
THE UK government wants your web history. Surveillance powers proposed by the Home Office last week have come under fire from privacy advocates for putting innocent peopleâs personal data at risk. The proposed law may even spark a wave of encryption, making it more difficult for the police and security services to find criminals and terrorists.
If passed into law, the Investigatory Powers Bill, presented to Parliament on 4 November, would require internet service providers (ISPs) to keep a record of every website their customers visit, storing each for 12 months. It would also create a legal basis for the government to survey phones and computers on a large scale, and read encrypted messages sent through online services â activities that documents revealed by Edward Snowden suggest the government was already doing.
Advertisement
The bill is meant to bring the power to track online communications in line with the governmentâs ability to monitor landlines and cellphones. âIt cannot be right that today the police could find an abducted child if the suspects were using mobile phones to coordinate their crime, but if they were using social media or communications apps then they would be out of reach,â UK home secretary Theresa May said in her speech presenting the bill. Police say their inability to look into online services has already stymied some investigations.
Authorities will only be able to access internet connection records â root addresses like , along with the time and date of the visit â for three reasons: to identify the sender of a communication, to identify the apps or services they are using, and to determine whether or not someone has accessed illegal material. Once they know which sites someone is using to communicate, they can request more complete details from the site or service involved.
The goal is to apply the existing model of investigation, in which phone records are used to reveal patterns of communication, to the digital age. But of the University of Kent, UK, says the websites we visit are far more revealing than the numbers we call: âIf I go to a website about a rare disease, that says a lot more than if I have a phone call with my GP.â Collecting everyoneâs browsing history also puts innocent people at risk, he adds (see âYour browsing lifeâ).
Itâs not even clear that the plan is technically feasible. The UK government says it will pay ISPs ÂŁ175 million over the next 10 years to cover the cost of collecting and storing internet communication records. Sky and BT, leading ISPs in the UK, declined to comment on how this would be achieved when asked by New ĐÓ°ÉÔ´´, but Adrian Kennard, managing director of specialist ISP , says it isnât as simple as keeping phone records.
Unlike a call routed from one person to another, accessing a website can involve sending hundreds or thousands of packets of data, and the web address wonât be in all of them.
âItâs technically very difficult to put together the sequence of packets from a customer that identifies they are visiting a website,â says Kennard. âLarge ISPs have a vast amount of data going across their network. To comply with this they may have to send every single one of those packets, millions or billions a second, through some system to work out what is going on. Itâs not going to be cheap.â
Even with the added expense, recording web traffic may not be worthwhile. âThis will get ordinary people doing ordinary things, it will not get the serious criminals, the serious terrorists,â says , who researches internet privacy law at the University of East Anglia, UK. Savvy criminals already use encryption and software like Tor to hide their online activities, so storing web records wonât help combat this.
âThis will get ordinary people doing ordinary things, it wonât get the criminals or terroristsâ
It could also push lower-level criminals, along with people concerned about their privacy, into using encryption and Tor, making the policeâs job more difficult. âI think thatâs entirely likely, âsays Bernal. âThe more people use those, the harder it is to find people using them who are potentially dangerous.â
The government has attempted to prevent this by clarifying an existing legal power requiring communication service providers to remove any encryption they apply to usersâ messages when asked by authorities. However, itâs not yet clear what this will mean for end-to-end encryption services like the Android version of Facebookâs WhatsApp, and Appleâs iMessage. These use a long number called a key, stored on the userâs device, to scramble messages in a way that only the recipient can read. These encrypted messages cannot be decrypted by Apple or Facebook because they donât hold the keys.
Kennard compares the governmentâs plan to the overuse of antibiotics â it may end up leaving only resistant strains that are harder to fight. âIf enough stupid criminals go to jail because they arenât smart enough to use iMessage, the rest will start using it,â he says. Itâs also possible to run your own encryption without a service provider like Apple, so it canât be banned outright.
These issues mean the government should abandon plans to collect web history, says Bernal. âMass systems get the masses, they donât get the ones they really want,â he says. âThe approach should be much more intelligent.â
Hacking specific phones and computers is a more precise way to intercept someoneâs communications. The bill clarifies police and security servicesâ power to do this âequipment interferenceâ. But that kind of hack, which requires a warrant, relies on fundamental flaws in software or hardware, either bugs overlooked by manufacturers or introduced at a governmentâs request. If the UK government finds or introduces such flaws, then others can find and exploit them too, putting everyone at risk. GCHQ, the UKâs digital spies, does assist companies in patching vulnerabilities, but Snowdenâs files reveal they also keep some back for use in their hacking arsenal.
Adapting investigatory powers for the digital age is crucial, but the complexities of doing so and the potential for harm canât be ignored. âWhat we do now will probably set the agenda for surveillance for the next couple of decades. We have to be thinking of where things are moving, not just how it is written right now,â says Bernal. âWhere there are gaps or vagueness in the law, the snoopers take advantage of those and stretch the limit.â
(Image: Sam Edwards/Plainpicture)
Your browsing life
Your web history says a lot about you. The sites you visit can reveal sexual orientation, religious beliefs, details about your health â and lots more.
The UK government says it wonât look at this information, but if the draft Investigatory Powers Bill proposed last week becomes law, it will have access to it. Powers meant for stopping terrorists have been people who let their dogs foul public spaces, so there is precedent for data to be misused.
Whatâs more, if an ISP storing this data is hacked, as TalkTalk was recently, it could harm millions of people. âIt certainly becomes a very attractive target for hackers, if they can get the web browsing history of every single person in the country,â says of Royal Holloway, University of London.
This article appeared in print under the headline âEvery click you makeâ