Britain unveiled plans on Wednesday (4 November) for sweeping new surveillance powers, including the right to find out which websites people visit, measures which critics denounce as an assault on freedoms.
Across the West, debate about how to protect privacy while helping agencies operate in the digital age has raged since former U.S. intelligence contractor Edward Snowden leaked details of mass surveillance by British and U.S. spies in 2013.
Experts say part of the new British bill goes beyond the powers available to security services in the United States.
The draft was watered down from an earlier version dubbed a “snoopers’ charter” by critics who prevented it reaching parliament. Home Secretary Theresa May told lawmakers the new document was unprecedented in detailing what spies could do and how they would be monitored.
“It will provide the strongest safeguards and world-leading oversight arrangements,” she said. “And it will give the men and women of our security and intelligence agencies and our law enforcement agencies … the powers they need to protect our country.”
They would be able to require communication service providers (CSPs) to hold their customers’ web browsing data for a year, which experts say is not available to their U.S. counterparts.
“What the British are attempting to do, and what the French have already done post Charlie Hebdo, would never have seen the light of day in the American political system,” Michael Hayden, former director of the U.S. National Security Agency and Central Intelligence Agency, told Reuters.
May said that many of the new bill’s measures merely updated existing powers or spelled them out.
Police and spies’ access to web use would be limited to “Internet connection records” – which websites people had visited but not the particular pages – and not their full browsing history, she said.
“An Internet connection record is a record of the communications service that a person has used – not a record of every web page they have accessed,” May said. “It is simply the modern equivalent of an itemised phone bill.”
The Computer and Communications Industry Association, a lobby group for Internet and telecoms firms including Google , Microsoft Corp and Facebook Inc, said the proposals were a concern.
“The bill is a setback for privacy rights and part of a worrisome trend towards more governmental surveillance in Europe while the United States is reforming its surveillance practices,” CCIA Europe Director Christian Borggre said.
May said there would be no new ban on encryption, but in its guide to the bill, the Home office said there was an existing requirement on CSPs “to maintain permanent interception capabilities, including maintaining the ability to remove any encryption applied by the CSP”.
The bill would also place explicit obligations on service providers to help intercept data and hack suspects’ devices, which U.S. experts said might defeat any encryption that remains, such as the end-to-end encryption on Apple’s iMessages.
As well as being able to carry out bulk interception of communications data, the security services would be allowed to perform “equipment interference”, whereby spies take over computers or smartphones to access their data.
Technology companies could be compelled to assist in that process. Even if they cannot be ordered to provide an update that would compromise equipment, said Kurt Opsahl, deputy executive director of the Electronic Frontier Foundation, they might be told not to issue an update that patches a security flaw being exploited by the government.
“Equipment interference is a big one, because that undermines trust in the products,” said a US industry trade group’s expert on the bill, asked to predict opposition from the likes of Apple, Facebook and Google. “If it makes you hesitate to update your iPhone software or use WhatsApp or Gmail, that’s a big deal for them.”
In a statement, Yahoo said it was especially concerned that the law would extend to non-UK companies. It and other companies did not respond to questions as they digest the lengthy bill.
In a concession to privacy groups, May said there would be jail penalties for anyone abusing the system and a two-tier oversight system with senior judges with veto power reviewing all the 2,800-odd ministerial-approved warrants issued each year to allow suspects’ emails and conversations to be intercepted.
Amnesty International said the powers would “take the UK closer to becoming a surveillance state” and Shami Chakrabarti, director of civil liberties group Liberty, said the bill constituted “a breath-taking attack on the Internet security of every man, woman and child”.
The opposition Labour Party broadly supports the bill, but veteran Labour lawmaker David Winnick said if the proposals were passed without substantial amendments “it would be very unfortunate and a bitter blow for civil liberties”.
“I remain concerned, even if I am one of the few who do remain concerned, about the excessive powers which will be given to the security authorities in addition to what they already have, though judicial involvement is better than no judicial involvement,” he told parliament.
Ministers and officials have argued that current British laws governing surveillance powers are outdated, drafted in the days before anyone anticipated the widespread use of social media, leaving the police and security agencies unable to keep up with technology used by terrorists and serious criminals.
In April last year, the European Court of Justice (ECJ) struck down an EU directive requiring telecoms companies to store communications data for up to two years because it interfered with people’s right to privacy.
Britain rushed through emergency legislation as a result, but these measures were later ruled unlawful by London’s High Court, meaning the government must produce a replacement by the end of next year.
After Snowden’s disclosures, three major reviews cleared British spies of acting illegally but all agreed the laws needed an overhaul.
In unprecedented display, spy chiefs have invited journalists into their headquarters to argue for new powers and to try to reassure sceptics that they were not interested in mass state surveillance of people’s private lives.
They have also pointed out that private companies such as Google or Facebook hold more data about individuals with less oversight.
Existing European rules on data protection were adopted in 1995, when the Internet was still in its infancy.
In January 2012, the European Commission published a vast legislative package aimed at replacing the existing rules and giving greater protection to personal data across the EU.
The package includes two legislative proposals: one general regulation on data protection (directly applicable in all the member states) and one directive specifically aimed at data protection in the police and the justice systems (to be transposed into national law).
Since then, the data protection debate took a new twist with revelations about US eavesdropping activities.
Whistleblower Edward Snowden revealed in 2013 that the NSA had secret wide-reaching authority to snoop on emails and internet communications using a data-mining programme called Prism.
European politicians reacted angrily to the news and called for stricter measures to ensure privacy.