Beware! UK Gov’t Can Now Record Your Chats Under New ‘Snooper’s Charter’
You have been warned now. Police are now officially able to hack into your phones and check your browsing history after the Snoopers’ Charter came into force in the United Kingdom on Friday.
The law – officially called the ‘Investigatory Powers Bill’ – forces electronic data to be stored by app companies for 12 months, which can be subsequently collected by law enforcement.
While critics have cited it as an attack on privacy, the Home Office believes the charter is essential for combating terrorism and organised crime.
The IP bill forces electronic data to be stored by app companies (including Facebook, Whatsapp, Twitter etc) for 12 months, which can be subsequently collected by law enforcement.
The legislation replaces the Regulation of Investigatory Powers Act, which several local authorities have been accused of abusing to snoop on people feeding pigeons and failing to clear up dog mess.
After more than 12 months of debate, jostling and a healthy dose of criticism, the UK’s new surveillance regime has officially become a law.
Both the House of Lords and House of Commons recently passed the IP Bill – the biggest overhaul of surveillance powers for more than a decade – and it has received Royal Assent.
Ahead of its Royal Assent, home secretary Amber Rudd said: “This Government is clear that, at a time of heightened security threat, it is essential our law enforcement, security and intelligence services have the powers they need to keep people safe.
“The internet presents new opportunities for terrorists and we must ensure we have the capabilities to confront this challenge. But it is also right that these powers are subject to strict safeguards and rigorous oversight.
“The Investigatory Powers Act is world-leading legislation that provides unprecedented transparency and substantial privacy protection.
“I want to pay tribute to the independent reviewers, organisations, and Parliamentarians of all parties for their rigorous scrutiny of this important law which is vital for the safety and security of our families, communities and country.”
First introduced by then-Home Secretary Theresa May in November 2015; the Act was passed by the House of Lords in November, after they backed down on an amendment that would have forced the press to pay court costs for both parties in any case involving allegations of phone or email hacking, even if they were completely spurious.
One peer said it would have ‘chilled’ journalism and stopped papers writing about figures such as ex-BHS boss Sir Philip Green.
The following day the Lords accepted defeat in what will be seen as a victory for Press freedom.
Aside from the controversy surrounding its morality, the charter’s effectiveness has also been questioned, with Virtual Private Network software already being highlighted as a potential way for internet users of getting around it.
Using a VPN means data will be scrambled and protected from the company that provides the connection.
In China VPNs are routinely used by expats to avoid Beijing’s rigid control of the internet, which involves blocking news websites like the BBC, anything which might be remotely critical of the Chinese Communist Party, and porn websites.
Here’s a reminder of what the ‘Snooper’s Chaerter includes:
For the first time, security services will be able to hack into computers, networks, mobile devices, servers and more under the proposed plans. The practice is known as equipment interference and is set out in part 5, chapter 2, of the IP Bill.
This could include downloading data from a mobile phone that is stolen or left unattended, or software that tracks every keyboard letter pressed being installed on a laptop.
“More complex equipment interference operations may involve exploiting existing vulnerabilities in software in order to gain control of devices or networks to remotely extract material or monitor the user of the device,” a draft code of conduct says.
The power will be available to police forces and intelligence services. Warrants must be issued for the hacking to take place.
For those not living in the UK, but who have come to the attention of the security agencies, the potential to be hacked increases. Bulk equipment interference (chapter 3 of the IP Bill) allows for large scale hacks in “large operations”.
Data can be gathered from “a large number of devices in the specified location”.
A draft code of practice says a foreign region (although it does not give a size) where terrorism is suspected could be targeted, for instance. As a result, it is likely the data of innocent people would be gathered.
Security and intelligence agencies must apply for a warrant from the Secretary of State and these groups are the only people who can complete bulk hacks.
To help oversee the new powers, the Home Office is introducing new roles to approve warrants and handle issues that arise from the new powers. The Investigatory Powers Commissioner (IPC) and judicial commissioners (part 8, chapter 1 of the IP Bill) will be appointed by Theresa May, or whoever the serving prime minister is at the time.
The IPC will be a senior judge and be supported by other high court judges. “The IPC will audit compliance and undertake investigations,” the government says.
“The Commissioner will report publicly and make recommendations on what he finds in the course of his work,” guidance on the original bill says (page 6). “He will also publish guidance when it is required on the proper use of investigatory powers.”
Under the IP Bill, security services and police forces will be able to access communications data when it is needed to help their investigations. This means internet history data (Internet Connection Records, in official speak) will have to be stored for 12 months.
The who, what, when, and where will have to be stored. This will mean your internet service provider stores that you visited WIRED.co.uk to read this article, on this day, at this time and where from (i.e. a mobile device). This will be done for every website visited for a year.
Web records and communications data is detailed under chapter 3, part 3 of the law and warrants are required for the data to be accessed. A draft code of practice details more information on communications data.
Bulk data sets
As well as communications data being stored, intelligence agencies will also be able to obtain and use “bulk personal datasets”. These mass data sets mostly include a “majority of individuals” that aren’t suspected in any wrongdoing but have been swept-up in the data collection.
These (detailed under part 7 of the IP Bill and in a code of practice), as well as warrants for their creation and retention must be obtained.
“Typically these datasets are very large, and of a size which means they cannot be processed manually,” the draft code of practice describes the data sets as. These types of databases can be created from a variety of sources.
More on the IP Bill
During the past 12 months, WIRED has covered the passage of the IP Bill through parliament. Here’s some more reading on the bill’s journey from WIRED and beyond:
– Full bill as passed by House of Lords: read more
THE PUBLIC AUTHORITIES THAT CAN ACCESS ICRS
- Metropolitan police force
- City of London police force
- Police forces maintained under section 2 of the Police Act 1996
- Police Service of Scotland
- Police Service of Northern Ireland
- British Transport Police
- Ministry of Defence Police
- Royal Navy Police
- Royal Military Police
- Royal Air Force Police
- Security Service
- Secret Intelligence Service
- Ministry of Defence
- Department of Health
- Home Office
- Ministry of Justice
- National Crime Agency
- HM Revenue & Customs
- Department for Transport
- Department for Work and Pensions
- NHS trusts and foundation trusts in England that provide ambulance services
- Common Services Agency for the Scottish Health Service
- Competition and Markets Authority
- Criminal Cases Review Commission
- Department for Communities in Northern Ireland
- Department for the Economy in Northern Ireland
- Department of Justice in Northern Ireland
- Financial Conduct Authority
- Fire and rescue authorities under the Fire and Rescue Services Act 2004
- Food Standards Agency
- Food Standards Scotland
- Gambling Commission
- Gangmasters and Labour Abuse Authority
- Health and Safety Executive
- Independent Police Complaints Commissioner
- Information Commissioner
- NHS Business Services Authority
- Northern Ireland Ambulance Service Health and Social Care Trust
- Northern Ireland Fire and Rescue Service Board
- Northern Ireland Health and Social Care Regional Business Services Organisation
- Office of Communications
- Office of the Police Ombudsman for Northern Ireland
- Police Investigations and Review Commissioner
- Scottish Ambulance Service Board
- Scottish Criminal Cases Review Commission
- Serious Fraud Office
- Welsh Ambulance Services National Health Service Trust