Originally published by Mashable, 18th February 2017
By Gianluca Mezzofiore
From the moment you set foot on British soil, your personal data could easily be accessed, or even hacked, by the government.
New invasive legislation has been dubbed by critics as one of the most extreme surveillance laws ever passed in a democracy.
The Snoopers’ Charter — aka the Investigatory Powers Act — was passed into law at the end of last year. It arguably removes your right to online privacy.
In short, it forces internet companies to keep bulk records of all the websites you visit for up to a year and allows the UK government to coerce tech companies to hand over your web history with a retention notice and remove encryption, upon request.
If you think all of this sounds rather alarming, it’s because it is.
So what happens if you’re an unsuspecting visitor blissfully unaware of mass surveillance in the UK? Here’s a provisional guide:
At the airport
Before you land, your data has already been sent to the UK’s border agency for risk assessment. This is a routine check and shouldn’t make you too worried.
The problems start as soon as you’ve arrive on British soil and you turn your phone on. Under roaming, typically you’ll get a message telling you who will be your phone provider while you are in the UK.
From that moment, all communications data could be collected, kept for up to 12 months and obtained in bulk from the UK government without suspicion of criminal activity.
Telecoms companies will be required by law to have a list of every phone call made, every website visited, along with a record of date, time and duration.
So what kind of data will the government keep?
It includes the who, what, when, where and how? For example:
- Visited websites
- Email contacts
- To whom, where and when an email is sent
- Map searches
- GPS location
- Home address
But the retained data also encompass so-called Internet Connection Records (IRCs), which basically includes the internet history of the phone services used in the last 12 months:
- Mobile apps (WhatsApp, Signal, Google Maps, Twitter, Facebook)
- System updates
Uber & Airbnb
OK, you’ve passed passport control, collected your luggage and stepped out of the airport. Now you’re ready to get an Uber to take you to the Airbnb you’ve booked.
Under the Snooper’s Charter, tech companies — like Uber and Airbnb — could be considered to have the same function as an Internet provider — such as BT and Virgin — and forced into handing over personal data to the government.
Privacy campaigners believe the law is purposely vague about what could be considered a “telecommunications provider”.
“The legislation is relatively unclear whether Uber and Airbnb are included in the companies from which the government could require to retain communications data,” says Camilla Graham Wood, legal officer at Privacy International, a human rights watchdog.
The human rights group Liberty says ‘telecommunications companies’ have been defined so broadly “as to include everyone from Facebook, Gmail and Twitter, to offices, businesses, law firms, Government departments and university networks.”
The definition of ‘telecommunications service has been kept “intentionally broad so that it remains relevant for new technologies”, according to the Code of Practice on communications data from March 2015.
The Snoopers’ Charter seems to expand this definition, indicating that it could apply to a wide range of organisations. By dropping the word “public” from the draft, the law hints that various aspects of legislation could extend to private services, including private company networks and cloud services.
“An online market place may be a telecommunications operator as it provides a connection to an application/website. It may also be a telecommunications operator if and in so far as it provides a messaging service,” the law says.
After a short nap, you decide to go outside to explore London. Unbeknownst to you, your movements around the city could also be under scrutiny by the government
“The UK intelligence agencies can access any public or private database using very broad warrants. For example if they choose to access all databases relating to ‘travel’, every ticket you buy that is recorded on a database could be accessed by the state,” says Pam Cowburn, Communications Director at the campaign body Open Rights Group.
The government could request bulk personal datasets from companies or organisations which hold large sets of customer and user data.
However, very little is known as to what constitutes these personal datasets.
Privacy International says they are likely to include passport databases, hotel reservations and oyster card data (the travel card for the Tube).
In order to obtain these datasets, the government has to get “thematic warrants” that affect millions of people and are issued from secret courts. Thematic warrants allow surveillance warrants to be issued without specifying who or what the warrant is targeting.
They could cover “a wide geographical area or involve the acquisition of a significant volume of data,” as stated by the government.
“The warrants are made by secret courts in the utmost secrecy and making the content public is a criminal offence.”
“It’s not your typical, American-style warrant that protects you and your property from a search without due suspicion,” says Silkie Carlo, policy officer at Liberty. “The warrants are made by secret courts in the utmost secrecy and making the content public is a criminal offence.”
A warrant will also be needed for intelligence agencies to hack into computers, phone and networks, even outside the UK’s borders.
But it gets better.
Under the Snoopers’ Charter, up to 48 government agencies will be able to access your communications data, in some cases without a warrant.
“There are no notification provisions, which means that you will not be told if your data and communications were obtained, misused, or abused,” says Camilla Graham Wood, of Privacy International.
WhatsApp and encryption
Under the Snoopers’ Charter, even encrypted services like WhatsApp, which offer end-to-end encryption, may not be safe from interception.
The law gives the government the power to “force telecommunications companies to break away their own encryption,” says Silkie Carlo of Liberty.
That means that companies like WhatsApp could be lured into creating a backdoor for the government’s interception.
According to Liberty, these companies could be coaxed into “secretly delivering malware to users, e.g. through a ‘security update’, or to secretly compromise their own products, or to assist the state in hacking some other way”.
Obligations to remove encryption can be issued in a notice from the Home Secretary and the companies must comply with it but not disclose the existence of such notice.
U.S. tech giants have expressed their concerns about the law.
In a written submission to the U.K. government, Apple, Google, Microsoft, Facebook and Twitter said: “We reject any proposals that would require companies to deliberately weaken the security of their products via backdoors, forced decryption, or any other means. ”
‘A key left under the doormat would not just be there for the good guys. The bad guys would find it, too,” Apple said.
“Were an Apple v FBI scenario to occur in the UK, Apple would not be able to disclose even the fact that it had been served with a notice, let alone challenge it in court”
“Were an Apple v FBI scenario to occur in the UK, Apple would not be able to disclose even the fact that it had been served with a notice, let alone challenge it in court,” says Silkie Carlo of Liberty.
Most people have nothing to hide, but the level of intrusion the government will legally be able to achieve at the drop of a hat is clearly concerning.
Are you worried?