Some tech companies will inform users if law enforcement makes a request to turn over their data. Twitter, for example, has a policy that they will inform users of any such requests unless prohibited from doing so. Now the UK government is considering legislation to punish tech companies who notify their customers that police or intelligence agencies are monitoring them. This proposal is an amendment added to the Investigatory Powers Act - an incredibly authoritarian bill that is being considered by the UK parliament, which among other provisions, requires companies like Apple to decrypt their encrypted communications.
This latest amendment makes an already bad bill even worse. The law carries a maximum penalty of two years in prison for informing a target of surveillance that they are being snooped on, unless explicitly permitted to do so by the investigating agency. This proposal has been criticized on the grounds that it stands in the way of citizens challenging unlawful surveillance. Antony Walker, Deputy CEO at techUK, stated, "A right of redress by the citizen depends upon individuals being notified at some appropriate time that requests have been made to access their data."
The bill also contains a provision criminalizing obtaining communications data without lawful authority, which is aimed at cracking down on abuses by law enforcement and intelligence agencies. This section also carries a maximum of two years in prison. While this sort of provision sounds pretty good, actual enforcement of it is going to be an issue. Since the previous provision was directly aimed at preventing people from finding out they are the target of surveillance, it will be far less likely that surveillance without lawful authority will even be discovered, not to mention prosecuted.
Another amendment in the bill would allow police to deploy filter software to gather data from a suspect from multiple sources at once. These automated systems collect extensive communications and personal data from numerous companies and forward any data relevant to the investigation to law enforcement, while deleting any other data that was collected. This provision is presented as a safeguard against unnecessary intrusion, and notes on the bill state, "By using the Request Filter to automate the analysis, the amount of data passed to public authorities will be minimised, reducing the levels of intrusion and protecting privacy."
Should companies be punished for informing their customers of government surveillance? Leave your comments below.