May calls for internet companies to store details of website visits

Theresa May is to propose a major extension of the surveillance state when she publishes legislation requiring internet companies to store details of every website visited by customers over the previous year.

The home secretary will try to sweeten the pill of her revived snooper’s charter on Wednesday by announcing that the police will need to get judicial authorisation before they can access the internet connection records of an individual – something that is currently banned in the US and every European country, including Britain.

She will also try to strengthen the oversight of Britain’s surveillance by replacing the current fragmented system of three separate commissioners with an investigatory powers commissioner who will be a senior judge appointed by the prime minister on the recommendation of the lord chief justice.

Two and a half years after the disclosures by the whistleblower Edward Snowden of the scale of secret mass surveillance undertaken by Britain’s security agency GCHQ, the bill will for the first time put into “comprehensive and comprehensible” legislation the existing bulk-collection powers of the security and intelligence services.

The draft investigatory powers bill will also enshrine in statute GCHQ’s licence to hack into computers worldwide, including powers to sweep up content of a computer or smartphone, listen to phonecalls, track locations or even switch on the microphones or cameras on mobile phones. The powers, known as “computer network exploitation”, even allow them to record conversations or snap pictures of anyone nearby the device.

May will tell the Commons that the powers are crucial to the security and intelligence agencies and police dealing with serious crime, including murder, child sexual exploitation and tracking online fraudsters and locating missing people.

She will insist that the new surveillance law will only amount to “updating existing powers while strengthening oversight and transparency”, but privacy groups regard the requirement that everyone’s internet connection recordsbe stored by web and phone companies as a major extension of surveillance powers.

At the heart of the draft bill is the proposal that the records of every website visited by every British citizen are retained. It stops short of a detailed history of their web browsing as it will not record every page visited or every click, but the measure is banned as too intrusive a method of surveillance in the USA, Canada, Australia and every other European country. It is also banned in Britain under the terms of the 2015 Counter-Terrorism and Security Act because of fears that such data might fall into the wrong hands.

David Anderson QC, the terror legislation watchdog commissioned to report on the state of Britain’s surveillance laws in the aftermath of Snowden’s disclosures, has previously said that internet connection records included storing details of every website visited up to the first forward slash in their address – but not a detailed record of all web pages on a particular site. The internet connection records will also include times of contacts and the addresses of the other computers or services with which the user made contact.

“Under this definition a web log would reveal that a user had visited eg google.com or bbc.co.uk but not the specific page,” said Anderson in his report, A Question of Trust. “It could also of course reveal ... that a user has visited a pornography site or a site for sufferers of a particular medical condition, though the Home Office tells me it is in practice very difficult to piece together a browsing history.”

The home secretary is also to propose a two-stage compromise over the current system of ministerial authorisation of the 2,700 warrants each year that allow the security services and police to intercept the content of calls and messages, with a panel of vetted judges having the power to veto her decisions.

She is also expected to announce that the police will need pre-authorisation from the same panel of vetted judges to access website viewing histories, the so-called individual internet connection records.

The current system under which more than 500,000 requests a year to access personal communications data – the who, what, where and when of our phone and web use – by the police will continue without the need for any warrant. Only local authorities and some other public bodies will need permission of a magistrate to access this metadata.

Government sources said that a new criminal offence carrying a two-year prison sentence will be created to prevent abuse of such communications data by public authorities, and local authorities will be banned entirely from acquiring internet connection records. They confirmed that “strong controls” will be imposed on access to these records.

Jim Killock of the Open Rights Group, which is part of the Don’t Spy on Us coalition of privacy campaign groups in Britain, said the bill would be seen by many as a return of the snooper’s charter blocked by Nick Clegg and the Liberal Democrats in the coalition.

“There is no doubt that our surveillance laws need to be reformed and it is unlikely that we will oppose this bill in its entirety,” he said.

“However, the bulk retention of British citizens’ data, whether or not they are suspected of a crime, is highly intrusive. We expect this bill will increase the types of personal data that is retained and many people will see that as a return of the snooper’s charter.

“Ensuring that the police have to go to judges for access to this data is a welcome step but we also need to see restriction on what information is kept about each of us in the first place,” he added.

“This bill will redefine the relationship between the state and the public for a generation and it is vital that the government gets it right.”