In a news cycle still fixated on the US election result, on 15 November members of the UK’s upper house of parliament gave final approval to the country’s most invasive surveillance legislation to date.
The Investigatory Powers Act gives government agencies unprecedented powers to collect user information in bulk and access data about the websites that Britons visit.
The most controversial aspect of the law is the requirement for Internet service providers to hold information about every website a user visits for 12 months.
Government agencies such as the security services, Inland Revenue and even the Food Standards Agency will be able to access the information, for what officials say will be a “limited set of specified purposes” subject to “strict controls”.
Despite the ease with which it passed through the Conservative-controlled legislative chambers, the law nicknamed the Snooper’s Charter by the British press has prompted strong criticism.
Silkie Carlo, a policy officer for the National Council for Civil Liberties, dismissed the government’s justification of the law on the grounds of countering terrorism as “one that defies common sense.
“We urged the government to prove it was strictly necessary for the state to use bulk, suspicionless surveillance powers,” Carlo said, adding that the government had “cynically” avoided addressing the group’s concerns.
A targeted system of surveillance based on suspicion of criminality made more sense than one that captures huge amounts of data, Carlo argued, and security experts agree.
No one disclosure will bring you to harm, but disclose enough over time and you’ll get bitten by it
Johns Hopkins University cryptologist Matthew Green said there were major limitations with the new law from a security perspective.
“The amount of data being generated is going to be vast,” Green said.
“That’s going to drown the surveillance agencies in noise and false positives… My guess is the only real use of this data will be to keep police busy chasing leads, and to help fill in a profile after something has happened.”
According to Green, those behind previous attacks, such as in France last year, had easily evaded similar measures intelligence services had in place.
“We saw in Paris that even burner cellphones without encryption were sufficient to coordinate a large-scale attack.
“It’s much more likely that these measures will be used against amateurs and criminals, and won’t stop the sort of serious terrorism that’s being used to justify them.
“That’s worrying, because the privacy cost of these measures is going to be enormous.”
The UK is not alone in introducing expansive Internet surveillance laws. France introduced similar measures in 2015, and Germany passed its own measures in October.
In the US, the National Security Agency’s Prism programme gives it direct access to user data held by companies such as Google and Facebook.
Vian Bakir, professor of political communication and journalism at Bangor University, said Western governments had “created the tools for repression” and citizens would now have to trust that the state will not abuse such powers.
She described the British government as prioritising national security over human rights, and warned that the recent US election result could signal a turn for the worse.
Extremely personal information will be leaked with terrible consequences for some people
“[Trump’s] populist election included calls to bring back torture and he stated his support for bringing back NSA bulk data collection,” Bakir said. “As such, we have very good reason to be concerned about our privacy.”
Potential government overreach is just one of the risks associated with the new measures.
Organised criminals and foreign state actors have little or no incentive to protect user data and are not bound by any form of accountability to citizens of the countries they operate in.
Technologists warned that the UK’s Investigatory Powers Act could lead to leaks of sensitive personal data.
The law mandates ISPs to hold Internet connection records, which detail websites accessed by a user, for 12 months.
The British home office did not reply to a request to explain what safety measures would be in place to protect the information held by communications companies but network security analysts said breaches were definitely possible in the future.
“There is no cast-iron guarantee that someone could not raid the data,” said Danny Dresner, lecurer in information, cybersecurity and governance at Manchester University.
“[There are] too many actors and a shed load of technology that opens the kimono of vulnerabilities all the time — often faster than it can be closed.”
As recently as two weeks ago, a breach at UK telecommunications company Three Mobile resulted in hackers obtaining the personal details of about 130 000 customers .
Others hacked within the past two years include O2 and TalkTalk.
Ars Technica’s Glyn Moody warned that the new law was a “privacy disaster” waiting to happen and could open up individuals to blackmail, if data is breached.
“They [ISPs] don’t have to store this kind of intimate, highly personal information at the moment,” Moody said.
“They don’t have any experience in making databases really secure. That’s why there have been high-profile losses of personal data by companies such as TalkTalk, Vodafone, O2 and Three.”
Moody said some companies would do a better job than others in protecting data but that it was inevitable that some databases would be hacked.
“Extremely personal information will be leaked with terrible consequences for some people. The only question is when.”
Moody said he preferred a targeted approach of collecting data instead of one that “harms privacy and freedom”.
“Nobody would agree to the installation of CCTV cameras in every room in the house, but this is the digital equivalent, it’s just that most people don’t appreciate that fact,” Moody said.
Personal attitudes
For all the fears of government surveillance or criminal breaches of data, huge amounts of information are surrendered voluntarily on social media platforms and use of now-indispensable apps.
The drip feed of tweets, Instagram posts and status updates may not amount to much on its own, but over extended periods of time can accumulate into a trove of personal information that can expose new vulnerabilities, according to author and tech blogger Cory Doctorow.
“I think that we all struggle to adequately gauge the down-the-line pitfalls of in-the-moment disclosures,” Doctorow said.
“It’s always hard to think about what may happen in the distant future, especially when you’re enjoying the real-time benefits you get from revealing personal information: contact, connection, help.”
This detachment from consequence combined with tactics used by social media companies to encourage people to “share” was analogous to smoking, Doctorow explained.
“No one puff will give you cancer, but smoke enough and you’ll get cancer eventually. No one disclosure will bring you to harm, but disclose enough over time and you’ll get bitten by it.”
Whereas the cigarette industry drew close to the government with the economic benefits it brought, social media companies drew close to officials by offering them the “tantalising prospect of plundering their gigantic databases”, he said.
Doctorow warned against the “nihilism” of accepting the current status quo as just the way things are.
“[People] can choose better tools and better practices that let them maintain their social relations and discussions without giving the platforms all the salient facts of their lives.”
Loss of privacy is not inevitable, but is also not the only, or even the best way to understand our data lives
No analysts recommended becoming a digital hermit to counter the risks to privacy. Instead, a common theme was encouraging the responsible use of social media and understanding the ways in which data produced as a result of online interaction was used by governments and tech companies.
The information we emit online is not just useful to proprietary platforms, governments or even criminals. For researchers, the huge amounts of raw data available present a wealth of knowledge that can provide myriad uses in terms of social insights and developing future technologies.
“Loss of privacy is not inevitable, but is also not the only, or even the best way to understand our data lives,” said Mark Cote, a lecturer in digital culture and society at King’s College London.
“No one should be forced to live in full transparency, or be compelled to share our data without control. Yet that is what digital intellectual property rights are leading us [to]. When we use the platforms and tools we love, like Google, what we generate becomes theirs through secondary rights.”
However, a singular focus on privacy can blind people to the benefits of ethically sharing the data we generate, Cote explained.
“One of the best ways we can counter the profound asymmetry between our pervasive data generation and lack of access or agency is through developing a social big data commons,” Cote said, referring to anonymised non-proprietary platforms on which user data can be collected and accessed.
“We need to think of privacy in conjunction with access and agency. Otherwise we risk further individualising society at a time when we desperately need to explore new lines of affinities and commonalities.
“To both safeguard reasonable privacy, and to learn how we might share and use our data to our collective advantage, we need to develop new forms of data literacy.
“The data age is here to stay, barring environmental catastrophe. We need to become more well-rounded and active participants in data life.”