The uncertainties of the post-Brexit-Referendum period have concerned, among others, a major legislative project that is currently developed – the Investigatory Powers Bill. The Bill is a comprehensive new legal framework for the surveillance powers of British security agencies, and as such, it has significant implications for civil rights and academic freedoms.
When information provided by NSA whistleblower Edward Snowden started to reveal the extent of mass surveillance by security agencies over three years ago, calls for policy reform emerged. In the UK, several institutional reviews raised concerns about the legitimacy and legal grounding of surveillance practices. The ‘Anderson Report’ by the Independent Reviewer of Terrorism Legislation criticized the legal framework as ‘fragmented’, ‘obscure’ and ‘undemocratic’,1 and the Independent Surveillance Review of the Royal United Services Institute (RUSI) called for a “democratic licence” for the surveillance activities of intelligence agencies.2 Some of these practices were declared unlawful in judicial challenges. In autumn 2015, the government therefore proposed a new legislative framework for all data interception and monitoring activities. The Investigatory Powers Bill has been reviewed in Parliament over the past few months and is (or was) planned to come into effect by the end of the year.
While the increased transparency of previously secret practices by security services through this new law has been widely acknowledged, civil society groups and industry have criticized many of the law’s provisions. The Bill allows the ‘bulk collection’ of vast troves of user data; the hacking of computer systems by intelligence agencies; the collection of our browsing history; and it may compromise encryption and thus the security of user data.
Academic work would be affected, for example, by the collection of “internet connection records” (ICRs), i.e. all websites that a scholar may access while conducting research. If that research concerns sensitive issues, the scholar may risk being profiled and monitored. Further, as the Bill legalizes the intrusion (or hacking) of computers – including computers of individuals “who are not intelligence targets”3 to access information or other connected systems – it creates the legal possibility for intelligence agencies to access research data (e.g., contact details, interviews, etc.) by hacking into the computers of academics and universities. The Bill does introduce judicial oversight for some, but not all, of these activities. ICR collection can be authorised merely by a ‘designated senior officer’ from within the same authority requesting access. Further, the definitions of these powers and capabilities are vague and not clearly focused. As, for example, the Scottish PEN noted: “We are concerned that the vagueness that defines the bill will enable the intelligence agencies to go beyond what was initially contained within the bill, as the parameters to their behaviour have not been clearly identified.”4
Civil society groups, industry, and Parliamentary committees have urged the government to review the Bill, but with limited success. The Intelligence & Security Committee recommended that “the new legislation contains an entirely new Part dedicated to overarching privacy protections, which should form the backbone of the draft legislation around which the exceptional powers are then built.”5 Yet so far, the government has been unwilling to review the Bill more substantially. In light of the Brexit referendum, some digital rights groups now argue a halt to the further deliberation on the Bill. As the Bill affects intelligence and business activities outside the UK, as well as European jurisprudence, a broader review may be inevitable. However, as the new Prime Minister Theresa May was the main force behind the development of the Bill, expectations of its demise may be premature.