A guide to the Draft Investigatory Powers Bill


The Draft Investigatory Powers Bill could see a huge shake-up in the way our personal data is collected and used by the security services.

It's been designed to bring together and simplify the raft of existing surveillance laws, many of which are hopelessly outdated.

Most headlines have focused on the proposals to store lists of the websites we visit for a year, but the Bill has wider implications for all of us.

And as recent data security breaches have shown, there's a serious concern about how well those entrusted with storing this data can protect it.

In this guide we'll cover what information will be stored, who can get hold of it and under what circumstances, and some of the concerns that have been voiced.

Logging visited websites

Let's start with the headline grabber: if passed, the Bill would require ISPs and mobile network providers to keep a 12-month record of all the websites visited by their customers.

These "internet connection records" (ICRs) would only keep tabs on the domains visited, not the specific pages within the site.

In practice, this means that anyone reading this will have been noted only to have visited choose.net, not choose.net/media. Similarly, people visiting the BBC's site will only be recorded as visiting bbc.co.uk, rather than bbc.co.uk/news and bbc.co.uk/doctorwho.

The same kind of principle applies to messaging apps - a record will be made of each app we use - for example, WhatsApp and Facebook Messenger - but not who we talk to when using them, or what we said.

ICRs would also provide a record of the circumstances of our online activity, such as where and when a device has connected to the internet - useful for tracking our mobile devices - and what we connected to - a website, messaging app, and so on.

The Government say this will enable the authorities to see "how subjects of interests are communicating and whether they are accessing illegal material".

At the moment, the Counter-Terrorism and Security Act 2015 allows the police and other agencies to request that a provider start collecting this kind of data - without any kind of warrant - but they can't access historic information because it isn't stored.

Last year, there were more than 517,000 requests for such connection information, linking devices with the IP addresses they accessed.

The only authorisation required was the signature of a police inspector or superintendent, depending on what data is being requested.

Who could access the information?

Under the terms of the Bill, law enforcement and intelligence agencies, and certain public bodies, will be able to access our ICRs without needing a warrant - but local authorities and councils will be banned from accessing them.

The Bill will also allow for police and security services to hack an individual's devices - though they must apply for an interception warrant to do so - see the next section to find out how these are issued.

There has to be a pretty good reason for a warrant to be granted - the Government say they'll only be issued in the interest of national security, to prevent or detect serious crime, or to safeguard the economic well-being of the UK.

As a gauge, it's thought that around 2,700 similar warrants were granted last year.

Why is this happening?

The Government hope that being able to provide surveillance and security bodies with better access to private information - including our historical will help prevent terrorists and the like from organising and carrying out attacks.

To help keep tabs on how information is being used, the Government proposes the creation of an Investigatory Powers Commissioner (IPC) consisting of a senior judge assisted by judicial commissioners.

The IPC would be responsible for approving interception warrants, which security and surveillance agencies need if they wish to access the content of people's messages. In "urgent cases" - where judicial approval isn't possible within five days - the Home Secretary can bypass the need for the IPC to sign off on the warrant.

At the moment, the Secretary of State is solely responsible for approving interception warrants. As the post is party-affiliated, this is far from ideal.

Having a judge ratify the Secretary of State's decision is meant to provide us with an independent safeguard - at least that's the impression the Bill's champion, Home Secretary Theresa May, wants us to have.


Many people have pointed out that the mere act of recording the names of the domains we visit is a gross invasion of privacy.

After all, the URLs are often fairly indicative of the site's content. This has potentially damaging implications for those who become wary of visiting certain sites - like a teenager being put off visiting sites discussing contraception or drug use on a family computer, but on a broader scale.


A record of someone's browsing history is also of immense interest to criminals. A browsing history can show where we're likely to be at certain times, what we like to do and who we like to do it with. This would make it easy to organise anything from house robbery to personalised scams and bribery.

Furthermore, some browsers and apps automatically connect to other websites that we don't intend to visit, or even know about. These would be recorded in the log, but should our records be studied and questioned, it'll be difficult to prove the connection was unintended.

It's also been argued that the information the Government want providers to collect isn't all that useful; mobile connections to sites can be active for days at a time.

In his evidence to the Home Office, Adrian Kennard, the director of the small ISP Andrews and Arnold (also known as AAISP), punctured the Government's example of using an ICR to track a missing girl:

"If the mobile provider was even able to tell that she had used Twitter at all (which is not as easy as it sounds), it would show that the phone had been connected to Twitter 24 hours a day, and probably Facebook as well".

The reason it'll be difficult for the ISPs to tell whether she's been on Twitter or Facebook is that more sites are moving towards using encrypted connections - using "https" rather than the less secure "http".

For most people, however, the overarching worry is whether the ISPs will be able to keep safe what they do collect. A string of recent data breaches, including several affecting TalkTalk customers, suggests the ISPs' record in this regard is rather poor.

The Bill offers weak protection against this by making a criminal offence of "knowingly or recklessly obtaining communications data". The penalty is up to two years in prison - not exactly the toughest deterrent.

Funnily enough, the one place where information is safe is being threatened by the Bill.

Data breaches
October 2015: TalkTalk
August 2015: Carphone Warehouse
February 2014: Tesco Clubcard

Messaging apps such as WhatsApp and iMessage use end-to-end encryption technology that is almost impossible for anyone but the sender and recipient to decrypt.

The Government are proposing placing a legal obligation on companies to assist security agencies in bypassing encryption - but several of these companies have pointed out that opening a backdoor to the software inevitably creates a vulnerability that could be exploited by anyone with the know-how.

And of course, none of this touches on the use of the "dark net", using VPNs and browsers such as Tor to avoid being tracked in the first place.

What's next?

It's clear that the Draft Investigatory Powers Bill is not guaranteed safe passage to becoming law. Labour have already said they'll try to amend it at the Committee stage to ensure a genuine "double lock".

Other campaigners say the Bill doesn't go far enough in protecting ICRs from hackers. Still more say that ICRs shouldn't be stored in the first place.

When it comes to bulk surveillance - collecting huge amounts of internet or phone data from large numbers of people, to be sifted through later for leads and fragments of information that could otherwise be missed - campaigners point out that what the Bill advocates is illegal in the US and every other European nation.

Only last year the European Court of Justice ruled against a similar bill - the Data Retention Directive - becoming law because it violated our right to privacy.

In this country too, similar bills have failed en route, most memorably the Draft Communications Data Bill in 2012.

The consultation period over the coming months is going to be interesting, as the Bill gets dissected and analysed before appearing as a revised Bill in the New Year.
