In two days time “Investigatory Powers Act” will come into force in the United Kingdom. The legacy of Theresa May’s time at the Home Office, the Act has attracted a huge amount of discussion and criticism amongst politicians, human rights activists and internet privacy campaigners.
This post breaks down the main provisions of the Investigatory Powers Act and how the Act will change the landscape of privacy in the United Kingdom. It starts with a brief explanation of how we got to this point. It ends with some thoughts on how the Act affects our relationship with government power and adds to what I’ve called the virtual panopticon of modern life. Most importantly, I’ll try to answer the fundamental question of “who can see my stuff?”
Some of this is a bit legal. The TLDR is that a lot of government workers can see you were on RedTube (other sites are available) – but not which of its particular offerings you decided to sample.
Our internet history
The internet has since its popular expansion been regarded as a great tool of freedom. It has created the opportunity for individuals to share, read and interact on a scale previously unseen. It is the printing press of the modern age and more. The possibility of complete or partial anonymity increased the potential for freedom of the online self.
The growth of an independent and private online self has obvious dangers. Institutions of state such as the police and security services have long recognised the need to patrol the internet for legitimate purposes – the suppression of terrorism, serious crime, trafficking and so on. The Investigatory Powers Act is not our government’s first attempt to create a legal framework for governing cyberspace.
Until 2014, the police and security services used a mixture of statute and common law, along with the extremely outdated Regulation of Investigatory Powers Act 2000, to authorise increasing sophisticated and intrusive surveillance and data gathering. Subsequently, the Edward Snowden leaks revealed mass collusion between the UK’s surveillance body GCHQ and its American counterparts in programmes such as Tempora and Prism; programmes which involved fibre-optic wiretapping and collection of private data from online services such as email, Facebook and Google on a mass scale. In October of this year, the Investigatory Powers Tribunal found that MI5, MI6 and GCHQ had been collecting this “bulk communications data” and “bulk personal data sets” illegally for the past 17 years. This included the personal, financial, tax, medical and travel information of UK citizens.
2014 saw the advent of the much criticised “DRIPA” – the Data Retention and Investigatory Powers Act. Described as “emergency” legislation, the 2014 Act was introduced and passed in only four days. DRIPA introduced an obligation on communication companies (internet service providers, phone companies and so on) to collate databases of private data (emails, texts, phone call logs etc.) which could then be accessed by state bodies on request, without warrant.
DRIPA was highly controversial from its inception and was subject to a legal challenge by Tom Watson (now deputy leader of Labour) and David Davis (then Tory backbencher, now Secretary of State for Brexit). The High Court deemed it illegal; the government appealed; the High Court referred the case to the European Court of Justice for guidance on if the UK breached its obligations to protect the privacy of citizens under EU law. In the first post-Brexit case against the UK government, the ECJ found that DRIPA does breach EU law due to its “general and indiscriminate retention” of private data, which is retained without the individual ever being informed – even if they haven’t done anything wrong.
DRIPA had not been used to protect against terrorism and serious crime. It had been used by local councils to authorise secret surveillance of dog fouling, pigeon feeding and noise complaints. The ECJ did however consider “targeted surveillance to combat serious crime” as legal; this can be justified in the public interest.
New year, new law
As mentioned, DRIPA is due to leave the field of play on 31 December. Its replacement is the Investigatory Powers Act (“the IPA”), devised by our previous Home Secretary and now PM, Theresa May and heralded by her successor Amber Rudd as “world leading legislation”. After receiving royal assent in November, a petition for its repeal garnered 205,916 signatures; The Petitions Committee then decided not to debate the petition, citing the Bill’s debate in Parliament before passage. So much for direct democracy.
The IPA for the first time sets out a legal framework for the interaction between the individual and state online. It governs the interception and retention of data (with and without a warrant), the government’s use of hacking and other security techniques and the issuing of “bulk” hacking and data collection. Happily, these practices require a warrant. This warrant requires the interested government department to apply to the Home Secretary, who may issue a warrant only after its approval by the Judicial Commissioners. This provides a key level of legal scrutiny of government action akin to a magistrate approving a search warrant for a suspect’s home. The official line on the IPA reflects this point:
“The Investigatory Powers Act dramatically increases transparency around the use of investigatory powers”.
So… who can see my stuff?
Despite the above claim of transparency, Part 3 of the IPA deals with what it describes as “Authorisations for obtaining communications data”.
Companies are still required to keep records of their users’ “relevant communication data” for one year. This data includes what the legislation helpfully calls “Internet Connection Records“. What this rather opaque phrasing means is that every time you connect to a site, a log is created of the domain you’ve visited, the duration of your visit, your IP address and details about the device you’ve used to connect.
IPA sets out a table of relevant public authorities at Schedule 4. It includes the usual suspects and a few surprising newcomers. All of these government bodies can potentially view your internet history. All they have to do is ask.
- The police
- Military police
- Security Service
- Secret Intelligence Service
- Ministry of Defence
- Ministry of Health
- Home Office
- Ministry of Justice
- Foreign Office
- National Crime Agency
- Department for Transport
- Department for Work and Pensions
- The Ambulance Trust
- Competition and Markets Authority
- Department for Communities
- Financial Conduct Authority
- Fire and Rescue Authorities
- Food Standards Agency
- Gambling Commission
- Health and Safety Executive
- Health and Social Care
- Serious Fraud Office
So… who do they ask?
… Themselves. The IPA uses a “single point of contact” model. This means that when a government body want to access this database of private data, they ask a “designated senior officer” within their own organisation. No judges, no hassle. Whilst we would expect an extremely senior level of authorisation instead, the legislation empowers, for example, a police officer of the rank of inspector or above to access certain information.
So… when are they allowed to ask?
The designated senior officer can grant a request from within his or her own organisation if he/she believes it is necessary for the purposes of a specific investigation or for one of several “Art 61(7) reasons”. These reasons are:
- National security,
- Preventing or detecting crime or of preventing disorder,
- The economic well-being of the United Kingdom so far as those interests are also relevant to the interests of national security,
- Public safety,
- Protecting public health,
- Assessing or collecting any tax, duty, levy or other imposition, contribution or charge payable to a government department,
- Preventing death or injury or any damage to a person’s physical or mental health, or of mitigating any injury or damage to a person’s physical or mental health,
- Investigations into alleged miscarriages of justice,
- Regulation of financial services and markets, or
- Financial stability.
Whilst the ECJ and European Convention of Human Rights (enshrined in UK law by the Human Rights Act) view the prevention of terrorism and serious crime as legitimate reasons to obtain and collect our private information, the IPA leaves it at just “crime” and even includes “preventing disorder“. The definition of disorder treads a thin line between policing genuine threats to the public and the potential to limit democratic protest and civil disobedience. After all, what is disorder? How would this Act have been used against the London rioters as opposed to the Occupy movement? This wording forces us to place real trust in the proper and democratic use of power by the government of the day.
Furthermore, the ability to access information for the purposes of a “specific investigation or operation” appears to be a legislative “catch-all” for any purpose not included above.
And if you remember – didn’t the ECJ just find a lot of this to be unlawful?
The famous utilitarian thinker Jeremy Bentham first developed the idea of the “panopticon” – a prison in which cells are placed in a circle around a central observation tower. The guards in the tower can see every cell, whilst prisoners cannot see who is watching them. Examples of the design’s influence can be seen in Cuba, across the United States and the Republic of Ireland amongst others.
Michel Foucault later developed his theory of panopticism in his landmark work “Discipline and Punish”. Foucault studied power and the ways in which power operates. In the panopticon, the prisoner is always observed. His movements are always known. But as he cannot see who is watching him, the relationship is one-way. He is the subject of a power relationship. The goal of surveillance is information. Information – knowledge – is key to the exercise of power. They are the two sides of a coin. The inmate, who cannot avoid being observed or change the terms of his observation becomes:
“the object of information, never a subject in communication”
The central tower is always watching – even if there are no guards inside – due to its constant visibility to the prisoners. Thus, the panopticon operates automatically. Prisoners will act as if they are being observed even if they are not. Foucault demonstrated his theory in relation to other institutions such as schools and hospitals.
This theory of surveillance and power has been given interesting application to modern society, in which technology allows mass scale, centralised observation of citizens to take place. Shoshana Zuboff describes an “information panopticon” in her book In the Age of the Smart Machine in which surveillance is carried out by computer systems which track the input of users. It is not hard to replace the image of cells and a central tower with a security operative observing a wall of screens containing satellite images, CCTV footage and private internet data.
We are well used to the idea of living in democratic society. By that we mean more than a system of voting. Our idea of democracy carries with it ideas of inherent human rights, dignity and individualism. Privacy is one of these fundamental assumptions. While there are very compelling reasons to give up some privacy, and for the government to have extensive ability to track deserving suspects, we do expect a certain level of protection to be involved. We assume that in a democratic society our privacy will only be punctured if it should be – if there is a clear public interest in surveilling the individual which is independently verified by a court. After all, we are citizens, not subjects. The effect of the IPA and its “single point of contact” model bypasses this protection. It opens up a significant amount of private data to a wide range of public bodies, for a wide range of purposes – and the government has the resources to actually make use of its powers.
You wouldn’t allow public officials to observe and note what books you read or what hobbies you have. You wouldn’t allow them to know how long you spent fixing your car or cooking dinner. But now they can see how long you spent shopping online, or on facebook. Here we can see the IPA has the potential to subtly realign the exercise of government disciplinary power in society by creating citizens who are objects of information who do not know when or if they are being observed and will never be told, and are therefore never a subject in communication.
Of course, in a routine, day-to-day sense there may be very little visible impact on our lives. Our data is already recorded in a host of ways for advertising and commerce. We are already tracked in public on CCTV and satellite. Life goes on. We may even desire a degree of surveillance to guarantee public safety. We should however be careful to recognise laws which grant such broad powers as, one day, they might be abused. In a democracy we are always one election away from autocracy. The United States now has a president who is strongly pro-surveillance and has encouraged hacking of a political rival. Do we continue to share our information through joint UK-USA programmes?
Privacy and security in 2017
2016 is struggling to the finish, coated in the grime of war and terrorism, bloodied by political upheaval, cultural fears and even an inexorable tide of dead celebrities.
In the new year the UK government will have more power over private data than is enjoyed in many autocracies. The IPA, whilst introducing safeguards over some aspects of our online privacy simultaneously exposes it to unprecedented levels of government intrusion. It allows the gathering of evidence before the crime – before the suspicion of a crime. It is a small reversal of the idea that we are citizens rather than subjects and adds another screen to the ever strengthening virtual panopticon of the digital age.
Whilst there is a pressing and vital need for the government to access private data for several purposes – mainly counter-terrorism – this legislation is so broad that it is open to potential misuse. We must hope that we do not elect our own Donald Trump or that politics doesn’t continue with its current rhetoric on human rights.
We can no longer expect our online presence and identity to be private. The anonymity which was once the definition of the online experience is increasingly diminished. The way we use and understand the internet is changing. As our interactions online become more personal and identifiable, we must be careful not to lose the freedoms and individualism the internet’s anonymity originally allowed us. We should consider the need to protect our privacy using available software.
Overall, you now have arguably less privacy from government bodies online than you do from a tabloid journalistic taking a picture of you through your bedroom window.
As I’ve managed to do this without mentioning George Orwell or “Big Brother”, I’ll leave you with this:
“With the development of television, and the technical advance which made it possible to receive and transmit simultaneously on the same instrument, private life came to an end. Every citizen, or at least every citizen important enough to be worth watching, could be kept for twenty-four hours a day under the eyes of the police…”