Home Office and ISPs have been testing new mass surveillance tool in secret for two years

The tests are being conducted under the controversial Investigatory Powers Act

Two internet providers in the UK have been secretly testing a surveillance tool that could collect the web browsing history of all internet users in the country.

Wired alleges that the unnamed ISPs are conducting the tests in association with the National Crime Agency, as part of a Home Office exercise. The purpose is to determine if it's possible to roll out a bulk surveillance system on a country-wide scale, for the purpose of law enforcement and national security.

The tests are being carried out under controversial Investigatory Powers Act, or Snooper's Charter, which was introduced in 2016.

While limited details are available, the Investigatory Powers Commissioner's Office (IPCO) annual report [pdf] revealed that the first trial began in July 2019, after the regulator approved the Home Office 'retention notice' request relating to an internet provider. A second trial began in October 2019.

Both trials involved the creation of Internet Connection Records (ICRs) - the metadata about people's online activities, such as which websites they visited, how much data they downloaded, etc. While an ICR does not give details of specific pages visited on a website, it can provide a lot of personal information about a user, including their financial or health details.

Under the Investigatory Powers Act, law enforcement agencies can ask mobile and internet firms to store users' browsing data for 12 months, although the order must come with approval from a senior judge.

The NCA told Wired that a 'significant' amount of work has gone into the trial.

A spokesperson for the IPCO also confirmed that the trials are still ongoing. They added that the IPCO conducts regular reviews to ensure the data collected remains 'necessary and proportionate'.

ISP insiders said they cannot speak about the tools or trials due to 'security concerns'.

The revelation has prompted privacy activists to complain about a lack of transparency over citizens' data collection.

'This is a fairly staggering lack of transparency around mass data collection and retention,' said Heather Burns, policy manager at the Open Rights Group.

Burns characterised the trials as attempts to "collect the haystack in order to identify two needles."

"We should have the right to not have every single click of what we do online hoovered up into a surveillance net on the assumption that there might be criminal activity taking place," she added.

The Home Office declined a request to provide more details. It said the trial is 'small scale' and being conducted to determine what data might be collected and how useful it could be.