The UK’s Secretive Web Surveillance Program Is Ramping Up

“ICRs are highly intrusive and should be protected from over-retention by telecommunications operators and intelligence agencies,” says Nour Haidar, a lawyer and legal officer at UK civil liberties group Privacy International, which has been challenging data collection and handling under the Investigatory Powers Act in court.

Little is known about the development and use of ICRs. When the Investigatory Powers Act was passed, internet companies said it would take them years to build the systems needed to collect and store ICRs. However, some of those pieces may now be falling into place. In February, the Home Office, a government department that oversees security and policing in the UK, published a mandatory review of the operation of the Investigatory Powers Act so far.

The review says the UK’s National Crime Agency (NCA) has tested the “operational, functional, and technical aspects” of ICRs and found a “significant operational benefit” of collecting the records. A small trial that “focused” on websites that provided illegal images of children found 120 people who had been accessing these websites. It found that “only four” of these people had been known to law enforcement based on an “intelligence check.”

WIRED first reported the existence of the ICR trial in March 2021, when there were even fewer details about the test. It is still unclear which telecom companies were involved. The Home Office’s February report is the first official indication that the trial was useful to law enforcement, and could help lay the groundwork for expanding the system across the UK. The Home Office review also states its trial found that “ICRs appear to be currently out of reach for some potentially key investigations,” raising the possibility that the law may be changed in the future.

In May 2022, the Home Office issued a procurement notice revealing that, for future trials, “work is now underway” to create a “national ICR service.” The existence of the notice was initially reported by the public sector technology publication PublicTechnology. The notice says the government had a budget of up to £2 million to create a technical system that allowed law enforcement officials to access ICR data for investigations.

The contract for the technical system was awarded to defense firm BAE Systems in July 2022. In response to a Freedom of Information Act request from WIRED, the Home Office provided some pages of the contract with BAE but refused to give any technical details due to commercial interests. (A spokesperson for BAE said it could not discuss specific contracts for confidentiality and security reasons.)

The Home Office FOIA response also refused to provide details of an internal review into ICRs, citing national security and law enforcement grounds. A Home Office spokesperson said the UK has “one of the most robust and transparent oversight regimes for the protection of personal data and privacy anywhere in the world” and confirmed that trials of ICRs are ongoing.

When asked whether ICRs will be rolled out across the entire UK, the Home Office spokesperson pointed to the FOIA response, which says that providing additional information may jeopardize law enforcement activities. “Information on law enforcement capabilities and targeting is very sensitive, particularly in the field of digital communications, where it is often the case that criminal groups or individuals themselves display a high degree of technical sophistication and awareness,” the FOIA response says. Because of this, it continues, “it is vital that sensitive information on how they might conduct their investigations, or the nature of their technical abilities, are not publicly known.”