2016 has been a very good year to bury very bad news. And political distractions perhaps explain why a bill that has been described as the most extreme surveillance legislation ever passed in a democracy has today passed into law in the U.K., never having faced substantial opposition.
It will come into force next year, after emergency surveillance legislation put in place by the prior coalition government, with even less parliamentary scrutiny than the IP bill was afforded, sunsets at the end of December.
The Investigatory Powers Act, as it now is, creates an updated framework for state surveillance capabilities, enshrining in law investigatory powers that had previously been authorized in the shadows via a patchwork of obscure legislative clauses.
Some capabilities were only avowed in parliament in recent years, following the 2013 Snowden disclosures, and were deemed by the U.K. intelligence agencies' own oversight court to have been illegally operated as a result.
The new law also brings in a new requirement: that communications service providers harvest and retain logs of the digital services accessed by all their users for a full year. This log is accessible to a wide range of government agencies, not just law and intelligence agencies. Access to the log does not require a warrant.
While combating terrorism has been the government's explanation for the need for the surveillance powers set out in the legislation, they have never adequately explained how a senior exec working in fraud and error services at the Department for Work and Pensions, for example, might be actively engaged in a War on Terror.
Privacy concerns are not the only problem either. A massive security concern is what the legislation implies for encryption, given it hands U.K. authorities the power to require a company to remove encryption, or limit the rollout of end-to-end encryption on a future service, raising the specter of backdoors damaging trust in U.K. companies as well as risking the security of user data.
The law also sanctions state hacking of devices, networks and services, including bulk hacking on foreign soil. And it allows the security agencies to maintain large databases of personal information on U.K. citizens, including individuals suspected of no crime. Questions remain over how information harvested by domestic intelligence agencies might be shared with foreign equivalent agencies in other countries (and thus vice versa, as a workaround for any domestic surveillance limits).
The government claims a "double lock" authorization process, which loops the judiciary into signing off intercept warrants for the first time in the U.K., along with senior ministers, bolsters against the risk of the most intrusive investigatory powers being misused. Critics question this, arguing judges will just be rubber-stamping warrants on process, not interrogating the proportionality of the substance.
The oversight court for U.K. intelligence agencies also has yet to rule on the proportionality of the law's so-called bulk measures. It's due to do that next month, when it will also be ruling on the legality of the powers within the wider European Union context. Rather too late to be factored into the IP bill's parliamentary scrutiny, however.
Challenges to the legislation at the European level are likely, given European courts have ruled against bulk collection. Although the U.K.'s future within the EU is now crowned by a Brexit question mark, so whether U.K. law will be bound by any European legal judgments condemning the new surveillance law remains to be seen.
A petition to parliament to repeal the IP Act has already passed more than 140,000 signatures, exceeding the 100,000 signature threshold where parliament must consider debating a petition. But given the lack of debate in parliament the first time round, it's hard to see the majority of MPs who backed the bill suddenly waking up to the fact they sleepwalked into a surveillance state.