Described as the most extreme surveillance legislation ever passed in a democracy, the Investigatory Power Act has passed into law in the U.K. today, due to lack of substantial opposition.
It will come into force next year, after emergency surveillance legislation put in place by the prior coalition government, with even less parliamentary scrutiny than the IP bill was afforded at the end of December.
The Investigatory Power Act, in its current form, creates an updated framework for state surveillance capabilities, enshrining in law investigatory powers that had previously been authorized in the shadows via a network of obscure legislative clauses. Some capabilities were only avowed in parliament in recent years, following the 2013 Snowden disclosures — and as a result, were deemed by the U.K. intelligence agencies’ own oversight court to have been operated illegally.
The new law also brings with it a new requirement: that communications service providers harvest and retain logs of the digital services accessed by all their users for an entire year. This log can be accessed by a wide range of government agencies, not just law and intelligence agencies. Access to the log does not require a warrant.
While combating terrorism has been the government’s explanation for the need for the surveillance powers set out in the legislation, they have never adequately explained how a senior exec working in fraud and error services at the Department for Work and Pensions, for example, might be actively engaged in a War on Terror.
Privacy concerns are not the only problem, either. A massive security concern is what the legislation implies for encryption — given it hands U.K. authorities the power to require a company to remove encryption, or limit the rollout of end-to-end encryption on a future service, raising the specter of backdoors damaging trust in U.K. companies — as well as risking the security of user data.
The government claims a “double lock” authorization process that loops in the judiciary to signing off intercept warrants for the first time in the U.K., along with senior ministers, bolsters against the risk of the “most intrusive investigatory powers” being misused. Critics have argued against this, saying judges will just be rubber-stamping warrants on process, not interrogating the proportionality of the substance.
The oversight court for U.K. intelligence agencies also has yet to rule on the proportionality of the law’s so-called bulk measures — which it is due to do next month, when it will also be ruling on the legality of the powers with the wider European Union context. It will still be too late to be included into the IP bill’s parliamentary scrutiny, however.
Challenges to the legislation at the European level are likely, given European courts have ruled against bulk collection. However, the UK’s dynamic with the EU remains a question mark after the Brexit ruling, so whether U.K. law will be bound by any European legal judgments condemning the new surveillance law remains to be seen.
A petition to parliament to repeal the Investigatory Power Act has already passed more than 140,000 signatures — exceeding the 100,000 signature threshold where parliament must consider debating a petition. But given the lack of debate in parliament the first time round, the majority of MPs who backed the bill will probably not backtrack so easily.