The Investigatory Powers Bill, otherwise known as the Snoopers' Charter, has been passed by the House of Commons and the House of Lords, and now just the signature of the Queen remains to be added before the most sweeping surveillance powers in the democratic world are passed into law in the UK.
And only now, at this late, late stage, are the mainstream media finally cottoning on to the fact that VPN users will be able to get around one of the biggest provisions: the one that requires ISPs to keep records of customers' internet activities for a year.
Data Retention Risks
Many people in the UK are concerned about the risks of ISPs retaining this data. It compromises people's online privacy if a record is kept of all their internet habits, which various government bodies will be able to access with minimal oversight.
But the risk of such a database being compromised and the information leaked is also significant. It might be a skilled external hacker, a careless internal worker, or a disgruntled ex-employee, but the likelihood is the data will be breached at some point.
As James Blessing, chairman of the Internet Service Providers’ Association, which represents those ISPs who will have to retain the data, said, “Mistakes will happen. It’s a question of when. Hopefully, it’s in tens or maybe a hundred years. But it might be next week.”
How VPNs help users evade the problem
The BBC is the latest mainstream media outlet to highlight how VPNs can be easily used to get around the problem, latching on to the marketing drive many VPNs have been undertaking in recent days to draw concerned British users to their products.
VPNs work by diverting all internet traffic down an encrypted pathway and via an external server before reaching the sites and services users are visiting. This means that these sites can only see the IP address of the external server.
But it also means that a user's ISP can only see the IP address of the VPN server. Therefore, by using a VPN, the only record the ISP can keep is the IP address of the VPN servers you are using. They will have no record of the sites you are visiting.
Needless to say, the proposals in the Investigatory Powers Act offer a real opportunity for VPN providers. A spokesperson for NordVPN explained that subscriptions in Australia went up when a similar law was passed there last year and that they are “already seeing an increase in inquiries from the UK.”
NordVPN is using the opportunity to market their new double-VPN offering, which reroutes traffic via two servers for additional security, as well as stressing their zero-logs policy, which means they keep no record of the activity of their users.
NordVPN also claims their servers are configured in a way that means even if the server itself were to be seized by the UK authorities, they would not find any data they could use.
VPNs obliged to hand over data?
Some analysts have interpreted the Investigatory Powers Bill as meaning that VPNs will have to record the activity of their users in the same way that ISPs do and that, should the UK authorities request the data, they would be obliged to hand it over.
Not so, says a spokesperson for Private Internet Access. They have taken legal advice and, as a US-based company, have been told they would be under no obligation to comply with British law. NordVPN is based in Panama, which has no data retention laws at all, so the same is true of them.
In fact, with all reputable VPNs being based outside of the UK, users can sign up for pretty much any one they choose and be confident that their data will not be collected under the Investigatory Powers Bill.
It is certainly true of our pick of the top VPN providers. Both IPVanish and ExpressVPN are located outside of the UK and so users can be confident that their ISP will be harvesting only the minimum amount of data about their internet activities (namely that they are using a VPN).
The Home Office, the UK Government department behind the law, has not addressed the issue in the legislation or in any of the parliamentary debates about it so far. They also failed to respond to the BBC's request for comment.
This is mostly because it is an issue they can do very little about. Leading VPNs do not fall under their jurisdiction, and any plans to block them would be strongly opposed, as they are a legitimate and legal online security and privacy tool and are also used by a great many businesses to protect their data.
This means the gaping loophole looks likely to remain, and UK internet users can still enjoy privacy when surfing the net, simply by using a VPN.