UK's covert web surveillance programme moves beyond test phase
Officials have reportedly commenced efforts towards gathering internet connection records on a national scale
The UK government is secretively advancing a web surveillance technology with the potential to record and retain the browsing histories of millions of individuals.
As per Wired, official reports and expenditure documents indicate that over the past year, UK law enforcement authorities have classified the testing of a system capable of gathering individuals' internet connection records (ICRs) as a successful endeavour.
Consequently, they have commenced efforts towards potentially implementing the system on a nationwide scale.
If put into effect, it could provide law enforcement with a potent surveillance tool at their disposal.
"ICRs are highly intrusive and should be protected from over-retention by telecommunications operators and intelligence agencies," Nour Haidar, a lawyer and legal officer at UK civil liberties group Privacy International told Wired.
Privacy International has been actively challenging the collection and handling of data under the Investigatory Powers Act, also known as the Snooper's Charter, through legal proceedings.
Under the 2016-introduced Investigatory Powers Act, law enforcement agencies possess the authority to request mobile and internet companies to retain users' browsing data for a duration of 12 months. However, this order necessitates approval from a senior judge.
In 2021, it came to light that undisclosed ISPs had been secretively testing a new mass surveillance tool for a period of two years. These tests were conducted in collaboration with the National Crime Agency (NCA) and were carried out under the framework of the Investigatory Powers Act.
The objective of these tests was to assess the feasibility of implementing a nationwide bulk surveillance system, intended for law enforcement and national security purposes.
An ICR does not encompass a comprehensive list of every webpage visited by users online. Instead, it consists of metadata concerning individuals' online activities, such as the websites they accessed and the amount of data they downloaded.
Although an ICR does not reveal specific URLs visited, it has the potential to expose substantial personal information about a user, including their financial or health-related details.
It can encompass additional data points such as an individual's IP address, customer number, and the date and time when the information was accessed.
In February, the Home Office released a mandatory review assessing the implementation of the Investigatory Powers Act thus far. The report disclosed that the NCA had conducted tests evaluating the "operational, functional, and technical aspects" of ICRs and determined that there was a notable operational advantage in collecting such records.
During a limited trial that specifically targeted websites hosting illicit child images, approximately 120 individuals were identified as accessing such websites. Out of these individuals, it was discovered that only four of them were previously known to law enforcement through an intelligence check.
In May 2022, the Home Office released a procurement notice indicating that efforts had commenced to establish a "national ICR service," reflecting the ongoing work in that direction.
PublicTechnology reported in July 2022 that the government had awarded a £2 million contract to defence firm BAE Systems for the development of a technical system aimed at enabling authorities to search and acquire internet records of citizens from communication companies.
According to the Investigatory Powers Commissioner's Office (IPCO), the collection of ICRs thus far has been carried out to facilitate "small-scale trials."
The NCA informed Wired that it is still actively involved in ICR trials, assessing their utility. The agency emphasised that data exploitation is essential for their operations.