At the beginning of last week, British ministers confirmed rumours of plans substantially to increase the government’s surveillance powers that would permit Whitehall agencies to undertake real-time surveillance of internet communication.
Details of the plans have not yet been released, but considerable pressure has already been exerted and the government appears to have backtracked (or ‘clarified’) in relation to some of the proposals.
In an attempt to calm the growing row, ministers have confirmed that the content of communications will not be monitored and that there will not be a ‘giant database’ of recorded information. The law will have a longer period of legislative scrutiny than originally proposed and there are hints that the new rules will include judicial oversight.

Ordinary people

The announcement and handling of these proposals has been a mess, but what is the substance of the debate and what impact does it have on what many see as a global trend of state powers invading the lives of ordinary people?
There are relatively strong existing UK surveillance laws, principally the Regulation of Investigatory Powers Act (RIPA). The problem with existing laws, argues the government, is that they were designed for a time when communication was mainly telephone-based and emails were sent using email addresses provided by ISPs. Current laws allow for warrants to be obtained that force telephone networks and internet service providers to provide information about telephone, e-mail and internet use.
Existing laws cannot be used against internet providers, such as Skype, Facebook, and Twitter, which host an increasing amount of modern-day communications. This does not mean that data held by internet services cannot be accessed or used in the event of a prosecution or civil claim. Internet platforms (like any other third party holding relevant information) can be subject to a court order requiring that information is provided in the context of proceedings, but agencies want access to the data before arrests are made – perhaps without needing to obtain a warrant.
Despite the British government’s assurance that the proposals simply update existing rules, there are fears that the changes would fundamentally undermine civil liberties and that, if passed, the legislation would give the UK the dubious honour of having some of the most wide-ranging surveillance powers of any democracy.

Dangerous precedent

The main criticisms of the proposals are that allowing access to data without a warrant or judicial oversight (if that is the case) would mark a dangerous precedent and would be an invitation to abuse by government agencies. Most commentary on the laws has focused on the security services and police accessing the data for the purposes of fighting terrorism or organised crime, but RIPA gives surveillance powers to a long list of agencies (including local government).
The most serious practical concern is that the laws might force any website that offers communication between users (online games, social networks) to install expensive technology to monitor use, setting up both an additional cost to online businesses and a barrier to entry for start-ups. As many services will operate overseas and will simply refuse, the government may require ISPs to install ‘deep-packet’ inspection technology that allows data passing through the network to be inspected. Internet services believe this will be expensive and potentially ineffective (as the technology is untested) and privacy watchdogs argue it is nothing less than outsourced government snooping.
The security agencies that are presumably pressuring the government to move forward with the proposals are going to want to avoid going through this process every few years and will also want to ‘future-proof’ the laws. The problem with future-proofing is that it requires wide, open-ended powers to account for future technologies not yet contemplated, but this also increases the possibility of abuse.
An international perspective shows just how far the plans seem to go. Recent Canadian proposals proved controversial earlier this year, despite the fact that they only required service providers to hand over IP and email addresses and telephone numbers (and not details of communications).
In the US, the Foreign Intelligence Surveillance Act requires judicial consent to monitor the communications of a US citizen and, in addition, the agency must prove that the person who is subject to the surveillance is an agent of a foreign power.

Constitutional protection

In Europe the strength of surveillance laws often depends on constitutional protection. For example, France’s constitution does not explicitly recognise privacy and French agencies have among the most wide-ranging surveillance powers (but even in France there is not an exact equivalent of the UK proposals). Germany, by contrast, has much stronger protection for individuals arising perhaps from the fact that the country has a powerful constitutional court and the constitution itself expressly recognises a right to privacy.
Democratic states around the world are pushing the envelope of privacy rights, but the UK has a political and constitutional mix that might make it easier to go further – Britain has no written constitution and virtually unlimited legislative powers for the government of the day. Balanced against this is the current existence of a coalition government between two parties, both of which stressed their commitment to civil liberties before the last election.
The announcement of and publicity surrounding the proposals have been handled appallingly, but the focus should be on the substance of the legislation. At the moment there is a lot of guesswork about exactly what the new law is going to say, but it would be surprising if the legislation is a step forward for privacy rights.

Guy Wilmot is an IT and e-commerce specialist lawyer at London-based law firm Russell-Cooke