The UK government is quietly expanding and developing a controversial surveillance technology that could be capable of logging and storing the web histories of millions of people but little is known about the system, Wired magazine reports.
The UK police have deemed the testing of a system that can collect people’s “internet connection records” a success in the past year, and have started work to potentially introduce the system nationally.
If implemented, it could hand law enforcement a powerful surveillance tool.
Critics say the system is highly intrusive, and that officials have a history of not properly protecting people’s data. Much of the technology and its operation is shrouded in secrecy, with bodies refusing to answer questions about the systems.
At the end of 2016, the UK government passed the Investigatory Powers Act, which introduced sweeping reforms to the country’s surveillance and hacking powers. The law added rules around what law enforcement and intelligence agencies can do and access, but it was widely criticized for its impact on people’s privacy, earning it the name the “Snooper’s Charter.”
Particularly controversial was the creation of so-called internet connection records (ICRs). Under the law, internet providers and phone companies can be ordered—with a senior judge approving the decision—to store people’s browsing histories for 12 months.
An ICR isn’t a list of every page online you visit, but may nonetheless reveal a significant amount of information about your online activities.
ICRs can include that you visited this website but not that you read this individual article, for instance.
An ICR can also be your IP address, a customer number, the date and time the information was accessed, and the amount of data being transferred.
The UK government says an internet connection record could indicate when, for example, the travel app EasyJet is accessed on someone’s phone, but not how the app was used.
“ICRs are highly intrusive and should be protected from over-retention by telecommunications operators and intelligence agencies,” says Nour Haidar, a lawyer and legal officer at UK civil liberties group Privacy International, which has been challenging data collection and handling under the Investigatory Powers Act in court.
NCA found significant operational benefit to ICRs
Little is known about the development and use of ICRs.
When the Investigatory Powers Act was passed, internet companies said it would take them years to build the systems needed to collect and store ICRs.
However, some of those pieces may now be falling into place.
In February, the Home Office, a government department that oversees security and policing in the UK, published a mandatory review of the operation of the Investigatory Powers Act so far.
The review says the UK’s National Crime Agency (NCA) has tested the “operational, functional, and technical aspects” of ICRs and found a “significant operational benefit” of collecting the records.
A small trial that “focused” on websites that provided illegal images of children found 120 people who had been accessing these websites. It found that “only four” of these people had been known to law enforcement based on an “intelligence check.”
In May 2022, the Home Office issued a procurement notice revealing that future trials “work is now underway” to create a “national ICR service.”
The existence of the notice was initially reported by the public sector technology publication PublicTechnology.
The notice says the government had a budget of up to £2 million to create a technical system that allowed law enforcement officials to access ICR data for investigations.
The contract for the technical system was awarded to defence firm Bae Systems in July 2022.
Wired magazine sent a Freedom of Information Act request to Home Office in relation to the government supplier BAE System.
The request for transparency was met with a short reply lacking in any technical details, citing national security and law enforcement grounds, Wired writes.
ICR trials are ongoing
A Home Office spokesperson said the UK has “one of the most robust and transparent oversight regimes for the protection of personal data and privacy anywhere in the world” and confirmed that trials of ICRs are ongoing.
The Investigatory Powers Commissioner’s Office (IPCO), which oversees intelligence agencies, police, and local authorities, says the collection of ICRs to date has been to support “small-scale trials” and that it is “unable” to provide any figures on the number of data retention notices issued.
A separate independent review of the Investigatory Powers Act is due to be published this summer. The National Crime Agency says it is still participating in the ICR trials to evaluate the use of ICRs, and that “data exploitation is essential” to its work.
The possible expansion of ICR collection in the UK comes as governments and law enforcement agencies globally try to gain access to increasing amounts of data, particularly as technology advances. Multiple nations are pushing to create encryption backdoors, potentially allowing access to people’s private messages and communications.
Haidar of Privacy International says that creating powers to collect more of people’s data doesn’t result in “more security” for people. “Building the data retention capabilities of companies and a vast range of government agencies doesn’t mean that intelligence operations will be enhanced,” Haidar says. “In fact, we argue that it makes us less secure as this data becomes vulnerable to being misused or abused.”
A call for tender for future surveillance contractors
Meanwhile the UK government’s Contracts Finder has put out a call for tender for the Department of Culture, Media and Sport (DCMS), for companies of all sizes who would like to identify “harmful disinformation and misinformation narratives, Coordinated Inauthentic Behaviour (CIB) or systematic manipulation of the information environment.”
Applications are open until May 23 and will close a month later. Award is open to both SMEs, small and medium sized enterprises, and voluntary, community and social enterprises. The positions don’t involve transparency and anyone picked must sign a non-disclosure agreement.
Successful applications could become future surveillance contractors and the definition of “misinformation narratives” might be quite subjective.