Investigatory Powers Act (IPA): Ultimate Introduction and Guide

The Investigatory Powers Act (PDF)is a new law that gives the UK government massive surveillance powers. It legalizes the tracking of internet usage, the hacking of smartphones and laptops, and the monitoring of innocent people.

It also opens up that data to a huge number of staff members in various agencies and organizations. And it provides a mandate for the mass surveillance of people outside the UK, whether they are innocent or not.

Amber Rudd, the UK’s Home Secretary, says that the Investigatory Powers Act is “world-leading” legislation, and will aid in the fight of global terrorism and pedophilia. But opponents to the Act believe that it’s the most significant threat to privacy in any democratic country, and that criminals would already know how to circumvent the systems it authorizes.

Read on to find out what the government knows about you now and how things might change in the future.

What Is the Investigatory Powers Act?

The Investigatory Powers Act legalizes a range of surveillance powers against all citizens in the UK, and a bulk surveillance provision for people outside the UK.

In the media, it’s been referred to as the “Snooper’s Charter.” Some campaigners believe that the Investigatory Powers Act has been made law without the right level of scrutiny. You can read the UK government’s explanatory notes (PDF); these notes were compiled before the Act became law.

Jill Killock of the Open Rights Group has called the Investigatory Powers Act the “most extreme surveillance law ever passed in a democracy.” Many journalists believe that it could hinder proper investigation, and Tim Berners-Lee said it “undermines our fundamental rights online.”

Joseph Cannataci, special rapporteur on privacy at the UN, has called it “worse than scary,” and more extreme than anything George Orwell imagined in Nineteen Eighty-Four.

Not all of the technology it demands is in place now, but it’s believed to be in active development.

DRIPA vs the IPA

The UK already has data retention laws under the Data Retention and Investigatory Powers Act (2014). The new Investigatory Powers Act is designed to expand and replace the DRIPA.

In December 2016, the European Court of Justice ruled that the mass collection of data under DRIPA was illegal. This is important, because that ruling could jeopardize the IPA. Both DRIPA and the Investigatory Powers Act give the UK government the same bulk data collection powers, so it’s logical that the Investigatory Powers Act will face the same level of scrutiny. But the European Court of Justice may not have the same control over the Investigatory Powers Act once the UK exits the EU, so this isn’t a foregone conclusion.

Here are three important parts of the new law, along with reasons why some experts are nervous about its consequences.

Issue One: Your Internet Use Is Being Tracked

Every UK citizen that connects to the internet is being constantly tracked by the government, and the Investigatory Powers Act makes this entirely legal. If you live in the UK, your internet activity – or “Internet Connection Records” – will be retained for a year on a central database.

Internet Connection Records contain data about your location, your calls, the domains you visit, and the devices that you use. Tracking covers every connection, including broadband and mobile. The government is able to distinguish connection activity from your phone, your laptop, and your Internet of Things devices, and it can see the services and apps that they are using.

What’s Being Tracked?

One Internet Connection Record contains the following data:

• Date
• Time
• Device
• Mobile number
• Source IP and port
• Destination IP and port
• Location
• Service or domain.

While some websites report that the browser history is being stored, that isn’t correct. The law only requires domain names to be logged; the part of the URL after the first slash may or may not be discarded – depending on the ISP.

As well as being accessed individually, bulk batches of Internet Connection Records can be obtained by security services with a warrant. These can be held for up to 6 months for analysis before being discarded, and by their nature, will almost always include data about innocent people. In reality, some bulk datasets could be held for longer.

The UK government says that Internet Connection Records will be used to determine (PDF):

• You, as the sender or user
• Services you use
• Methods you use to communicate
• Illegal content you access.

Is this really new? Yes and no. Some of the data that will be collected is probably already being collected.

• The UK government is already collecting metadata about mobile phone calls.
• GCHQ has intercepted webcam conversations to trial facial recognition.
• Edward Snowden revealed that GCHQ already monitors internet messaging under its Tempora program.
• Section 94 of the Telecommunications Act was already used to monitor communications.

So the Act takes existing surveillance activities and places them into a new legal framework. If techniques were unlawful or potentially unlawful before, they’re now certainly legal.

But there is a distinction in the way that the data is collected. The onus has shifted from intelligence agencies to ISPs and mobile networks. Hugh Woolford, Director of Operations at Virgin Media, says that Internet Connection Records are a completely new type of Big Data.

Why Is the Government Watching Me?

This data is harvested for two reasons:

• To provide information about the things individuals do online
• To analyze trends among groups of people.

For example, someone could look at the news websites you like to read, and then draw some conclusions about your political views. They might look at the time of day you use certain apps, look at the mental health services that you access, or match your political leanings with the phone calls you make. But they can also look at location data for large groups of people in one location, and cross reference that information with the websites and apps that group is using. This could be used to detect people attending a protest, for example.

The data collection is a form of mass surveillance, because it will not be targeted against people suspected of a crime. Everybody’s data is going to be logged and retained.

How Will the Tracking Be Done?

Internet Connection Records will be harvested by the ISP or mobile network that each person uses. If a UK ISP doesn’t already have a system in place, it will be required to set one up quickly, after possibly receiving financial support from the government.

The government will also have a new IT system called the Request Filter. This is a kind of search engine for all the Internet Connection Records that the ISPs and mobile networks are storing on every UK citizen.

Why You Should Worry

• The retention of internet usage records for 12 months is illegal in the EU (PDF) unless the person is under investigation, according to a Court of Justice of the European Union (CJEU) ruling concerning DRIPA. It also ruled that bulk data collection is illegal in a separate ruling.
• The retention of Internet Connection Records may infringe Article 8 or Article 10 of the Human Rights Act.
• No country in the EU, or the Commonwealth, retains Internet Connection Records in this format; Australia has actually made this kind of data retention illegal.
• New laws like the Digital Economy Bill could soon make some types of online content illegal, leading to a situation where someone could be tracked almost in real time accessing a prohibited website.
• You could be caught up in a dataset of people taking part in criminal activity due to your online behavior, entirely by accident.

Still Not Convinced?

Google maintains an archive of your entire usage history, for the entire lifespan of your account. You can view a recent summary of the kind of data it collects on the Google My Activity website.

And at Google Takeout, you can download your entire Google history as a series of zip file archives, including all of your search queries – ever. Our writers were astonished to find that Google held around 10 GB of data for every year that their accounts had been active.

Would you be comfortable if someone sent your Google archives to your family, your tax office, or your employer? What if someone else used your smartphone to do something illegal? Could you prove that it definitely wasn’t you?

Issue Two: Your Internet History Will Be Shared

The Internet Connection Records that are stored by your ISP can be accessed by a huge range of organizations. The key point about this is that sharing can take place with police or other administrative authorization alone – without the need of a court order.

The organizations in the list below can see full Internet Connection Records. What we don’t know is precisely how many people will get access. We know that there are 820 police Superintendents in England and Wales. That’s just the first line in the list below. There are 151 Superintendents and Chief Superintendents in the Police Service of Scotland. That’s just the second line. What about the rest?

We’ve now made a first attempt to answer this question. And the answer is astounding. We have documented 20,395 people who have access to your ICRs. And this is an absolute minimum – the number that we could confirm. We will doubtless add to this number as we learn more. But we will probably never know the total number because information from institutions like IM5 and IM6 are not publicly available.

• Police Force in England and Wales
• Police Service of Scotland
• Police Service of Northern Ireland
• Ministry of Defence Police
• Royal Navy Police
• Royal Military Police
• Royal Air Force Police
• Security Service Personnel
• Secret Intelligence Service Personnel
• Ministry of Defence
• Fraud Defence Unit at the Ministry of Defence
• Anti-Fraud Unit at the Department of Health
• Medicines and Healthcare Products Regulatory Agency
• Home Office Immigration
• National Offender Management Service
• National Crime Agency
• Her Majesty’s Revenue and Customs
• Marine and Coastguard Agency
• Marine and Coastguard Agency
• Air Accident Investigation Branch at the Department for Transport
• Marine Accident Investigation Branch at the Department for Transport
• Rail Accident Investigation Branch at the Department for Transport
• Department for Work and Pensions
• Department for Work and Pensions
• Scottish Health Service
• Competition and Markets Authority
• Criminal Cases Review Commission
• Department for the Economy in Northern Ireland
• Northern Ireland Prison Service
• Financial Conduct Authority
• Fire and Rescue Services From 2004 Act
• Food Standards Agency
• Scottish Food Standards Agency
• Gambling Commission
• Gangmasters and Labour Abuse Authority
• Health and Safety Executive
• Independent Police Complaints Commission
• Information Commissioner’s Office
• Counter Fraud and Security Management of the NHS Business Services Authority
• NHS Trust (any providing ambulance services)
• NHS Trust Ambulance Control Rooms
• Northern Ireland Ambulance Service
• Northern Ireland Fire and Rescue Board
• HSCNI Regional Business Services Organization
• Office of Communications
• Northern Ireland Police Ombudsman
• Police Investigations and Review Commissioner
• Scottish Ambulance Service Board
• Scottish Criminal Cases Review Commission
• Serious Fraud Office
• Welsh Ambulance Service.

In addition to these organizations that can access full Internet Connection Records, there are a number of other organizations with more limited access. They can access entities (like people and devices) and the links between entities. Some are included in the list above; these organizations provide this information for lower-level personnel.

• Police Force in England and Wales
• Police Service of Scotland
• Police Service of Northern Ireland
• Ministry of Defense Police
• Royal Navy Police
• Royal Military Police
• Royal Air Force Police
• National Offender Management Service
• National Crime Agency
• Her Majesty’s Revenue and Customs
• Marine and Coastguard Agency
• Information Commissioner’s Office (ICO)
• Security Service Personnel

The private company that builds the Request Filter will presumably also need some kind of access. So we don’t know exact figures, but we now know that there are at least tens of thousands of people who can log on and search the Request Filter.

Why You Should Worry

Let’s face it. The ISPs collecting this data will probably be hacked at some point in the coming years. We have past examples to prove it.

TalkTalk, a major UK ISP, has been hacked twice in 14 months. In a 2015 hack, an unencrypted database was stolen containing customer names, addresses, and payment details. In the 2016 hack, TalkTalk customers’ routers were infected with the Mirai worm. Personal data obtained in the first hack is widely thought to have been used to defraud TalkTalk customers.

Think about all of the hackers who are going to find the Internet Connection Records a new, irresistible target, full of data that can be sold, shared, and exploited.

There are real-world examples of this kind of surveillance system being used for dubious purposes, too. One UK family was put under surveillance for sending their child to the “wrong” school. It should be noted that local councils are not on the access list for Internet Connection Records, but when thousands of people have access to sensitive data, misuse is a realistic possibility. In December 2016, The Guardian revealed that local councils were using surveillance techniques designed for counter-terrorism in order to spy people suspected of petty crimes, like feeding pigeons, or finding the owner of a barking dog.

Still Not Convinced?

Various police staff will access Internet Connection Records using the Request Filter without judicial oversight. Let’s look at how often UK police forces leak data.

Between June 2011 and December 2015, the police:

• Experienced more than 2,000 data breaches
• Detected 800 staffmembers accessing information (PDF) with “no policing purpose”
  • Shared information inappropriately with third parties 800 times.

Between April and June, 2016, the Information Commissioner’s Office issued four massive fines for data security breaches in the police and health service:

• Blackpool NHS Trust: £185,000 for publishing a member of staff’s date of birth, national insurance number, sexuality, and religion on the internet
• Chelsea and Westminster NHS Trust: £180,000 for sending an email to patients of a HIV clinic using the CC box, instead of the BCC box
• Kent Police: £80,000 for sending the suspect in a domestic abuse case a copy of all data from his victim’s mobile phone
• Dyfed Powys Police: £150,000 for sending details about eight sex offenders to a member of the public.

These four cases alone occurred over just three months, and the number of overall data breach reports surged by 22% in that period. The health sector was most commonly found to be at fault; the Information Commissioner’s Office says that this was due to the size of the organizations and the sensitivity of the data.

If that isn’t a red flag for Internet Connection Records, what is?

The most common reason for a data breach was an IT misconfiguration, but the number of people accessing records with no policing purpose should be a cause for serious concern. Would you be Okay with your Internet Connection Records being accessed by a nosy neighbor during their lunchbreak? If you were attacked in the street, would you be comfortable with your location history being passed to the culprit?

We know this is highly likely to happen, because the number of data breaches is on the rise already.

Issue Three: You Can Be Hacked (Even If Encrypted)

Under the Investigatory Powers Act, UK security services can apply to the courts for permission to hack into anyone’s device. This permission can be granted even if the individual is not the subject of an investigation.

So it could:

• Seize, hack, and potentially destroy your devices
• Secretly install software on your device to infect other people’s devices
• Secretly install security software (like a keylogger) on your device
• Bypass service provider encryption using a backdoor
• Require service providers, such as cloud providers, to get government approval before rolling out a new service.

Bulk hacking of huge numbers of people by UK authorities is now legal too, as long as it’s only done outside the UK.

Even if you only use encrypted services, your data can be accessed. The government could demand a backdoor to any encrypted service, and demand access to the data flowing through it.

UK-based tech is now unsafe. All drafts of #IPBill “Code of Practice” require big companies offer Gov a chance to backdoor it, pre-launch. pic.twitter.com/4zNsNRBeS7

— Edward Snowden (@Snowden) December 9, 2016

Why You Should Worry

If you’re in the UK, your devices could now be hacked or infected legally. You might not have done anything wrong, and you might not be under investigation. You would probably never know about it. But it could happen. Just leave your phone unattended for a moment, and the damage would be done.

If you use an encrypted service, it could be subject to a government backdoor, legally and without your knowledge. So the government gets to bypass the security any time it likes, even if you use end-to-end encryption, essentially rendering it totally useless.

Still Not Convinced?

The Burr-Feinstein Bill proposed that the US government could effectively bypass encryption using a backdoor. This would avoid embarrassing FBI standoffs with device manufacturers who refuse to unlock devices, as Apple did last year. The Burr-Feinstein Bill has been declared effectively dead.

But this is essentially the same power that the Investigatory Powers Act grants in the UK; it forces businesses to bypass encryption if the Secretary of State approves the request. This has been likened to the recent WhatsApp ban in Brazil, where the government sought to limit encrypted communication.

Investigatory Powers Act vs Patriot Act

The Patriot Act has been extremely controversial in the United States since it’s passage shortly after the 9/11 attacks. The USA Freedom Act, which replaced parts of the Patriot Act in 2015, restricts or prohibits the bulk collection of telecommunications data by the NSA. The UK’s Investigatory Powers Act does exactly the opposite.

In Laura Poitras’ 2014 documentary Citizenfour, Edward Snowden reveals that the Patriot Act was being used as justification for bulk collecting data in the private communications between American citizens. The information he leaked was widely reported in the press and triggered a huge debate about the National Security Agency and its right to collect telecommunications metadata.

Since then, the mood in the US has turned against mass surveillance. The Patriot Act allows the US government to collect “any tangible things” (PDF) in the interest of national security. But Congressman Jim Sensenbrenner, who wrote the majority of the Patriot Act, believes that the US government embarked on mass surveillance as a “blatant misreading of the law.”

In a review of surveillance technologies, set up after the Snowden leaks, a presidential committee determined that the NSA was overstepping the boundaries (PDF), and should use other methods, such as court orders, to obtain that data.

Summary

The erosion of privacy is something that many internet users are rightly concerned about, and the Investigatory Powers Act is arguably the most extreme example of online surveillance in the western world.

Even if you feel you have nothing to hide, the prospect of hacking or casual unauthorized access should alarm you. Edward Snowden has spoken about turnkey tyranny, where systems that have been put in place by a trusted authority could be turned over to an organization with less benign aims. With mass surveillance systems in place, this becomes a more likely scenario.

The UK government is likely to face legal challenges against the Investigatory Powers Act, but it’s a step towards a world where internet freedom is compromised for the innocent as well as the guilty. Even if your country is not yet tracking you on this scale, it may only be a matter of time.

Update: Learn More About the IPA

We’ve written an update to this article, Now 20,395+ British Cops, Suits & Spooks Can Now See Every Website You Visit. Based on almost a hundred FOI requested hundreds of hours of work, we’ve created the first estimate of how many people can see your ICRs and who they are. This number (20,395 people) is a lower limit: just the people we absolutely know about. As we learn more, this number will likely rise significantly.