Naked Security

Dismay as ‘snooper’s charter’ finally becomes law

Critics fear a surveillance state while tech firms question new law's unintended effects

After a year of debate, the British government’s Investigatory Powers Act – derided by critics as a ‘snooper’s charter’ – has been given the royal assent that makes it law.

To the government, the IP Act makes legal a series of vital oversights necessary for intelligence and police services to contain a rising volume of terrorism and organised, stealthy criminality.

To its political and civil liberties foes, it is at best the most intrusive piece of surveillance legislation ever passed in the UK and, at worst, a template other governments will use to carry out similar activities against their own citizens.

A third perspective held by some in the tech industry is that whatever its merits or flaws, aspects of it probably won’t work anyway.

Largely forgotten in all this are ordinary internet users who must feel caught in a web of argument and counter-argument, unsure what to make of it all.

The IP Act includes big provisions, the most discussed of which is that service providers will have to keep a record of their customers’ web browsing history and phone calls for 12 months.

From December 31 (the date the current Data Retention and Investigatory Powers Act 2014 expires), if you visit a website, the broadband provider will record its domain.

A long list of agencies will be able to look at this record in addition to the police and intelligence services, and “bulk collection” powers mean that users won’t have to be suspected of anything for this to happen.

That’s a red flag to privacy campaigners because they interpret it to mean that innocent citizens will be watched.

If police go a stage further and obtain a warrant from the home secretary (co-authorised by judges in a “double lock” arrangement), they will also be able to conduct “equipment interference” against suspects’ computers, in other words hack them.

That covers the interception of all actual communications including emails, actual phone calls and SMS messages.

Some of the IP Act’s powers already exist under laws stretching back decades, so in a sense it is cleaning up and making explicit provisions already in use.

The larger question is whether ordinary citizens should have privacy concerns.

According to Amber Rudd, home secretary:

This government is clear that, at a time of heightened security threat, it is essential our law enforcement, security and intelligence services have the powers they need to keep people safe.

The counter-argument is that in trying to do this the IP Act goes too far.

Sophos’s vice-president of product management John Shaw remained concerned about practicality:

What we should be more nervous about is the potential for a hacker to break into the store of data held by your ISP and sell it on.

The glaring example of that was the data breach that affected large ISP TalkTalk in 2015, he said.

He also worried about the expertise of the judicial commissioners, the burden on UK ISPs as opposed to foreign providers and the careless ambiguity of the Act’s use of the term “communication provider,” which could in theory refer to almost any technology firm based in the UK.

What about encryption?

Although [now prime minister] Theresa May, as home secretary, said there would be no requirement on technology companies to provide access to their customers’ encrypted data, no mention of this was made in the bill itself.

Encryption is, of course, only one of several evasions criminals can use to beat surveillance, which raises the question of what the IP Act will, ultimately, achieve.

Will it end up as a giant system for pointlessly monitoring blameless citizens while tech-savvy criminals surf invisibly?


9 Comments

It might be useful to learn what websites the Queen visits at night, maybe someone working for the NHS or the Food Standards Agency will be able to pass it on to WikiLeaks.


Are they allowed to search the data top-down? Or only on an individual level?
i.e. Can they ask for all the names and addresses of everyone that visited sophos.com or labour.gov.uk, and then come and black-bag us in the middle of the night?
Or are they only allowed to get all the sites visited by a user? Which would suggest that you have to have raised a flag somewhere to warrant investigation. Whereas if they can search for everyone who hit a particular domain, then I fear the system is ripe for abuse.


If you have nothing to hide, you will, soon enough.


Nice one. I always ask the “If you have nothing to hide, then you have nothing to worry about” people if they would live in a glass house. After all you have nothing to hide! Funny how people suddenly appreciate their privacy then.


Nice to see that the MPs themselves are exempt from this surveillance unless it is signed off by the Prime Minister. Last time I checked that is a form of discrimination which is illegal in the UK. We the general public are being discriminated against as we aren’t MPs.
