As ISPs are set to record their data, how secure will the database be?

Monday sees the introduction of a database regime under which all internet service providers must keep a record of their customers' communications for a year.

Although the details seem fairly sketchy at the time of writing, the introduction of such an initiative has an air of inevitability: the nanny state wants control over the actions of those who have a degree of security under their belt.

The first question concerns the logistics of collating such information: has guidance been given on how to actually record it, or on what sort of information should be collected and retained?

Around a year ago I was working on a mortgage magazine, and at the time the Financial Services Authority introduced its ‘Treating Customers Fairly’ (TCF) rule for advisers and brokers. Under the rule, registered and regulated financial advisers would need to show evidence of their meetings and dealings with customers to keep up with regulatory standards.

However, not all went swimmingly. Pensions Age magazine revealed that just 13 per cent of firms had met the March interim deadline for collecting the management information needed to measure outcomes.

So one industry struggled to get its record-keeping rule under control (admittedly, advisers' minds were on other matters at the time). Can it safely be assumed that all will go well in this instance?

A distinct lack of guidance is the first problem. The second is the danger of so much material being held in a single database, and the security headache that would follow should that information be stolen, harvested or otherwise breached.

Fabrice Pragnaud, vice president EMEA of LogLogic, claimed that the amount of sensitive information stored on databases is growing rapidly, so it is little wonder that databases are a huge target for security attacks today.

Pragnaud said: “The database is basically a one stop shop for valuable information. What organisations need to do is to consider threats and attacks from both internal and external threats and protect all data copies, locations and platforms. It should be actionable in real-time to detect, alert and prevent.


The need to preserve the confidentiality and integrity of data and monitor privileged user activity is driving CIOs and auditors to re-consider their strategy for database security and impose stringent controls across database systems. It's critical they implement a workable, secure solution and that they not only act upon it, but that they maintain processes and stay up-to-date with patches and controls. Compliance demands it and customers/consumers expect it.”


So, returning to the database itself: what do we know about it? The plan is to keep information about every email sent or received in the UK for a year. The requirement stems from a European Union directive; firms will have to store the information under the government's Interception Modernisation Programme and make it available to any public body that makes a lawful request, which could include police, local councils and health authorities.

The Home Office has insisted that the data, which does not include email content, is vital for crime and terror inquiries. A spokesperson said: “It will allow investigators to identify suspects, examine their contacts, establish relationships between conspirators and place them in a specific location at a certain time.


“Implementing the EC directive will enable UK law enforcement to benefit fully from historical communications data in increasingly complex investigations and will enhance our national security.”


Jamie Cowper, director of marketing EMEA at PGP Corporation, said: “Given the numerous data breaches of late, it is hardly surprising that concern has been raised over these proposals. With public confidence about data security at an all time low, it is absolutely essential that ISPs take their obligations seriously. If privacy violation is to be avoided, and the huge cost of this operation is to be justified, then the security of the public's data must be watertight.

“Whilst there are no prescribed methods to ensure compliance within this directive, at the very least it is essential that proven technologies, such as encryption, are deployed to show both customers and industry regulators that the data that ISPs are entrusted with is continuously protected and treated with the respect it deserves.”


Meanwhile Susan Hall, ICT and media partner at Cobbetts, argued that the security of the database should be paramount, and that a store on this scale can only cause problems. Hall said: “The Government is trying to impose liabilities on service providers and for what: the theoretical possibility that it will stop terrorists?


“People applying for access to the database will, on the basis of what we've already seen happen with RIPA, use a slippery slope argument: first arguing for using the information for sex offenders and other serious criminals, but ultimately using it to worry about parking tickets or whether children are entitled to be enrolled in the school they've applied to, as in the recent Poole Council case.”


With just a few days to go until its introduction, SC Magazine has seen or heard very little information about the scheme, and this is concerning. If I am incorrect, and all ISPs know all about this initiative, then please correct me, but I am sure that opinions on how secure the whole operation is will be heated.