Your Data Laid Bare - The Investigatory Powers Act

Whilst our political divides have been laid bare in the most dramatic manner this year, it’s not the only thing being exposed…

By Andre Armenian

“the most extreme surveillance in the history of western democracy”

As the UK reels from shocks to the political status quo (both here and abroad), a piece of legislation that substantially alters the way in which people’s communications data is kept and accessed quietly came into effect. A piece of legislation that facilitates, in the words of Edward Snowden, “the most extreme surveillance in the history of western democracy”, but is, in stark contrast, referred to by the Independent Reviewer of Terrorism Legislation as “an exercise in democracy”. With such wildly differing perspectives, what are we to make of the new Investigatory Powers Act?

Let’s stay grounded in what the new law actually says about intercepting and retaining your data – intercepting first. Under the new rules, communications like letters, emails and phone calls can be intercepted and examined by the intelligence services, police or HMRC as long as the action is necessary, proportionate, and it’s signed off by a Judicial Commissioner (a current or former High Court Judge). But not when it’s urgent – then their approval isn’t needed. According to the Act, it becomes “necessary” to take a peek at your communications when matters of national security are involved, the authorities are looking to detect or prevent serious crime, or the economic well-being of the UK is concerned. Sounds okay, until you realise that these three grounds are pretty vague. What does it take for the economic well-being of the UK to be threatened? How significant does the national security issue or “serious crime” have to be before the authorities can go snooping? The tipping point between an individual’s privacy and the wider community’s security and wellbeing is poorly defined here.

The Act also changes the way in which your internet records are retained, and it’s this aspect of the new law that’s grabbing the headlines. Under the Act, internet service providers can (and will) be ordered by authorities to retain their customers’ “internet connection records” for one year. These records will include what you did online, when you did it, where you did it, and the device you used to do it. In order to make providers hold on to these records, the authorities have to be satisfied that national security, detecting crime, national economic well-being, public safety or public health is at stake. A Judicial Commissioner must also check that the order is necessary and proportionate. But once again, it’s the grounds for keeping this data that’s the issue – it’s all too vague. I could justify ordering GiffGaff or Plusnet to retain everyone’s internet search history because, to my mind, the public’s taste in pornography is a public health issue. Slippery slope argument it may be, but there’s nothing stopping such an interpretation of the law. In the absence of clarity, when does it become okay to violate my privacy in the interests of the public?

It comes as no surprise that the Act is attracting some negative attention, and has already been successfully challenged at the European Court of Justice (ironically, by the very man responsible for negotiating the UK out of the EU – Brexit Secretary David Davis). The European Court has ruled that authorities should not be allowed to access people’s personal data without independent authorisation, and collecting people’s data en masse should only be permitted when trying to prevent and detect serious crime. Therefore, and at less than one month old, parts of the new Act are unlawful, according to the ECJ. With Brexit looming however, who knows whether this decision from the ECJ will have a significant impact on the new Act and its operation. I suppose this puts David Davis in a rather awkward position.

A politically turbulent year is drawing to a close, and the uproar caused by Mr. Snowden’s revelations in 2013 now seems like a distant memory. But amidst the din of Brexit, Syria, and Mr. Trump, it is important that we do not forget just how comfortable authorities are, and have been, with indiscriminate mass surveillance. The Investigatory Powers Act, by virtue of its ambiguity and breadth, serves as a pretty good reminder. But in an era in which we choose to log our movements and thoughts in an amorphous, faceless, near-unending mass of data, we must endeavour to find a satisfactory balance between respecting people’s privacy and the legitimate interception and storage of data for our protection. Crucially, we cannot continue to rely on “national security” and “public safety” as criteria for spying, because, as the past few years has taught us, public authorities will use those terms to justify pretty much any level of surveillance.