It's easy to find places to lay the blame for the Investigatory Powers Act becoming UK law last month. Along with the power to hack and monitor the general public, the Act means internet service providers must now store your entire browsing history for 12 months and make it accessible to public authorities and the police - the so-called bulk powers.
Public and political distraction because of Brexit and everything else that has been going on in 2016 is a possibility. The speed at which government managed to get this bill through Parliament is another factor, and the weakness of opposition certainly didn't help in that regard.
For tips on how to protect yourself online feel free to skip ahead to the last section...
However, as Mairi Claire Rodgers from Liberty put it, the issue generally comes down to public passivity: "We have sort of failed as campaigners to communicate the impact of this. It feels really abstract and complex and kind of passive. We are always talking about how this data will be held, and held sounds so passive. That is where we struggle."
This isn't an issue of "having nothing to hide", as the star of the upcoming Hollywood movie Snowden told Techworld earlier this month. Joseph Gordon-Levitt said this was "a slogan of the Nazis. They said that all day long, that was a staple slogan of the Nazi party, which should tell you something."
The failed petition
Unfortunately any form of opposition to the legislation effectively stopped this week, when the government outright dismissed a petition demanding further debate of the issues of personal privacy vs national security. The petition, which got nearly 155,000 signatures, should have forced a debate in the House of Commons after passing the 100,000 mark.
However, an email to all of the signees states: "The Petitions Committee has decided not to schedule a debate on this petition. When it decides which petitions should be debated, the Committee looks at whether the subject has recently been debated by the House of Commons.
"Before it was introduced into Parliament, the Bill was investigated by a Committee of MPs and Members of the House of Lords, who heard evidence and produced a report with recommendations about the Bill."
To add insult to injury the government's own petitions page states: "Petitions which reach 100,000 signatures are almost always debated." It seems like Parliament is sick of all this liberal moaning about privacy.
The government also issued a statement to reassure anyone that signed the petition, saying: "The Investigatory Powers Act dramatically increases transparency around the use of investigatory powers. It protects both privacy and security and underwent unprecedented scrutiny before becoming law."
One of these reassurances is around the new safeguards put in place around the surveillance powers, namely: "It introduces a ‘double-lock’ for the most intrusive powers, including interception and all of the bulk capabilities, so warrants require the approval of a Judicial Commissioner. And it creates a powerful new Investigatory Powers Commissioner to oversee how these powers are used."
Amendments included the introduction of a threshold to ensure internet connection records cannot be used to investigate minor crimes.
Unfortunately politicians showed themselves to be pretty inept at debating the bill, misunderstanding fundamental technical concepts like encryption and settling for cosmetic changes like the amendment located at clause 1, page 1, line 5: "This Act sets out the extent to which certain investigatory powers may be used to interfere with privacy."
The government statement added that this overarching ‘privacy clause’ was "added to make absolutely clear that the protection of privacy is at the heart of this legislation", and that "a public authority must consider whether less intrusive means could be used".
Wording like this is exactly that, just wording, with no practical protection for law-abiding members of the public to maintain their online privacy from the government. This might be because politicians themselves are exempt from the most intrusive surveillance powers the bill sets out.
The double-lock still only requires sign-off from the secretary of state and a judge who are, presumably, going to be inundated with requests. Figures from the Home Office, as published by The Guardian, show there were 517,236 authorisations in 2014 of requests for communications data from the police and other public bodies and a further 2,765 interception warrants authorised by ministers.
This gives rise to concerns that the requests process just becomes a rubber stamp. In short, it requires a huge amount of faith to be put into our security agencies in the post-Snowden world.
How to protect yourself online
Now that it is too late to stop the legislation, anyone concerned about agency snooping will need to take measures to cover their online tracks.
Istvan Lam, CEO at Tresorit, an end-to-end encrypted file sync startup, says ensuring all your communications are end-to-end encrypted is of the utmost importance. This means using:
- A secure and private internet connection through VPNs from the EU and Tor
- Secure email with the likes of Protonmail and Tutanota
- Secure messaging services like Wire, Threema, Signal
- Tresorit's own secure file storage, sync and sharing service
- Disk encryption to secure files locally as well as in the cloud
Lam added: "End-to-end encryption is not a cover-up to hide secrets; it is a tool that helps people protect data and empowers them to keep control over who has access to it. All information belongs solely to the sender(s) and the recipient(s), regardless of the degree of its confidentiality.
"However, it can be difficult to switch to secure services everywhere and in some situations it is not possible at all, so a good starting point is to assess one's own workflows and, based on where we frequently share information, decide where to start using end-to-end encryption."
Lastly, if you are concerned about your online security you should use a password manager and two-factor authentication. This won't protect you from state snooping as such but is good practice. LastPass, 1Password and Dashlane are examples of password managers that allow you to generate and store secure passwords. Pair this with two-factor authentication to secure your accounts.