The Investigatory Powers Bill and Online Privacy

Share this page

The Investigatory Powers Bill (IPB) has been approved by the UK Parliament and will come in force in 2017.

We decided to do a deeper analysis of this law, since it potentially impacts a large number of Proton Mail users. According to our 2016 Encrypted Email User Survey, the UK accounts for the third largest group of Proton Mail users after the US and Russia. It came as a surprise to us that the law passed with such little fanfare, so we feel it is necessary to draw attention to what is quite possibly the worst surveillance law to have been passed so far in a Western democracy.

At Proton Mail, advocacy is a large part of what we do, and whether it’s fighting surveillance laws in Switzerland(new window), working with the ACLU(new window) in the United States, or supporting investigative journalists in Asia(new window), our mission is to ensure that the rights to privacy and freedom of speech, both critically important for democracy, remain protected. Simultaneously, we are employing our technology to provide individuals and organizations better protection against growing cyberthreats.

Developing end-to-end encryption technology like that used in Proton Mail is just one part of the battle. Just as important are the advocacy activities of educating politicians, journalists, and ultimately the youth who make up the next generation of leaders. To support this mission, Proton Mail works with lawyers both in-house and from outside human rights organizations, and a non-trivial part of our revenue goes towards supporting such efforts. With our legal team, we have created a short summary of the most relevant points of the IPB.

What is the Investigatory Powers Bill?

The IPB is a new Act of Parliament that gives broad new powers to UK intelligence agencies (GCHQ, MI5) and law enforcement. The key powers are:

1. Retention of Internet browsing records for 1 year

This is in our opinion the worst part of the law. Imagine your browsing history for the entire past year accessible to the government or police without a warrant. This would allow the construction of detailed profiles on every citizen, and categorization based on political views, personal beliefs, and much more.

All UK communication service providers (so Internet providers, phone companies, email providers, etc), will be required to retain 1 year of your internet connection records in a central database. This database includes what sites you visited, when you visited the site, for how long, who you called, who you emailed, etc. All of this data will be stored in a central database accessible to the government and law enforcement. More troubling is that no warrant or judicial oversight is required to gain access to this database, the police will have sole discretion to decide when they need to access this database.

2. Bulk collection of communications data

British communications providers will be required by law to assist in intercepting communications data in relation to an investigation. So far, foreign companies are not required to comply, but as we will discuss below, there are some caveats to this.

3. Breaking Encryption

Communication providers will be mandated by law to remove encryption whenever it is “practical”. The law is particularly dangerous because it doesn’t well define what is the meaning of “practical”, which means this can be subject to the government’s interpretation.

4. Enforcement of gag orders

When a communications provider receives a request for data, it is not permitted to reveal that the request took place. Under IPB, it is now a criminal offense for either the communications provider, or somebody working for the provider, to reveal a data request. Thus, if the powers of the IPB are abused, a whistleblower would be committing a criminal offense by revealing the abuse.

I don’t use a UK based communications provider, am I safe?

In theory, the IPB only applies to UK companies, but today with the rise of large multinational tech companies, even non-UK companies can be pressured to comply if they have a significant UK presence and employees in the UK. Since any such requests will happen behind the scenes, we will never know if foreign companies do comply with the IPB. Since the UK is a member of the Five Eyes(new window) network, along with the USA, Canada, Australia, and New Zealand, the intelligence scooped up by the IPB will also be shared with US intelligence so UK residents could find their private data being shared beyond UK borders.

Is Proton Mail still safe? How do I protect myself?

As a Swiss company, Proton Mail does not fall under the jurisdiction of the IPB. We believe that strong encryption isn’t just important for privacy, but also key to providing security in the digital age, and we will continue to advocate this position to governments and business leaders. If you would like to support our advocacy efforts, upgrading to a paid Proton Mail account is a great way to do so.

Bills like the IPB pose an unprecedented threat to democracy, and are strikingly similar to surveillance laws from totalitarian states. Fortunately, there are tools today that can help protect our digital rights. Getting a Proton Mail encrypted email account can protect your email communications from being intercepted or read by government agencies. The rest of your online activities can also be protected. In particular, we recommend using VPN services that don’t have a physical presence in the UK (like free vpn service Proton VPN(new window)), and also using apps like Signal(new window) for text messaging, or Tresorit(new window) for file sharing. Most importantly, we have to spread the word that more surveillance and less encryption isn’t the solution(new window) to today’s security challenges.

You can get a free secure email account from Proton Mail here.

Proton Mail is supported by community contributions. We don’t serve ads or abuse your privacy. You can support our mission by upgrading to a paid plan(new window).

The banner image of this blog post is provided under a free, unrestricted use, license

Protect your privacy with Proton
Create a free account

Share this page

Proton Team

We are scientists, engineers, and specialists from around the world drawn together by a shared vision of protecting freedom and privacy online. Proton was born out of a desire to build an internet that puts people before profits, and we're working to create a world where everyone is in control of their digital lives.

Related articles

The last thing you want when showing funny videos or holiday photos on your phone or tablet to friends and family is for them to see your sensitive and private photos. Although there are third-party apps dedicated to hiding your personal photos and
It can be slightly difficult to encrypt a zip file using the tools available on your Windows or Mac. Unlike encrypting a PDF or an Excel file, there’s no standardized software to use. You’ll need to rely on your device’s built-in encryption methods. 
Last week, the Spanish Presidency of the European Council delayed a vote regarding the Council’s position on the controversial Child Sexual Abuse Regulation (CSAR) due to a lack of consensus over the issue of encryption, among others. This proposed r
At Proton, we’re always working on new and innovative ways to protect the privacy and data of the Proton community. Sometimes that means developing entirely new services, like our Proton Sentinel program, which combines AI and human security analysts
How to unsend an email in Gmail, Outlook, Proton Mail, and Apple Mail
“Undo Send” gives you a chance to stop an erroneous message you’ve just sent. We’ve all done it. You hit Send on an email only to spot you’ve misspelled someone’s name, forgotten an attachment, or accidentally sent a cringing joke to half your conta
Google has already taken privacy washing to the extreme by trying to brand itself as “privacy focused”, even though its business model is based on surveillance.  Lately, the company’s marketing strategy has turned toward outright Orwellian doublespe