Understanding the Investigatory Powers Act 2016
Last week, on 29th November 2016, the new Investigatory Powers Act 2016 received Royal Assent in the UK. Its provisions are being brought into force in stages by commencement regulations rather than all at once.
Nicknamed the Snooper’s Charter, the new Act replaces much of the Regulation of Investigatory Powers Act 2000 (RIPA) and the Data Retention and Investigatory Powers Act 2014 (DRIPA), whose sunset clause causes it to expire on 31 December 2016.
The Investigatory Powers Act introduces new powers and clarifies some of the greyer practices around the police, and other security and enforcement agencies, hacking into devices and computers, both in the UK and abroad.
The Snooper’s Charter
The most controversial new power is the ability to require Communication Service Providers (CSPs) to record and store “Internet Connection Records” (in effect, every web site or service that their customers connect to) for a period of twelve months. This data can then be accessed by a wide range of government agencies on internal authorisation, without a judicial warrant. It is this retention regime that earned the Act its “Snooper’s Charter” nickname, and privacy campaigners have argued that such mass surveillance is unwarranted and is at risk of being abused, or of the retained data simply being hacked.
Everybody wants to help prevent terrorism, and nobody wants their privacy invaded: we all want potential terrorists put under surveillance, but we don’t want our own privacy infringed.
The concern with all such government legislation is that once it has been introduced in the name of combating terrorism, it will certainly be used to other ends, especially where there is no judicial oversight. What might be an acceptable compromise between civil liberties and the prevention of terrorism becomes a little less acceptable when it is used for anti-money laundering, or for catching tax evaders or benefit cheats.
While all those aims are worthwhile, they don’t warrant mass surveillance. But once the powers are in place they will be used for those purposes and for far more minor offences. This is what happened with RIPA, whose powers ended up being used to gather data for speeding offences and the like.
Certainly, when you look at the list of agencies that can freely access the data, which includes the Welsh Ambulance Services and the Food Standards Agency, one wonders how this is helping the fight against terrorism.
A less covered power is that to enforce the installation of “technical capabilities” to allow interception of communications. The Act speaks of a provider being required to remove “electronic protection” it has applied to communications, which could cover monitoring equipment or back-doors that circumvent encryption. Whether the UK will force non-UK providers, such as Facebook and Google, to comply with this remains to be seen.
Of course, any serious terrorist with an ounce of technical ability, or communicating with somebody else who has, will be able to circumvent all these controls: end-to-end encrypted messaging defeats interception of content, and routing traffic through a VPN or Tor means the retained connection records show only the VPN endpoint or Tor entry node, not the sites actually visited. It will be only the amateurs who are detected.
It is possible that the Court of Justice of the European Union will find some of the law invalid, and certainly some privacy advocates are bound to take that route.
US Law v. EC Data Protection
On the same topic, last week the US brought into effect amendments to Rule 41 of the Federal Rules of Criminal Procedure (on 1 December 2016). These allow a US magistrate judge to issue warrants for the FBI to remotely access computers outside the judge’s district, including computers whose location has been concealed by technical means, which in practice can mean computers anywhere in the world. This has implications for US companies, like Microsoft and Amazon, who are busy building data centres in Europe specifically to comply with EC data protection and to avoid the more egregious of US data legislation. Again, this will have to be tested in court to see the outcome, but it will come as no surprise if a US court decides that US legislation overrides European data protection.
What does it mean for you?
So what does this all mean for our CRM customers? Our UK customers who are concerned that their browsing habits will be monitored will probably not be too worried to be seen to be users of our CRM. UK enforcement agencies will still need a warrant to demand access to customer data, providing some level of oversight against (literally!) unwarranted access. We purposefully don’t host our data on any platform that is controlled by a US company, so we aren’t affected by US legislation such as Rule 41 or the Patriot Act.
But the Act is a sharp reminder that when it comes to the war between a citizen’s privacy and the State’s desire to police them, the State is winning all the battles.