Yesterday, the UK home secretary Theresa May unveiled the Investigatory Powers Bill: a piece of draft legislation that entails the bulk collection of online data by spy agencies and forces internet companies to keep a record of every UK citizen's browsing history for a year. The first point is brazen — enshrining the hidden surveillance state that Edward Snowden first revealed — but the second is witless. If we've learned anything about computer security in the last decade it's that there is none. Computers are hacked, data is stolen, and if the UK government forces ISPs to collect browsing histories in this way, it's only a matter of time before the information is public.
Corporations and governments both leak data
This isn't an exaggeration: neither corporate nor government data is safe. Just this week, the UK's Crown Prosecution Service was fined for losing laptops containing video interviews with criminal suspects, and in the past the government has lost an almost comical amount of data, ranging from information about prison staff and patients, to the safety assessment for a nuclear power plant left on an unencrypted USB stick.
The corporate world is no better. In just the last two weeks there have been three data breaches, hitting retailer Marks & Spencer, energy provider British Gas, and internet service provider TalkTalk. In the latter case, data from 4 million customers was stolen including credit card details. The company's top exec panicked, a "Russian Islamist cyber jihadi group" was briefly blamed, and two teenagers and a 20-year-old man have since been arrested in connection with the hack. These are the companies that the UK thinks can keep personal data safe.
The record would not include individual pages, but this is still too personal
To be clear, as the bill currently stands, these records are not going to be held in secure GCHQ servers (although even then it would be at danger to whistleblowers), but by the ISPs themselves. "Internet service providers will be required to keep [the data] for a maximum period of 12 months," says the bill. It's going to be extremely vulnerable there, and if teenagers can hack UK ISPs, you can bet foreign powers might give it a go too.
Advocates of the bill also argue that the browsing records being collected are too limited to be intrusive. This is because instead of full URLs, the year-long records would instead track webpages only. (So www.theverge.com is okay, but not www.theverge.com/tag/surveillance.) This is a re-run of the old metadata argument, which claims that because details are not being recorded, the person under surveillance shouldn't worry.
It's obvious rubbish, and seems rooted in an outdated understanding of the world. When May introduced the bill in parliament, she described browsing history as "the modern equivalent of an itemized phone bill." It's a metaphor that neatly conveys the lack of understanding among the highest levels of government, the comparison conveniently forgetting all the context and rich detail that someone's browser history reveals. As Edward Snowden put it on Twitter: "Your web records are not like 'an itemized phone bill,' they're like a list of every book you've ever opened."
Similar legislation in the EU was struck down for violating human rights
The idea that this sort of bulk surveillance is intrusive isn't new, either. It's illegal in the US and in every other European nation. In 2014 the European Court of Justice ruled that a similar bill that applied to the whole of the EU (the Data Retention Directive) was invalid as it violated human rights to privacy. This legislation had been introduced in the wake of terrorist attacks in Madrid in 2004 and in London in 2005, but this time around the politicians don't have any similar justification — they just want the data.
This browsing history directive would be bad enough on its own, but the rest of the bill is just as bad. It makes explicit the bulk collection of metadata from phones and computers (accessible without a warrant), and it allows the police and secret services to hack individuals' devices (action which must be signed off by a police commissioner or secretary of state, and then a judge). The bill itself is a reminder that all our digital systems are fragile and easily compromised. It's short-sighted that politicians acknowledge the benefits of this, but not the dangers.