In practice this would take the form of an itemised list of each citizen's browsing history. This would not be a list of the specific web pages but the main domain (so computerworlduk.com but not the specific stories you read) so a basic online footprint can be drawn up. One concern here will be around the security of this data, especially in the current climate of TalkTalk customer hacks and data dumps.
The bill seeks to make the power for security services to acquire bulk collections of communications data explicitly legal. For example this could mean a bulk data set such as NHS health records.
Security services will also be legally empowered to bug computers and phones upon approval of a warrant. Companies will be legally obliged to assist these operations and bypass encryption where possible (more on this below).
The science and technology joint committee report tackles the possibility of public concern over the power to hack devices, stating: "The tech industry has legitimate concerns about the reaction of their customers to the possibility that electronic devices could be hacked by the security services," before stating that the government has a responsibility to inform the public about the extent to which this power may be used.
Oversight for these operations will change, with a new "double-lock" where any intercept warrants will need ministerial authorisation before being judged by a panel of judges, who will be given power of veto. This panel will be overseen by a single senior judge, the newly created Investigatory Powers Commissioner.
For some context, figures from the Home Office, as published by The Guardian, show there were 517,236 authorisations in 2014 of requests for communications data from the police and other public bodies and a further 2,765 interception warrants authorised by ministers.
The joint committee report
The joint committee for the bill issued its report, along with a list of suggested amendments for the bill, on February 11. The suggestions include:
- Clarification over the concept of end-to-end encryption: "The Government still needs to make explicit on the face of the bill that Communications Service Providers (CSPs) offering end-to-end encrypted communication or other un-decryptable communication services will not be expected to provide decrypted copies of those communications if it is not practicable for them to do so."
Update 4/3/16: On the issue of encryption the government says the revised bill: "Clarifies the government's position on encryption, making it clear that companies can only be asked to remove encryption that they themselves have applied, and only where it is practicable for them to do so."
- CSPs being forced to retain internet history data of users should be provided with "whatever technical and financial support is necessary to safeguard the security of the retained data" but the government shouldn't be responsible for 100 percent of the costs.