The UK government is quietly expanding and developing a controversial surveillance technology that could be capable of logging and storing the web histories of millions of people.
Official reports and spending documents show that in the past year, UK police have deemed the testing of a system that can collect people’s “internet connection records” a success, and have started work to potentially introduce the system nationally. If implemented, it could hand law enforcement a powerful surveillance tool.
Critics say the system is highly intrusive, and that officials have a history of not properly protecting people’s data. Much of the technology and its operation is shrouded in secrecy, with bodies refusing to answer questions about the systems.
At the end of 2016, the UK government passed the Investigatory Powers Act, which introduced sweeping reforms to the country’s surveillance and hacking powers. The law added rules around what law enforcement and intelligence agencies can do and access, but it was widely criticized for its impact on people’s privacy, earning it the name the “Snooper’s Charter.”
Particularly controversial was the creation of so-called internet connection records (ICRs). Under the law, internet providers and phone companies can be ordered—with a senior judge approving the decision—to store people’s browsing histories for 12 months.
An ICR isn’t a list of every page online you visit, but may nonetheless reveal a significant amount of information about your online activities. ICRs can include that you visited Wired.com but not that you read this individual article, for instance. An ICR can also be your IP address, a customer number, the date and time the information was accessed, and the amount of data being transferred. The UK government says an internet connection record could indicate when, for example, the travel app EasyJet is accessed on someone’s phone, but not how the app was used.
“ICRs are highly intrusive and should be protected from over-retention by telecommunications operators and intelligence agencies,” says Nour Haidar, a lawyer and legal officer at UK civil liberties group Privacy International, which has been challenging data collection and handling under the Investigatory Powers Act in court.
Little is known about the development and use of ICRs. When the Investigatory Powers Act was passed, internet companies said it would take them years to build the systems needed to collect and store ICRs. However, some of those pieces may now be falling into place. In February, the Home Office, a government department that oversees security and policing in the UK, published a mandatory review of the operation of the Investigatory Powers Act so far.
The review says the UK’s National Crime Agency (NCA) has tested the “operational, functional, and technical aspects” of ICRs and found a “significant operational benefit” of collecting the records. A small trial that “focused” on websites that provided illegal images of children found 120 people who had been accessing these websites. It found that “only four” of these people had been known to law enforcement based on an “intelligence check.”