When your Internet history is no longer history – the danger of the UK's new Investigatory Powers Act Thumbnail
Building Trust 29 November 2016

When your Internet history is no longer history – the danger of the UK's new Investigatory Powers Act

By Ryan PolkDirector, Internet Policy

There is an old adage that trust takes years to build, seconds to break, and forever to repair.

When it comes to the Internet and its users, the same holds true. For average Internet users, trust in the Internet has to be built. They have to gain confidence in the safety of their private information online. When a user’s private online information is made public, they lose trust in the Internet and its services.

It is critical that the actions taken by governments foster Internet trust and do not put users, or their data, at greater risk. One of the simplest means of achieving this is through data minimization.

Today, the United Kingdom passed the Investigatory Powers Act 2016 into law. The Act widens the scope of investigatory powers for UK security and law enforcement agencies online. Under the new law, the agencies will have expanded powers of surveillance, hacking, and interception of communications. The biggest impact of these expanded powers is likely to be on British Internet users who can no longer trust that their online communications are private or secure.

There are several aspects of the Act which are likely to damage user trust. The first requires communications service providers (CSPs) to provide a “technical capability” to help the government access encrypted data. How this will be put into practice remains to be seen. However, this could take the form of adding an encryption “backdoor” or involve removing encryption on request, putting user data at risk.  This obligation could also discourage CSPs from offering encryption, thus weakening security for all British Internet users.

Another is bulk “equipment interference,” or hacking, performed on devices in a designated geographic area. Bulk hacking, like mass surveillance, collects data from innocent citizens alongside suspected criminals.

The aspect which may have the biggest direct impact on user trust is mandatory data collection.

Under the Act, CSPs must record and keep customers’ communications metadata for 12 months for use by law enforcement in the event of an investigation. But safeguarding the data will be impossible. The task will be expensive for CSPs and stored data will be an enticing target for attackers. Already in the UK, TalkTalk and Three mobile have experienced major breaches.  Following implementation of this new rule, a massive data breach is almost inevitable. Criminals will likely steal, sell, or make available to the public the data of millions of citizens.

For Internet service providers, the law requires they collect customers’ web history and other data. Web history is information that most users want to keep private. After all, there is a reason the delete history function exists on most browsers. Web history can reveal large amounts of personal information. This includes political views, religion, interests, daily routines, illnesses, and much more. The personal and visible nature of the data collected by CSPs, such as web history, makes its exposure so destructive to the trust of everyday users.

While access to communications data could help law enforcement carry out its activities, mandatory data retention is dangerous for the Internet and its users.

Any legislation to increase public security must also ensure the security and privacy of citizens’ information.  In particular:

  • Law enforcement should undertake focused and proportional investigatory efforts. They should not engage in pervasive surveillance or bulk hacking.
  • Governments should promote trust-enabling technologies, such as end-to-end encryption, and never limit them or compromise their effectiveness.
  • Governments should advocate for data minimization even in the context of law enforcement. Evidence suggests that data breaches are almost inevitable. The less data collected and retained by CSPs, the less devastating the breaches will be to user privacy and trust.

We have more recommendations for promoting trust online in our Internet Society Policy framework for an open and trusted Internet and our Global Internet Report 2016 on data breaches. We encourage you to read and share these recommendations with policy makers in your region.

When trust in the Internet breaks down, everyone loses.

Image credit: Robin Wilton CC BY NC ND

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.

Related articles

Building Trust 21 February 2020

NDSS 2020: The Best in Security Research – For the Good of the Internet

On 23 February, the 27th consecutive Network and Distributed System Security Symposium (NDSS) kicks off in San Diego, CA....

Building Trust 11 February 2020

Every Day Should Be Safer Internet Day

Safer Internet Day is an opportunity for people and organizations around the world to join forces in a series...

Building Trust 28 January 2020

This Data Privacy Day It’s the Little Things That Count

Today we’re celebrating Data Privacy Day, which is all about empowering people and organizations to respect privacy, safeguard data,...