The fight against the Investigatory Powers Bill isn't over yet

Update: it would appear that Theresa May et al's grasping hands may be kept away from our personal data after all. The Investigatory Powers Bill has been struck down - sadly not by public outcry and concerted demonstrations that reinforced the country's resistance to dystopian state surveillance, but by the European Court of Justice.

The court ruled against the bulk data collection outlined by the Snooper's Charter in all cases other than when it was specifically related to "serious crime". Although it told Ars Technica it has some ominously vague backup plans in place, the Home Office has nevertheless confirmed that it has put the plan on hold, for now.

Privacy campaigners should not be resting on their laurels just yet, though. The government is likely to be exploring other options in order to reinstate bulk data collection. Worryingly, the political climate has now become so chaotic that any future versions run the risk of passing with even less scrutiny than the original.

The ECJ's decision is a heartening one for those of us who don't wish to surrender our online identities to the security services but, make no mistake, this fight is far from over.


Do you like to be watched?

If the answer is no, I've got some bad news for you. The Investigatory Powers Bill - commonly known as the Snooper's Charter - has been passed by Parliament, meaning the government now has the power to examine and dissect virtually every element of your online life.

Although privacy campaigners and most of the security industry have been up in arms about the Snooper's Charter, it has met largely with apathy from the general public. That's understandable; mass surveillance is a difficult concept to fully wrap one's head around, mainly due to the sheer size of it.

It's virtually impossible to comprehend this kind of issue without putting it in some kind of context. When John Oliver interviewed whistleblower Edward Snowden about similar US surveillance programmes, he used the analogy of whether or not the government was able to spy on people's "dick pics". I'll attempt to employ a similar, if less crude, analogy here.

Let's say, for example, that you decide to visit a porn website. Under the new laws, the government will be able to see:

  • Which site you visited
  • What time you visited it
  • What kind of device you visited it from
  • Which browser or app you used to visit it
  • Your physical location when you visited it

The same goes for any app that uses the internet. Made a Skype call? Government agents will be able to tell who you called, from where, for how long and much more. They can tell when you upload photos to iCloud, and when you open up Instagram. The only limit, an admittedly sizeable one, is that they can't directly read what you said or wrote.

We've all deleted our internet history at one point or another, but once these laws come into effect, your internet provider - as well as the provider of any communications service like WhatsApp, Snapchat, and Facebook - will have to store your entire history for a full year.

Another element of the incoming law now gives the government the right to hack into your devices. That means they can break into your laptop, tablet or smartphone, go through the data stored on it, or even install keylogger software that can tell them exactly what you're typing, as you're typing it.

While many (although not all) of the powers outlined in the act require a warrant, many people have raised questions about this process. For example, in order to access your internet connection records, most government bodies only need approval from an internal officer within the department, rather than a judge.

In order to hack your computer or phone, a warrant must be issued by a senior official - a chief constable in the case of the police, or a Secretary of State in the case of spy agencies - and then approved by a special judge. But that judge will be legally compelled to approve warrants in all but the most extremely unreasonable of circumstances.

One of the most common arguments is that the end justifies the means, and that this is a small price to pay for fighting terrorism. But what about fighting unpaid parking tickets? In order to access your internet records, agencies must show that they've got a good reason, but while the government lists issues of national security and public safety as acceptable reasons, it also says that public bodies can look at your internet history for the purposes of collecting taxes, duties, or any other financial contribution owed to the government. It can also look at your data in order to serve "the regulation of financial services and markets".

There's an argument that says if you've got nothing to hide, then you've got nothing to fear. The problem with that is, it's frighteningly easy for governments to move the goalposts, and the definition of 'something to hide' can change overnight. For example, a part of the Digital Economy Bill, currently being looked at by Parliament, would ban any websites showing videos of 'non-conventional' sex acts - including spanking and female ejaculation.

If the government decided not only to ban this kind of content, but also to make viewing it a criminal offence, it would already have all the tools it needed to track down and arrest you in minutes - all for watching a bit of slap and tickle.

Systems like this are notoriously vulnerable to abuse, too. Not only would the agencies themselves have to trust that none of their employees will exploit their access to a vast and comprehensive database of their friends and families' secrets, they would also have to protect against the legions of hackers that would love nothing better than to get access to the entire country's internet records.

This is something that has proven notoriously difficult for them in the past; two-thirds of London councils have suffered data breaches in the last four years, while in the last five years, the police have had more than 2,300. This is not particularly encouraging when the government is essentially discussing creating a centralised database of all of our internet activity.

Theresa May is hoping that this bill will pass unnoticed into law; that you will be too busy worrying about Brexit, and Trump, and your own personal stresses to care about the monolithic and terrifying surveillance apparatus that is being assembled around you.

We don't have to let that happen. It may be too late to stop this bill from being passed, but it is not too late to show this government that we will not consent to having our every action monitored, our every movement filed and our every conversation logged.

If you believe that privacy is not a luxury, and that the government's surveillance powers can and should be tempered in a democracy, there are ways to fight back. Use a VPN. Donate to privacy groups. Write to your MPs and elected officials. Protest.

Adam Shepherd
