UK's Investigatory Powers Bill to become law despite tech world opposition
Only minor changes from original proposals that kicked up privacy storm
The UK's contentious Investigatory Powers (Amendment) Bill (IPB) 2024 has officially received the King's nod of approval and will become law.
Dubbed the "snooper's charter" by critics, it aims to widen the digital surveillance powers of the existing Investigatory Powers Act 2016 (IPA) used by UK intelligence services, the police, government, and some emergency services.
Before the latest amendments came into force, the IPA already allowed authorized parties to gather swathes of information on UK citizens and tap into telecoms activity – phone calls and SMS texts.
The IPB's amendments add to the Act's existing powers and help authorities trawl through more data, which the government claims is a way to tackle "modern" threats to national security and the abuse of children.
"The world-leading Investigatory Powers regime is crucial to keeping the public safe," said security minister Tom Tugendhat. "That's why we're making urgent, targeted changes to the Investigatory Powers Act to ensure our laws keep pace with rapidly changing technology and to guard against modern threats to national security.
"These changes mean that not only will our citizens be better protected from serious dangers such as terrorism and child sexual abuse online – their privacy will be better protected too."
The UK government has positioned the changes, which include an expanded remit to collect data on UK citizens en masse, as a means to afford intelligence agencies and the National Crime Agency (NCA) "greater agility and speed" in responding to threats.
Among those alterations is the ability for authorities to surveil targets by gathering their internet connection records. This will allow investigators to determine who connected to what service – such as an app or website – what phone number they dialed, where they were at the time, and when they did so.
The amendments also expand authorities' ability to gather bulk datasets of personal information on individuals who have a low or no expectation of privacy. This includes data such as CCTV footage or images posted to social media.
There was hope among the Bill's opposers that some of the more controversial changes would be repealed following loud concerns over privacy infringements, but the UK's hardline stance on national security has prevailed.
Will Richmond-Coggan, privacy and data protection partner at national law firm Freeths, told The Register: "The amendments made to the Investigatory Powers (Amendment) Bill were ultimately welcomed by the House of Lords, but are unlikely to be welcomed by campaigners or tech companies who were concerned about the wide-ranging scope of notice provisions in relation to the introduction of new privacy-enhancing technologies which would also have the effect of impeding lawful surveillance.
"Additional safeguards have been introduced – notably, in the most recent round of amendments, a 'triple-lock' authorization process for surveillance of parliamentarians – but ultimately, the key elements of the Bill are as they were in early versions – the final version of the Bill still extends the scope to collect and process bulk datasets that are publicly available, for example."
Naturally, privacy campaigners strongly oppose the IPB and the changes that it brings to UK law, saying they expand an already robust arsenal of tools to collect data on UK citizens in bulk.
Tech trade body techUK said in a March statement that it had "substantial concerns" about the Bill, which was being "rushed" through parliament without proper scrutiny.
It believes the IPB will weaken the safety rails that guide the intelligence services when collecting data in bulk, and that it could lead to the wider data harvesting of millions of facial images, internet records, and social media data.
techUK told The Register this week: "As the Investigatory Powers (Amendment) Bill receives Royal Assent, we are disappointed that the government did not address the widespread concerns about its potential negative impacts.
"We remain concerned that these reforms will weaken privacy protections, expand surveillance powers, hinder security innovation, and risk exacerbating international conflicts of law without sufficient safeguards.
"As we look towards the next steps for this legislation, with consultations on how these regulations will work in practice, we look forward to further engagement to ensure a more workable and proportionate regime."
Privacy International said: "Sadly, but not surprisingly, [the IPB] has changed little from the government's original proposal, which means its becoming law is a major concern.
"The Bill waters down already insufficient safeguards in the Investigatory Powers Act. It makes mass surveillance easier and gives the UK the option to attempt to control, and perhaps lessen, the security and privacy of internet services used by billions of people around the world."
Potential threat to security updates in commercial software
Other key concerns revolve around the IPB's amendment that would force tech companies to consult the UK government before rolling out security updates to software.
It's a big one that opposers of the Bill think will undermine the security posture of the UK, and potentially lead to unnecessarily protracted delays in rolling out key security features, thus making the country a more popular target for cybercriminals.
Apple, for example – a company that famously refused to bend even to the FBI after it wanted to crack open the San Bernardino shooter's iPhone – said it would consider pulling iMessage and FaceTime from the UK over fears they would be forced to weaken security.
The company branded the IPB's rule "an unprecedented overreach by the government," adding it believes the changes are an "attempt to secretly veto new user protections globally, preventing us from ever offering them to customers."
Abigail Burke, platform power program manager at the Open Rights Group, previously told The Register, before the IPB was debated in parliament, that the proposals amounted to an "attack on technology."
The IPB, of course, goes hand-in-hand with the long-running calls to break end-to-end encryption (E2EE), which the government also claims impedes its efforts to tackle national security threats. It once again echoed these views just this week, in fact.
The Online Safety Bill was also passed last year after a rocky process that garnered equally loud concerns from privacy campaigners about a so-called "spy clause" that aimed to capture encrypted private messages.
Although the UK government admitted that scanning encrypted chats wasn't "technically feasible", it didn't rule out the possibility of invoking a request for companies to do so in the future, perhaps at a time when, or if, E2EE becomes illegal in the UK, for example.