Theresa May presented her long-awaited proposals on how the UK's surveillance powers for police and intelligence agencies should work on Wednesday.
The draft bill comes after three reviews of existing surveillance powers, triggered in large part by the revelations from NSA whistleblower Edward Snowden.
The proposals, which have been accompanied by an unprecedented PR offensive by the UK's spy agencies, reiterate several of the long-known surveillance powers of the UK state and make others explicit for the first time.
Oversight of spying powers is also boosted under the plans, with the introduction of judicial approval for most warrants and a beefed-up investigatory powers commissioner overseeing how the powers are used – in part a bid to avoid further court battles after both the European Court of Human Rights and the UK's High Court struck down previous spying laws.
Here is the list of the main powers the bill, if passed, will grant police and intelligence agencies.
1. Police, councils, and intelligence agencies will still be able to access your metadata without a warrant.
The new rules don't change one of the UK's key provisions on getting hold of the "communications data" of UK citizens and others.
If police, councils, or agencies want this data – which is who you contact, when, for how long, and similar, but not the content of the message – they don't need a warrant or other approval. Instead, they can go to a designated person within their organisation who approves or denies the request.
These have to relate to solving or preventing crime, or valid national security purposes. The new rules require phone and internet companies to retain the relevant data so agencies can collect it after the fact.
Use of this power will be reviewed regularly by the new investigatory powers commissioner, the bill promises.
MPs, MSPs, MEPs, and Welsh assembly members all gain an extra level of protection against warranted surveillance that will have to be signed off by the prime minister himself.
Journalists gain an extra level of protection against requests from police trying to find their sources – these will now have to be signed off by a judge, although the journalist won't be informed of the attempt – but the bill specifically exempts intelligence agencies trying to track down sources from this safeguard.
2. Internet companies will have to store your browsing history for a year.
To make sure authorities can access the information they want under the powers above (or warranted surveillance), internet service providers will be required to store the top-level information on all their customers' browsing histories for 12 months.
May repeatedly assured MPs that this was not the full record of every page you visit, but instead the domain name of sites you accessed – so, for example, it would show you had visited buzzfeed.com, but not that you specifically read this article.
Mirror journalist Mikey Smith helpfully set out the distinction between the two in a tweet:
Some examples of the difference between Internet Connection Records (no warrant) and browsing history (warrant)
Technology companies will also have to comply with a series of new powers compelling them to remove encryption protection on certain communications, when requested, and also to help authorities hack their customers systems (or modify communications equipment) when required.
The bill also makes it a criminal offence to implement any kind of "warrant canary", a term for a system designed to tip-off users that their communications are subject to surveillance.
The companies will be compensated financially by the taxpayer for the costs incurred complying with this legislation.
3. Police, armed forces, and intelligence agencies now explicitly have powers to hack and modify computer systems, both individually and "in bulk".
All three already had some form of these powers through legislation dating back to the 1990s, but the new bill will set these out on a more explicit footing.
Modification of systems can range from the simple, such as installing a keylogging device on a target's computer, to intercepting and modifying servers or routers in international telecoms companies so as to track the bulk traffic crossing their systems.
Warrants will be signed off either by a police commissioner or a secretary of state (for intelligence agencies), then approved by judicial commissioners.
As with all of the measures where judicial commissioners give their approval, this can be bypassed for "urgent" needs – defined as less than five days – and the grounds on which the judges can disallow the warrant are procedural: They don't consider the evidence of the case, but rather whether the warrant follows the rules – which surveillance opponents like David Davis MP deem inadequate.
4. Intelligence agencies will still be allowed to collect internet data – including that of UK citizens – in bulk.
The Guardian revealed the existence of "Tempora" – described as Sky+ or iPlayer for the internet – in 2013. Tempora stores three days of content and 30 days of metadata from all of GCHQ's fibre-optic cable taps around the UK.
Such bulk collection will remain under the new surveillance laws, signed off by a secretary of state and the judicial commissioner, provided the primary intelligence purpose is foreign or the data sought is just metadata.
If agencies want to access the data they've collected on a UK citizen they must go on to obtain a targeted warrant before they look at it – but they don't need a warrant to store it.
5. Intelligence agencies can buy up or borrow big repositories of personal data.
The new rules also make explicit another practice agencies have been engaging in (without publicly declaring it) for some time: using other bits of government data, or data bought from the private sector, to help their intelligence missions.
The government document gives the electoral roll or a phone book as examples of "bulk personal datasets", but also cites a register of firearms owners. But records from marketing companies, tax records, or even credit ratings agency records could also fall under this definition.
A secretary of state will have to approve a "class-based warrant" – essentially a warrant authorising using a certain type of dataset – every six months, and the investigatory powers commissioner will review how they've been used. So long as a dataset is covered by one of these warrants, it won't be subject to oversight from the judicial commissioner.
• You can read the full draft investigatory powers bill (all 299 pages of it) here.