It has been called the “most extreme surveillance in the history of Western democracy.” It has not once but twice been found to be illegal. It sparked the largest ever protest of senior lawyers who called it “not fit for purpose.”
And now the UK's Investigatory Powers Act of 2016 – better known as the Snooper’s Charter – is set to expand to allow government agencies you may never have heard of to trawl through your web histories, emails, or mobile phone records.
In a memorandum [PDF] first spotted by The Guardian, the British government is asking that five more public authorities be added to the list of bodies that can access data scooped up under the nation's mass-surveillance laws: the Civil Nuclear Constabulary, the Environment Agency, the Insolvency Service, the UK National Authority for Counter Eavesdropping (UKNACE), and the Pensions Regulator.
The memo explains why each should be given the extraordinary powers, in general and specifically. In general, the five agencies “are increasingly unable to rely on local police forces to investigate crimes on their behalf,” and so should be given direct access to the data pipe itself.
The Civil Nuclear Constabulary (CNC) is a special armed police force that does security at the UK’s nuclear sites and when nuclear materials are being moved. It should be given access even though “the current threat to nuclear sites in the UK is assessed as low” because “it can also be difficult to accurately assess risk without the full information needed.”
The Environment Agency investigates “over 40,000 suspected offences each year,” the memo stated. Which is why it should also be able to ask ISPs to hand over people’s most sensitive communications information, in order “to tackle serious and organised waste crime.”
The Insolvency Service investigates breaches of company director disqualification orders. Some of those it investigates get put in jail so it is essential that the service be allowed “to attribute subscribers to telephone numbers and analyse itemised billings” as well as be able to see what IP addresses are accessing specific email accounts.
UKNACE, a little known agency that we have taken a look at in the past, is home of the real-life Qs, and one of its jobs is to detect attempts to eavesdrop on UK government offices. It needs access to the nation's communications data “in order to identify and locate an attacker or an illegal transmitting device”, the memo claimed.
And lastly, the Pensions Regulator, which checks that companies have added their employees to their pension schemes, need to be able to delve into anyone’s emails so it can “secure compliance and punish wrongdoing.”
Taken together, the requests reflect exactly what critics of the Investigatory Powers Act feared would happen: that a once-shocking power that was granted on the back of terrorism fears is being slowly extended to even the most obscure government agency for no reason other that it will make bureaucrats' lives easier.
None of the agencies would be required to apply for warrants to access people’s internet connection data, and they would be added to another 50-plus agencies that already have access, including the Food Standards Agency, Gambling Commission, and NHS Business Services Authority.
One of the biggest concerns remains that there are insufficient safeguards in place to prevent the system being abused; concerns that only grow as the number of people that have access to the country's electronic communications grows.
It is also still not known precisely how all these agencies access the data that is accumulated, or what restrictions are in place beyond a broad-brush “double lock” authorization process that requires a former judge (a judicial commissioner, or JCs) to approve a minister’s approval.
A report published earlier this month by the Investigatory Powers Commissioner's Office (IPCO), which was setup to oversee the spying law, covering 2018, gave the entire process a clean bill of health while revealing a self-contained process brimming with self-congratulation.
“We have been increasingly impressed by the advantage of IPCO’s dual role: first, undertaking the review of warrants and, second, having retrospective oversight of the use of investigatory powers,” the report noted. “JCs regularly ask the inspectors to focus on particular issues during the latter’s’ oversight visits and the inspectors similarly share information relevant to the warrantry process with the JCs. In other words, these two functions – warrantry and ex post facto (retrospective) inspection – serve significantly to enhance each other and the confidence in the overall system.”
The report noted that 2018 was a “year of transition” but only in a separate section explained that was as a result of the fact that the law had to be changed because it had been found to be illegal since it did not limit the public authorities’ access to retained communications data solely for fighting serious crime.
Everything is peachy
Despite the “transition” resulting in what the report acknowledged is inaccurate data (“the statistics at the end of the report do not provide as full a picture as they will in future years”), it was encouraged by the fact that “it is clear that there were only a few refusals by the JCs of the applications they considered.”
The IPCO then immediately defended both the JCs and the government: “It is critical that this should not be interpreted as a failure by the JCs to provide rigorous scrutiny of the applications. Nothing could be further from the truth. These applications only come to IPCO after there has been detailed, multi-layered consideration within the organisation requesting the authorisation and, when applicable, the Warrant Granting Department.”
There is no indication in the new memo that seeks to expand the Investigatory Powers Act's surveillance powers to five new agencies whether the resources of the Investigatory Powers Commissioner (IPC), which currently employs “approximately 50 people," will also be expanded.
That, and whether the new agencies’ investigatory work can be considered "serious crimes" and sufficient to grant them access to millions of people’s personal data, will have to be decided by MPs and peers as it progresses through the Parliamentary process. ®