United Kingdom Regulations and Policies
The United Kingdom has put in place several strategies and laws to prevent the misuse of the internet by terrorists. Most notably, the Terrorism Act 2000, in conjunction with the Terrorism Act 2006, serves as a guideline to all legal actions and strategies on this specific matter. In 2019, the UK Parliament passed the Counter-Terrorism and Border Security Act, which outlaws the viewing and downloading of terrorist content online. Additionally, the Counter-Terrorism Act 2015, which refers to the Data Retention and Investigatory Powers Act 2016 (the original 2014 DRIPA Act having been repealed) provides a legal context for governmental prevention of the use of the internet for terrorist purposes.
The CONTEST program, which is the UK’s general counter-terrorism strategy run by the Office for Security and Counterterrorism, aims to “reduce the risk to the UK and its citizens overseas from terrorism”. The UK National Cyber Security Strategy, on the other hand, is a five-year government plan aimed specifically at strengthening the security of the UK’s use of cyberspace. The Strategy is based on three pillars: Defense, Deterrence and Development. The British government acknowledges in the Strategy the rise of a computer-literate generation engaging in extremism online, and challenging legacy counter-terrorism regulations.
Following the 9/11 attacks in 2001 and the 7/7 London bombings in 2005, the British Parliament reviewed and passed several acts relating to to counter terrorism. Regarding cyber-enabled terrorism specifically, the Terrorism Act 2000, (as well as the Terrorism Act 2006 section 1.1.2.e)) includes in the definition of terrorism (beyond the legacy elements of terrorist intent to intimidate a poulation and/or compel a government) an action that “is designed seriously to interfere with or seriously to disrupt an electronic system” – although the term is not specifically defined there. However, the UK is presently bound by the definition of a “network and information system” by Article 4.1 of the European Directive on Network and Information Security (2016/1148) . In this Directive, the phrase includes:
(a) an electronic communications network within the meaning of point (a) of Article 2 of Directive 2002/21/EC;
(b) any device or group of interconnected or related devices, one or more of which, pursuant to a program, perform automatic processing of digital data; or
(c) digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance”.
Remaining in the context of cyber-enabled terrorism, the Terrorism Act 2006 also includes a provision that considers incitement to and glorification of terrorism as a criminal offense. Part 1 (Section 1 and Section 2) covers the “Encouragement of Terrorism” and the “Dissemination of terrorist publications”, including the “publication” of terrorist propaganda on the internet and other electronic services. Section 3 indicates the provisions applied to the internet and explains how law enforcement responds to cases of Section 1 and 2. Additionally, Section 58 (1) of the Terrorism Act 2000 indicates that “A person commits an offense if (a) he collects or makes a record of information of a kind likely to be useful to a person committing or preparing an act of terrorism, or (b) he possesses a document or record containing information of that kind. In this section, “record” includes a photographic or electronic record.”
The Data Retention and Investigatory Act of 2014 (DRIPA) provided a legal basis for the retention of certain types of data by domestic communication companies, until it was repealed on 31 December 2016 (see sec. 8(3) of that Act). The UK Court of Appeal and the CJEU had found DRIPA to be unlawful (Tele2 Sverige AB v Post-och telestyrelsen case (C-203/15)), stating that it infringes citizens’ rights by collecting internet activity and phone records; and allowing government access to collection of personal data without permission, where there is no suspicion of a serious crime.
The DRIPA framework was replaced by the Investigatory Powers Act of 2016, which permits the government to order private companies to store user data, including their internet use history. However, this has raised public concerns about the privacy of personal data. These concerns have led to a revision of the Act, which remains controversial, nonetheless.
The controversy centers on Part 4 of the Investigatory Powers Act, which permits the UK government access to computers, tablets, and phones to collect information about individuals, their location and their browser history. The Act also permits the government to retain that data for up to a year, for investigations of crimes punishable with a minimum of 6 months of imprisonment.
Private companies argue that this Act puts their clients’ trust and personal data privacy in jeopardy, while potentially incurring high legal costs and technical challenges for companies. Eventually, Part 4 of the Investigatory Powers Act was found incompatible with EU law in R (Liberty) v SSHD ( EWHC 975 (Admin) (see para. 186)). Consequently, the Data Retention and Acquisition Regulations 2018 were adopted in October 2018 to amend the statute and bring it in line with EU law.
Transitioning from the statutory provisions that are relevant to preventing terrorist abuse of the internet to strategy and policy, the central UK counter-terrorism strategy is called CONTEST, and was last updated in 2018. CONTEST 2018 acknowledges that terrorists are increasingly using the internet for propaganda, radicalization, recruitment and training purposes. The strategy is based on four pillars, known as the 4 P’s: Prevent, Pursue, Protect and Prepare. The Protect and Prepare pillars specifically focus on reducing the country’s vulnerability to terrorist attacks and their impact, while Pursue and Prevent focus on reducing the original risk of terrorist attacks. Paragraph 91 of the Strategy proposes to engage with UK communications service providers to ensure that they tighten up their policies and practices to prevent terrorist content from being uploaded and streamed. Paragraph 93 highlights the UK’s commitment to work globally to combat the use of the internet by terrorists, through capacity building and ministerially-led campaigns. Finally, paragraph 105 includes ways to encourage cooperation between the government and research organizations in the fight against terrorist use of the internet.
In the cyber-specific context, the National Cyber Security Strategy is a five-year strategy that aims to strengthen the security of UK activities in cyberspace. It is based on three pillars: Defense, Deterrence and Development. Defense focuses on cyber threats; Deterrence focuses on actors considering hostile cyber activities against the country, its citizens, businesses and allies; and Development focuses on enhancing the cybersecurity industry skills and the scientific research base. The National Cyber Security Strategy is addressed to not only governmental bodies, but also to the public and private sector, academia, and to the general public. One of its main aims is to develop the National Cyber Security Centre that opened in 2016 and enables cybersecurity coordination between the private and public sectors.
The Strategy acknowledges the rise of a computer-literate generation engaging in extremism online. For example, Paragraph 3.11 states that:
“Terrorist groups continue to aspire to conduct damaging cyber activity against the UK and its interests. The current technical capability of terrorists is judged to be low. Nonetheless, the impact of even low-capability activity against the UK to date has been disproportionately high: simple defacements and doxing activity (where hacked personal details are ‘leaked’ online) enable terrorist groups and their supporters to attract media attention and intimidate their victims.”
Paragraph 3.12 continues:
“The current assessment is physical, rather than cyber, terrorist attacks will remain the priority for terrorist groups for the immediate future. As an increasingly computer-literate generation engages in extremism, potentially exchanging enhanced technical skills, we envisage a greater volume of low-sophistication (defacement or DDoS) disruptive activity against the UK. The potential for a number of skilled extremist lone actors to emerge will also increase, as will the risk that a terrorist organisation will seek to enlist an established insider. Terrorists will likely use any cyber capability to achieve the maximum effect possible. Thus, even a moderate increase in terrorist capability may constitute a significant threat to the UK and its interests.”.
Finally, the UK government website allows the public to “Report illegal or harmful information, pictures or videos” anonymously. The webpage also specifies which types of material are susceptible to cause an alarm to the general public. These include articles, images, speeches or videos that promote terrorism or feature violent content that may encourage individuals to commit acts of terrorism.