THE UK government wants your web history. Surveillance powers proposed by the Home Office last week have come under fire from privacy advocates for putting innocent people’s personal data at risk. The proposed law may even spark a wave of encryption, making it more difficult for the police and security services to find criminals and terrorists.
If passed into law, the Investigatory Powers Bill, presented to Parliament on 4 November, would require internet service providers (ISPs) to keep a record of every website their customers visit, storing each for. It would also create a legal basis for the government to survey phones and computers on a large scale, and read encrypted messages sent through online services – activities that documents suggest the government was already doing.
The bill is meant to bring the power to track online communications in line with the government’s ability to monitor landlines and cellphones. “It cannot be right that today the police could find an abducted child if the suspects were using mobile phones to coordinate their crime, but if they were using social media or communications apps then they would be out of reach,” UK home secretary Theresa May said in her speech presenting the bill. Police say their inability to look into online services has already stymied some investigations.
Authorities will only be able to access internet connection records – root addresses like, along with the time and date of the visit – for three reasons: to identify the sender of a communication, to identify the apps or services they are using, and to determine whether or not someone has accessed illegal material. Once they know which sites someone is using to communicate, they can request more complete details from the site or service involved.
The goal is to apply the existing model of investigation, in which phone records are used to reveal patterns of communication, to the digital age. Butof the University of Kent, UK, says the websites we visit are far more revealing than the numbers we call: “If I go to a website about a rare disease, that says a lot more than if I have a phone call with my GP.” Collecting everyone’s browsing history also puts innocent people at risk, he adds (see “ “).
It’s not even clear that the plan is technically feasible. The UK government says it will pay ISPs £175 million over the next 10 years to cover the cost of collecting and storing internet communication records. Sky and BT, leading ISPs in the UK, declined to comment on how this would be achieved when asked by New Scientist, but Adrian Kennard, managing director of specialist ISP, says it isn’t as simple as keeping phone records.
Unlike a call routed from one person to another, accessing a website can involve sending hundreds or thousands of packets of data, and the web address won’t be in all of them.
“It’s technically very difficult to put together the sequence of packets from a customer that identifies they are visiting a website,” says Kennard. “Large ISPs have a vast amount of data going across their network. To comply with this they may have to send every single one of those packets, millions or billions a second, through some system to work out what is going on. It’s not going to be cheap.”
Even with the added expense, recording web traffic may not be worthwhile. “This will get ordinary people doing ordinary things, it will not get the serious criminals, the serious terrorists,” says, who researches internet privacy law at the University of East Anglia, UK. Savvy criminals already use encryption and software like Tor to hide their online activities, so storing web records won’t help combat this.
It could also push lower-level criminals, along with people concerned about their privacy, into using encryption and Tor, making the police’s job more difficult. “I think that’s entirely likely,” says Bernal. “The more people use those, the harder it is to find people using them who are potentially dangerous.”
The government has attempted to prevent this by clarifying an existing legal power requiring communication service providers to remove any encryption they apply to users’ messages when asked by authorities. However, it’s not yet clear what this will mean for end-to-end encryption services like the Android version of Facebook’s WhatsApp, and Apple’s iMessage. These use a long number called a key, stored on the user’s device, to scramble messages in a way that only the recipient can read. These encrypted messages cannot be decrypted by Apple or Facebook because they don’t hold the keys.
Kennard compares the government’s plan to the overuse of antibiotics – it may end up leaving only resistant strains that are harder to fight. “If enough stupid criminals go to jail because they aren’t smart enough to use iMessage, the rest will start using it,” he says. It’s also possible to run your own encryption without a service provider like Apple, so it can’t be banned outright.
These issues mean the government should abandon plans to collect web history, says Bernal. “Mass systems get the masses, they don’t get the ones they really want,” he says. “The approach should be much more intelligent.”
Hacking specific phones and computers is a more precise way to intercept someone’s communications. The bill clarifies police and security services’ power to do this “equipment interference”. But that kind of hack, which requires a warrant, relies on fundamental flaws in software or hardware, either bugs overlooked by manufacturers or introduced at a government’s request. If the UK government finds or introduces such flaws, then others can find and exploit them too, putting everyone at risk. GCHQ, the UK’s digital spies, does assist companies in patching vulnerabilities, but Snowden’s files reveal they also keep some back for use in their hacking arsenal.
Adapting investigatory powers for the digital age is crucial, but the complexities of doing so and the potential for harm can’t be ignored. “What we do now will probably set the agenda for surveillance for the next couple of decades. We have to be thinking of where things are moving, not just how it is written right now,” says Bernal. “Where there are gaps or vagueness in the law, the snoopers take advantage of those and stretch the limit.”
Your browsing life
Your web history says a lot about you. The sites you visit can reveal sexual orientation, religious beliefs, details about your health – and lots more.
The UK government says it won’t look at this information, but if the draft Investigatory Powers Bill proposed last week becomes law, it will have access to it. Powers meant for stopping terrorists have beenpeople who let their dogs foul public spaces, so there is precedent for data to be misused.
What’s more, if an ISP storing this data is hacked, as TalkTalk was recently, it could harm millions of people. “It certainly becomes a very attractive target for hackers, if they can get the web browsing history of every single person in the country,” saysof Royal Holloway, University of London.
This article appeared in print under the headline “Every click you make”