The U.K.’s Investigatory Powers Act (PDF), called the Snoopers Charter by some critics, became law upon receiving royal assent on Tuesday. The controversial legislation replaces the expiring Data Retention and Investigatory Powers Act of 2014, and will come into force in stages, as some provisions require testing, while measures forcing web companies to collect user data will be applied before the end of 2016, The Guardian reports.
“The government is clear that, at a time of heightened security threat, it is essential our law enforcement and security and intelligence services have the power they need to keep people safe,” Home Secretary Amber Rudd said. “The internet presents new opportunities for terrorists and we must ensure we have the capabilities to confront this challenge. But it is also right that these powers are subject to strict safeguards and rigorous oversight.”
The Guardian quoted critics, however, who say the Act is “a death sentence for investigative journalism” and “one of the most extreme surveillance laws ever passed in a democracy.”
Whatever the merits of the Act, it has significant implications for service providers in the cloud and web hosting industry. Here are five of the most important of those implications.
1. Bulk Data Collection Gets Legal Backing
The government has suggested that increasing transparency is part of aim of the bill. By outlining the mass surveillance powers already in use by government agencies, it also makes them law, rather than simply common practice. Under the law, GCHQ can retain Internet traffic from tapped undersea cables for “several days,” and metadata for six months, according to the Open Rights Group.
2. New User Data Storage Obligations
Under the Act, service providers will be forced to store “Internet connection records” of their users. The records consist of web applications used and websites, but not specific pages, visited. Those records would then be available to government agencies, such as police, intelligence services, the serious fraud office, and others, on request.
The bill also commits the government to paying the cost for service providers to comply with their new data retention obligations.
3. Government Sneak Previews for New Technology
Companies receiving “technical capability notices” will be required to “notify the Government of new products and services in advance of their launch,” according to a draft of the Code of Practice (PDF), updated in October, which accompanies the legislation. This notification will help the U..K government evaluate what help, if any, it requires to deal with the new service.
4. Encryption Backdoor at Cabinet Minister’s Discretion
This is the most extreme form of the help mentioned above. Section 254-256 of the final version of the act outlines the scope of technical capability notices, and says companies receiving them “may be” obligated to remove electronic protection from “any communications or data,” and appears to leave it up to a Secretary of State (of which the Home Secretary is one of 18) to decide on individual cases.
5. You May Be Forced to Hack Your Customers
“Equipment interference” is the term used in the act to refer to breaking into computers and mobile devices. In addition to authorizing the use of the practice by security agencies against individual or “bulk” targets, it also gives them the power to enlist service providers to help, for instance by using their privileges to install malware onto devices.