In what is seen by many as an alarming move, the UK Government has been discretely expanding a contentious surveillance technology with the potential to log and store the internet histories of millions of individuals.
According to official reports and expenditure records, the past year has seen UK police successfully test a system capable of gathering people’s “internet connection records” (ICRs), and there are indications of plans to implement this technology nationwide. If realized, this could provide law enforcement with a potent tool for surveillance.
Those opposing this technology argue that it is extremely intrusive and caution against the government’s track record of inadequate data protection. Further, there’s a mysterious air surrounding the technology and its operations, as responsible agencies have been tight-lipped, refusing to answer queries about the systems.
The UK Government passed the Investigatory Powers Act at the close of 2016, which overhauled the country’s surveillance and hacking powers. This Act introduced regulations regarding law enforcement and intelligence agencies access and actions. However, it was widely decried due to its impact on privacy, earning it the epithet “Snooper’s Charter.”
The creation of ICRs under the Act has been especially controversial. The law empowers the government to compel internet providers and telecom companies—subject to a senior judge’s approval—to store users’ browsing histories for up to a year.
An ICR may not detail every webpage a person visits but can reveal a substantial amount of information about one’s online activity. For instance, an ICR can show that a user visited theinternetpatrol.com but won’t specify the particular article viewed. Additional details like IP addresses, customer numbers, date and time of access, and the amount of data transferred could also be part of an ICR.
“The implications of ICRs are far-reaching and necessitate robust protection against over-retention by telecommunications operators and intelligence agencies,” advises Nour Haidar, a legal officer at UK civil liberties group Privacy International.
When the Investigatory Powers Act was passed, internet firms anticipated it would take years to construct systems capable of collecting and storing ICRs. Nonetheless, these systems may now be gradually falling into place.
A review published in February by the Home Office revealed that the National Crime Agency (NCA) had tested ICRs and found significant operational benefits. The review also highlighted an initial trial that focused on websites containing illegal child images. This trial identified 120 individuals accessing these sites, only four of whom were already known to law enforcement.
This trial’s existence was first reported by WIRED magazine in March 2021. However, the Home Office’s review in February is the first official acknowledgment that the prosecution proved beneficial for law enforcement and could support the expansion of the system across the UK.
In May 2022, a procurement notice from the Home Office revealed plans to develop a “national ICR service.” The notice disclosed a budget of up to £2 million for developing a system that would allow law enforcement officials to access ICR data for investigations.
Defense company Bae Systems won the contract to develop this system in July 2022. In response to a Freedom of Information Act (FOIA) request by WIRED magazine, the Home Office disclosed parts of the contract with Bae but omitted any technical details.
Concerns are growing about the potential broadening of ICR collection in the UK as governments and law enforcement agencies worldwide strive to access more data, especially in light of technological advancements. Critics, such as Haidar of Privacy International, argue that greater data collection does not necessarily result in better security for people. Instead, it exposes them to potential misuse or abuse of their data.
It seems that the fog of uncertainty surrounding the collection and use of ICRs will likely persist as the Home Office remains tight-lipped about the nature of their ongoing trials and their potential expansion. Their response to inquiries, citing the sensitivity of the information and the technical sophistication of criminal entities, suggests that the full extent of their capabilities may not be publicly disclosed anytime soon.
The Investigatory Powers Commissioner’s Office (IPCO), responsible for overseeing intelligence agencies, local authorities, and police, states that the ICR collection has been to support “small-scale trials.” However, they have been reluctant to provide any figures on the number of data retention notices issued.
An independent review of the Investigatory Powers Act will be published this summer. Despite these impending evaluations and the potentially limited application of ICRs, there has already been one notable system failure. IPCO highlighted in its 2020 annual report, published in January 2022, an incident where a telecom company, due to a technical error, supplied more data than what was authorized.
In an effort to investigate the situation further, inquiries were sent to nine of the UK’s leading internet service providers and telecom companies regarding their capabilities to create and store ICRs. Of these, eight declined to comment. TalkTalk, the only company to respond, stated that it would “meet its obligations” under UK law, but refrained from confirming or denying the existence of ICRs.
The potential expansion of ICR collection in the UK is emblematic of a global trend wherein governments and law enforcement agencies strive to gain access to more and more data, particularly with advancing technology. This includes concerted efforts to establish encryption backdoors that could potentially grant access to people’s private communications. In the US, the FBI’s use of Section 702 of the Foreign Intelligence Surveillance Act (FISA), which allows for the interception of overseas targets’ communications, is raising a storm of controversy.
Privacy advocates, including Nour Haidar of Privacy International, argue that expanded data collection powers do not inherently lead to improved security. In Haidar’s words, “Building the data retention capabilities of companies and a vast range of government agencies doesn’t mean that intelligence operations will be enhanced.” He continues, “In fact, we argue that it makes us less secure as this data becomes vulnerable to being misused or abused.”
This evolving landscape of digital surveillance, especially the potential nationwide expansion of ICRs, represents a complex intersection of privacy rights, security needs, and technological advancement. As this story continues to unfold, the balance between these often-conflicting aspects will be crucial in shaping the future of digital privacy and security in the UK and beyond.
Take a look at their website and let us know how you feel about the U.K. government going Big Brother: https://www.ncsc.gov.uk/
The Internet Patrol is completely free, and reader-supported. Your tips via CashApp, Venmo, or Paypal are appreciated! Receipts will come from ISIPP.