United Kingdom – In a news cycle still fixated on the US election result, on November 15 members of the UK’s upper house of parliament gave final approval to the country’s most invasive surveillance legislation to date.
The Investigatory Powers Act gives government agencies unprecedented powers to collect user information in bulk and access data about the websites that Britons visit.
The most controversial aspect of the law is the requirement for internet service providers (ISP) to hold information about every website a user visits for 12 months.
Government agencies, such as the security services, the Inland Revenue, and even the Food Standards Agency, will be able to access the information, for what officials say will be a “limited set of specified purposes” subject to “strict controls”.
Despite the ease with which it passed through the Conservative-controlled legislative chambers, the law nicknamed the Snooper’s Charter by the British press has prompted strong criticism.
Silkie Carlo, a policy officer for the National Council for Civil Liberties, dismissed the government’s justification of the law on the grounds of countering terrorism as “one that defies common sense.
“We urged the government to prove it was strictly necessary for the state to use bulk, suspicionless surveillance powers,” Carlo said, adding that the government had “cynically” avoided addressing the group’s concerns.
A targeted system of surveillance based on suspicion of criminality made more sense than one that captures huge amounts of data, Carlo argued, and security experts agree.
Johns Hopkins University cryptologist Matthew Green told Al Jazeera that there were major limitations with the new law from a security perspective.
“The amount of data being generated is going to be vast,” Green said.
“That’s going to drown the surveillance agencies in noise and false positives … My guess is the only real use of this data will be to keep police busy chasing leads, and to help fill in a profile after something has happened.”
According to Green, those behind previous attacks, such as in France last year, had easily evaded similar measures intelligence services had in place.
“We saw in Paris that even burner cellphones without encryption were sufficient to coordinate a large-scale attack.
“It’s much more likely that these measures will be used against amateurs and criminals, and won’t stop the sort of serious terrorism that’s being used to justify them.
“That’s worrying, because the privacy cost of these measures is going to be enormous.”
The UK is not alone in introducing expansive internet surveillance laws. France introduced similar measures in 2015, and Germany passed its own measures in October.
In the US, the National Security Agency’s PRISM programme gives it direct access to user data held by companies such as Google and Facebook.
Vian Bakir, professor of political communication and journalism at Bangor University, said Western governments had “created the tools for repression” and citizens would now have to trust that the state will not abuse such powers.
She described the British government as prioritising national security over human rights, and warned that the recent US election result could signal a turn for the worse.
“[Trump’s] populist election included calls to bring back torture and he stated his support for bringing back NSA bulk data collection,” Bakir said. “As such, we have very good reason to be concerned about our privacy.”
Potential government overreach is just one of the risks associated with the new measures.
Organised criminals and foreign state actors have little or no incentive to protect user data and are not bound by any form of accountability to citizens of the countries they operate in.
Several technologists Al Jazeera spoke to warned that the UK’s Investigatory Powers Act could lead to leaks of sensitive personal data.