UK’s revamped surveillance rules become law despite industry opposition

The UK’s Investigatory Powers (Amendment) Act (IPAA) received royal assent on Friday, making it law and broadening the government’s ability to collect bulk communications data.

The Act raises concerns about potential mass surveillance and violations of individual privacy as it weakens safeguards when intelligence services collect bulk datasets of personal information, potentially enabling the harvesting of millions of facial images and social media posts. Authorities will also gain the enhanced ability to gather internet connection records.

The UK government argued that revisions to the law were needed in order to help intelligence agencies and the National Crime Agency keep pace with evolving threats and technological change. Safeguards built into the original law have been extended and enhanced, according to Minister for Security Tom Tugendhat.

But opponents said the legislation had been rushed through Parliament, limiting opportunities for public engagement and appropriate scrutiny.

Concerns over ‘veto’ on security updates

Critics argue that the Act lowers the threshold for obtaining warrants for data collection, potentially allowing for more intrusive surveillance without adequate oversight.

Other measures in the IPAA grant the government a “secret veto” on security software updates, according to technology industry critics.

The move could leave the UK vulnerable by hindering the development and deployment of crucial security tools.

Academics, think tanks, and civil liberties groups have all raised concerns about amendments to the 2016 Investigatory Powers Act, arguing that they make rules previously dubbed a “snooper’s charter” even worse.

A joint statement by techUK and other lobby groups including the Internet Society, Liberty, and Privacy International summarises the misgivings of critics.

The new law will impede companies’ ability to “innovate and advance the data protection, data security, and data minimisation efforts expected by users, governments and regulators globally”, they warned.

Their joint statement also criticised the law for “severely restricting the use of security enhancing technologies” as well as allowing the introduction of “systemic vulnerabilities that would pose security and privacy risks”.

The revised law will make the UK a “weak link in the chain of online security”, they said.

“UK-developed products and services [will] become less appealing, because adopters will fear that they have been designed for Government access, and the UK will become a more appealing target for criminals and hostile nation states,” the groups warned.

Encryption backdoors

The revised law could have serious repercussions for UK tech innovation, potentially driving tech talent elsewhere, according to Nick France, CTO of Sectigo, a technology vendor that specialises in digital certificate management.

“With its push for encryption backdoors and the ability to grant — or not — permission for companies to patch vulnerabilities, [the Act] is raising alarm bells in the tech sector,” he said. “It’s a double-edged sword, hampering innovation and competitiveness while simultaneously weakening security.”

France concluded, “Ultimately, the amendment may achieve the opposite of its stated purpose, jeopardising national security and economic growth in the pursuit of increased surveillance capabilities.”

Transatlantic comparisons

Countries in the EU with stricter data protection regulations might offer fertile ground for tech firms that prioritise trust and privacy. Moving across the Atlantic offers a less attractive option.

The broadening of surveillance capabilities in the UK can be compared to moves in the US regarding the recent extension of communications monitoring under the Foreign Intelligence Surveillance Act (FISA).

Mayur Upadhyaya, CEO of API monitoring vendor APIContext, said, “Both legislative moves aim to address security threats effectively but have sparked debates about the potential for overreach and the implications for privacy. In the US, discussions around extending FISA monitoring often center on the need for oversight and the protection of civil liberties, a parallel concern shared in the UK context.”

But, said Upadhyaya, “The introduction of such laws requires a careful balancing act to maintain trust in digital environments, ensure compliance with human rights standards, and protect against unwarranted intrusion into private lives.”
