The UK is secretly testing a controversial web snooping tool
The Investigatory Powers Act, or Snooper’s Charter, was introduced in 2016. Now one of its most contentious surveillance tools is being secretly trialled by internet firms
By MATT BURGESS
Thursday 11 March 2021
For the last two years police and internet companies across the UK have been quietly building and testing surveillance technology that could log and store the web browsing of every single person in the country.
The tests, which are being run by two unnamed internet service providers, the Home Office and the National Crime Agency, are being conducted under controversial surveillance laws introduced at the end of 2016. If successful, data collection systems could be rolled out nationally, creating one of the most powerful and controversial surveillance tools used by any democratic nation.
Despite the National Crime Agency saying “significant work” has been put into the trial it remains clouded in secrecy. Elements of the legislation are also being challenged in court. There has been no public announcement of the trial, with industry insiders saying they are unable to talk about the technology due to security concerns.
The trial is being conducted under the Investigatory Powers Act 2016, dubbed the Snooper’s Charter, and involves the creation of Internet Connection Records, or ICRs. These are records of what you do online and have a broad definition. In short, they contain the metadata about your online life: the who, what, where, why and when of your digital life. The surveillance law can require web and phone companies to store browsing histories for 12 months – although for this to happen they must be served with an order, approved by a senior judge, telling them to keep the data.
The first of these orders was made in July 2019 and kickstarted ICRs being trialled in the real world, according to a recent report from the Investigatory Powers Commissioner. A second order, made to another internet provider as part of the same trial, followed in October 2019. A spokesperson for the Investigatory Powers Commissioner’s Office says the trial is ongoing and that it is conducting regular reviews to “ensure that the data types collected remain necessary and proportionate”. They add that once the trial has been fully assessed a decision will be made on whether the system will be expanded nationally.
But civil liberties organisations argue that the lack of transparency around the trials – and the seemingly slow nature of progress – hint at legislation that isn’t fit for purpose. “Taking several years to get to a basic trial, in order to capture two ICRs, suggests that the system wasn’t the best option then, and it certainly isn’t now,” says Heather Burns, policy manager at the Open Rights Group, a UK-based privacy and internet freedom organisation.
Burns says the ICR trial appeared to require internet service providers to “collect the haystack in order to identify two needles”. She adds that it is unclear what data was collected by the trial, whether what was collected in practice went beyond the scope of the trial, or any of its specifics. “This is a fairly staggering lack of transparency around mass data collection and retention.”
The specific nature of the trial is a closely guarded secret. It is unclear what data is being collected, which companies are involved and how the information is being used.
The Home Office refused to provide details of the trial, saying it is “small scale” and is being conducted to determine what data might be acquired and how useful it is. Data can only be stored if it is necessary and proportionate to do so and ICRs were introduced to help fight serious crime, the Home Office says.
“We are supporting the Home Office sponsored trial of Internet Connection Record capability to determine the technical, operational, legal and policy considerations associated with delivery of this capability,” a spokesperson for the National Crime Agency says. The agency has spent at least £130,000 on two external contracts used to commission companies to build underlying technical systems to run trials. The contracting documents, which were issued in June 2019, say that “significant work has already been invested” in the systems for collecting internet records.
Of the UK’s major internet providers only Vodafone confirmed that it has not been involved in any trials that involve storing people’s internet data.
Spokespeople for BT, Virgin Media and Sky refused to comment on any measures around the Investigatory Powers Act. Mobile network operator Three did not respond to a request for comment. Smaller internet service providers say that they have not been included in any trials.
Industry sources say that service providers are hampered by the law saying they can’t talk about data they are collecting. Such secrecy, sources argue, risks the development and scrutiny of the systems. One section of the Investigatory Powers Act says that telecoms companies, or people connected to them, are not allowed to talk about the “existence or contents” of any orders telling them to keep people’s internet data. One person says there is secrecy “to the point where they can’t even talk between industry experts in different organisations to share knowledge around best practice”.
The Investigatory Powers Act is a wide-ranging law that sets out how bodies in the UK can collect and handle data that may be linked to criminal activity.
Since it was passed in 2016 the law has led to sweeping reforms of UK surveillance powers, adding new controls on what law enforcement and intelligence agencies can do and explaining when phones, computers and other systems can be hacked – other legislation previously covered these powers. As part of the changes, ICRs were introduced as a new type of data that could be collected and stored for security purposes.
People’s internet records can contain the apps they have used, the domains they have visited (wired.co.uk, for example, but not this specific article), IP addresses, when internet use starts and finishes, and the amount of data that is transferred to and from a device. While not containing the content of what people are viewing, metadata can still be hugely revealing. Amongst other things it can reveal health information, political leanings and personal interests. Documents from the Home Office say “there is no single set of data that constitutes an ICR” and that the logs are likely to be held by people’s internet service providers.
When passed five years ago, many aspects of the legislation were controversial – and ICRs were high on the list.
NSA whistleblower Edward Snowden called the law “the most extreme surveillance in the history of western democracy”. Since then the scope of the legislation has been expanded to include more organisations.
Lawsuits have followed – both succeeding and failing – to challenge the enormous quantity of data being collected.
Despite being passed into law in November 2016, it’s likely that the technical systems required to collect the internet histories of millions of people will have taken time and money to create. As surveillance law was being debated in December 2015, executives at internet service providers said ICRs were a brand new type of data and nothing like them existed.
Hugh Woolford, the then director of operations at Virgin Media, said it could require companies to “mirror our entire network’s traffic to then be able to filter it”. He continued to say it would take years for the technology to be developed.
Others said the systems would cost more than the £175 million the Home Office had budgeted for the development and it was possible people’s broadband bills could increase as a result.
The Investigatory Powers Act is scheduled to be scrutinised in the next year – it needs to be reviewed five years and six months after it was passed into law. Burns says this will be a chance to improve transparency and understand how the law has worked in practice. “We need to make sure that ICRs are reviewed for scope, proportionality, and costs versus benefits,” she says. “But we also need to ensure that any moves to scale that system back are not merely transferred or even increased in other proposals.”
Matt Burgess is WIRED’s deputy digital editor. He tweets from @mattburgess1
Updated 11.03.21, 14:30 GMT: The Investigatory Powers Act did not make state-backed hacking legal for the first time. Such powers were previously covered by other laws.