This week, the House of Lords passed the Investigatory Powers Bill, which is likely to become law within weeks. One year ago, the UN’s special rapporteur on privacy, Joseph Cannataci, described the bill as “just a bit worse than scary.” Some provisions of the bill include:
- Internet Connection Records (ICRs). Internet Service Providers and telecommunications companies must create ICRs for all of their users and maintain them for one year. The UK government’s fact sheet states that these records include the IP addresses a user visits, including the service name (such as Google or Facebook), but that they would not contain the full web address visited because that “would be defined as content.” In other words, the bill seeks to draw a distinction between metadata and the content of communications. Some argue that this distinction insufficiently protects privacy because metadata can be as revealing as, if not more revealing than, the content itself. Regardless of the privacy concerns, a CEO of a cloud security firm described the creation and retention of ICRs for twelve months as a “huge security risk.”
- Bulk Personal Datasets. The law allows government intelligence services to collect “bulk personal datasets.” In part, the law defines a “bulk personal dataset” as one in which the “majority of individuals are not, and are unlikely to become, of interest to the intelligence service in the exercise of its functions.” Unlike ICRs, a warrant is required before an intelligence service may obtain a bulk personal dataset.
- Technical Capability Notices. Companies receiving technical capability notices from the government may be required to remove “electronic protection applied by or on behalf of” that company. This provision has raised concerns about the security of devices among several organizations, including some major technology companies that view the bill as an attempt to ban strong encryption.
Recent concerns about cybersecurity, however, are not limited to the UK. In the United States, several publications provided information on how to secure one’s electronic communications in the wake of the election, including Slate, Recode, and VentureBeat. More broadly, Wired published an article, “What Trump’s Win Means for Cybersecurity.” Meanwhile, China passed a Cyber Security Law that becomes effective in June 2017. Among other provisions, the law requires internet service providers to “verify an individual’s real identity” prior to service and requires that “personal information and other important data” collected in China be physically stored on servers in China.