Rights groups have called on the House of Lords to remove a controversial section of the Investigatory Powers Bill (IPB) which requires service providers to retain their customers’ internet connection records (ICRs) for a year.
The Lords will debate the bill – dubbed the Snoopers’ Charter – today, and have the power to approve an amendment which would remove the requirement for retention of ICRs and prohibit their acquisition by public authorities.
Human rights organization Liberty claimed in a statement that retaining ICRs will be ineffective in stopping criminals, who can use circumvention tools to hide their true identity.
It will also mark an “unprecedented intrusion” into the lives of UK citizens in that government agencies like HMRC and the Department for Work and Pensions will be able to access the ICRs alongside the police and security services.
Liberty also drew attention to the fact that Denmark was forced to repeal a similar law after finding it had not yielded any benefits in seven years.
“Easily evaded by anyone with a basic understanding of anonymity tools, including criminals, ICRs will create an unprecedented, invasive database of almost exclusively innocent people. Costing the taxpayer hundreds of millions of pounds, the creation of ICRs is a regime proven to fail that produces inaccurate, misleading and potentially falsely incriminating information,” argued Liberty policy officer, Silkie Carlo.
“And with the likes of TalkTalk forced to store millions of citizens’ web histories, billing data and passwords, it would create a goldmine for criminal hackers.”
ISPs are not the only potential source of breaches of this highly sensitive data.
Big Brother Watch revealed earlier this month that UK police have suffered over 2300 data breaches since 2011 as a result of insiders – both police and civilian staff – abusing their position.
The worry is that with ICRs, which will include a list of every website visited by everyone in the UK, those with access could use the information to blackmail their victims.
This is just one part of several controversial new elements to the IPB, which will establish in law for the first time the mass surveillance of the populace.
Critics have said that if the UK wants to keep its digital economy afloat and ensure the free flow of data between it and the EU it will have to remove some of the more contentious parts of the bill around bulk surveillance, or risk years of Safe Harbor/Privacy Shield-style negotiations with the European Union.
Chatham House associate fellow, Emily Taylor, warned that data can move offshore very quickly in such circumstances, if there is any uncertainty.
“In this scenario, we'd have to adopt measures to give equivalent protection to EU citizens' data as they enjoy within the EU. What's striking about the US Privacy Shield deal – heavily criticized though it has been – is how much it downplays the US' reliance on bulk data collection and processing, preferring targeted surveillance wherever possible,” she told Infosecurity.
“Our primary legislation does not adopt this approach. It's true that the codes of practice do go some way towards the 'last resort' approach, but it's unclear whether codes – which can be replaced and amended without parliamentary scrutiny – would satisfy the obligations.”