UK government is quietly expanding and developing controversial surveillance technology that could be capable of recording and storing the web histories of millions of people.
Official reports and spending documents show that last year UK police deemed the trial of a system that can collect people’s “Internet connection logs” a success and began work to introduce the system nationwide. If implemented, it could provide law enforcement with a powerful surveillance tool.
Critics say the system is highly intrusive and that officials have a history of failing to adequately protect people’s data. Much of the technology and how it works is shrouded in secrecy, and the agencies refuse to answer questions about the systems.
In late 2016, the UK government approved the Investigative Powers Act, which introduced sweeping reforms to the country’s surveillance and hacking powers. The law added rules about what law enforcement and intelligence agencies can do and access, but it was widely criticized for its impact on people’s privacywhich earned it the name “Snooper’s Letter”.
Particularly controversial was the creation of so-called Internet Connection Records (ICRs). Under the law, Internet providers and telephone companies can be ordered, with the approval of a higher judge’s decision, to store people’s browsing histories for 12 months.
An ICR is not a list of all the online pages you visit, but it can still reveal a significant amount of information about your online activities. ICR can include who visited TechDigiPro.com but not read this individual article, for example. An ICR can also be your IP address, a customer number, the date and time the information was accessed, and the amount of data being transferred. The UK government says an internet connection log could indicate when, for example, the easyJet travel app is accessed on someone’s phone, but not how the app was used.
“KIs are very intrusive and need to be protected from excessive retention by telecom operators and intelligence agencies,” says Nour Haidar, a lawyer and legal officer with UK civil liberties group Privacy International, who has been challenge data collection and handling under the Investigative Powers Act In the court.
Little is known about the development and use of ICRs. When the Investigative Powers Act was passed, Internet companies said it would take them years to build the systems needed to collect and store ICR. However, some of those pieces may now be falling into place. In February, the Home Office, a government department that oversees security and police in the UK, published a Mandatory review of the operation of the Law on Investigative Faculties up to now.
The review says the UK’s National Crime Agency (NCA) tested the “operational, functional and technical aspects” of KPIs and found a “significant operational benefit” from collecting the records. A small test that “targeted” websites that provided illegal images of children found 120 people who had been accessing these websites. It found that “only four” of these people had been known to law enforcement based on an “intelligence check.”