A recent article about how your interest in privacy could land you on an NSA watchlist drew out a lot of ire towards the US government, but the UK proved last week that mass surveillance and privacy violations aren’t the sole province of the United States. The Data Retention and Investigation Powers bill (DRIP) garnered a lot of attention from the press, but it moved so quickly through Parliament that you might have missed it—here are the details you need.
What Is DRIP?
In a recent decision, the European Court of Justice overturned an EU directive that allowed e-mail and phone providers to keep users’ data—including location, travel, and social contact data—for up to two years in case of a later government investigation, in which case they’d be served a warrant to hand that data over.
After this directive was overturned, members of the British Parliament sped the Data Retention and Investigation Powers bill through the legislative process, in essence to put those regulations and powers back in place. DRIP requires that telecommunications providers keep users’ metadata for 12 months.
It also extends this requirement to any organization that provides services to British citizens, meaning that, according to UK law, an American or Japanese e-mail provider could be served a warrant for a UK citizen’s metadata. E-mail is inherently insecure, but this could make it even more so if international companies decide to cooperate.
DRIP makes some alterations to an already controversial set of laws called the Regulation of Investigatory Powers Act (RIPA). In addition to the expansion of metadata storage requirements to international companies, this new legislation also changes the definition of “telecommunication providers” to include “companies who provide internet-based services.” Some commenters say that this places all of UK citizens’ e-mail, Facebook, iCloud, and text messages in danger of government snooping.
The law may also cover remote data storage, meaning that if you store data on an international server, like US-based Dropbox, the government could potentially serve a warrant to the owner of that server.
One of the discussion points that’s been getting a lot of press is whether or not this legislation expands the UK government’s powers to scrutinize and intercept communications. David Cameron has been quoted as saying, “I want to be very clear that we are not introducing new powers or capabilities,” but many critics are calling him out on this, saying that it’s just not true.
A number of concessions were made to get the bill through, including the creation of a new oversight board, limitations on which public bodies can use data acquired through the new legislation, a review of data-intercept laws, and a “sunset clause” that states the bill will expire in 2016, when it will have to be reviewed again before reinstatement.
What’s The Big Deal?
There are a number of factors that make DRIP so controversial. One is that the bill was called “emergency legislation” and rushed through Parliament in a stunning eight days. When was the last time you remember a bill getting through any congressional body that fast?
The text of the bill itself, of course, is also cause for concern. The idea of companies retaining data from your cell phone, e-mail, or remote storage for 12 months just so they can pass it on to the government if they’re asked is very worrying. That’s a lot of data being stored, and there have been a number of high-profile losses of private data in recent memory: Adobe, eBay, and Target come to mind.
Whether or not the data being stored under DRIP will appeal to hackers is unknown, but just the fact that it’s there will certainly be reason enough for some people to try to get access to it.
And, of course, there’s the issue that the European Court of Justice just struck down a large set of very similar laws in the European Union as violating the right to privacy. Without getting into political speculation, this could have some big effects in the coming days for the UK’s relationship with the EU, as it’s effectively contravening a judgment passed by the highest European Court.
What Should You Do?
DRIP has garnered a lot of attention, even if it was blitzed through Parliament before the press or the people could say boo. However, people are speaking out (here’s a great open letter from a number of academic legal experts). As we’ve seen in the past, a large public outcry can have a positive effect in situations like this.
And, of course, we always recommend encrypting your data. Even if companies are only required to store metadata, there are plenty of examples of more substantive content being stored and accessed. To get started, encrypt your browsing with Tor, encrypt your e-mail with PGP, and switch from Dropbox to one of these three secure cloud storage providers.
It’s clear now that the US isn’t the only major Western nation with surveillance and privacy issues—the UK government has made a major statement with DRIP that it will take measures to store and access users’ data. We’ll be keeping a close eye on developments!
What do you think about DRIP? Does it violate the judgment by the ECJ? Does it violate a right to privacy? Should the UK attempt to enforce these sorts of laws internationally? Share your thoughts below!