Two UK internet providers have been helping the Home Office and National Crime Agency track the websites visited by customers.
A trial of new powers granted by the controversial Investigatory Powers Act of 2016 has been going on for months.
It involves the internet providers creating internet connection records (ICRs), which can be used to show which websites a person visited and when.
Digital rights campaigners have raised privacy concerns.
“It’s needles in haystacks, and this is collecting the entire haystack,” said Heather Burns, policy manager with the Open Rights Group.
“We should have the right to not have every single click of what we do online hoovered up into a surveillance net on the assumption that there might be criminal activity taking place.”
The Home Office said the trial was small in scale and in its early stages.
It is exploring what kind of data could be retrieved under the law and how useful – or not – it might be, it said.
But due to the nature of the trial, its exact workings are shrouded in secrecy, and it is not clear how many internet records are being collected for testing purposes, or to whom they belong.
The test’s existence was first reported by Wired.
The power to spy on the websites people visit comes from the Investigatory Powers Act, which critics call a “snoopers’ charter” due to widespread concerns about its scope.
The act gives the secretary of state the power, with a judge’s approval, to order internet providers to keep their records for up to a year. The definition is so broad that critics believe all ISPs will simply be issued with such orders to cover all their customers.
Those records can include which websites a customer visits, when, and how much data they download, as well as the relevant IP (internet protocol) addresses – but not what pages or exactly what content they read on those sites.
But that so-called “metadata” can still reveal a lot about a person’s habits – from what political sites they visit to their use of pornography. There are, however, restrictions on who can access the ICRs and for what reasons.
The trial involves the two UK internet providers, which have not been named, the Home Office, and the National Crime Agency.
The internet providers themselves are prevented from saying if they are involved, as the law bans “disclosing” the existence of a data retention notice to anyone else.
The trial’s existence was never formally announced or publicised, but was instead contained in two short paragraphs in a 168-page annual report from the Investigatory Powers Commissioner’s Office (Ipco), published in December.
A spokeswoman for Ipco said the trial was continuing, and “regular reviews” were being carried out to make sure the data collection was “necessary and proportionate”.
“Once a full assessment of the trial has been carried out, a decision will be made on whether there is a case for national rollout,” she said.
But Ms Burns said the level of secrecy involved was a cause for concern.
“Yes, they’re ticking the boxes about the oversight and the judicial approval every way they can,” she said.
“But there’s still an aspect of transparency which is crucially missing here.”
She said questions remained around the scope of the law, which had been a key concern for critics as it was being debated in Parliament.
The Ipco report’s brief reference to the trial revealed that it began in July 2019, when a judge approved a “retention notice” on a telecoms company. Another was granted in October that year, for a different telecoms company.
Both are, it said, for “testing purposes only” – so it is not clear whether they are linked to criminal suspects.
The National Crime Agency said it uses what it calls “data exploitation” to tackle crime.
“We are supporting the Home-Office-sponsored trial of internet connection record capability to determine the technical, operational, legal and policy considerations associated with delivery of this capability,” it said in a statement.