More details have emerged of the bulk surveillance powers the UK Government has now that the Investigatory Powers Act has passed into law. And it doesn’t make for reassuring reading.
The Register website has reported on a leaked copy of the UK Governments draft technical capability notices paper which reveals the powers that the Government is intended to leverage over Internet Service Providers (ISPs) and telecoms companies.
Real Time Monitoring
They will not just have to provide content data on named individuals the Government wants to snoop on, but will also have to give intelligence agencies real-time access to their online content within 24 hours. If that wasn’t enough, there is also a range of what is described as “secondary data” which they will also be obliged to provide.
This real-time monitoring must be able to provide total surveillance of 1 in 10,000 of every ISPs customers. The Register has done the maths on this and worked out that means the UK Government will be able to simultaneously undertake real-time online surveillance of around 6,500 people at any one time.
To do they, they will need to secure the approval of either a senior police official or the Secretary of State, and the process will also be overseen by a Judge appointed by the Prime Minister.
Arguably more worrying is the definition of the term “secondary data” which according to the document includes encrypted communications.
What this document means in effect is that all UK communications companies will have to be able to provide the Government with access to encrypted communications on named individuals. In other words, they are now obliged to put a backdoor into encrypted communications.
What the document says on the matter is that companies must “provide and maintain the capability to disclose, where practicable, the content of communications or secondary data in an intelligible form and to remove electronic protection applied by or on behalf of the telecommunications operator to the communications or data.”
It has long been noted that this power existed in the Investigatory Powers Bill, but this appears to be the first evidence that the Government intends to apply it.
It is perhaps now less of a surprise that the UKs Home Secretary, Amber Rudd, appeared to back down on her calls for access to encrypted communications following the recent terrorist attack in London. It should perhaps be noted that the British intelligence agencies have since reported that they have managed to access the content of the terrorist’s WhatsApp account subsequently.
Of course, this new power can only be applied to companies that are based in the UK. No British company will be able to offer end-to-end encryption on any of its services from this point forward.
But of course, the British authorities cannot force companies based overseas to comply with their laws. This means that all the main encrypted communications providers, such as WhatsApp, Apple, and Signal, will continue to operate as normal. But British-based companies, including VPNS, will be significantly disadvantaged.
No public consultation
The way the Government has gone about seeking approval for this paper has also indicated their awareness that the public will be shocked and appalled at its content.
It has been shared with the UK’s Technical Advisory Board, which is made up of representatives from the country’s big six telecoms and ISP companies; O2, BT, Vodafone, Virgin Media, BSkyB, and Cable and Wireless. It has also been seen by the intelligence agencies. All appear to have agreed to its contents.
However, no public consultation has taken place; although the fact that it was leaked to the Open Rights Group suggests at least one person in those companies was suitably appalled by it.
Anyone who does wish to express an opinion on the paper can do so by emailing email@example.com, but in all honesty, the likelihood of your views being considered appears slim.
Your time would be better spent investing in a VPN to protect and encrypt all of your online content to prevent Government snoopers from being able to access it. In light of this document, you would be best to choose a non-British VPN such as IPVanish or ExpressVPN.
But if you weren’t already aware, this document makes it even more glaringly obvious that if British people want any privacy and security online, a VPN is just about their only option.