Governance & Risk Management , Privacy
UK Lawmakers Push Ahead With Revised Snoopers' Charter
The Investigatory Powers Bill Will Allow Police to Collect More DataProposed legislation called the "snoopers' charter," which would allow British intelligence agencies to collect data on a large scale, cleared further parliamentary scrutiny this week despite mounting criticism from privacy advocates, watchdog groups and technology companies.
See Also: Four Imperatives Financial Institutions Face in the Digital Era
U.K. lawmakers in November 2023 introduced the Investigatory Powers Bill, which seeks to update the Investigatory Powers Act of 2016 - the primary regulation governing the interception of electronic communications by British intelligence agencies, including the Government Communications Headquarters, MI6 and MI5, and other British law enforcement agencies.
Civil society organizations dubbed the regulation the "snoopers' charter" when it was first introduced in 2015.
The House of Commons on Tuesday approved the revised bill on the first reading and retained provisions that could allow British intelligence agencies to carry out large-scale collection of bulk public datasets that contain the "who, where, when, how and with whom of communications," according to MI5.
The bill also authorizes law enforcement to collect data in bulk from third-party telecom service providers, including internet connection records, such as details of websites visited by users, which enable law enforcement agencies to process further data at a user's IP level.
The revised regulations will require telecom companies to notify the Home Office of any changes introduced to their software.
At Tuesday's hearing, Andrew Sharpe, a conservative member of Parliament and co-rapporteur of the bill, said the amended proposal will give the U.K.'s intelligence services "tools to keep the country safe" while ensuring that law enforcement requests for information are made in a "proportionate way which places privacy at its heart."
Hours after the conclusion of the hearing, tech industry body TechUK was quick to criticize the proposal, fearing that the bill could hinder "technological advancements aimed at improving consumer privacy, integrity and security."
The organization, which represents 1,000 tech firms, said the proposals that require companies to notify the government of software changes would deter them from making changes to their products.
"Instead of focusing on improving user privacy and security, firms' attention would have to be diverted towards fulfilling the surveillance needs of the government," TechUK said.
Tech giant Apple also criticized the provision on change notification on Monday. It told the BBC that the proposal could allow the U.K. government to "secretly veto new user protections globally," which would prevent the company from rolling out security updates to its customers.
"We're deeply concerned the proposed amendments to the Investigatory Powers Act now before Parliament place users' privacy and security at risk," Apple said.
A Home Office spokesperson played down the concerns, saying the government supports "innovation and privacy" but added that "lawful access" to communication is vital to identify child sexual abusers and terrorist activities.
"We have always been clear that we support technological innovation and private and secure communications technologies, including end-to-end encryption, but this cannot come at a cost to public safety," a Home Office spokesperson told Information Security Media Group.
Efforts to revise the bill stem from the June 2023 review of the Investigatory Powers Act of 2016 by British parliamentarian David Anderson. The review, called the Lord Anderson report, said current restrictions on processing bulk personal datasets in the 2016 law have prevented British intelligence agencies from collecting large swaths of public datasets.
British intelligence agencies primarily objected to restrictions imposed on processing bulk personal datasets, which is currently under "triple-lock" authorization, requiring the agencies to first obtain a warrant for interception or equipment interference from the Secretary of State. The warrant then has to be approved by a judicial commissioner and ultimately by the prime minister. Warrants are currently valid only for six months.
These measures prevented the agencies from accessing data needed to train their machine learning systems for faster crime detection and threat disruption, which in turn posed a threat to national security. The agencies raised similar concerns about end-to-encryption rolled out by tech companies, which they said also prevented them from collecting data in a timely manner, according to the report.
The report recommends further amendments to the act, including the introduction of a new category of bulk personal data "with low or no expectation of privacy," an increase in the timeline for data retention, and revisions to the role of judicial commissioner.
In response to the suggestions, lawmakers have introduced the latest bill with an amended scope for bulk personal datasets. Under the revised bill, a bulk personal dataset could include any data in the public domain that is shared with consent, bringing official records, audiobooks and podcasts, and content derived from online video sharing.
The amended proposal will also allow the head of the intelligence service to authorize data collection and processing, creating a new Investigatory Powers Officer, who can nominate individuals from the law enforcement agencies to the position of judicial commissioner. It also proposed extending the time of interception and data retention to 12 months.
The bill also removes safeguards put in place to secure journalistic sources under the previous regulation, to allow law enforcement agencies to "identify any confidential journalistic material" or "identify or confirm a source of journalistic information."
In addition to industry tech players, privacy groups Big Brother Watch, Privacy International and Open Rights Group are vocal critics of the bill. In a January letter, Open Rights Group said the bill could transform "private companies into arms of the surveillance state" - "eroding the security of devices and the internet."
Sarah Simms, policy officer at Privacy International, said the government is using the proposed amendments to dilute existing safeguards put in place under the IPA 2016 to reduce the administrative burden for law enforcement agencies.
"Overall, the government is suggesting to essentially weaken the powers/existing safeguards, which we believe need to be strengthened, not diluted," Simms told ISMG.