Law enforcement and ISPs testing mass surveillance technology

Spies watching man on phone

The UK’s hugely controversial Investigatory Powers Act has cast a long shadow over internet rights and freedoms in this country for some time now.

But, since it passed in 2016, it has been hair-brained schemes like placing age verification on porn sites and the farcical Online Harms Bill that been raising the hackles of online rights campaigners.

Most people either don’t know or have blithely accepted that their Internet Service Provider is logging a record of what they do online and those that care have simply signed up for a VPN and used the encryption and no user logs guarantees they offer to ensure that their ISP has no relevant information to log.

But it seems like the Snoopers Charter (as the investigatory Powers Act is commonly described) is about to crash back into our consciousness as reports have emerged that for the past couple of years, police and British ISPs have been secretly working together on a centralised mass internet surveillance tool.

Internet Connection Records logs

Details of what is being developed remains fairly sketchy but Wired has reported that trials have been going on for almost two years with the police, the National Crime Agency (NCA) and two unnamed UK ISPs involved. According to the report, the NCA has confirmed that “significant work” has gone into the trial already.

There has been no further official comments or announcement which immediately raises concerns and suspicions. ISP insiders are quoted as saying they cannot speak about the technology because of “security concerns”; a comment which raises more questions than answers.

What we do know so far is that the trail is being run under the Investigatory Powers Act and that it involves the creation of Internet Connection Records, or ICRs.

An ICR is a record which contains metadata about everything you do online. Under the Act, ISPs can be compelled to log this data for a period of 12 months.

A judicial order has to be issued to require ISPs to do this and that happened for the first time in July 2019; a move which led to the first ICR trial taking place according to the Annual Report of the Investigatory Powers Commissioner.

A spokesperson for the National Crime Agency subsequently conformed that “We are supporting the Home Office sponsored trial of Internet Connection Record capability to determine the technical, operational, legal and policy considerations associated with delivery of this capability.”

Another trial began in October 2019 at which point a spokesperson for the Investigatory Powers Commissioner confirmed that they were keeping the trials under review. Their role is to “ensure that the data types collected remain necessary and proportionate”.

They went on to say that a decision over whether to roll out the trials nationally will be taken once the trials are completed.

That is an ominous statement, especially when we still know almost nothing about the trials and how they work. All we can say for certain is that the NCA has spent at least £130,000 on two external contracts so far.

The Snoopers Charter

This is partly down to the Snoopers Charter itself. It states that ISPs cannot speak about the data they are collecting or even mention the existence of orders telling them to collect people’s data.

Critics say such secrecy is preventing proper scrutiny of what developments are taking place. As Heather Burns, policy manager at the Open Rights Group, told Wired, “This is a fairly staggering lack of transparency around mass data collection and retention.”

She’s not wrong and its worth remembering that an ICR can include such information as the apps you use, the domains you visit, IP addresses, when your internet use starts and finishes, and the amount of data you send to and from your device, and much more.

This might not seem significant but the information it includes will be able to tell anyone who reads it a great deal about you and what you get up to online.

Will VPNs protect you from ICRs?

On the face of it, VPNs should still be able to help you avoid private and personal information about your online activity being logged in an ICR. But until we know more about the trials and how the technology will work, it is impossible to say that for sure.

But because VPNs encrypt all of your data, they should ensure that your ISP is unable to see the contents of your data and therefore know information like the websites you are visiting.

The news about the Investigatory Powers Act is not all bad. Legal challenges to it continue and it is also up for review in 2022 as the law requires a formal review after 5 years and 6 months.

That will give legislators the chance to tidy up what is a messy, intrusive and quite possibly illegal piece of legislation. We will have the chance to push them to do exactly that in due course.

But for now, it is vital to keep an eye on how the Snoopers Charter is being used to undermine our online privacy.

Author: David Spencer

Cyber-security & Technology Reporter, David, monitors everything going on in the privacy world. Fighting for a less restricted internet as a member of the VPNCompare team for over 7 years.

Away from writing, he enjoys reading and politics. He is currently learning Mandarin too... slowly.

Leave a Reply

Your email address will not be published. Required fields are marked *