Domain 7 of 18

Surveillance

Britain is building surveillance faster than it is building the rules. Police vans scan faces in the street with no dedicated law behind them. Secret orders reach into encrypted phones. Age checks push millions of identity documents into private databases. Each programme arrived before its safeguards did.

The gaps below are the missing counterweights. Some need Parliament: a biometrics law, transparency for encryption orders. Others could be built tomorrow: a public register of what is deployed where, a litigation fund, a stable income for the handful of small charities doing the entire country's watching of the watchers.

Full landscape notes (July 2026)

The UK runs one of the most extensive lawful surveillance regimes of any democracy, and 2024–26 expanded it on several fronts simultaneously. The Investigatory Powers (Amendment) Act 2024 eased bulk personal dataset rules and created notification notices for tech firms. Under IPA technical capability notices, the Home Office ordered Apple to break iCloud end-to-end encryption: Apple withdrew Advanced Data Protection from the UK (Feb 2025), a narrower UK-only order followed (Sept 2025), and an Investigatory Powers Tribunal hearing on assumed facts was listed for early 2026. Online Safety Act age checks became mandatory in July 2025, driving VPN sign-up surges and mass ID-document collection by third-party verifiers. Police live facial recognition is expanding from 13 of 43 forces towards a national rollout (40 new vans announced Jan 2026; first fixed cameras in Croydon, Oct 2025) ahead of legislation; a Home Office consultation on a biometrics legal framework closed February 2026. Retail facial recognition (Facewatch) grew rapidly; the ICO closed its inspection without action. Digital ID was announced Sept 2025, softened to voluntary in Jan 2026, but digital right-to-work checks remain planned by end of Parliament on One Login, which lost trust-framework certification in May 2025. DWP gained bank-account eligibility-checking powers (Royal Assent Dec 2025, rollout from 2026). NHS England's Palantir Federated Data Platform faces a February 2027 contract break-clause decision. Oversight is fragmented and under-resourced: IPCO reports falling resources amid rising demand, the ICO's public-sector approach is widely criticised, and civil society is capable but tiny and foundation-dependent.

The gaps (11)

72urgency 4policyShort (0–2y)State-led

No dedicated statute or single regulator for facial recognition and biometric surveillance

Facial recognition is rolling out nationwide before Parliament has written it a law.

73urgency 3policyShort (0–2y)State-led

Secret encryption-breaking orders with no transparency reporting or parliamentary notification

The order telling Apple to break iCloud encryption stayed secret until someone leaked it.

74urgency 2institutionalShort (0–2y)Build together

No independent pre-deployment testing infrastructure for police surveillance algorithms

The only real test of police face-scanning accuracy was paid for by the police.

76urgency 2fundingShort (0–2y)Build now

No dedicated fund or costs protection for strategic surveillance litigation

The cases that curb UK surveillance are fought by tiny charities betting their budgets.

77urgency 3fundingShort (0–2y)Build now

No domestic funding base for UK digital rights civil society

Britain's entire digital rights sector runs on less than £15m a year.

78urgency 2toolingShort (0–2y)Build now

No public observatory or machine-readable register of UK surveillance technology deployments

Nobody keeps a list of what surveillance kit is watching Britain. Not even the state.

79urgency 3policyShort (0–2y)State-led

No lawful retention and deletion regime for the 19 million custody images feeding facial recognition

A court found indefinite mugshot retention unlawful in 2012. Police hold 19 million.

80urgency 4institutionalMid (2–7y)Build together

No credible sovereign exit option for the NHS Federated Data Platform before the February 2027 break clause

The NHS can leave Palantir in February 2027. Nobody has built anywhere to go.

81urgency 4institutionalShort (0–2y)State-led

No independent regulator, redress scheme or offline guarantee for the digital identity system

Wrongly locked out of your digital ID? There is no ombudsman and no offline guarantee.

82urgency 5knowledgeShort (0–2y)Build now

No independent monitor or claimant-side capacity for DWP bank-account surveillance

Ten million bank accounts face benefit-fraud scans. Nobody has to publish the error rate.

224urgency 3policyShort (0–2y)Build now

No published test of whether foreign law can reach UK data before critical contracts are signed

US-owned firms run our NHS and defence data. Nobody checks if US law can reach it.

Also surfaced by this domain’s research (2)

Who is already here: key actors (14)
  • Big Brother Watch (charity/campaign group): Leading campaigner against live facial recognition, DWP bank-account checks and digital ID; produces FOI-based research; funded by JRRT and private donors, no government money.
  • Open Rights Group (membership nonprofit): Digital rights advocacy on the Online Safety Act, encryption and data bills; coordinated the 70-organisation letter demanding an inquiry into ICO enforcement collapse (Nov 2025).
  • Privacy International (charity): Strategic litigation specialist; brought the IPT challenge to the UK's secret Technical Capability Notice powers alongside the Apple case, heard in 2026.
  • Liberty / Liberty Investigates (charity + investigative unit): Won Bridges v South Wales Police (2020, LFR unlawful); backing the Met LFR judicial review with EHRC intervening; investigative journalism on police databases.
  • Information Commissioner's Office (becoming the Information Commission under DUAA 2025) (regulator): Data protection regulator; criticised for its public-sector approach (reprimands not fines) and for closing its Facewatch inspection with no action.
  • Investigatory Powers Commissioner's Office (IPCO) (oversight body): Judicial commissioners oversee 600+ public authorities' use of investigatory powers; its 2024 annual report (laid Dec 2025) warns resources are falling while demand and AI use rise.
  • Investigatory Powers Tribunal (judicial body): Only forum for complaints about surveillance powers; hearing the Apple/PI encryption-order case in 2026; long criticised for secrecy and limited remedies.
  • Biometrics and Surveillance Camera Commissioner (government-appointed commissioner): Prof William Webster appointed Nov 2025 after a 15-month vacancy; part-time and advisory; oversees a Surveillance Camera Code unrevised since 2021.
  • Ofcom (regulator): Online Safety Act enforcer, including age assurance; due to report on age-assurance effectiveness by June 2026; holds the paused s.121-122 'accredited technology' scanning powers.
  • Ada Lovelace Institute (research institute): Commissioned the Ryder Review (2022) finding biometrics oversight 'patchy and ineffectual'; leading public-deliberation evidence on biometrics and health data; Nuffield-funded.
  • AWO (data rights law firm/consultancy): Specialist legal capacity for data rights cases and policy advice; one of very few commercial-model providers NGOs can retain for surveillance litigation.
  • Foxglove (litigation nonprofit): Challenges government algorithms and NHS data deals; forced disclosure of early NHS-Palantir contracts; part of the campaign contesting the Federated Data Platform.
  • medConfidential (advocacy micro-organisation): Health-data confidentiality watchdog scrutinising the NHS FDP and the non-application of the national data opt-out; influential but one-to-two people and grant-fragile.
  • Statewatch (monitoring nonprofit): Documents UK/EU state surveillance and policing tech; submitted detailed evidence to the Home Office facial recognition framework consultation (Feb 2026).
Funders active or plausible here (12)
  • Joseph Rowntree Reform Trust (non-charitable; core funder of Open Rights Group, Big Brother Watch)
  • Joseph Rowntree Charitable Trust (Rights and Justice programme)
  • Luminate / Omidyar Group
  • Open Society Foundations (historically significant; reduced by post-2023 restructuring)
  • Sigrid Rausing Trust (Liberty, Privacy International)
  • Paul Hamlyn Foundation
  • The Legal Education Foundation (legal capacity, data rights lawyering)
  • Nuffield Foundation (funds Ada Lovelace Institute)
  • Digital Freedom Fund (European strategic litigation grants)
  • Mozilla Foundation
  • Individual donations and crowdfunding (CrowdJustice case funding)
  • Plausible new entrants: UKRI/ESRC (evidence and observatory infrastructure), Wellcome (health data governance), privacy-focused tech firms (e.g. Proton has funded UK digital rights work), UK community foundations pooling for a digital rights fund
Policy notes

Surveillance powers legislation is running ahead of governance. The IPAA 2024 expanded bulk personal dataset and notice powers, with codes of practice consulted through 2024-25; TCN secrecy is being tested in the IPT (Apple/PI hearing, early 2026). The Online Safety Act's s.121-122 'accredited technology' powers remain on the statute book despite the 2023 enforcement pause, a latent client-side scanning fight. The DUAA 2025 restructures the ICO into an Information Commission and retained (rather than abolished) the BSCC after the DPDI Bill fell, but the Surveillance Camera Code is unrevised since 2021. The Home Office biometrics/LFR framework consultation closed February 2026 with legislation expected; digital ID mandation was softened January 2026 with consultation in March; FERA codes were finalised May 2026. Principal holes: no biometrics statute, no notice transparency, Article 80(2) unimplemented, and an ICO public-sector approach that structurally under-enforces against state surveillance.