Official reports and spending documents show that in the past year, UK police have deemed the testing of a system that can collect people's "internet connection records" a success, and have started work to potentially introduce the system nationally. If implemented, it could hand law enforcement a powerful surveillance tool.
Critics say the system is highly intrusive, and that officials have a history of not properly protecting people's data. Much of the technology and its operation is shrouded in secrecy, with bodies refusing to answer questions about the systems.
At the end of 2016, the UK government passed the Investigatory Powers Act, which introduced sweeping reforms to the country's surveillance and hacking powers. The law added rules around what law enforcement and intelligence agencies can do and access, but it was widely criticizedfor its impact on people's privacy, earning it the name the "Snooper's Charter."
Particularly controversial was the creation of so-called internet connection records (ICRs). Under the law, internet providers and phone companies can be ordered—with a senior judge approving the decision—to store people's browsing histories for 12 months.
[...] Little is known about the development and use of ICRs. When the Investigatory Powers Act was passed, internet companies said it would take them years to build the systems needed to collect and store ICRs. However, some of those pieces may now be falling into place. In February, the Home Office, a government department that oversees security and policing in the UK, published a mandatory review of the operation of the Investigatory Powers Act so far.
The review says the UK's National Crime Agency (NCA) has tested the "operational, functional, and technical aspects" of ICRs and found a "significant operational benefit" of collecting the records. A small trial that "focused" on websites that provided illegal images of children found 120 people who had been accessing these websites. It found that "only four" of these people had been known to law enforcement based on an "intelligence check."
WIRED first reported the existence of the ICR trial in March 2021, when there were even fewer details about the test. It is still unclear which telecom companies were involved. The Home Office's February report is the first official indication that the trial was useful to law enforcement, and could help lay the groundwork for expanding the system across the UK. The Home Office review also states its trial found that "ICRs appear to be currently out of reach for some potentially key investigations," raising the possibility that the law may be changed in the future.
[...] The Home Office FOIA response also refused to provide details of an internal review into ICRs, citing national security and law enforcement grounds. A Home Office spokesperson said the UK has "one of the most robust and transparent oversight regimes for the protection of personal data and privacy anywhere in the world" and confirmed that trials of ICRs are ongoing.
[...] The possible expansion of ICR collection in the UK comes as governments and law enforcement agencies globally try to gain access to increasing amounts of data, particularly as technology advances. Multiple nations are pushing to create encryption backdoors, potentially allowing access to people's private messages and communications. In the US, a storm is brewing about the FBI's use of Section 702 of the Foreign Intelligence Surveillance Act (FISA), which allows it to intercept the communications of overseas targets.
Haidar of Privacy International says that creating powers to collect more of people's data doesn't result in "more security" for people. "Building the data retention capabilities of companies and a vast range of government agencies doesn't mean that intelligence operations will be enhanced," Haidar says. "In fact, we argue that it makes us less secure as this data becomes vulnerable to being misused or abused."
(Score: 3, Interesting) by inertnet on Monday May 22 2023, @10:25AM (1 child)
Not that I feel sorry for them, but Facebook was fined €1.2bn for ""mishandling user data" [bbc.com].
While similar or worse handling of data is apparently okay for the governments that handout those fines.
(Score: 2) by PiMuNu on Monday May 22 2023, @11:10AM
> While similar or worse handling of data is apparently okay for the governments that handout those fines.
Yes, in fact GDPR has explicit provision to enable nation states to collect any data they want, if it is required by law.
(Score: 2) by Spook brat on Tuesday May 23 2023, @04:59PM
So, after Snowden made it public that the NSA and GCHQ were illegally [1] collecting metadata on their own citizens, and after the UK passed regulation that was supposed to keep that illegal surveillance in check, they're not only still doing it but rolling it out to their civilian law enforcement counterparts?
Sounds about par for the course.
[1] A September 2020 Federal Appeals court ruling established that the PRISM program was illegal, and that U.S. authorities were lying about its nature and how it was used. Edward Snowden is still having to live in Russia to avoid retribution from the Powers That Be.
Travel the galaxy! Meet fascinating life forms... And kill them [schlockmercenary.com]