Who can view my internet history?
Spoiler alert: they already know you visited this site.
Last week, whilst most of us were busy watching the comings and goings at Trump Tower and Ed Balls on Strictly, Parliament quietly passed the Investigatory Powers Act 2016 (a.k.a. the Snoopers’ Charter). It’s been described as the most intrusive system of any democracy in history and a privacy disaster waiting to happen.
The Act makes broad provisions to track what you do online. Amongst a raft of new surveillance and hacking powers, it introduces the concept of an internet connection record: a log of which internet services - such as websites and instant messaging apps - you have accessed. Your internet provider must keep these logs in bulk and hand them over to the government on request, whether you want them to or not.
This is a truly appalling development, but all is not quite lost: there are still legal actions pending against the UK’s mass surveillance powers, and you can visit Don’t Spy on Us to find out more.
In the meantime, read on to find out who exactly will be able to see what you’ve been up to online.
Who can view my stuff?
A list of who will have the power to access your internet connection records is set out in Schedule 4 of the Act. It’s longer than you might imagine:
- Metropolitan police force
- City of London police force
- Police forces maintained under section 2 of the Police Act 1996
- Police Service of Scotland
- Police Service of Northern Ireland
- British Transport Police
- Ministry of Defence Police
- Royal Navy Police
- Royal Military Police
- Royal Air Force Police
- Security Service
- Secret Intelligence Service
- Ministry of Defence
- Department of Health
- Home Office
- Ministry of Justice
- National Crime Agency
- HM Revenue & Customs
- Department for Transport
- Department for Work and Pensions
- NHS trusts and foundation trusts in England that provide ambulance services
- Common Services Agency for the Scottish Health Service
- Competition and Markets Authority
- Criminal Cases Review Commission
- Department for Communities in Northern Ireland
- Department for the Economy in Northern Ireland
- Department of Justice in Northern Ireland
- Financial Conduct Authority
- Fire and rescue authorities under the Fire and Rescue Services Act 2004
- Food Standards Agency
- Food Standards Scotland
- Gambling Commission
- Gangmasters and Labour Abuse Authority
- Health and Safety Executive
- Independent Police Complaints Commissioner
- Information Commissioner
- NHS Business Services Authority
- Northern Ireland Ambulance Service Health and Social Care Trust
- Northern Ireland Fire and Rescue Service Board
- Northern Ireland Health and Social Care Regional Business Services Organisation
- Office of Communications
- Office of the Police Ombudsman for Northern Ireland
- Police Investigations and Review Commissioner
- Scottish Ambulance Service Board
- Scottish Criminal Cases Review Commission
- Serious Fraud Office
- Welsh Ambulance Services National Health Service Trust
I always wondered what it would feel like to be suffocated by the sort of state intrusion that citizens are subjected to in places like China, Russia and Iran. I guess we’re all about to find out.
Who else can view my stuff?
Bulk surveillance of the population and dozens of public authorities with the power to access your internet connection records is a grim turn of events for a democracy like ours.
Unfortunately, bulk collection and storage will also create an irresistible target for malicious actors, massively increasing the risk that your personal data will end up in the hands of:
- People able to hack / infiltrate your ISP
- People able to hack / infiltrate your Wi-Fi hotspot provider
- People able to hack / infiltrate your mobile network operator
- People able to hack / infiltrate a government department or agency
- People able to hack / infiltrate the government’s new multi-database request filter
I’d wager that none of these people have your best interests at heart.
Sadly, if the events of the past few years are anything to go by, it won’t take long for one or more of these organisations to suffer a security breach. Assuming, of course, that the powers that be manage not to just lose all of our personal data in the post.
Postscript: What now?
Since I posted this piece, lots of people have been in touch to ask me what they can do. Here are three suggestions: