Snooper’s Charter is nearly law: how the Investigatory Powers Bill will affect you

Snooper’s Charter is nearly law: how the Investigatory Powers Bill will affect you

The Investigatory Powers Bill has passed its third reading in the House of Lords and will soon become law

By MATT BURGESS
Tuesday 1 November 2016

After almost 12 months of debate, jostling and a healthy dose of criticism, the United Kingdom’s new surveillance regime is about to become law.

Members of the House of Lords have passed the third reading of the Investigatory Powers Bill, first introduced by then-Home Secretary Theresa May in November 2015 and often referred to as the Snooper’s Charter. It has now been voted on by both the House of Commons and Lords.

This means the 300-page bill has almost completely passed through the parliamentary process and is likely to be passed into law before the end of 2016 (in line with the government’s intentions and ahead of existing surveillance laws expiring).

The Home Office, the department responsible for the law, has said the provisions listed within it are needed to help protect the country’s national security and give more oversight than ever before. While civil rights groups and those in opposition to the powers say it is intrusive and draconian.

What remains for the IP Bill is the consideration of amendments by opposing houses. The Lords will vote on any amendments put forward by the Commons and vice versa. After this stage, the bill will receive Royal Assent and officially become law.

While that’s taking place, here’s a reminder of what the legislation includes:

Hacking power

For the first time, security services will be able to hack into computers, networks, mobile devices, servers and more under the proposed plans. The practice is known as equipment interference and is set out in part 5, chapter 2, of the IP Bill.

This could include downloading data from a mobile phone that is stolen or left unattended, or software that tracks every keyboard letter pressed being installed on a laptop.

“More complex equipment interference operations may involve exploiting existing vulnerabilities in software in order to gain control of devices or networks to remotely extract material or monitor the user of the device,” a draft code of conduct says.

The power will be available to police forces and intelligence services. Warrants must be issued for the hacking to take place.

Bulk hacking

For those not living in the UK, but who have come to the attention of the security agencies, the potential to be hacked increases. Bulk equipment interference (chapter 3 of the IP Bill) allows for large scale hacks in “large operations”.

Data can be gathered from “a large number of devices in the specified location”. A draft code of practice says a foreign region (although it does not give a size) where terrorism is suspected could be targeted, for instance. As a result, it is likely the data of innocent people would be gathered.

Security and intelligence agencies must apply for a warrant from the Secretary of State and these groups are the only people who can complete bulk hacks.

Commissioners

To help oversee the new powers, the Home Office is introducing new roles to approve warrants and handle issues that arise from the new powers. The Investigatory Powers Commissioner (IPC) and judicial commissioners (part 8, chapter 1 of the IP Bill) will be appointed by Theresa May, or whoever the serving prime minister is at the time.

The IPC will be a senior judge and be supported by other high court judges. “The IPC will audit compliance and undertake investigations,” the government says.

“The Commissioner will report publicly and make recommendations on what he finds in the course of his work,” guidance on the original bill says (page 6). “He will also publish guidance when it is required on the proper use of investigatory powers.”

Web records

Under the IP Bill, security services and police forces will be able to access communications data when it is needed to help their investigations. This means internet history data (Internet Connection Records, in official speak) will have to be stored for 12 months.

Communications service providers, which include everything from internet companies and messenger services to postal services, will have to store meta data about the communications made through their services.

The who, what, when, and where will have to be stored. This will mean your internet service provider stores that you visited WIRED.co.uk to read this article, on this day, at this time and where from (i.e. a mobile device). This will be done for every website visited for a year.

Web records and communications data is detailed under chapter 3, part 3 of the law and warrants are required for the data to be accessed. A draft code of practice details more information on communications data.

Bulk data sets

As well as communications data being stored, intelligence agencies will also be able to obtain and use “bulk personal datasets”. These mass data sets mostly include a “majority of individuals” that aren’t suspected in any wrongdoing but have been swept-up in the data collection.

These (detailed under part 7 of the IP Bill and in a code of practice), as well as warrants for their creation and retention must be obtained.

“Typically these datasets are very large, and of a size which means they cannot be processed manually,” the draft code of practice describes the data sets as. These types of databases can be created from a variety of sources.

More on the IP Bill
During the past 12 months, WIRED has covered the passage of the IP Bill through parliament. Here’s some more reading on the bill’s journey from WIRED and beyond:

– Full bill as passed by House of Lords: read more

– UN warns UK’s IP Bill ‘undermines’ the right to privacy: read more

– Government codes of practice: read more

– Mass surveillance in UK’s IP Bill not justified, MPs and Lords say: read more

– Snooping law must be ‘fundamentally rethought and rebuilt,’ Lord Strasburger says: read more

Leave a Reply