Should UK Citizens Be Scared of Their New Internet Surveillance Bill?

This post originally appeared on VICE UK.

The "Snoopers Charter" is back, and the UK government is making another attempt to store online activity, this time with something called the Investigatory Powers Bill. It could give police and spies powers to track our web browsing, build backdoors into secure apps, and snoop on journalists' sources.

That doesn't sound great, but there's no need to panic—not yet at least. This is only a draft bill, so expect some changes. Plus, alongside the expanded surveillance powers, there are some checks and oversight, which could help limit snooping.

Whether MPs and the Lords decide this is the right way to replace DRIPA—the previous piece of legislation concerning these powers which didn't do enough to protect privacy and was inconsistent with EU law—remains to be seen, but what does the Bill propose? Who will be able to see your porn habits? Will the police be able to read your encrypted messages to your dealer? And why will online criminals probably be rooting for this to become law?

In other words: How scared should you be?

Let's start with data collection. The UK government can already require web service providers and telecoms companies to bulk collect communications data and hold it for a year. That data includes who you call, text, or email, for example, but not the content of the message. They can find out if you contacted your dealer, but not whether you bought a bulk package or a little bit of weed.

That's now being extended to web browsing, and that applies to everyone in the UK. The plan is to also collect and store the "front page" of websites everyone visits, but not the individual pages viewed—they'll know you visited vice.com, but not that you read The Woman Who Trains Dogs to Have Sex with Humans hundreds of times.

"From my perspective, the web browsing issue is the biggest [concern]—and the emphasis on controls at the access stage rather than the gathering stage for these Internet Connection Records is part of it," Paul Bernal, lecturer at the University of East Anglia Law School, told me. "The Bill does not seem to sufficiently recognize the level of intrusion that even the gathering of this data provides. It creates vulnerability, chills behavior, and allows for huge possibilities of 'function creep.' When the data is held, all kinds of things can happen to it."

How scared should I be?
If this Bill passes, and you're visiting the types of sites that might interest police, it's safe to assume they'll know about it. Also if your porn habits will have to be stored, but I definitely can't see that being of any interest to blackmailing hackers.

The police and surveillance services can find out what's in your texts and the precise pages you're browsing, or even tap your phone conversations, and this is known as "interception." However, that requires a warrant and, under this Bill, could only be used by security services or police for the prevention and detection of serious crime, for national security and "in the interests of the economic well-being of the United Kingdom where it is connected to national security."

Presumably online piracy and low-level drug deals wouldn't fall into that category, but be warned that online laws often see function creep from more serious crimes to lesser offenses—for instance the system developed to block child abuse images from UK networks is now used to ban piracy sites, too.

At the moment, such tapping only needs to be approved by the Secretary of State, but under the new Bill would also have to be approved by a judicial commissioner. It's worth noting that this power is available not only to police and spies but the taxman, too—HMRC can also apply for interception warrants.

How scared should I be?
If you fit into the sort of profile that will arouse the attention of the authorities, you could find yourself targeted under this system. On the upside, thanks to the better oversight with judges, they'll need to convince more than just Theresa May that you're a threat.

The draft legislation itself mentions the word encryption only once, and then only in reference to existing laws, but it does make clear that companies can be given a "technical capability notice" to ensure they can comply with their "obligations" to hand over data requested by security services. Presumably this could require a company to undo encryption.

The guidance notes say: "It will provide an explicit obligation on CSPs [communications service providers] to assist in giving effect to equipment interference warrants." Existing laws (notably RIPA) already require companies to "remove any encryption" and that requirement will be kept.

What this all suggests is that encryption won't be banned, so long as it can be broken—which makes encryption a little bit pointless in the first place. It's unclear how the authorities would deal with third-party encryption, but presumably that wouldn't be CSP's problem.

Telcoms companies, comms providers, and their employees won't be allowed to tell us their encryption is broken, or about any other technical requirement from the government. People who blow the whistle on this could face up to two-years in prison. So don't expect WhatsApp, Gmail, or anyone else to tell you if the police have made them hand over your messages.

How scared should I be?
You can send secret messages, but they're only "secret" as long as the government allows them to be so.

This Bill gives GCHQ as well as police explicit permission to hack and bug computers and phones, euphemistically calling it "equipment interference."

This was already allowed under other laws, but will under this bill be subject to the same rules as interception (national security, serious crime, and all that) and will also require the approval of a judicial commissioner in addition to the Secretary of State—but only for the "more sensitive and intrusive techniques." Hacking a computer for spying purposes will need judicial approval, but if you're arrested for terrorism, police can look through your phone.

This means that if police or spies can't get to your data any other way—such as if you use your own strong encryption—they can simply hack your devices to see what you're typing.

How scared should I be?
The police can legally hack your stuff. That's quite scary, right?

The IP Bill is singling out a selected group of people in "sensitive professions" for more protection, including doctors, lawyers, journalists (hi!), MPs and religious ministers.

But that doesn't mean they can't be hacked or tapped. Communications to and from MPs can be intercepted, but the Prime Minister must be consulted first. To see comms data of journalists in order to identify a source, police and spies will need approval from the judicial commissioner, which isn't normally required. For actual interception, they will need to make a "compelling" case to the Secretary of State as to why it's necessary, and also get judicial approval.

Planning to blow the whistle? Be careful how you go about it—the police and spies will be legally allowed to unmask journalists' sources.

How scared should I be?
Tapping MPs and journalists will be legal, so long as the appropriate approval is granted. If you're blowing the whistle, don't expect your identity to necessarily stay secret.

For more sensitive aspects of snooping and spying—such as interception, but not access to bulk-collected communications data—warrants will require approval from the IPC's judges as well as the Home Secretary. This "double lock" won't apply in "urgent cases," however, which just need approval from the Secretary of State.

Alongside that, it will become a crime to access bulk collected comms data or intercept data without "lawful authority," which is bad news for hackers but good news for people who don't want to be the victim of the next cyber-attack. Web and telecoms companies are also allowed to publish transparency reports on how many warrants they receive.

How scared should I be?
We could finally have judicial oversight of some sort on surveillance—unless it's considered urgent. If it's a controversial case, assume it'll be dubbed "urgent."

Follow Nicole on Twitter.