The UK's Secretive Web Surveillance Program Is Ramping Up
The UK government is quietly expanding and developing a controversial surveillance technology that could be capable of logging and storing the web histories of millions of people.
Official reports and spending documents show that in the past year, UK police have deemed the testing of a system that can collect people's "internet connection records" a success, and have started work to potentially introduce the system nationally. If implemented, it could hand law enforcement a powerful surveillance tool.
Critics say the system is highly intrusive, and that officials have a history of not properly protecting people's data. Much of the technology and its operation is shrouded in secrecy, with bodies refusing to answer questions about the systems.
At the end of 2016, the UK government passed the Investigatory Powers Act, which introduced sweeping reforms to the country's surveillance and hacking powers. The law added rules around what law enforcement and intelligence agencies can do and access, but it was widely criticized for its impact on people's privacy, earning it the name the "Snooper's Charter."
Particularly controversial was the creation of so-called internet connection records (ICRs). Under the law, internet providers and phone companies can be ordered--with a senior judge approving the decision--to store people's browsing histories for 12 months.
An ICR isn't a list of every page online you visit, but may nonetheless reveal a significant amount of information about your online activities. ICRs can include that you visited Wired.com but not that you read this individual article, for instance. An ICR can also be your IP address, a customer number, the date and time the information was accessed, and the amount of data being transferred. The UK government says an internet connection record could indicate when, for example, the travel app EasyJet is accessed on someone's phone, but not how the app was used.
"ICRs are highly intrusive and should be protected from over-retention by telecommunications operators and intelligence agencies," says Nour Haidar, a lawyer and legal officer at UK civil liberties group Privacy International, which has been challenging data collection and handling under the Investigatory Powers Act in court.
Little is known about the development and use of ICRs. When the Investigatory Powers Act was passed, internet companies said it would take them years to build the systems needed to collect and store ICRs. However, some of those pieces may now be falling into place. In February, the Home Office, a government department that oversees security and policing in the UK, published a mandatory review of the operation of the Investigatory Powers Act so far.
The review says the UK's National Crime Agency (NCA) has tested the "operational, functional, and technical aspects" of ICRs and found a "significant operational benefit" of collecting the records. A small trial that "focused" on websites that provided illegal images of children found 120 people who had been accessing these websites. It found that "only four" of these people had been known to law enforcement based on an "intelligence check."
WIRED first reported the existence of the ICR trial in March 2021, when there were even fewer details about the test. It is still unclear which telecom companies were involved. The Home Office's February report is the first official indication that the trial was useful to law enforcement, and could help lay the groundwork for expanding the system across the UK. The Home Office review also states its trial found that "ICRs appear to be currently out of reach for some potentially key investigations," raising the possibility that the law may be changed in the future.
In May 2022, the Home Office issued a procurement notice revealing that future trials "work is now underway" to create a "national ICR service." The existence of the notice was initially reported by the public sector technology publication PublicTechnology. The notice says the government had a budget of up to GBP2 million to create a technical system that allowed law enforcement officials to access ICR data for investigations.
The contract for the technical system was awarded to defense firm Bae Systems in July 2022. In response to a Freedom of Information Act request from WIRED, the Home Office provided some pages of the contract with Bae but refused to give any technical details due to commercial interests. (A spokesperson for Bae said it could not discuss specific contracts for confidentiality and security reasons.)
The Home Office FOIA response also refused to provide details of an internal review into ICRs, citing national security and law enforcement grounds. A Home Office spokesperson said the UK has "one of the most robust and transparent oversight regimes for the protection of personal data and privacy anywhere in the world" and confirmed that trials of ICRs are ongoing.
When asked whether ICRs will be rolled out across the entire UK, the Home Office spokesperson pointed to the FOIA response, which says that providing additional information may jeopardize law enforcement activities. "Information on law enforcement capabilities and targeting is very sensitive, particularly in the field of digital communications, where it is often the case that criminal groups or individuals themselves display a high degree of technical sophistication and awareness," the FOIA response says. Because of this, it continues, "it is vital that sensitive information on how they might conduct their investigations, or the nature of their technical abilities, are not publicly known."
The Investigatory Powers Commissioner's Office (IPCO), which oversees intelligence agencies, police, and local authorities, says the collection of ICRs to date has been to support "small-scale trials" and that it is "unable" to provide any figures on the number of data retention notices issued. A separate independent review of the Investigatory Powers Act is due to be published this summer. The National Crime Agency says it is still participating in the ICR trials to evaluate the use of ICRs, and that "data exploitation is essential" to its work.
Despite the potentially limited use of ICRs so far, there has already been one documented failure. In its annual 2020 report, published in January 2022, IPCO highlighted that an unnamed telecoms company that was asked to provide internet connection requests "provided data in excess of that which had been authorized." The reason? There was a technical error. No extra detail was provided.
WIRED contacted nine of the UK's internet service providers and telecom companies asking about their abilities to create and store people's internet connection records. Eight did not respond to the request for comment. TalkTalk, the only one that did, said it will "meet its obligations" under UK law but couldn't "confirm or deny" whether ICRs existed.
The possible expansion of ICR collection in the UK comes as governments and law enforcement agencies globally try to gain access to increasing amounts of data, particularly as technology advances. Multiple nations are pushing to create encryption backdoors, potentially allowing access to people's private messages and communications. In the US, a storm is brewing about the FBI's use of Section 702 of the Foreign Intelligence Surveillance Act (FISA), which allows it to intercept the communications of overseas targets.
Haidar of Privacy International says that creating powers to collect more of people's data doesn't result in "more security" for people. "Building the data retention capabilities of companies and a vast range of government agencies doesn't mean that intelligence operations will be enhanced," Haidar says. "In fact, we argue that it makes us less secure as this data becomes vulnerable to being misused or abused."