The Investigatory Powers Bill Is Junk

The UK Investigatory Powers Bill lacks a basic understanding of VPNs and should be thrown out.

• March 3, 2016
• Updated October 2, 2023

Back again ¶

The Investigatory Powers bill is back and as a UK based Internet company we are very interested in seeing how this progresses.

In short it proposes the following:

• Internet service providers will have to store the details of every website customers have visited for 12 months.
• Warrants for surveillance will be issued by ministers but only acted on when approved by judges, a so-called ‘double lock’.
• Make provisions for intelligence agencies to acquire information in bulk.
• A requirement for technology companies to remove encryption that they have themselves applied where it is practicable for them to do so.
• Formalise the Wilson Doctrine, meaning the communications of MPs can’t be accessed without approval from the Prime Minister.

12 Month History Retention ¶

Taking the most contentious of these proposals the bill will require UK based ISPs to hold twelve months of history for customers and to allow agencies to request access to logs for specific periods. This will clearly increase overheads at ISPs that inevitably will be passed onto consumers.

Easily bypassed ¶

The idea that requiring UK-based ISPs to maintain a list of ICRs (Internet Connection Records) giving agencies full visibility on UK Internet Activity is junk.

There are already VPN Companies offering products and workarounds to prevent traffic going through your ISP being loggable. This renders the bill irrelevant and for anyone with a modicum of technical experience getting and using a VPN outside of the UK is trivial and costs around $20 a month.

Jurisdiction over VPN providers ¶

Because a user can easily connect and use a VPN service outside the UK the bill will have no jurisdiction over VPN providers outside of the UK. Because data will be passing through networks outside of the UK and will be encrypted the UK ISP provider will not be able to log ICRs for a user either.

Rushing through parliament ¶

Theresa May seems hell-bent on pushing this bill through parliament before the EU Referendum campaign. It is a complex bill with deep implications for the UK Internet Industry and for Civil Liberties.

It is my opinion that this bill should be thrown out. Whether I agree with tracking ICRs or not this bill will not deliver on much of what it is trying to achive. I am not convinced that the authors of the report understand the fundamentals of the Internet well enough to realise that by using a VPN outside of the UK ISPs cannot record ICRs.

The bill is expected to be given a Commons second reading on 14 March and sent to the House of Lords before the end of April in order to get it on to the statute book before a 31 December deadline.

Although the Home Office claim the bill will be compliant with the European Convention of Human Rights a legal challenge looks likely if it is a passed.

Tags

• Opinion

Can you help make this article better? You can edit it here and send me a pull request.

See Also

• Tech is looking like banking in the 80s
  Feb 22, 2016
  Lack of women, tax avoidance, inflated salaries and an increasing disconnect with mainstream society. It is like Gordan Gecko but in a hoodie.

• Passwords are still an anti-pattern
  May 30, 2014
  Passwords continue to harm the web. We need to rethink our approach to authentication.

• Examining request headers with netcat
  Feb 19, 2014
  How to use Netcat to examine request headers from user agents or applications.