In 2016, the UK passed the Investigatory Powers Act (“Investigatory Powers Act"). This event led to the creation of a special system with which you can track the Internet activity of users living in the territory of this democratic state.
Over the past two years, law enforcement agencies have worked with Internet companies across the UK to secretly develop and test specific surveillance technology. With it, they were able to register and store browsing data on the Internet of each user residing in the country.
The tests, which were carried out by two unidentified ISPs, the Department of the Interior and the National Crime Agency, were carried out following the passage of the controversial Investigative Powers Act, which came into effect at the end of 2016. In case of successful implementation of this resolution, the government would be able to deploy surveillance at the national level.
Although the National Crime Agency said that "significant work" had been done in the process of implementing the act, the details of the implementation of the decree were not disclosed. This approach on the part of law enforcement agencies is already being challenged in court. There was no public announcement about the beginning of any testing or surveillance of users on the network. Moreover, many insiders who follow the activities of the police and government agencies claim that they cannot talk about the new technology due to their own security concerns.
There is still a lawsuit related to the implementation of the “Act on the powers of the investigation”, which entered into force in 2016. The act itself is associated with the Snooper’s Charter Act. Based on the totality of these regulations, the state was able to create records of each user’s connection to the network. They contain complete information about what actions the user performed on the Internet. In other words, this is metadata about his Internet life: who he is, what he does, who he communicates with, what he is interested in. Based on the Investigative Powers Act, the state or the police can require an Internet company to keep a particular user’s browsing history for 12 months.
The first of these demands was put forward in July 2019. It was then that user activity records or ICRs were put to the test (according to the Commissioner’s Report ). The second claim, brought against another ISP in the same litigation, appeared in October 2019. The trial itself is still ongoing. Regular checks are carried out by the police to ensure that the collected data does not violate users’ privacy rights. Once the data collection program has been thoroughly tested, it will be considered by the national government for adoption at the national level.
However, civil rights groups argue that the lack of transparency surrounding such lawsuits suggests that such a data-gathering program is not ideal. “It took several years for the lawsuit related to the collection of user data to become public. This suggests that the very system that tracks user activity on the network needs to be improved, “says Heather Burns, a political expert from Open Rights Group, a British organization for protecting privacy and freedom on the Internet.
Burns says the ICR collection lawsuit caused ISPs to " dig up a lot more personal information about users than planned ." She adds that it is not clear exactly what data was collected as a result of the trial. “I am struck by the lack of transparency in this massive collection and storage of the personal data of UK residents.”
The entire trial is shrouded in secrecy. It is not known what data is collected, which companies are involved in it and how the information obtained is used by third parties. The Home Office declined to provide details of the trial, saying it was "not that significant" and was only being conducted to determine what data could be obtained from such practices. The ICR reports were designed to uncover serious crimes and prevent them from happening in the future, according to the Home Office.
"We support a Home Office-sponsored initiative to create records of user activity on the web to meet technical, legal and political objectives," says a spokesman for the National Crime Agency. The agency itself has spent at least £130,000 on two external contracts to build basic technical surveillance systems. It is worth noting that documents related to the implementation of the June 2019 “Investigative Powers Act” state that “significant work” has already been done to implement records of user activity on the Internet.
Of the major ISPs in the UK, only Vodafone has confirmed that it has not been involved in any tests related to the storage of Internet activity data of its users. Representatives of BT, Virgin Media and Sky declined to comment on this situation, and the mobile operator Three did not respond to a request from journalists at all. Smaller ISPs claim they have not been involved in any testing of new security programs.
Most likely, service providers are being hampered by a law that prevents them from publicly disclosing the data they collect. Such secrecy jeopardizes the modernization and testing of the entire Internet network as a whole. One section of the Investigative Powers Act states that telecommunications companies or people working in the field are not allowed to speak publicly or privately about the "existence or content" of any orders related to the storage of users’ personal data.
The Investigative Powers Act is a layered law that sets out how law enforcement in the UK can collect and process data related to criminal activity. Since it was passed in 2016, the act has led to sweeping data security reforms in the UK. Law enforcement agencies have gained more control over the private information of the country’s residents, explaining that phones, computers and other gadgets can be hacked by intruders. As part of these changes, ICRs (User Activity Reports) have been introduced as a new type of data that can be collected and stored for security purposes.
Records of people’s activity on the Internet may contain information about the applications they used; the domains they visited; IP address specific to their network. With this amount of information, the police can learn about the beginning and end of a user’s session on the network, as well as the amount of data that was received or sent from his device. Although metadata cannot directly indicate what exactly you were looking at on a particular page on the Internet, they still carry a risk to your privacy. Among other things, ICRs contain information about the health status, political affiliations and personal interests of users. Home Office documents state that " there is no single set of data that is collected to create an ICR". All logs will be kept by ISPs for the required amount of time.
Five years have already passed since the adoption of the act. In 2016, many of its aspects seemed rather controversial – and the creation of ICR was at the top of this list. Edward Snowden called the law " the most extreme surveillance in the history of Western democracy ". It is also worth noting that after the act came into force, multiple legal proceedings took place about how much personal data of users ISPs can collect.
Although the law was passed back in November 2016, it is likely that the systems needed to collect information about the Internet activity of all users in the UK still need to be developed. When discussing the act in 2015, many Internet service providers announced that ICR is a completely new type of data, since nothing similar has yet been developed in the world.
Hugh Woolford, then chief operating officer of Virgin Media, said that such snooping requires " mirroring all traffic on our network so that it can be filtered out later ." Others argued that such systems would cost the state more than the £175 million originally budgeted by the Home Office to implement the act. As a result, people’s spending on Internet services may increase.
The "Act on the powers of the investigation" is planned to be carefully studied next year. It must be revised five years and six months after its adoption. Burns argues that this is a chance to improve the transparency of the data collection process itself and understand how the law works in practice. “We need to make sure that ICRs collect the right amount of data about user activity on the network,” she says. “It is also necessary to give guarantees that any steps to scale this practice will not be taken by the state and law enforcement agencies in the future.”
According to Wired.