According to a recently leaked draft of the Investigatory Powers bill, the UK government is searching for a new mass surveillance method. And not in the sense that the government is asking private firms how to access the darknet to purchase stolen NSA tools; they are in the process of developing a plan to force those fortune, namely ISPs, into actively participating in the invasion of a customer’s privacy.
Many countries are developing, or have developed, similar privacy laws. But for the most part, the ISPs are not necessarily forced to spy on their victims, and even then, the data collection is not blatantly for the government’s own spying ventures. An excellent and recent example of this comes from the Prime Minister on Cybersecurity in Australia, Dan Tehan. And mind you, by “excellent” I speak of to the example’s ability to demonstrate the point—not that the ideas themselves were excellent.
But, to cut right to the chase with Australia: the government wants ISPs to feel responsible (or be responsible) for protecting customers and essential infrastructure from cybercrime. Dan Tehan has not expressed anything beyond his strongly opinionated thoughts on what the government should do in which a situation. And since Tehan’s job is literally to advise the Prime Minister on cybersecurity decisions, his word carries weight.
He chose an interesting and routinely disputed comparison to make: “just as we trust banks to hold our money, just as we trust doctors with our health, in a digital age we need to be able to trust telecommunications companies to protect our information from threats.” He mainly pushed, in several columns or forums, the notion that ISPs should monitor and block access to threatening domains. With that phrasing, though, he needed to convince the public that it was not a form of censorship. And that was not his first time calming the public down about cybersecurity.
Much of financial technology sector disapproved of the idea. Some disagreed on principal but some simply saw no benefit for the ISPs and technology companies themselves whereas the government would be benefiting tremendously. As would the Australian people who did not want to pay for anti-virus software. When a customer chooses not to pay for their own antivirus where, the ISP would be expected to provide the software for them. So the only structure at a loss would be the ISP themselves, providing them with little motivation to comply.
The leaked draft revealed that government legislators planned to take the spyware initiative to a new extreme. The document revealed that they wanted ISPs to maintain and monitor real time data from their customers as well as install malware and bypass security measures that a customer might have implemented. Legislators call it “targeted consultation.”
The document, while still a draft, does request measures that privacy advocates call “extreme” and likely to cause “dire consequences.” It requires the ISP intercept real-time data on one out of 10,000 citizens, thereby granting the government the ability to wiretap more than 6,500 unsuspecting citizens simultaneously, at will. This data would need to be made wholly accessible to the government within one day of the government’s request. And fully decrypted “in an intelligible form.”
While this is only a draft, the push against it is strong. When technology companies that already practice data collection—usually for diagnostic or or advertising purposes—are repulsed by the idea, something will change. If it doesn’t, internet users in the UK will face a rude awakening.