Both sides of the House appeared to agree on 4 November that the draft Investigatory Powers Bill was “neither a snooper’s charter nor a plan for mass surveillance”.
It’s certainly true that some of the more ridiculous proposals, such as the banning of encryption, don’t appear in the document. However, the act of clarifying the innumerable grey areas within existing surveillance legislation, drawn up well before the age of social media, was always going to provoke criticism from privacy campaigners.
So, what data are we all generating, and who will have access to it?
Communications data: where, when and how I’m communicating, and with whom
The companies which provide our communications “may be required” to retain this kind of information for up to 12 months and make it accessible to law enforcement, security and intelligence agencies “for a specific statutory purpose”. Crucially, the draft Bill explains that the previous definitions of communications data, drawn up when internet usage was still in its relative infancy, “will be updated to reflect changes in the way people communicate”. The implication is that this extends beyond telephone calls.
Internet connection records: which online services I’m using
The Bill introduces an obligation to internet access providers to retain details of which online services and apps we’ve accessed. So there will be no in-depth catalogue of your online activity, but if law enforcement agencies suspect that you’ve used a particular communications service or an illegal website, they can be informed.
Intercepted data: what I’m saying to other people
The content of your emails and private messages can be read in very limited circumstances. Nine intercepting authorities (including the security and intelligence agencies) can apply for a warrant if it’s believed to be in the interests of national security or for the prevention and detection of serious crime. The request has to be signed off by the Home Secretary or a Scottish minister, and then approved by a Judicial Commissioner – the so-called “double lock”.
Bulk data: large volumes of communication data, mainly international
The definition of bulk data seems to have been left intentionally vague; security and intelligence agencies can apply for a warrant to intercept communications “to acquire intelligence relating to individuals outside the UK.” But the Bill also adds: “Interference with the privacy of persons in the UK will be permitted only to the extent that it is necessary for that purpose” – wording that will hardly reassure privacy campaigners.
How concerned should we be?
This draft Bill has been presented as a concerted attack on criminal activity, but methods of covering our online tracks such as TOR and VPNs (virtual private networks) are well-known, and are used regularly by all kinds of people for perfectly legal purposes. As for the rest of us, we’ll now be generating data that companies are obliged to store, and the recent TalkTalk debacle demonstrated that warrants are not always required to access that information. So regardless of governmental assurances, the draft Bill raises a number of concerns, even for law-abiding citizens.