The British government has presented the final draft of legislation that critics call a “snooper’s charter”—it would create records of all the websites that people visit, legitimize the hacking of people’s computing devices, force organizations to hand over bulk data sets about the people they serve, and compel tech firms to remove encryption when asked to do so.
Some of the changes since the first draft of the Investigatory Powers Bill include attempts to satisfy calls for better safeguards. Urgent surveillance warrants will now need to be reviewed by a senior judge more quickly than before. There is also now a requirement for the home secretary to authorize any request from British intelligence agencies to their overseas partners to spy on British people.
The government has expressly rejected some of the recommendations made by parliamentary committees scrutinizing the bill last month—it insists it will keep the idea of bulk hacking warrants, along with the right to do all this surveillance to protect the U.K.’s “economic well-being.”
“The bill ensures that the security and intelligence agencies and law enforcement continue to have the powers they need to keep us safe against a backdrop of an increasingly complex, serious, and unpredictable threat,” home secretary Theresa May said in Parliament on Tuesday.
“The continued inclusion of powers for bulk interception and bulk equipment interference—hacking by any other name—leaves the right to privacy dangerously undermined and the security of our infrastructure at risk,” said Gus Hosein, the executive director of Privacy International. “Despite this, the Home Office stands by its claim that the Bill represents ‘world-leading’ legislation. It is truly world-leading, for all the wrong reasons.”
Get Data Sheet, Fortune’s technology newsletter.
What’s more, the new version of the bill actually broadens some of its powers. Police will now be able to access all of a person’s web-browsing records in an investigation, not just those pointing to illegal websites and communications services. And the police—rather than just the intelligence services—will also be able to hack into computers in cases involving missing people or “threat to life.”
“It beggars belief that the government is blundering on with its snooping power grab completely disregarding the concerns being raised from all sides, including no fewer than three of its own parliamentary committees, every privacy group in the country, the UN, and tech firms like Apple,” (AAPL) said Kate Allen, the director of Amnesty U.K.
Meanwhile, the World Wide Web Foundation warned that pushing the bill through in haste would be “a slap in the face for Britain’s democracy and her people.”
“The bill and its supporting documents run to well over 500 pages. If, as reported, the Bill will get its second reading within a fortnight or sooner, MPs will have to crunch through more than 50 complex and technical pages per working day just to get a basic handle on the Bill and hold an informed debate. This is not only unrealistic, but dangerous,” said Anne Jellema, the foundation’s CEO.
The purpose of the Investigatory Powers Bill, introduced last November, is ostensibly to provide a simplified, unified replacement for the many bits and pieces of existing legislation that say what the U.K.’s law enforcement and intelligence services can and cannot do in the realm of surveillance. Even the bill’s critics agree simplification and more transparency is much needed, though they’re not so keen on the fact that the bill would legalize many shadowy activities that only came to light through Edward Snowden’s revelations.
However, the initial draft of the bill came in for criticism last month by no fewer than three government committees (Science and Technology, Intelligence and Security, plus a special joint committee) over its broadness, inconsistency, and incomprehensibility. For example, here’s an actual quote from the first draft: “Data includes any information that is not data.”
One particular gem from the joint committee’s report read: “We recommend that more effort should be made to reflect not only the policy aims but also the practical realities of how the Internet works on a technical level.” Ouch.
Observers were therefore mildly surprised to see the government come back with its next attempt just a few weeks after this stinging criticism. This morning a host of politicians, human rights advocates, and legal experts (including members of those committees) said in a letter to The Telegraph that the government’s insistence on pushing through the bill this year is “not in the nation’s interest” and getting it right would be a better idea.
Why is the government so keen to make these new surveillance powers law as soon as possible? Ostensibly because another piece of legislation it rushed through in 2014, the Data Retention and Investigatory Powers (DRIP) Act, only works until the end of this year.
For more on privacy and national security, watch:
The DRIP Act is a piece of data retention legislation, allowing the government to force Internet service providers to store customers’ communications records, in case investigators want to comb through them. It was passed as “emergency” legislation because the U.K.’s previous data retention law was based on an EU-wide law that got struck down by the EU’s highest court in 2014, because it was anti-privacy.
So the U.K. government is desperate to make sure it doesn’t lose data retention, which is a form of mass surveillance. However, the signatories to the Telegraph letter noted, that aspect of the new bill can be split off to be dealt with more urgently—there’s no need to also rush through all the other stuff about hacking and recording what people do online.
(Bonus fact: The High Court struck down part of the DRIP Act last year because it lacked sufficient safeguards, but gave the government until this month to rewrite it. If you’re thinking, “So the court allowed a law to stay in operation, despite the fact that it illegally tramples over fundamental rights?” then yes, that is what happened.)
Anyhow, the government is pushing ahead with its plan of getting the whole Investigatory Powers Bill package on the statute books by the end of this year.
“On first reading, the revised bill barely pays lip service to the concerns raised by the committees that scrutinized the draft bill,” said Jim Killock, the executive director of the Open Rights Group. “If passed, it would mean that the U.K. has one of the most draconian surveillance laws of any democracy with mass surveillance powers to monitor every citizen’s browsing history.”
“In the short term, I cannot see how security-conscious cloud and hosting companies can remain in the country if this bill is passed,” said Jacob Ginsberg, a senior director at email encryption outfit Echoworx.
Oh, and what about that “data includes any information that is not data” absurdity? The replacement for that definition is equally broad, if not as paradoxical: “‘Data’ includes data which is not electronic data and any information (whether or not electronic).”
