GCHQ headquartersWhile the UK is preparing to exit the European Union, and therefore will no longer need to abide by the Charter of the Fundamental Rights of the EU, the Parliament passed the Investigatory Powers bill (also known as "Snoopers' Charter.")
The IP bill has been criticized by many individuals, companies, and human rights organizations, as well as parliamentary commissions, for being almost irreparably broken due to how invasive it is.
“The IP Bill will put into statute the powers and capabilities revealed by Snowden as well as increasing surveillance by the police and other government departments,” said Jim Killock, Executive Director at the Open Rights Group.
“There will continue to be a lack of privacy protections for international data sharing arrangements with the US. Parliament has also failed to address the implications of the technical integration of GCHQ and the NSA,” he noted.
The bill was first introduced in 2012 by then Home Secretary, and now Prime Minister, Theresa May. Since then, it has failed twice to get passed, as the Parliament’s upper house (the House of Lords) refused to send it along without further modifications. However, it looks like the third time was the charm.
Despite all the modifications, the Parliamentary committees that evaluated it still ended up declaring that the bill is fundamentally broken because it enshrines surveillance powers for multiple government agencies, while privacy rights are tacked on only as an afterthought.
The Intelligence and Security Committee argued it should’ve been the other way around; the privacy rights of UK citizens protected by many local and international laws, including EU’s Charter of Fundamental Rights, should’ve been included by default in the IP bill. Surveillance powers should’ve been given as exceptions only to those privacy rights for various specific and well-defined situations.
Decryption On Demand
The IP bill requires companies to decrypt encrypted conversations when it’s technically possible for them to do so. However, it’s not clear in the law what exactly that implies, and whether it forces companies to write code to make decryption easier.
For instance, Skype or Hangouts conversations can already be decrypted and seen by Google, which means it would be trivial for the UK government to ask for that data. What is not clear is what happens with Whatsapp conversations. Those messages are end-to-end encrypted, and even WhatsApp and Facebook don’t have access to them.
The government will likely imply that the law does indeed force them to make those messages decryptable, but Facebook would be smart to take the government to court and fight as hard as possible to reject that interpretation of the law. If nothing else, Facebook should fight it so that it doesn’t have to deliver two forms of encryption for its messages, based on whatever country makes end-to-end encryption illegal.
If Facebook is forced to do this, then trust in its end-to-end encrypted messages in countries where they are still legal may also wane. Once Facebook enables decryption capability, it would be hard to know if you’re actually using E2E encryption or whether Facebook changed it on you. One way to ensure Facebook behaves is to verify the security codes and watch out for when they change, as that may suggest possible interception by either Facebook or intelligence agencies. However, most people are unlikely to do this.
Browsing Activity Recorded Automatically By ISPs
Perhaps the even more obvious infringement on privacy rights to British people is the fact that all browsing activities will be recorded by ISPs and stored for a year. Similar laws have already been declared invalid by the Court of Justice of the European Union, because they infringed on people’s privacy rights under the Charter of Fundamental Rights. However, with the UK soon to leave the EU, this likely won’t be an impediment anymore for the UK government.
ISPs have complained about the costs that this might impose on them, but the government hasn’t given a clear response on how the ISPs are supposed to pay for them. What’s likely to happen, essentially, is that British citizens will end up paying for their own wiretapping through higher internet access bills.
Bulk Hacking & Surveillance
Earlier this year, the parliamentary committees also criticized the Snoopers’ Charter for giving intelligence agencies the power to collect data in bulk from everyone without any clear guidelines for when it's acceptable to do so, and without much supervision. They also criticized the bill for allowing hacking of networks of computers and devices under vague policies. The GCHQ may now be legally allowed to hack entire organizations, a power that the committees didn’t even think should exist.
Mass Surveillance Mitigations
The Snoopers’ Charter makes it law that all browsing activities should be recorded at the ISP level, which means it won’t do much good to use the “private mode” of your browser. The only way to protect against this is to obfuscate the connection between yourself and the ISPs.
That can be done through the use of the Tor Browser, which is probably the safest way to connect to the internet in the UK now. Zero knowledge VPN services that use modern security and don’t have servers in the UK may also be a reasonable alternative, but they’re likely to require payment if used constantly month after month.
The use of these tools doesn’t necessarily mean individuals would be safe against targeted surveillance by intelligence agencies, but at least their browsing histories won’t be tied to their identity when they’re collected automatically by the ISPs.
Other ways to make mass surveillance difficult is to use end-to-end encrypted apps and services, such as Signal for chat or ProtonMail for email. WhatsApp could also be a good interim alternative, but as we already mentioned, it remains to be seen how the decryption clause affects it. The decryption clause is less likely to affect the open source U.S.-based and nonprofit-backed Signal or the Switzerland-based ProtonMail.
Ultimately, these tools won’t be a magic solution to extremely invasive surveillance laws such as Snoopers’ Charter, and only political activism may one day be able to reverse these changes in the law. However, the more people use them, the more they also show their disagreement with the IP bill, and it’s one of the few ways in which they can make an impact against it right now.
The IP bill is technically still not a law yet, as it awaits royal assent. However, that’s usually a mere formality, so the bill is expected to be promulgated soon.