For the past two and a half years, many have hoped that the mass surveillance programs revealed by U.S. National Security Agency whistleblower Edward Snowden would inspire serious reform of Western intelligence agencies, nudging the post-9/11 national security pendulum back in the direction of privacy and civil liberties. Unfortunately, the opposite is occurring.
With few exceptions, the past year has seen governments around the world double down on intrusive mass surveillance. Unprecedented and draconian new laws crafted in the name of fighting crime and terrorism have emerged in France, Australia and many other countries. Last month the U.S. Senate passed the Cybersecurity Information Sharing Act, a deceptively named bill that has nothing to do with security and everything to do with having companies give more of their customers’ data to U.S. government agencies. And last week, U.K. Home Secretary Theresa May presented a long-awaited draft of the new Investigatory Powers Bill, a collection of sweeping reforms that would give more powers to British police and spy agencies, including the Government Communications Headquarters (GCHQ), the NSA’s close ally and longtime collaborator.
The U.K. draft law is a nightmarish cocktail of bad ideas from both sides of the pond — an authoritarian wish list that goes beyond even the NSA’s powers. Rather than roll back its most indefensible abuses, the text makes clear that the British government intends to retroactively legitimize the most invasive and legally dubious surveillance activities that Snowden exposed. As Snowden put it, the bill is an attempt “to fit the law around the spying, rather than making spying fit the law.” If successful, it will have dire consequences in the U.K., the U.S. and beyond.
Probably the most talked-about provision would require British Internet service providers to keep logs of every customer’s Internet browsing history for up to one year. It comes on the heels of Karma Police, a recently revealed GCHQ program that aims to record the Web browsing habits of every visible user on the Internet, creating a profile of each person’s activities without any suspicion of wrongdoing. Far from being harmless metadata, as U.S. and U.K. officials continue to claim, this information is a comprehensive log of people’s entire digital lives — which sites they visit, when and how frequently they visit them and where they are when they do so. But instead of barring the practice, the Investigatory Powers Bill would allow British police and government agencies access to records of anyone’s website visits without a warrant. And there’s no telling if that means the Karma Police program will end.
The bill also effectively codifies mass surveillance programs such as Tempora, authorizing GCHQ to collect all communications — including metadata and content — whenever at least one party is believed to be outside the U.K. These rolling data dragnets now require judicial approval, but the checks seem purely symbolic. The text suggests that judges would base their decisions merely on whether the procedure has been correctly followed, not on any actual evidence the spy agency may provide to justify the surveillance.
For targeted surveillance, the bill proposes a so-called double-lock system requiring both judicial and ministerial approval. Even then, it provides an exemption for matters deemed urgent, allowing spy agencies a five-day window to conduct surveillance without any oversight. It also allows the government to target those dealing in privileged information, including journalists, doctors and lawyers. Even members of the British Parliament may now be spied on. But just as with GCHQ’s Web monitoring, the true scandal is that this all simply codifies extralegal surveillance that was already taking place.
Perhaps the bill’s most alarming provision was expected to bar companies such as Apple, Google and WhatsApp from offering encryption so secure that the companies cannot decipher users’ messages. British officials have tried to spin this by saying they have backed down and will no longer bar encryption, but the bill states that the government may still order the “removal of electronic protection applied by a relevant operator.” The language is unclear, but the distinction seems purely semantic: There is no functional difference between mandating government-accessible encryption and banning strong encryption outright. Forcing companies to circumvent encryption would simply be a ban on encryption that works.
Remarkably, the bill also proposes granting British government agencies, for the first time in any Western democracy, an explicit legal authority to hack into computers, phones and other digital devices — a practice it euphemistically calls “equipment interference.” This narrow but more intrusive method has been proposed as an alternative to encryption back doors, but here it seems to be presented in addition to them. New documents reveal that the National Crime Agency, Britain’s analog to the FBI, already has hacking capabilities, and that the agency justifies their use under a 1997 law that was never intended to authorize hacking. Spy agencies such as GCHQ would be given permission to hack computers in bulk — for example, by creating botnets of infected machines to distribute malware.
What’s truly revealing about the Investigatory Powers Bill proposal is how it demonstrates the seemingly intractable nature of secret state power. It shows an unaccountable intelligence agency can be caught red-handed and simply rewrite the rules to better accommodate its secret abuses — as long as some procedural fluff is added to provide the illusion of accountability. And with the U.K. marching in lockstep with the U.S. and other countries, the bill’s passage would almost certainly provide momentum to normalize these practices elsewhere.
In a networked world where nation-states conspire to spy on one another’s citizens, we no longer have the luxury of ignoring any country’s surveillance activities. Governments have taken the offensive to entrench and expand their mass surveillance regimes before citizens have a chance to act. Citizens must respond in kind — not because we have something to hide but because, in Snowden’s words, we all have something to lose.