What the Investigatory Powers Act means for you

With the passing of the Investigatory Powers Act, previously secret illegal surveillance practice revealed by Edward Snowden will now be entrenched in law, alongside new powers not used in any western democracy. Below are some of the key ways the IPA might affect you.

Your Internet history can be logged

Every website you visit, the fact of every communication you make, and every mobile app that connects to the internet can now be logged, recorded and made accessible to the Government.

Logs of your Internet activity, dubbed “Internet Connection Records” by the Investigatory Powers Bill doesn’t already exist, and companies will be forced to spy on their customers to create the records from scratch. They are imprecisely defined, and different companies will be forced to apply the vague standards in different ways. With everything from your fridge to your car being connected online, the scope of this power, and the number of records created about your life will only grow.

Location and phone call history will be recorded

Every time you make a phone call or send a text message, your location and who you are communicating with will be logged by your mobile phone provider. This can be requested and made accessible to the Government.

The broad nature of these powers have already been struck down by the courts, but the Investigatory Powers Bill tweaks them to try and sidestep the courts ruling.

Police will have a new data-mining super search

A new data mining super search will allow police to combine your Internet history alongside your mobile phone location and call records as well as any other data the police may hold. No judicial warrant will be needed before the police or the intelligence agencies can use ‘the filter’. Instead, the requesting body will internally authorise such access.

Your phone can be hacked even if you’re not of interest

For the first time the police will be able to hack your phone, take photos using the camera, nosy through anything stored on the phone and remotely switch on the microphone – even when the phone is turned off.

Remarkably, hacking powers will be able to be used against people who “are not of intelligence interest in their own right” meaning even if you are not suspected of committing a crime of any other wrong doing you phone could still be compromised.

The intelligence agencies will have specific powers to hack in bulk including for everyone in a particular location. While the power is intended to only be focussed outside the UK, loopholes mean it can be used at home in the UK too.

You might never be able to trust your computer again

One of the ways the police will undertake their hacking operations will be to enlist technology companies to do the hacking for them. Whether it’s an app developer, internet service provider or hardware company, the Government can now force them to assist. This means software updates pushed out to customers might be booby trapped with government backdoors.

How can you tell the difference between a backdoored software update and a legitimate one? You can’t.

Your private information is less safe

Newly created massive databases to create, and store your Internet Connection Records in one place are attractive targets for cyber criminals and other attackers. The question isn’t whether they will tried to be hacked, but when.

Whats worse is that companies products may not be as safe and secure as they’d like them to be. When served with a notice, companies may be forced to remove encryption which keeps data safe, or re-architect their systems to be less secure so that law enforcement can get the information they think they need. The problem is that this could weaken the security of the companies products for every single person in the world.

Mass surveillance of communications will continue

None of the capabilities revealed during the Snowden revelations will end. Instead, they are being placed onto a legal footing so they can’t be challenged as easily in the courts.

This means that on top of all the powers already listed, a further 50 billion communications events will be captured by GCHQ every single day. As there are only seven billion of us in the world, and three billion of us who have access to the internet, the intelligence services are subjecting as many people in the world to surveillance as their computers can handle. This includes programs like Optic Nerve, which stored nude images from millions of Yahoo! webcam users.

What can you do?
Any successful campaign needs resources, whether it be for educational material, undertaking investigations, or mount legal challenges. Any donations you are able to make to NGOs can help fight back against mass surveillance and the intrusion into your private life.

You can read up on the Bill and educate your friends and family as to the concerns and dangers. Other articles about what the IPBill means have been published by the Guardian, the Verge, Wired, or Computer World among many others.

You can help ensure that your communications are technically protected by practicing good operational security – and teaching others how to do this. There are great guides out there to get yourself up to speed or help double check what is good practice.

Google+ Delicious Digg Facebook Google LinkedIn StumbleUpon Twitter Reddit Newsvine E-mail

Comments (1)

  1. Cloud Starer:
    Dec 19, 2016 at 02:12 PM

    The ICR log is extremely dangerous it is too easy to taint this log with false information without the user being aware.

    For the non technical people I shall explain a little, the ICR log contains much more than just the website in the address line of your browser.

    When you visit a website with a browser, you download a description of the page, this is set of instructions written in HTML which tell your browser what to display and how to display it.

    These instructions can access content from several sites just to show you a single page, all of these sites will be logged in the ICR log.

    Also if the page has any JavaScript, say to control the display of advertising, handle input verification on an on screen form, perform analytics or even play a game, then these scripts may be located on other websites and worse may even access yet more websites to access content for the browser. All of these websites will be logged as well.

    For example this page loads media from the same site as in the address line so the ICR log will only contain an entry for "www.dontspyonus.org.uk", however I'm using Privacy Badger from EFF which tells me that there are 3 trackers on this site from "code.jquery.com", "action.openrightsgroup.org" & "bug.openrightsgroup.org", all three of these sites will be logged in the ICR log when I look at this page.

    Most people don't even know this is happening and for the majority of sites this isn't an issue, certainly the sites referred to by this page are innocuous.

    However some sites can access content from 20 to 30 other websites and some of those aren't so innocuous.

    Now for the majority of sites this wouldn't be a problem except for the bad guys, the people who plant viruses or ransomware in adverts from third party servers. For example The BBC was found to be serving ransomware because a 3rd party site had been compromised.


    Now antivirus packages can deal with a lot of this so while it is a pain it can be controlled.

    However lets imagine the bad guys compromise a server and insert a few lines of JavaScript into an otherwise legitimate script and instead of trying to install a virus or ransomware on your PC, it accesses a child porn or terrorism site and downloads several megabytes, dumping this into a variable and then exiting without ever displaying what was downloaded.

    You access a legitimate site that uses this 3rd party script and your browser will quietly download information in the background and you will know nothing about it, your browser is just doing what browsers do and no antivirus or antimalware in the world would spot this is happening let alone stop it.

    Then a week or so later they access the server & remove the script so there's no evidence linking to them.

    Your ICR log will now show that while you were sat at your PC surfing the web, you accessed a child porn or terrorism site & downloaded several megabytes of information.

    The first you will know about this is when the authorities, having gone on a fishing expedition possibly helped by an anonymous tip, knock on your door at 4am, remove every piece of electronic equipment you own and haul you off for interrogation about these regular and repeated accesses to a child porn or terrorism site.

    You're protestations of ignorance will be ignored and the authorities failing to find anything will just make them look harder.

    They may eventually give up but you will be forever tarnished with the suspicion of being a paedophile or terrorist sympathiser and there's a good chance you'll no longer have a job, home or family by this time.

    After a few of these have appeared in the papers the bad guys start making random phone calls, saying this has happened to the ICR log of the person who answers and for a fee they won't tell the authorities.

    ICR logs destroy any trust you can have in a website, surf the web after ICR logs become live and you may as well play Russian roulette