Will the Investigatory Powers Bill mean handing over the keys to the kingdom?

Nic Scott discusses how the IP Bill will fundamentally change the relationship between UK citizens and the government.

Nic Scott, managing director UK&I, Code42

The Investigatory Powers Bill, more commonly known as the ‘Snoopers' Charter,' is currently being reviewed by the House of Lords. If the potential passing of this Bill does not concern you, think again. Whether in favour of it or not, you should be concerned with the fallout it would cause, not only for your personal data but also for your business. After all, vendors are not going to use one type of encryption for consumers and another for their business partners. 

A changing data protection landscape

This Bill will fundamentally change the relationship between UK citizens and the government. It will give the government the power of mass interception and mass hacking—forcing communications service providers (CSPs) to store every individual's communications data and web browsing history. Moreover, it would force the retention of bulk personal datasets, which are population-level databases.

The government has also made it clear that it will give secretaries of state the power to have CSPs bypass encryption. This is a profoundly troubling statement both from a privacy and cyber-security perspective. While the Bill is meant to give the security service and the police new powers to protect UK residents from potential terrorist and serious criminal activity, which is important, there are no half measures with encryption. You either have it in place or you do not.

Leaving the door open

As individuals and citizens of the UK, we are entitled to privacy except when there is a good and sufficient reason for the government to intrude for our safety. A recent YouGov poll found that just over two-fifths of British nationals (44 percent) said it would not bother them to know that they were being spied on. I doubt the results would be the same amongst CIOs and CISOs, who are responsible for the protection of corporate and customer data.

Creating a backdoor for law enforcement purposes will effectively also mean opening the door to other, potentially malicious, parties. Earl Howe, the minister of state for defence, suggested during a House of Lords debate that the government could “develop and maintain a technical capability to remove encryption that has been applied to communications or data”; this simply fudges the issue. Encryption is an absolutely essential element of securing any electronic communication and of data protection. During a time of unprecedented cyber-crime, businesses especially cannot afford to lower their standards of privacy and data protection at the cost of a “potential threat” that may never materialise—all while putting their reputations and revenues at risk.

Keep hold of the keys

Outside of the obvious risks, companies also have to keep an eye on legislation and compliance. The General Data Protection Regulation (GDPR), which will come into effect in 2018, will harmonise and strengthen the current data protection laws in place across EU member states. Also, whilst Brexit is still on the table, the reality is that the UK very likely will have to comply with the data protection regulations of the EU to remain part of the Single Market—putting this legislation and the ‘Snoopers' Charter' at odds. The question is, what can companies do to protect consumer data while ensuring that they are not outside the legal bounds of UK law if the Bill passes?

The reality is that there is no simple answer right now, given the rapidly changing compliance landscape and uncertainty about the implementation of new legislation. Proactive and forward-thinking CIOs and CISOs, however, should turn their attention to modern endpoint backup, as it could help solve a number of current challenges. A modern endpoint data protection and backup solution will allow the government to access information, when requested, with a few caveats. It will allow organisations to hold their own encryption keys, and it will not build back doors or allow cloud data storage providers access to information. The government can request information and receive the data in its encrypted form, keeping all sides compliant with the law. Without the company's own access keys, the government will not be able to decipher it. This will keep an organisation's customers comfortable and secure—all while helping meet local/EU data privacy regulations.
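The model described above, an organisation holding its own keys while the backup provider stores only ciphertext, can be made concrete. The following is an added illustration written for this article, not Code42's code or any vendor's product: it assumes AES-256-GCM for the endpoint-side encryption, a key that never leaves the organisation's own key store, and constructed file names and contents. The provider's "disclose" operation models what it can hand over in response to a request: the stored ciphertext, which is useless without the organisation's key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// StoredObject is everything the backup provider actually holds for a file:
// an identifier, the GCM nonce and the ciphertext. No key material is present.
type StoredObject struct {
	FileID     string
	Nonce      []byte
	Ciphertext []byte
}

// Provider models the cloud backup service (hypothetical). It can store and
// disclose objects but never receives a decryption key.
type Provider struct {
	objects map[string]StoredObject
}

func NewProvider() *Provider { return &Provider{objects: map[string]StoredObject{}} }

func (p *Provider) Store(obj StoredObject) { p.objects[obj.FileID] = obj }

// Disclose is what the provider can produce in response to a lawful request:
// the stored object exactly as uploaded, still encrypted.
func (p *Provider) Disclose(fileID string) (StoredObject, error) {
	obj, ok := p.objects[fileID]
	if !ok {
		return StoredObject{}, errors.New("no such object")
	}
	return obj, nil
}

// NewOrgKey generates a 256-bit AES key. In a real deployment this would be
// created and kept in the organisation's own HSM or KMS and never uploaded.
func NewOrgKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt runs on the endpoint before anything is uploaded. The file ID is
// bound in as associated data so a ciphertext cannot be silently relabelled.
func Encrypt(key []byte, fileID string, plaintext []byte) (StoredObject, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return StoredObject{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return StoredObject{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(fileID))
	return StoredObject{FileID: fileID, Nonce: nonce, Ciphertext: ct}, nil
}

// Decrypt succeeds only with the organisation's key and an unmodified object;
// any other key, or any tampering, fails GCM authentication.
func Decrypt(key []byte, obj StoredObject) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, obj.Nonce, obj.Ciphertext, []byte(obj.FileID))
}

func main() {
	orgKey, _ := NewOrgKey()
	provider := NewProvider()

	// Constructed sample: one backed-up file from one endpoint.
	obj, _ := Encrypt(orgKey, "laptop-42/finance.xlsx", []byte("constructed sample backup contents"))
	provider.Store(obj)

	disclosed, _ := provider.Disclose("laptop-42/finance.xlsx")
	fmt.Printf("provider can disclose %d bytes of ciphertext\n", len(disclosed.Ciphertext))

	if _, err := Decrypt(orgKey, disclosed); err == nil {
		fmt.Println("organisation (key holder): decryption OK")
	}
	otherKey, _ := NewOrgKey() // any key a third party might hold
	if _, err := Decrypt(otherKey, disclosed); err != nil {
		fmt.Println("without the organisation's key:", err)
	}
}
```

The design choice worth noticing is that there is no code path by which the provider can recover plaintext: the only key that opens the ciphertext is generated and held on the organisation's side, so a disclosure request to the provider yields ciphertext and nothing more, and any request for the content itself has to go to the key holder.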

Ultimately, data is a company's most precious asset—and it should not be infringed upon without permission or very good reason, not even by the government. The right modern endpoint backup solution, in combination with a forward-thinking security strategy, will provide CIOs and CISOs peace of mind. It will also free them up to concentrate on driving technical innovation and business growth, rather than be kept up at night worrying about who might be snooping around in their data.

Contributed by Nic Scott, managing director UK&I, Code42