3aIT Blog


The "Investigatory Powers Act 2016" (or "Snooper's Charter") has just received royal assent and is therefore now officially law.

The most notable part of this Act is that your internet service provider (ISP) can be required to retain a record of every website you've visited over the previous twelve months, on a rolling basis. The police will not require a warrant to obtain this information.

One technical point here - this will be a record of the sites you connected to (the domain name), not of the full addresses of the pages you viewed. For instance, if you visited http://www.bbc.co.uk/news and http://www.bbc.co.uk/weather, the record will simply show www.bbc.co.uk twice. In other words, the list will record that you've been to the BBC site, but not the specific areas you visited. (Note that this is not the same as the "top level domain", which for both of those addresses would just be .uk.)
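To make the distinction concrete, here is an added example (not code from the original post, and not a description of any ISP's actual logging system) that collapses a constructed list of visited URLs into the kind of site-level record described above, and separately pulls out the true top-level domain so the two are not confused. The sample browsing history is made up for illustration.

```python
import ipaddress
from collections import Counter
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample browsing history for the example; not real data.
SAMPLE_VISITS = [
    "http://www.bbc.co.uk/news",
    "http://www.bbc.co.uk/weather",
    "https://user:secret@example.com:8443/account/settings?tab=privacy#top",
    "https://example.com/",
    "http://192.0.2.10/admin",
    "mailto:someone@example.com",  # no host at all, so nothing to record
]


def host_of(url: str) -> Optional[str]:
    """Return the lowercase hostname of a URL, dropping the scheme, path,
    query string, fragment, port and any embedded username/password.
    Returns None when the URL carries no host (e.g. a mailto: link)."""
    parts = urlsplit(url)
    if not parts.hostname:
        return None
    return parts.hostname.lower()


def tld_of(host: str) -> Optional[str]:
    """Return the actual top-level domain (last label) of a hostname,
    e.g. 'uk' for www.bbc.co.uk. IP-address literals have no TLD."""
    try:
        ipaddress.ip_address(host)
        return None
    except ValueError:
        pass
    return host.rsplit(".", 1)[-1]


def connection_records(urls) -> Counter:
    """Collapse visited URLs into per-site counts: the site is recorded,
    the page within it (path, query, fragment) is discarded."""
    return Counter(h for h in map(host_of, urls) if h)


if __name__ == "__main__":
    for host, count in connection_records(SAMPLE_VISITS).items():
        print(f"{host:20} visits={count} tld={tld_of(host)}")
```

Running it shows www.bbc.co.uk recorded twice with no trace of /news or /weather, example.com recorded twice with the port, credentials and query string stripped, and the IP-literal visit kept as a host with no TLD.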

Ignoring the ethical side of this, the storage of these records may yet prove to be a major headache for the ISPs. Assuming the technical challenges of actually recording this information can be overcome, keeping lists like this means that they have to be stored somewhere, and a year of browsing history for every customer is a very attractive target. As we have seen over the past few years, ISPs are not impervious to attack from hackers, and personal details have been obtained in these attacks. If someone managed to breach an ISP's security in such a way that they gained access to this data, it could cause huge embarrassment to millions of innocent people.

As an aside, it isn't just the police that will have access to this data. The list of public bodies that will be granted access is pretty extensive:

  • Metropolitan police force
  • City of London police force
  • Police forces maintained under section 2 of the Police Act 1996
  • Police Service of Scotland
  • Police Service of Northern Ireland
  • British Transport Police
  • Ministry of Defence Police
  • Royal Navy Police
  • Royal Military Police
  • Royal Air Force Police
  • Security Service
  • Secret Intelligence Service
  • GCHQ
  • Ministry of Defence
  • Department of Health
  • Home Office
  • Ministry of Justice
  • National Crime Agency
  • HM Revenue & Customs
  • Department for Transport
  • Department for Work and Pensions
  • NHS trusts and foundation trusts in England that provide ambulance services
  • Common Services Agency for the Scottish Health Service
  • Competition and Markets Authority
  • Criminal Cases Review Commission
  • Department for Communities in Northern Ireland
  • Department for the Economy in Northern Ireland
  • Department of Justice in Northern Ireland
  • Financial Conduct Authority
  • Fire and rescue authorities under the Fire and Rescue Services Act 2004
  • Food Standards Agency
  • Food Standards Scotland
  • Gambling Commission
  • Gangmasters and Labour Abuse Authority
  • Health and Safety Executive
  • Independent Police Complaints Commissioner
  • Information Commissioner
  • NHS Business Services Authority
  • Northern Ireland Ambulance Service Health and Social Care Trust
  • Northern Ireland Fire and Rescue Service Board
  • Northern Ireland Health and Social Care Regional Business Services Organisation
  • Office of Communications
  • Office of the Police Ombudsman for Northern Ireland
  • Police Investigations and Review Commissioner
  • Scottish Ambulance Service Board
  • Scottish Criminal Cases Review Commission
  • Serious Fraud Office
  • Welsh Ambulance Services National Health Service Trust

Of course, this opens many more attack vectors for a potential hacker. If they find they can't get a copy of these records directly from the ISPs, compromising machines in these organisations opens up another 50 or so potential avenues to get at the data. Even in the unlikely event that none of these systems can be hacked, there's still the option of paying someone with the right access in any of these organisations to simply steal the data for you.

There are many ways for someone who actually wants to hide their tracks online to work round this system. If they don't already use these methods, this new Act will probably be the incentive they need to start doing so. This may cause some to question exactly what this mass surveillance will achieve.