2016 has been a whirlwind year for privacy and security. Online surveillance may be a topic of discussion now more than ever but it has not put an end to the seemingly endless parade of governments and legislators introducing new laws and regulations that further erode online privacy. One of the most infamous additions to this list is the recent change to the US’ Rule 41, which now allows judges to hand down warrants for hacking thousands of computers at once, even in other jurisdictions.
In Russia we’ve seen Putin’s government pass new data laws that require companies to store Russian user data within Russia; meanwhile Turkey continues to crack down on dissent with intermittent blocks on Facebook, Twitter, and WhatsApp.
Perhaps the most shocking law passed this year though was in the UK. The Investigatory Powers Act, or “Snooper’s Charter”, was passed by the UK government a number of weeks ago and will officially come into law in 2017. It has been described as one of the most expansive surveillance laws passed by a western, developed country. So as 2017 approaches, what exactly does the IP law mean for people in the UK as well as globally?
ISPs and phone companies are required to store people’s browsing histories for 12 months, making them available to law enforcement (not to mention making them a hacking target). The full breadth of the Investigatory Powers Act will not come into play immediately. The UK’s Home Office stated that some of the provisions will require testing before full usage but the data retention obligation will come into force right away on January 1.
The law extends unprecedented powers to the police and security services to hack into the computer systems of suspects and scoop up data. The IP law is intended to only be used as part of investigations with a warrant but this aspect of the act has raised plenty of eyebrows. In one bit of painful coincidence, the law was passed just a month after a tribunal in the UK ruled that security services like GCHQ, MI5, and MI6 had been unlawfully gathering confidential data on citizens for more than 15 years.
Encryption is a debate that will not die. The Investigatory Powers Act stipulates that companies must decrypt data where it is “practicable” but the exact meaning of that is unclear. You might think that this would make a UK-style FBI/Apple controversy inevitable but not quite. The law also puts in place gag orders restricting the company from speaking publicly about the decryption request. In another twist of secrecy, according to one analysis, the law allows police and security services to lie in court about the source of their evidence, lending more uncertainty to how the law will be implemented day-to-day. At the same time, MPs and legislators are exempt from the law.
Home Secretary Amber Rudd has described the law as “world-leading legislation, that provides unprecedented transparency and substantial privacy protection.”
According to Open Rights Group, a British digital rights organization, the law is indeed world-leading but for all the wrong reasons. Executive director of the group Jim Killock said the Investigatory Powers Act will provide some sort of inspiration or justification for other countries, namely authoritarian regimes, to enact their own sprawling surveillance laws.
For the most part, the Act was passed with little hubbub. The bill had been in the works for years and had fallen at a number of hurdles but in 2016, the UK found itself so wound up in Brexit that the IP law was somehow passed with no furious debate or opposition.
It may seem like a grim future for privacy in the UK. The fight against the Investigatory Powers Act is still not over entirely but one way or another, this is the law of the land. A citizens’ petition secured more than 100,000 signatures to try and instigate a new parliamentary debate but this has not derailed the law.
Several encryption and VPN services have pounced on the news as a means to sway people over to their products. Encrypted email provider ProtonMail for example says its end-to-end encryption service does not fall under the remit of the IPB as it’s based in Switzerland. Anyone in the UK is advised to bulk up on encryption and security if they’re very serious about maintaining a semblance of privacy. Avoiding this new surveillance apparatus entirely is impossible but there are steps to take like using a VPN with no UK-based servers, messaging apps like Telegram and Signal, and encrypted cloud storage services like Tresorit.