to the Financial Times in November, Signal CEO Meredith Whittaker described the law as a “bellicose proposal” that “will make it nearly impossible for any service to operate with integrity in the UK.” Matthew Hodgson, CEO and Co-Founder of UK-based encrypted service provider Element, also expressed his concerns. He told TechRadar, “When pairing this with the new requirement to not introduce changes during a review process, we’re essentially looking at companies being prevented from changing their own products.”
The government argues these measures are necessary to prevent companies from designing services that may prevent lawful access to users’ information. Yet, technologists claim this will actually undermine our online safety.
Commenting on this point, Andrew Sullivan, President and Chief Executive Officer of the Internet Society, told me: “You shouldn’t have vulnerable systems if you know about them. If you know that there’s a problem, you should tell people. Writing legislation that allows the government potentially to drag its heels if they have some reason to do so, it’s bad for everybody.”
Did you know?
After harsh criticism from the tech world, the UK government eventually admitted the Online Safety Act’s Clause 122 cannot currently be enforced as the client-side scanning technology needed for this isn’t available right now. What’s deemed as the ‘spy clause’ wasn’t completely removed from the law, but rather postponed until it is “technically feasible” to deploy.
Sullivan believes legislators might have taken inspiration from large intelligence agencies that generally exploit product vulnerabilities to access people’s communication and other data. “The challenge with this sort of approach is that there’s essentially no way to know who else knows about this vulnerability,” he added.
Digital rights groups, cryptographers, academics, VPN, and encrypted messaging app providers are also worried the IPA amendments may be used together with the new provisions under the Online Safety Act to obtain greater control over public communications.
The law, which finally received Royal Assent in October 2023, attracted especially harsh criticism for its efforts to weaken encryption so that authorities can access, collect, and read anyone’s conversations to facilitate the hunt for illegal material linked, for example, to child sexual abuse or terrorism.
Preventive surveillance
Contrary to what its name suggests, the second version of the Data Protection and Digital Information Bill (DPDI2) also looks like anything but good news for people’s privacy.
After the bill was officially presented in March 2023, 26 privacy advocacy groups—including Open Rights Group, Privacy International, Liberty, Big Brother Watch, and Index on Censorship—signed an open letter warning the proposed changes would create “a greatly weakened data protection structure” instead.
Things got far worse last November, though, as Sunak and his ministers also added new powers to spy on Brits’ bank accounts as a means to clamp down on financial fraud. This means that instead of the Department for Work and Pensions requesting each benefit claimant’s account details if it suspects wrongdoing, banks will be expected to run blanket monthly checks.
“Such proposals do away with the longstanding democratic principle in Britain that state surveillance should follow suspicion rather than vice versa and it would be dangerous for everyone if the government reverses this presumption of innocence,” said Carlo from Big Brother Watch, adding that the government would probably be better off investing money to help people in need instead of spying on them.
Many politicians are speaking out against extended welfare surveillance powers (see video below). Yet, the Department for Work and Pensions is already hiring up to 25 covert surveillance officers to snoop on benefit claimants, raising concerns among other employees, the Big Issue reported.
Please watch this 🧵 of videos from today’s EXCORIATING speeches in parliament shaming the government’s attempt to spy on all our bank accounts. The media has barely reported this as the Govt is quietly rushing in these powers – but parliamentarians are fuming. Must watch! https://t.co/KMsI2oizaz (April 22, 2024)
Then, in an effort to clamp down on shoplifters, the government also plans to invest over £55 million in expanding facial recognition systems across England and Wales. This investment follows what’s known as Project Pegasus, under which some of the UK’s biggest retailers like Marks & Spencer, Boots, and Primark already run their CCTV images via police databases using facial recognition technology.
Again, civil society groups have been very critical of this proposal. Facial recognition is, in fact, well known to be far from flawless.
Carlo deemed the government’s plan an “abysmal waste of public money on dangerously authoritarian and inaccurate facial recognition surveillance.”
“Criminals should be brought to justice—but papering over the cracks of broken policing with Orwellian tech is not a solution. Live facial recognition may be commonplace in China but these Government plans put the UK completely out of sync with the rest of the democratic world,” she added.
A land grab
With the general elections scheduled for later this year, the current UK government is trying to push as many laws as possible before its mandate is up—and, as we have seen, more surveillance and investigative powers are a pressing front.
However, according to the Internet Society and other experts, politicians seem to miss the point when it comes to the tech world. As with the Online Safety Act and online child sexual abuse, there are no quick and convenient fixes to systemic social and economic problems. Likewise, enforcing these laws might weaken the country as a tech hub while bad actors find other ways to keep committing crimes.
All in all, Wilton believes this rash of laws is a “land grab” more than anything else. “Just as framing the anti-encryption debate in terms of child abuse is intended to toxify any opposition to it, so this legislative program will toxify any future attempts to repeal surveillance laws—assuming, of course, that a future Government would want to repeal them,” he told me.
“After all, as Snowden clearly demonstrated, the Blair and Brown Governments were every bit as keen on surveillance as the current one.”