The Investigatory Powers Bill has been passed by both Houses of Parliament. Once it receives Royal Assent it will become law.
After more than 12 months of debate, jostling and a healthy dose of criticism, the United Kingdom’s new surveillance regime is officially becoming law.
Both the House of Lords and House of Commons recently passed the Investigatory Powers Bill – the biggest overhaul of surveillance powers for more than a decade – and it is due to receive Royal Assent later today.
The Home Office, the department responsible for the law, told WIRED that some of the provisions in the Bill will require extensive testing and “will not be in place for some time”. It is currently developing plans for implementing the provisions in the Bill and will set out the timetable in due course.
This will be subject to consultation with industry and operational partners.
“In the meantime, the Government will commence the provisions in the Bill required to replace the Data Retention and Investigatory Powers Act 2014 (DRIPA), which sunsets on 31 December,” the official body explained.
Now the bill has been passed by both houses and is on the verge of receiving assent, it is likely to become law by the start of 2017.
The bill was first introduced by then-Home Secretary Theresa May in November 2015 and is often referred to as the Snooper’s Charter.
The Home Office has said the provisions listed within it are needed to help protect the country’s national security and give more oversight than ever before, while civil rights groups and those in opposition to the powers say it is intrusive and draconian.
Ahead of its Royal Assent, home secretary Amber Rudd said: “This Government is clear that, at a time of heightened security threat, it is essential our law enforcement, security and intelligence services have the powers they need to keep people safe.
“The internet presents new opportunities for terrorists and we must ensure we have the capabilities to confront this challenge. But it is also right that these powers are subject to strict safeguards and rigorous oversight.
“The Investigatory Powers Act is world-leading legislation that provides unprecedented transparency and substantial privacy protection.
“I want to pay tribute to the independent reviewers, organisations, and Parliamentarians of all parties for their rigorous scrutiny of this important law which is vital for the safety and security of our families, communities and country.”
Following the Bill passing both the Lords and Commons, however, there was a backlash over its measures. More than 100,000 people have signed an online petition calling for it to be repealed.
“This is an absolute disgrace to both privacy and freedom and needs to stop,” the petition created by Tom Skillinger says. “It has only made it this far due to it being snuck past the population in relative secrecy. It isn’t too late. We can fix this before the UK is turned into a dystopian surveillance state.”
And following today’s news about the Royal Assent, executive director of the Open Rights Group, Jim Killock, said: “Amber Rudd says the Investigatory Powers Act is world-leading legislation. She is right, it is one of the most extreme surveillance laws ever passed in a democracy.
“Its impact will be felt beyond the UK as other countries, including authoritarian regimes with poor human rights records, will use this law to justify their own intrusive surveillance regimes. “Theresa May has finally got her snoopers’ charter and democracy in the UK is the worse for it.”
More recently, in a rare public speech, the chief of MI6 said new surveillance laws have provided British intelligence services with the legality they need to battle the “existential threat” brought by data and the internet, but that MI6 must never “undermine the values we defend”.
Alex Younger said the “checks and balances” the law provides, “including a double-lock of Ministerial and independent judicial authorisation for the most intrusive activities” are vital “as a means of ensuring your confidence, even as our activities remain secret”.
Here’s a reminder of what the legislation includes:
For the first time, security services will be able to hack into computers, networks, mobile devices, servers and more under the proposed plans. The practice is known as equipment interference and is set out in part 5, chapter 2, of the IP Bill.
This could include downloading data from a mobile phone that is stolen or left unattended, or installing software on a laptop that tracks every key pressed.
“More complex equipment interference operations may involve exploiting existing vulnerabilities in software in order to gain control of devices or networks to remotely extract material or monitor the user of the device,” a draft code of conduct says.
The power will be available to police forces and intelligence services. Warrants must be issued for the hacking to take place.
For those not living in the UK, but who have come to the attention of the security agencies, the potential to be hacked increases. Bulk equipment interference (chapter 3 of the IP Bill) allows for large-scale hacks in “large operations”.
Data can be gathered from “a large number of devices in the specified location”. A draft code of practice says a foreign region (although it does not give a size) where terrorism is suspected could be targeted, for instance. As a result, it is likely the data of innocent people would be gathered.
Security and intelligence agencies must apply for a warrant from the Secretary of State, and these agencies are the only bodies that can carry out bulk hacks.
To help oversee the new powers, the Home Office is introducing new roles to approve warrants and handle issues that arise from the new powers. The Investigatory Powers Commissioner (IPC) and judicial commissioners (part 8, chapter 1 of the IP Bill) will be appointed by Theresa May, or whoever the serving prime minister is at the time.
The IPC will be a senior judge and be supported by other high court judges. “The IPC will audit compliance and undertake investigations,” the government says.
“The Commissioner will report publicly and make recommendations on what he finds in the course of his work,” guidance on the original bill says (page 6). “He will also publish guidance when it is required on the proper use of investigatory powers.”
Under the IP Bill, security services and police forces will be able to access communications data when it is needed to help their investigations. This means internet history data (Internet Connection Records, in official speak) will have to be stored for 12 months.
Communications service providers, which include everything from internet companies and messenger services to postal services, will have to store metadata about the communications made through their services.
The who, what, when, and where will have to be stored. This will mean your internet service provider stores that you visited WIRED.co.uk to read this article, on this day, at this time and where from (i.e. a mobile device). This will be done for every website visited for a year.
Web records and communications data are detailed under chapter 3, part 3 of the law and warrants are required for the data to be accessed. A draft code of practice details more information on communications data.
Bulk data sets
As well as communications data being stored, intelligence agencies will also be able to obtain and use “bulk personal datasets”. These mass data sets mostly include a “majority of individuals” who aren’t suspected of any wrongdoing but have been swept up in the data collection.
These are detailed under part 7 of the IP Bill and in a code of practice, and warrants for their creation and retention must be obtained.
“Typically these datasets are very large, and of a size which means they cannot be processed manually,” the draft code of practice says of the data sets. These types of databases can be created from a variety of sources.
More on the IP Bill
During the past 12 months, WIRED has covered the passage of the IP Bill through parliament. Here’s some more reading on the bill’s journey from WIRED and beyond:
– Full bill as passed by House of Lords
– UN warns UK’s IP Bill ‘undermines’ the right to privacy
– Mass surveillance in UK’s IP Bill not justified, MPs and Lords say
– Snooping law must be ‘fundamentally rethought and rebuilt,’ Lord Strasburger says
The public authorities that can access ICRs
Metropolitan police force
City of London police force
Police forces maintained under section 2 of the Police Act 1996
Police Service of Scotland
Police Service of Northern Ireland
British Transport Police
Ministry of Defence Police
Royal Navy Police
Royal Military Police
Royal Air Force Police
Secret Intelligence Service
Ministry of Defence
Department of Health
Ministry of Justice
National Crime Agency
HM Revenue & Customs
Department for Transport
Department for Work and Pensions
NHS trusts and foundation trusts in England that provide ambulance services
Common Services Agency for the Scottish Health Service
Competition and Markets Authority
Criminal Cases Review Commission
Department for Communities in Northern Ireland
Department for the Economy in Northern Ireland
Department of Justice in Northern Ireland
Financial Conduct Authority
Fire and rescue authorities under the Fire and Rescue Services Act 2004
Food Standards Agency
Food Standards Scotland
Gangmasters and Labour Abuse Authority
Health and Safety Executive
Independent Police Complaints Commissioner
NHS Business Services Authority
Northern Ireland Ambulance Service Health and Social Care Trust
Northern Ireland Fire and Rescue Service Board
Northern Ireland Health and Social Care Regional Business Services Organisation
Office of Communications
Office of the Police Ombudsman for Northern Ireland
Police Investigations and Review Commissioner
Scottish Ambulance Service Board
Scottish Criminal Cases Review Commission
Serious Fraud Office
Welsh Ambulance Services National Health Service Trust