For the past two years, police and internet companies across the UK have been building and quietly testing surveillance technology that could record and store the web browsing of every person in the country.
The tests, which are being run by two unnamed internet service providers, the Home Office and the National Crime Agency, are being conducted under controversial surveillance laws introduced at the end of 2016. If successful, data collection systems could be deployed nationwide, creating one of the most powerful and controversial surveillance tools used by any democratic nation.
Although the National Crime Agency said “important work” was done in the trial, it remains shrouded in secrecy. Elements of the legislation are also being challenged in court. There was no public announcement of the trial, with industry insiders saying they couldn’t talk about the technology due to security concerns.
The trial is being conducted under the Investigatory Powers Act 2016, nicknamed the Snooper’s Charter, and involves the creation of Internet Connection Records, or ICRs. These are broadly defined records of what you do online. In short, they contain the metadata about your online life: the who, what, where, why and when of your digital life. The surveillance law may require web and phone companies to store browsing histories for 12 months, although for this to happen, they must receive an order, approved by a senior judge, telling them to keep the data.
The first of these orders was placed in July 2019 and kicked off real-world testing of ICRs, according to a recent report from the commissioner for investigative powers. A second order, sent to another ISP as part of the same trial, followed in October 2019. A spokesperson for the Office of the Commissioner for Investigative Powers said the trial was ongoing and that it carried out regular reviews to “ensure that the types of data collected remain necessary and proportionate”. They add that once the trial has been fully evaluated, it will be decided whether the system will be scaled up nationwide.
But civil liberties organizations argue that the lack of transparency around trials – and the seemingly slow nature of progress – points to legislation that is inadequate for its purpose. “Taking several years to get to a baseline test, to capture two ICRs, suggests the system wasn’t the best option then, and it certainly isn’t now,” says Heather Burns, Head of ICR policies at Open Rights Group, a UK internet privacy and freedom organization.
Burns said the ICR trial appeared to require ISPs to “collect the haystack in order to identify two needles.” She adds that it is not clear what data was collected by the trial, whether what was collected in practice went beyond the scope of the trial, or any of its specifics. “This is a pretty astounding lack of transparency regarding the collection and retention of mass data.”
The specific nature of the trial is a closely guarded secret. It is not known what data is collected, which companies are involved and how the information is used. The Home Office declined to provide details of the trial, saying it was “small scale” and is in the process of determining what data could be acquired and how useful it is. Data can only be stored if it is necessary and proportionate to do so and ICRs have been introduced to help tackle serious crime, according to the Home Office.
“We support the Home Office-sponsored trial of Internet connection recording capability to determine the technical, operational, legal and policy considerations associated with providing this capability,” said a spokesperson for the National Crime Agency. The agency spent at least £130,000 on two external contracts used to commission companies to build underlying technical systems for testing. The contract documents, which were published in June 2019, claim that “significant work has already been invested” in internet data collection systems.