In the wake of a December 2016 ruling by the European Union's Court of Justice, the UK Government has hit pause on controversial plans within the Investigatory Powers Bill (IPBill) that will force communications providers to scoop up the internet histories of British civilians in bulk.
The law, which has been branded a Snoopers' Charter by critics, gained royal assent last November. It gives police and intelligence agencies enhanced spying powers and effectively cements legal backing for a number of the surveillance tools exposed by Edward Snowden four years ago.
But a legal ruling from the EU's court system last year put a spanner in the works by calling the Government's plans to collect bulk communications data – including internet connection records (ICRs) – unlawful.
It said the proposed data collection techniques in the bill were "general and indiscriminate".
EU judges said communications data should only be used to help combat serious crime. Less than three months later, the Home Office has indicated the IPBill is yet to enforce some bulk collection amid the legal conflict.
"The European Court of Justice handed down a judgment relating to the UK's communications data regime in December," a Government spokesperson said in a statement to Ars Technica.
"The matter must now be considered by the domestic courts and the consultation on the communications data code of practice has been deferred until this has taken place."
In a new set of draft codes of practice, published on 23 February, the Home Office touted a public consultation that is running until early April. The aim, it says on its website, is to set out the "processes and safeguards" surrounding the use of mass spying powers.
The old draft codes have now been "superseded" by these new versions, but it was quickly noticed that the code for "communications data" was mysteriously absent. This should have provided key insights into how the Home Office would work with service providers to collect citizen data.
Intriguingly, the new codes also lacked many of the candid references found in previous iterations. In one new copy – "Bulk Acquisition of Communications Data" – a search for "ICR" now returns no matches. Previously, an entire page was dedicated to the term.
One document confirms "an additional code of practice covering the obtaining and retention of communications data will be published for consultation in due course".
In the text of the consultation, Ben Wallace MP, UK Minister of State for Security, noted: "The internet presents ever-evolving opportunities for terrorists, criminals and paedophiles, and we must ensure that we have the capabilities to confront this challenge.
"There must be no guaranteed safe spaces online in which they are allowed to communicate beyond the reach of law."
Yet he did not reference the EU's 2016 ruling, which was the result of complaints from Brexit Secretary David Davis and Labour's Tom Watson, who both had major privacy concerns with the predecessor to the IPBill, the Data Retention and Investigatory Powers Act 2014, or Dripa.
The UK's spying regime was deemed unlawful as it does not require that the scooped-up data be kept within the EU, does not provide for notification after the fact to people whose data has been collected and, in some cases, lets police and public bodies authorise their own access.
"Such national legislation [...] exceeds the limits of what is strictly necessary and cannot be considered to be justified within a democratic society," the judges said.
At the time, a Home Office spokesperson responded: "We are disappointed with the judgement from the European Court of Justice and will be considering its potential implications.
"Given the importance of communications data to preventing and detecting crime, we will ensure plans are in place so that the police and other public authorities can continue to acquire such data in a way that is consistent with EU law and our obligation to protect the public."
It seems those plans are still being formulated.