For the last two years police and internet companies across the UK have been quietly building and testing surveillance technology that could log and store the web browsing of every single person in the country.
The tests, which are being run by two unnamed internet service providers, the Home Office and the National Crime Agency, are being conducted under controversial surveillance laws introduced at the end of 2016. If successful, data collection systems could be rolled out nationally, creating one of the most powerful and controversial surveillance tools used by any democratic nation.
Despite the National Crime Agency saying “significant work” has been put into the trial it remains clouded in secrecy. Elements of the legislation are also being challenged in court. There has been no public announcement of the trial, with industry insiders saying they are unable to talk about the technology due to security concerns.
The trial is being conducted under the Investigatory Powers Act 2016, dubbed the Snooper’s Charter, and involves the creation of Internet Connection Records, or ICRs. These are records of what you do online and have a broad definition. In short, they contain the metadata about your online life: the who, what, where, why and when of your digital life. The surveillance law can require web and phone companies to store browsing histories for 12 months – although for this to happen they must be served with an order, approved by a senior judge, telling them to keep the data.
The first of these orders was made in July 2019 and kickstarted ICRs being trialled in the real world, according to a recent report from the Investigatory Powers Commissioner. A second order, made to another internet provider as part of the same trial, followed in October 2019. A spokesperson for the Investigatory Powers Commissioner’s Office says the trial is ongoing and that it is conducting regular reviews to “ensure that the data types collected remain necessary and proportionate”. They add that once the trial has been fully assessed a decision will be made on whether the system will be expanded nationally.
But civil liberties organizations argue that the lack of transparency around the trials—and the seemingly slow nature of progress—hint at legislation that isn’t fit for purpose. “Taking several years to get to a basic trial, in order to capture two ICRs, suggests that the system wasn’t the best option then, and it certainly isn’t now,” says Heather Burns, policy manager at the Open Rights Group, a UK-based privacy and internet freedom organization.
Burns says the ICR trial appeared to require internet service providers to “collect the haystack in order to identify two needles”. She adds that it is unclear what data was collected by the trial, whether what was collected in practice went beyond the scope of the trial, or any of its specifics. “This is a fairly staggering lack of transparency around mass data collection and retention.”
The specific nature of the trial is a closely guarded secret. It is unclear what data is being collected, which companies are involved and how the information is being used. The Home Office refused to provide details of the trial, saying it is “small scale” and is being conducted to determine what data might be acquired and how useful it is. Data can only be stored if it is necessary and proportionate to do so and ICRs were introduced to help fight serious crime, the Home Office says.
“We are supporting the Home Office sponsored trial of Internet Connection Record capability to determine the technical, operational, legal and policy considerations associated with delivery of this capability,” a spokesperson for the National Crime Agency says. The agency has spent at least £130,000 on two external contracts used to commission companies to build underlying technical systems to run trials. The contracting documents, which were issued in June 2019, say that “significant work has already been invested” in the systems for collecting internet records.