The U.K. government, on Wednesday, chose to double down instead.
The newly unveiled text of what critics are calling a proposed “Snooper’s Charter” or “Hacker’s License” would explicitly authorize the bulk collection of domestic data, require telecommunications companies to store records of websites visited by every citizen for 12 months for access by the government, approve the government’s right to hack into and bug computers and phones, severely restrict the ability of citizens to raise questions about secret surveillance warrants or evidence obtained through bulk surveillance presented in court, and oblige companies to assist in bypassing encryption.
Prime Minister David Cameron has said terrorists should have no “safe space” to communicate online, and Britain’s Home Office — charged with law enforcement, prisons, and border security — has presented in recent years several draft bills with that idea in mind.
The United Kingdom’s Home Secretary Theresa May, who is similar to the secretary of state for the U.S., insisted that the engines of Britain’s spy agencies would hum along as usual — just more efficiently, and with even more oversight, if the law passed. She answered questions from Parliament about the bill in the House of Commons in London on Wednesday.
There are some new limits in the bill. For example, if police wanted to use phone call information to try and track down a journalist’s source, those efforts would now have to be approved by a judicial commissioner. In fact, most warrants would need approval by a judicial commissioner, after the U.K. secretary of state signs off.
But overall, the bill, which May described as “world-leading” in its oversight provisions, remains a concern for privacy advocates because of its massive surveillance authorities and vague language and loopholes.
David Winnick, a parliamentarian from the Labour party and one of the few to offer criticism, told May that he was still “concerned” about the “excessive powers” being given to Britain’s spy agencies — a “bitter blow to civil liberties.”
Bulk Collection By Law
First, the bill explicitly authorizes bulk collection of domestic data, as long as it is “foreign focused,” “necessary in the interests of national security,” and approved by the secretary of state and the judicial commissioner. If an agency wants to actually examine domestic data, it has to get a targeted warrant — but massive amounts of data will have already been seized at that point.
“Powers for bulk interception that the government has long undertaken in secret have finally been explicitly avowed, but the case for them remains uncritically examined and evidentially weak,” wrote Privacy International in its initial statement about the bill.
May insisted that bulk collection is not a new power — that it was previously authorized under the Telecommunications Act.
However, the new standard is incredibly far-reaching. The United States Second Circuit ruled earlier this year that bulk collection of domestic communications data is so exceptionally broad as to be illegal, and in 2013 a District Court judge in Washington, D.C., found the program likely violated the U.S. constitution’s prohibition on general warrants. Congress ultimately decided to end the program and force the National Security Agency to replace it with something less intrusive.
Collection of Browsing History
Additionally, the bill would authorize British intelligence agencies to access a year’s worth of information about what websites British people visit without prior court approval. May did acknowledge this was a new power, but insisted it wasn’t all that intrusive, because a warrant would still be required to access a person’s specific browsing history, meaning every page visited on every website, rather than just the homepage URL (like the Intercept homepage versus a specific article).
Anne Jellema, CEO of the Web Foundation, expressed concerns about the bill’s mass surveillance of Internet records.
“It will hurt U.K. businesses, create new vulnerabilities for criminals to attack, and ride roughshod over the right to privacy,” she wrote. “It will be possible to paint an incredibly detailed picture of a person’s hopes, fears and activities, and will create a data pool rife for theft, misuse or political persecution.”
British citizens also aren’t confident the government will protect all that new data it would now be entitled to. According to a poll conducted by British human rights group Big Brother Watch in 2012 — when a more severe surveillance bill was on the table — 71 percent of people said they didn’t think the government could keep their data, like websites visited, secure. Though the new bill isn’t as intrusive, this new power over website history remains.
License to Hack
The government will also create a new “regime” that will be granted authority to “interfere” with “electronic equipment” — basically to hack into devices and insert malware in order to covertly access information about the device or the user during an investigation of “serious crimes.”
Currently, the secretary of state approves the technique for intelligence or military agencies, while a chief police officer or “chief constable” authorizes a request made by law enforcement to hack. With the new bill, a judicial commissioner would also have to approve.
The U.S. government, including the FBI, also uses malware to access suspects’ devices, but the practice is much more secretive and unclear. Most warrants granted to law enforcement agencies to hack are sealed, making it hard to determine how often it happens.
Cooperating Companies and Encryption Restrictions
And companies, both foreign and domestic, would be under new pressures to comply with warrants issued by the U.K. government. For example, executives of foreign technology firms served with interception warrants from any “senior official” in the U.K., including local authorities, could be jailed or fined for ignoring a warrant.
And communications providers would be required to “remove any encryption applied” from communications when requested.
Though the U.K. government says companies were previously required to comply with warrants by decrypting messages, there’s a question as to whether that’s actually the case. The government wrote in February in its Interception of Communications Code of Practice that communications providers need to provide a “permanent interception capability” — or way to access communications through a warrant. However, there is no explicit mention of decrypting text or providing plaintext.
“It’s clearly not the same thing,” said Amie Stepanovich, U.S. policy manager for international digital rights group Access Now. The U.K. government is “reinterpreting current law” by saying companies “have to actually provide a way to decrypt communications.”
She said the new language would effectively eliminate forms of encryption that companies cannot decrypt upon request, namely end-to-end encryption where only the sender and receiver hold the key to read it — technology Apple provides. With the new bill, Apple could be pressured to comply with U.K. law or pull out of the market entirely.
No Questions Asked
Finally, some privacy advocates are worried that the new protections would not be effective because of the bill’s restrictions on challenging surveillance practices.
Under the new law, it would be illegal for anyone even to ask questions in court about whether or not evidence was obtained through bulk surveillance, or to talk to anyone about a surveillance warrant received — much like U.S. policy on national security letters issued to companies by intelligence agencies.
Amnesty International, the human rights group that learned it was being spied on by GCHQ this summer, wrote that the bill’s “wider powers” would “take U.K. closer to becoming a surveillance state.”
“Just a few months ago the government admitted through gritted teeth that they’d been spying on Amnesty International and another NGO,” wrote Alice Wyss, a U.K. researcher for Amnesty. “They were only caught out then because they broke their own rules and kept our communications too long, and that’s likely to have been just the tip of the iceberg.”
Correction: November 4, 2015
An earlier version of this story conflated two judicial rulings into one. A panel of the U.S. Second Circuit ruled bulk collection illegal, but did not rule on its constitutionality. D.C. District Court Judge Richard Leon raised the constitutional concerns.