Britain's New Mass Surveillance Law Presages Crypto Fight
Parliament Passes 'Snooper's Charter' Pilloried by Privacy Rights Groups
Britain has enacted a new mass surveillance law that continues to draw criticism from privacy advocates. The Investigatory Powers Act 2016 was passed by Parliament and signed into law by the Queen this week.
The home secretary, Amber Rudd, hailed the IP Act using typical political bravado, lauding it as "world-leading legislation" providing "unprecedented transparency and substantial privacy protection" while allowing police and intelligence services to better battle terrorists.
But the new law enshrines the government's right to "bulk data collection" despite the EU's high court ruling that such untargeted collection violates human rights. And the inventor of the world wide web, Tim Berners-Lee, has slammed the new law, calling it a "security nightmare."
"This Snooper's Charter has no place in a modern democracy - it undermines our fundamental rights online," he tells the BBC. "The bulk collection of everyone's internet browsing data is disproportionate, creates a security nightmare for the ISPs who must store the data - and rides roughshod over our right to privacy. Meanwhile, the bulk hacking powers in the bill risk making the internet less safe for everyone."
Many privacy rights groups, which have been fighting the bill every step of the way, also remain concerned. Jim Killock, executive director of the Open Rights Group, has branded the IP Act as "one of the most extreme surveillance laws ever passed in a democracy," noting that it gives "police and intelligence agencies ... unprecedented powers to [monitor] our private communications and internet activity, whether or not we are suspected of a crime."
Numerous privacy experts predict that the bill will now be used by authoritarian regimes to justify their own domestic surveillance programs.
The #snooperscharter is now law. If you wish to show your opposition to such extreme surveillance just send an email to, well, anyone really
— David Schneider (@davidschneider) November 29, 2016
Petition Seeks Overturn
A Parliament petition calling for the law to be repealed now has more than 140,000 signatures, which will require Parliament to consider debating the measure.
The Home Office has already responded to the petition, claiming that the new law was subject to "unprecedented scrutiny prior to and during its passage" and that more than 1,700 amendments to the bill were proposed and debated this year.
"The Investigatory Powers Act dramatically increases transparency around the use of investigatory powers," it claims. "It protects both privacy and security and underwent unprecedented scrutiny before becoming law."
If At First You Don't Succeed
This wasn't the first attempt by the government to push through the controversial law, which has been branded the Snooper's Charter by critics because of its focus on giving the government greater surveillance powers (see UK Debates Rebooted "Snooper's Charter").
The bill was first proposed by former Home Secretary Theresa May, who's now the country's prime minister. Critics say its passage may have been aided by Parliament's focus on Brexit.
The government says some provisions contained in the new law will need to be extensively tested and won't take effect for some time. But other parts of the law will take effect almost immediately. For example, before Dec. 31, when the current Data Retention and Investigatory Powers Act 2014 expires, ISPs and mobile phone services will be required to retain for 12 months the internet browsing, voice call, email, text, internet gaming and mobile phone usage records for every subscriber.
Backdoors Subvert Security
The new law also gives the government the power to require companies that do business in Britain to weaken their crypto on demand. That led many technology giants - including Apple, Facebook, Google, Microsoft, Twitter and Yahoo - to warn Parliament earlier this year that the bill stood to undermine personal security.
In particular, technical capability notices, as defined under clause 217 of the bill, can be imposed on any telecommunications operator, requiring them - in the bill's language - to remove any "electronic protections" on encrypted communications. The government can also legally prevent the organization from publicly discussing that it's been served with such a notice.
But strong crypto - meaning any strong encryption scheme with no backdoors - is essential for helping individuals, organizations and governments defend themselves against everyone from corrupt law enforcement agents and cybercriminals to foreign powers and bored teenagers.
"What a lot of politicians and lawmakers fail to understand is that if the U.K. government has a backdoor into encryption software, so does every other government on the planet," Dublin-based cybersecurity expert Brian Honan tells me. "So that means the Chinese, the Iranians, the North Koreans can get to that data. And they may not have the same qualms or structures in place to make sure that only authorized people get those keys or those keys are only used under certain conditions."
Thus, while the British government trumpets that its new surveillance law will help to better battle criminality and terrorism, if the government uses the law to weaken crypto by demanding backdoors, then it stands to make us all less safe.