Bulk data collection and retention isn’t the sexiest topic. Trying to get people excited over end-to-end encryption and the streamlining of British communication laws is no easy feat. Trying to do it when the threat of terrorism falls at its doorstep is even more difficult.
Following the Paris attacks last November, six in 10 Britons said they supported the government’s draft Investigatory Powers bill, which would expand the scope of the surveillance state. Yet the same poll found that 67 percent of people didn’t trust broadband providers to keep their data.
It’s a stark juxtaposition, because requiring broadband providers to keep their data is exactly what the IP bill proposes, suggesting many people don’t understand just what the law would mean for them.
The IP bill is the successor to the government’s previously proposed surveillance bill, derisively referred to as the Snoopers’ Charter. That law was roundly criticised as intrusive and overreaching, with it widely reported that such popular apps as SnapChat and WhatsApp could’ve potentially been banned. That no longer seems the case, but the bill still has far-reaching consequences including the creation of what NSA whistleblower Edward Snowden has said will be “the most intrusive and least accountable surveillance regime in the West.” The parliamentary select committee charged with scrutinizing the legislation is due to make recommendations next month after only three months.
Ridiculous. Committee scrutinising massive Investigatory Powers Bill given just 2 weeks to hear witnesses. Govt turning it into rubber stamp
— Paul Strasburger (@LordStras) November 25, 2015
“It’s only communications data” = “It’s only a comprehensive record of your private activities.” It’s the activity log of your life. #IPBill
— Edward Snowden (@Snowden) November 4, 2015
The crux of the legislation lies in bulk data collection and retention. Internet service and mobile phone providers will be required to hold a year’s worth of your “Internet connection record,” which is basically a Rolodex of every website you’ve visited and everyone you’ve chatted with. For example, you’re reading this article, but your record would only show that you visited the Daily Dot; if you sext with your partner, it would only show that you’ve spoken with them, not the naughty details. It’s why British Home Secretary Theresa May has likened to an itemized phone bill which shows everyone you’ve rang, but doesn’t divulge the contents of the call.
It’s like a record of every book you’ve ever read: The government might not be able to see which chapter of 1984 you’re on, but they will certainly know that you’re reading Orwell.
It’s like a record of every book you’ve ever read: The government might not be able to see which chapter of 1984 you’re on, but they will certainly know that you’re reading Orwell.
Think of how many websites you visit a day and what they say about you. “Most people have their whole lives documented online,” pointed out Mike Weston, the CEO of data science consultancy Profusion. Weston has been warning of the bill’s consequences since it was first introduced last year. The bill, he said, “will be great news for the security services, hackers, and companies intent on misusing personal data…”
Even if you couldn’t see which pages I’ve specifically visited recently, you would find out some intimate personal details: the government could surmise, from me clicking on my Muck Rack profile, that I am a journalist, and from the number of tech sites I’ve visited (yet don’t regularly access) that I’m working on a story about tech. I visited a number of university websites, which might indicate I’m applying for postgraduate programs. I checked out the website of a cafe in my neighborhood, which they can assume I’ve visited. It is more than possible to discern a lot about people from their browsing history, as one Facebook user found when Facebook knew he was gay based off an algorithm, despite the fact the man was closeted and his profile didn’t contain references to sexual orientation.
It’s not just the security services or police which will have this power; other government agencies, such as Her Majesty’s Revenue and Customs, will also be able to access your Internet connection record. Oh, and your communications with your member of Parliament can also be monitored, as the new bill eliminates the protections of the Wilson Doctrine (which made MP correspondence private) should the prime minister sign off on it. This is particularly concerning, not because MPs deserve extra protections—though the thought of a prime minister allowing opposition MPs to be spied upon is disconcerting—but because constituents deserve privacy when petitioning their elected representatives.
Don’t be like #IPBill
— Prof Paul Bernal (@PaulbernalUK) January 24, 2016
;) pic.twitter.com/G0EfaJNWr6
But even if they never connect the dots, or even look at the dots, the fact that they could is jarring enough. The British people are being asked to put a lot of faith in the government that they’ll never abuse this information. The fact that a record of my online activities, which paints a pretty good picture of who I am, will be sitting in some corporate database for 12 months is concerning.
“Placing a legal obligation on companies to snoop on their own customers is a recipe for disaster,” writes Weston. “Not only will it undermine trust, it also gives unscrupulous tech companies ample opportunity to exploit the data they collect for their own purposes under the guise of legal authority.”
And if the tech companies themselves aren’t exploiting that data, criminals would love to.
This legislation has the potential to chill the British tech industry and hinder its competitiveness both in the United Kingdom and the global marketplace.
As Justin Schamotta pointed out over at Choose.net, this information would be of great value to criminals, and “would make it easy to organise anything from house robbery to personalised scams and bribery,” offering a unique glimpse into what we like to do, where we like to do it, when we do it and who with. The recent hack of TalkTalk, for example, shows just how vulnerable our personal information is already. If a teenager from Belfast could hack one of Britain’s tech giants, just imagine what someone more nefarious could do.
Currently, service providers are not keeping Internet connection records. They don’t even exist, as Virgin Media’s Hugh Woolford told the select committee last year. “From a business point of view, there’s no need for us to capture any of this information,” he said, and so they don’t. They’ll have to be created, continually updated, and stored. This “indiscriminate collection of mass data is going to have a massive cost,” said Gigaclear’s CEO Matthew Hare, a concern shared by Mike Weston.
The IP bill “will greatly increase the burden on businesses to collect, hold, and make accessible personal information and the cost of this is likely to have a knock on effect on the everyday citizen,” he said in a statement. The government has estimated it will cost £240 million (about $342 million) to implement, but service providers are saying that’s a gross underestimate and doesn’t take into account maintenance and upkeep. The cost is almost certainly going to be passed on to the consumer in the form of higher mobile and Internet bills, meaning that the British public will be paying for the privilege of having their government spy on them.
Consumers aren’t the only ones who will be paying. Even little cafes and local libraries who operate networks may be forced to collect and retain customer data, potentially adding to small businesses’ overhead. And while the government claims to have given up on plans to ban end-to-end encryption, they are still pushing for a “backdoor” which would allow them to unscramble and access this data, effectively nullifying the security feature.
The catch here is that Theresa May accepts she has no jurisdiction to require this of extraterritorial companies such as Apple, WhatsApp, and Facebook, meaning the law would likely apply mainly, if not only, to British companies. This has the potential to chill the British tech industry and hinder its competitiveness both in the United Kingdom and the global marketplace.
Nobody is denying that there is a need to streamline and modernize Britain’s communications laws. They currently lie in disparate pieces of legislation largely drafted prior to the advent of the Internet and mobile technology. But the Investigatory Powers bill poses serious costs to security, privacy, and the economy. The government has done a nice job of hiding the consequences in tech jargon and political doublespeak, but the fact is that this bill is bad for Britain.
Skylar Baker-Jordan is a Chicago-based essayist, commentator, and journalist writing about masculinity, the LGBT community, and U.K. politics. Follow Skylar on Twitter @SkylarJordan.
Image via Christiaan Colen / Flickr (CC BY 2.0)