One of the most thrilling developments in the privacy and security world is the ongoing drafting of the UK Investigatory Bill, which will regulate much of what the authorities are allowed to do when it comes to crime and national security. The issue is highly controversial and sparks feelings for and against, not only because of the years that have passed since the leaks about what the NSA was doing (accidentally?).
Surely the UK has not been much more innocent when it comes to the surveillance of people, both in the UK and abroad. Now, setting up a Bill to regulate or even institutionalise that activity is better than continuing to operate in the grey area. At the moment the costs of such operations are heavy, the risk of getting caught is high and nobody really wants to confess they are doing it. From this angle, it does make sense to put it all down on paper, publish it and lead the Bill through careful discussion and consideration. That will at least embed the institutional framework and ensure that the practices are well known. However, there is more to the issue than just writing a Bill about it.
First of all, nobody seems to care about the question of whether the means of surveillance should be institutionalised at all. Breaching personal privacy should be an exceptional case, not an everyday matter. As the Bill has been debated and approved, processes are in place and people across the administration are eagerly waiting to get it all rolling. While it remains unclear how much practical security, if any, all this brings to the people, one thing is sure: institutionalised surveillance mechanisms and seamless access to people online do have a chilling effect. If nothing else, the Bill declares the presence and regains the authority of the UK, inside its territory and also globally. While the UK is surely one of the kingdoms to have such a role in the world, one can question whether the small ones will follow the example. Such unintended consequences of an innocent and well-meaning Bill may not be something everyone is happy about.
As critique and as part of the public debate on the Bill, some comments were recently raised by the technical and business sector. While these groups have understandable concerns about the effects of implementation on businesses and on the economy of the whole industry, the issue may be less one of “who pays” than of “who governs”.
Storing customers’ details and transactional data for months and months amounts to de facto bulk collection, where data is filtered only at the time of inspection. This surely is a fancy feature for any low-rank official to play with. However, it is far from targeted surveillance and in fact aims more to promote the state as a competent authority and mandated actor in cyberspace. There may even be a taste of jealousy here. Many corporations have been doing more than that for ages, storing all the details and doings of their customers not only for months but for years and decades. Surely states want to achieve the same capability and be granted the same mandate. But should they, really? Isn’t the fundamental motivation of legislation to protect the individual from tyranny, rather than to secure the tyranny from the people?