UK legislation regarding data collection and accessibility of internet content

30th November 2016

Yesterday the Investigatory Powers Act 2016 -- known as the IP bill, or Snoopers' Charter -- received royal ascent, signifying its passage into UK law. With its ascent comes a removal of established internet freedom, and a threat to the future of privacy across the world. In light of the horrifying prospects of the IP bill, I sought to examine it and two other equally devastating pieces of potential UK legislation.

Investigatory Powers Bill

The IP bill introduces powers for the bulk collection of communications data to and from UK citizens. The bill introduces the authority to collect and intercept data to an extent that has not before been legally permissible by any modern non-authoritarian government. As inquiries have concluded1, such data interception has been occurring unlawfully in western civilisation for a number of years. The IP bill poses to legally regulate the collection of data, whilst at the same time permitting it to an unprecedented extent.

The bill grants new investigatory powers and maintains existing ones. Provisions of the bill2:

  • Require communication service providers (such as ISPs) to retain all internet connection records for twelve months.
  • Place a legal obligation on UK communication service providers to assist with targeted data interception relating to an investigation.
  • Maintains an existing requirement for UK content service providers to hold the ability to remove any encryption they apply to their data, and to do so on demand.
  • Allow police and intelligence officers to examine connection records as part of investigations, without a warrant.
  • Permit police and intelligence officers new powers pertaining to hacking devices for the purpose of data monitoring and collection.
  • Creates an Investigatory Powers Commission to oversee the use of the aforementioned surveillance powers.

New criminal offences are created for:

  • Unlawfully accessing internet data.
  • A content service provider revealing that data has been requested from them.

A communication service provider is any service that serves internet connections. This most commonly means an Internet Service Provider, who provides internet access, but can also apply to other services, such as VPN providers who may offer a secure or encrypted service for internet access. Top-level domain capture that is required to be held by such a service means that any TCP request made through a UK company - the request of a web page, or the download of a file - creates a record that must be held for up to twelve months.

The collected records are available to police and intelligence officers through a "request filter"3 - a search engine for inquiry into the internet data of citizens. The details of the request filter are not specified other than claiming to delete irrelevant data from an inquiry. Once records are retrieved through this filter, they are then accessible to public authorities. No warrant is required so long as they are thought to be pertinent to an ongoing investigation.

Over 40 public authorities can access the collected data4, ranging from GCHQ to the Food Standards Agency.

Digital Economy Bill 2016-2017

The Digital Economy Bill is a bill introduced to parliament in June 2016, and is expected to receive royal ascent during the first half of 2017. It largely pertains to the restriction of content - primarily pornographic - pending age verification of users of an internet service. The bill follows on from the Digital Economy Act 2010, which attempted to place restrictions on access to copyright infringing content, but was in most part repealed.

The bill is still in progress and receiving alterations. At the time of writing, it seeks to achieve the following5:

  • Establish a minimum download speed that Internet Service Providers must supply (expected to be 10mbps).
  • Create an age verification regulator to publish guidelines on how to ensure adult websites ensure their users are over the age of 18.
  • Permit the age verification regulator power to direct Internet Service Providers to block access to material deemed inappropriate
  • Requires the internet service provider to prevent persons in the UK from being able to access offensive material

The British Board of Film Classification (BBFC), who have classified British media including films, television programmes, and (until recently) video games; has been appointed to enforce ratings on content accessible via the internet. The bill deems that any web-accessible content that would not be given a classification under the rules of the BBFC must be blocked by an Internet Service Provider. Proposals for the bill state intent to prevent the distribution of offensive pornography, but the reach of the bill extends to any sexual or erotic content, and provides grounds for other content to be refused classification.

A refusal of the British Board of Film Classification to provide a content rating for media it presides over effectively results in a ban. A controversial case was in 2007, when the sequel to Rockstar's '''Manhunt''' was initially rejected for "a range of unjustifiable harm risks to both minors and adults". The refusal of classification meant that the game could not be sold by UK retail outlets, leading to an effective ban on its sale. It was not until 2008, following multiple revisions and appeals, that the game was given an "18" classification.

The guidelines that the BBFC currently uses for erotic content sold in stores across the UK will, under the Digital Economy Bill, apply to content that can be streamed or downloaded across the internet. Non-compliance with the provided guidelines will prompt the BBFC to require an ISP to block access to non-compliant content. Some of the acts prohibited by the BBFC include67:

  • Rough sex (including spitting, hair pulling, gagging during fellatio, and strong verbal abuse).
  • Penetration with large and dangerous objects, or objects associated with violence (pool cues, ice cubes, drill-powered dildos).
  • Urination onto a person, or the consumption of urine (general urination is allowed, provided it is not done erotically). This section also covers female ejaculation.
  • Focus on faeces, vomit, or menstrual blood.
  • Promotion of "dangerous fetish activities".
  • Injury resulting from sadomasochism (red marks or blood).
  • Fisting (or more precisely, a maximum of four fingers inserted into an orifice for sexual stimulation).

Infringing on the above content when attempting to classify a pornographic title for sale in the UK will result in the refusal of the highest classification the BBFC offers (R18), preventing its distribution. Films may cut or revise content and resubmit for BBFC classification. Under the Digital Economy Bill, these guidelines (and any future amendments the BBFC sees fit to make) apply retroactively to all pornographic content across the internet - almost none of which is created with these guidelines in mind - and non-compliance results in the ISP being forced to block the content.

The acts themselves remain legal between consenting adults, but in video form are grouped with illegal acts such as child exploitation, and non-consensual sexual violence.

Online Safety Bill

The Online Safety Bill was a Private Members' Bill in 2012, reintroduced again in 2012, and again across 2013, 2014, 2015, and 2016. A Private Members' Bill is a bill introduced by MPs and Lords who are not government ministers, providing elected officials and appointed peers a chance to propose bills for issues they may feel are relevant for their constituents, or for the country. It has not been passed, though the 2016 proposal remains ongoing.

The bill seeks to "[promote] online safety; to require internet service providers and mobile phone operators to provide an internet service that excludes adult-only content"8. Its provisions include:

  • Forcing Internet Service Providers to exclude adult content by default
  • Forcing mobile internet providers to exclude adult content by default
  • Require subscribers to confirm they wish to receive adult content, reliant on an age verification scheme approving they are above the age of 18
  • Provide education to parents regarding online safety measures and age filters
  • Require foreign pornographic services to be licensed

The Online Safety Bill is, as far as enforcing the regulation of internet content, a Digital Economy Bill-lite. It offers the same reaction to the availability of adult content as the IP Bill, and resolves to achieve the same ends, although without establishing a discussion on such a committee that would regulate content (leaving such classification to the ISP).

The parliamentary readings on this bill offer insight into, as with the Digital Economy Bill, why such enforcement of content is difficult to approach without restriction of content reaching absurd lengths.

A simplistic definition of pornography will cause immense problems in our courts. How do you define arousal and to what level of arousal-partial, full? Is that arousal the view of the average person on the Clapham omnibus, or should the definition cover the various fetishes that people may have? - Baroness Brinton, discussing the bill

The bill is not interesting for what it adds to the discussion of regulating content - most of which can be had with the Digital Economy Act - but how bills are received during parliamentary readings, and how they ascend. The rejection of the Online Safety Bill lies in part in the worries of classifying "adult" and "appropriate" content without clarification of what those terms mean. In contrast, the Digital Economy Bill is accepted for providing such clarification, but using existing provisions intended for a different medium, and without due consideration for whether those provisions transfer appropriately, or were well-founded to begin with.

Effects on national security

The aims of the government in the introduction of the Investigatory Powers Bill and the Digital Economy Bill are to give police and intelligence agencies the necessary powers to keep citizens safe9, and to protect children and other citizens from accessing harmful web content10. In my opinion, these bills will do the opposite of what they claim to seek, whilst causing needless censorship, a gross invasion of privacy, and the distinct possibility of disastrous consequences.

At the opening of parliament following the 2015 election, Queen Elizabeth delivered a speech to the Houses of Parliament, mentioning the future IP bill in regards to national security.

Measures will also be brought forward to promote social cohesion and protect people by tackling extremism. New legislation will modernise the law on communications data, improve the law on policing and criminal justice, and ban the new generation of psychoactive drugs. - Queen Elizabeth II11

Prime Minister Theresa May, introducing the bill as Home Secretary in 2013, has also spoken strongly about its effect on national security.

It is a matter of national security and we must keep on making the case for the communications data bill until we get the changes we need. - Theresa May, speaking in 2013 on the first draft of the Snoopers' Charter12

National security and protection of national interests has played a strong role in how the IP Bill has progressed through the Houses of Parliament to ascend to law with little opposition. In consideration if this, two questions must be asked:

  1. How effective is the bulk collection of data against preventing terrorist action?
  2. What security risks are imposed upon citizens through collection of data?

For studying the link between rates of terrorism in relation to communications data, we can look to the US, who have been legally keeping phone records between their citizens and foreign countries since 200213, and illegally keeping further records on domestic calls for just as long14.

An independent report from the non-profit New America Foundation published a 2014 study, examining cases involving 225 US terrorist recruitments over the span of a decade15. They concluded that of all the cases they studied, the number of them aided by communications data held by the US government was ... zero. None of the hoarded metadata obtained through the illegal invasion of privacy aided in the prevention of terrorist recruitment. Meanwhile, the UK government clings to an independent report stating that bulk data collection is "vital"16, though refuses to acknowledge its recommendation for an advisory panel on technology.

Surely then, we can at least hope that data held by Internet Service Providers can be stored safely until such a time that the government finds a way to use it effectively? Even ignoring the twelve month hold time, not likely.

Tim Berners-Lee says the IP bill creates a "security nightmare".

This snoopers charter has no place in a modern democracy - it undermines our fundamental rights online. The bulk collection of everyone's internet browsing data is disproportionate, creates a security nightmare for the ISPs who must store the data - and rides roughshod over our right to privacy. Meanwhile, the bulk hacking powers in the Bill risk making the internet less safe for everyone.17

The bill forced internet providers to hold data of their customers, though with no provisions on how it should be security held. An important point the bill does make is that any encryption applied by the ISP must be reversible so that it can be accessed upon government request. As we know from numerous leaks 18192021, "secure" encryption is not so, and data that simply exists has the possibility to be accessed and used nefariously. Spreading this data so widely (for each ISP will hold their own data) increases the likelihood of a weak link, leaving the private data of millions vulnerable. If the government can access the data, so can any third party will ill intent.

Effects on the economy

The Digital Economy Bill seeks to "transform lives through better access to information"22. Through the restriction of legal content from an industry worth billions23, all whilst removing the freedoms of citizens of the UK, it does just the opposite.

If the bill is passed in 2017, massive restrictions will be placed on adult content accessible across the internet in the UK, not just affecting the ability of the public to access content which they would be allowed to produce (but not distribute) themselves, but also hurting a gigantic industry. Pornography sites would be required to implement comprehensive age gates using their own resources, whilst also going through the trouble of managing and neutering their own content to keep it in line with the irrationalities detailed by the BBFC.

Cost is not something that would just affect pornography, but also the ISPs being forced to store data by the IP bill. To store the massive amounts of data gathered by the catch-all net imposed by the bill - millions of connections per millions of customers - requires equally massive amounts of storage. The bill states it will cover "appropriate costs" of such storage, though does not go into further details. Meanwhile, statements from the government and other figures indicate that only big-name ISPs will be expected to carry out the provisions indicated by the bill24, which leaves a big question mark surrounding the supposed priority of national security.

The cost of the IP bill goes further still. The bill introduces powers that are, as Home Secretary Amber Rudd calls them, "world-leading". Though Edward Snowden prefers to say:

The UK has just legalized the most extreme surveillance in the history of western democracy. It goes farther than many autocracies.25

However one may see it, the UK certainly stands alone in the surveillance the new law brings, and how it imposes on business. The collection of information doesn't just affect citizens, but also companies who are based in the UK, as well as any trade that occurs between a foreign and UK company. There is concern that it may be difficult to comply with both the IP bill and European legislation.

For an organisation to be in compliance with both the Investigatory Powers Act and the EU GDPR, it will have to notify subscribers of the type of data being collected and its intended purpose. - Richard Stiennon, of the Blancco Technology Group26

The General Data Protection Regulation (GDPR) is a European regulation which aims to give back citizens control of their personal data. When the regulation begins to apply, it is difficult to see how the IP bill will sit alongside it.

Effects on us

We have already observed the pains caused by blocking of legal content, and the worry caused by the breach of trust from government entities with laws that currently exist, and actions that have been performed outside of that law.

The ISP-level site blocking introduced across 2013 and 2014 has already exhibited worrying implications. With the blocking of content, said to be for the protection of children, we have also seen the restriction of websites promoting good sexual health practice27, content serving minority demographics28, and charitable organisations, including those which primarily aim to assist children in need29.

Keeping a record on all citizens, at all times for retroactive examination provides cause for concern. It becomes a requirement to trust that a government in charge of such data is only willing to use it in an appropriate fashion (however you may choose to define that). Even with such trust placed, the nature of UK democracy provides no guarantee that the forces holding such data are the ones to be in charge of it in five years time; information on all citizens is available not just to the current government, but to the unknowns of the future.

Authoritarian bills like the Investigatory Powers Bill, the Digital Economy Bill, and the Online Safety Bill cut deep into that freedom, leaving it irreparably scarred. Whether some of the decisions made are just or not and at the present time is a debate I can appreciate, to some extent. But the effects those decisions will have on tomorrow's world is unimaginably outrageous to my mind. I am firmly against these bills, and any that may try to follow in the same vein. The primary weapon we have is speaking out.

Following a petition, the Investigatory Powers bill will receive further debate in parliament.

https://petition.parliament.uk/petitions/173199

If nothing else, we should keep speaking for the possibility of the future hearing our voices, even if the present refuses to.

References

[1] The Guardian, “NSA and gchq activities appear illegal, says eu parliamentary inquiry,” 2014. https://www.theguardian.com/world/2014/jan/09/nsa-gchq-illegal-european-parliamentary-inquiry.

[2] parliament.uk, “Investigatory powers bill 2015-2016 to 2016-2017,” 2015. https://services.parliament.uk/bills/2015-16/investigatorypowers.html.

[4] Wired, “It’s official, the snooper’s charter is becoming law: How the ip bill will affect you,” 2016. http://www.wired.co.uk/article/ip-bill-law-details-passed.

[5] parliament.uk, “Digital economy bill 2016-2017,” 2016. https://services.parliament.uk/bills/2016-17/digitaleconomy.html.

[7] Index on Censorship, “Prime cuts,” 2011. https://www.indexoncensorship.org/2011/06/prime-cuts/.

[9] Amber Rudd, “Rudd: Speech to conservative party conference 2016,” 2016. http://press.conservatives.com/post/151334637685/rudd-speech-to-conservative-party-conference-2016.

[10] gov.uk, “New blocking powers to protect children online,” 2016. https://www.gov.uk/government/news/new-blocking-powers-to-protect-children-online.

[11] gov.uk, “Queen’s speech 2015,” 2015. https://www.gov.uk/government/speeches/queens-speech-2015.

[12] The Guardian, “Theresa may moves to give police powers to identify internet users,” 2014. https://www.theguardian.com/world/2014/nov/23/theresa-may-moves-to-give-police-powers-to-identify-internet-users.

[13] CNN, “Bush says he signed nsa wiretap order,” 2005. http://edition.cnn.com/2005/POLITICS/12/17/bush.nsa/.

[14] CNN, “Court rules nsa program illegal,” 2015. http://edition.cnn.com/2015/05/07/politics/nsa-telephone-metadata-illegal-court/.

[15] Bloomberg, “NSA data has no discenrible impact on terrorism,” 2014. https://www.bloomberg.com/news/articles/2014-01-13/nsa-data-has-no-discernible-impact-on-terrorism-report.

[16] The Guardian, “Bulk data collection vital to prevent terrorism in the uk,” 2016. https://www.theguardian.com/world/2016/aug/19/bulk-data-collection-vital-to-prevent-terrorism-in-uk-report-finds.

[17] BBC, “Snoopers law creates nightmare,” 2016. http://www.bbc.co.uk/news/technology-38134560.

[18] PressTV, “Data on 130k us navy sailors stolen,” 2016. http://www.presstv.ir/Detail/2016/11/24/494904/Data-on-130k-US-Navy-sailors-stolen.

[20] Motherboard, “You can now finally check if you were a victim of the 2012 linkedin hack,” 2016. https://motherboard.vice.com/read/you-can-now-finally-check-if-you-were-a-victim-of-the-2012-linkedin-hack.

[21] CNN, “Yahoo confirms massive data breach,” 2016. http://money.cnn.com/2016/09/22/technology/yahoo-data-breach/.

[22] gov.uk, “Improving government data to transform public services,” 2016. https://www.gov.uk/government/news/improving-the-way-government-shares-data-to-transform-public-services.

[24] The Register, “Small isps ’probably’ won’t receive data retention order following ip bill,” 2016. http://www.theregister.co.uk/2016/11/25/isps_with_no_history_of_working_with_spook_probably_wont_be_slapped_with_a_data_retention_order_following_ip_bill/.

[25] Edward Snowden, “Twitter,” 2015. https://twitter.com/snowden/status/799371508808302596.

[26] SC Magazine, “Investigatory powers and digital economy bills could threaten economy,” 2016. http://www.scmagazineuk.com/investigatory-powers-and-digital-economy-bills-could-threaten-economy/article/575207/.

[27] BBC, “Porn filters block sex education websites,” 2013. http://www.bbc.co.uk/news/uk-25430582.

[28] The Independent, “BT internet filter gives parents option to block ’gay and lesbian lifestyle’ content,” 2013. http://www.independent.co.uk/life-style/gadgets-and-tech/news/bt-internet-filter-gives-parents-option-to-block-gay-and-lesbian-lifestyle-content-9018515.html.

[29] TechEye, “Cameron’s internet filter a disaster,” 2013. http://www.techeye.net/business/camerons-internet-filter-a-disaster.