The Home Office has tightened up privacy safeguards in proposed new spying laws – but police will get more power to see internet browsing records.
The Investigatory Powers Bill will force service providers to store browsing records for 12 months.
It will also give legal backing to bulk interception of internet traffic.
The Home Office was forced to revise the draft bill after concerns it did not do enough to protect privacy and was too vague.
The revised version reflects these concerns.
But it also expands the purposes for which police can obtain internet connection records – details of the websites and online applications people use. It says they can be acquired for a “specific investigation” provided it is “necessary and proportionate”.
Ministers say the new powers are needed to fight terrorism, but internet firms have questioned their practicality – and civil liberties campaigners say it clears the way for mass surveillance of UK citizens.
Ministers want the new bill to become law by the end of the year, citing the urgent demands of national security and crime prevention.
Service providers, such as BT or Sky, will be required to store the internet connection records – what services a device connects to – for everyone in the UK for a year so that police can access them.
The bill also aims to put on a firmer legal footing the collection by the security services of large amounts of email and other data in the UK and personal details held on databases, potentially including bank or medical records.
The new legislation will also give legal backing to the hacking of smart phones and computers by the security services.
Extra safeguards in the revised bill include:
- Making clear all interception warrants must be subject to a “double-lock” of ministerial and judicial approval
- Security and intelligence agencies will require judicial approval if they want to obtain journalistic sources
- Clearer safeguards for legally privileged communications
- A warrant will be required if the UK wants foreign agencies to intercept communications in the UK
- A time limit on the examination of personal information downloaded from databases
The existence of this “bulk collection” of internet traffic only came to light following revelations by US whistleblower Edward Snowden, and although the government insisted it was covered by existing surveillance laws, the new bill will make its legality more explicit and introduce privacy safeguards.
A warrant from the home secretary will be required for officers to access the content of emails – and a new Investigatory Powers Commission would be able to veto such requests.
An “operational case” for bulk powers will be published for the first time in the bill, in response to criticism that the original draft lacked clarity.
Powers to hack into computers and smart phones – so-called “equipment interference” – will be extended to include “threat to life” situations – to save someone who is at risk, or to locate a missing child or vulnerable person.
The Home Office says the new legislation will address concerns expressed by Apple and other tech giants about encryption, which protects messages from being hacked.
The tech giants feared being forced to fit “backdoors” to their devices or make other changes to encryption that would compromise their customers’ security.
Officials said the revised version of the Investigatory Powers Bill would put beyond doubt that companies can only be asked to remove encryption that they themselves have applied, and only where it is “practicable” for them to do so.
In other changes from the draft bill, security services, as well as the police, will have to obtain a senior judge’s permission before accessing communications data to identify a journalist’s source.
UK agencies are explicitly prevented from asking foreign intelligence bodies to undertake surveillance activity on their behalf unless they have a warrant approved by a secretary of state and judicial commissioner.
The Home Office said the revised bill was “world-leading legislation… subject to a robust regulatory regime”.
But Lawrence Jones, from web hosting company UK Fast, dismissed it as “unenforceable”.
“The bill is doomed from the outset… It’s almost as if Theresa May doesn’t understand how the internet works,” he told BBC Breakfast.
“Criminals are not going to follow a set of rules. Criminals are going to hide behind proxy servers around the world where there’s no government legislation.”
James Blessing, chairman of the Internet Service Providers’ Association, said the demands on companies were achievable with “a big budget and plenty of time”, but there were concerns around the security of the information stored.
He said the material – for example, around banking and shopping habits – would become “a really rich vein” for criminals.
And on the reassurances that internet firms would only have to decrypt material for law enforcement where it is practicable, he added: “What is practicable and what is sensible are two very different things.”
The revised bill is expected to reflect the majority of the recommendations made by three Parliamentary committees.
Where recommendations have not been accepted, the government says they would compromise the capabilities of law enforcement and intelligence services.
Shadow home secretary Andy Burnham has said Labour supports the overall aim of the bill but has urged the government to achieve “the right balance for our security and privacy”.