Serious criminals and nation states will increase attacks on communications providers with UK customers if a controversial draft communications law is enacted, according to a Liberal Democrat peer.
The draft law, styled by critics as the 'Snooper's Charter', seeks to force communications service providers (CSPs) to retain valuable personal data for scrutiny by law enforcement.
Lord Strasburger, who sits on a joint parliamentary committee that is scrutinising the bill, said in a committee meeting with home secretary Theresa May on Wednesday that the data would be "a honeypot for hackers".
"If this bill were enacted, there would be a massive increase in the data being held about every citizen who uses the internet," said Lord Strasburger. "This data would be a honeypot for casual hackers, blackmailers, criminals large and small all over the world, and foreign states."
Under the draft Communications Data Bill, CSPs will be required to hold metadata on all UK citizens' web communications, including social media and instant messaging. Data such as who is speaking to whom, when and where will be collected. This data will be valuable, and will provide more of a motive for hackers to attack CSPs, said the peer.
Public and private sector organisations have a "woeful record" in protecting data they hold from loss or theft, Strasburger said.
"Why should the public have any confidence that their private and financially valuable data will remain secure?" said Strasburger.
Organisations including Nasa, Microsoft, Yahoo, Bank of America, CitiGroup and Apple have all suffered data breaches, the peer added, and LinkedIn recently had 6.5 million passwords stolen.
Not only will attacks be more serious, but they will be more likely to succeed, said Strasburger.
"We've heard from experts, including some of the CSPs, that they actually have concerns about their ability to withstand attacks given the increased amount of data and the increased attractiveness of this data," said Strasburger. "They are all vulnerable. Some of the experts have told us: this data will get out."
The government's position is that the mass of data will not be held by the public sector, and private sector organisations will face legal penalties for communications data breaches, said May.
"This is data that will be held by the private sector, by the CSPs," said May. "Obviously we've been talking to them about the security of that data, there will be, as you know, some sanctions in the bill in terms of any breaches in relation to the security of that data."
May said that CSPs are already holding significant amounts of data about people's communications, and that holding different types of data did not alter their security position or risk of attack.
"They will be holding more data, they will be retaining it for 12 months," said May. "That's what they do on some of the data anyway today, so the concept of the private sector holding data, and whether or not that is secure for individuals, is not changed by the nature of this bill."
May added that the government has to decide whether law enforcement agencies should be able to "carry on bringing people to justice and saving lives" by enacting the bill.
The joint committee has taken evidence on the Communications Data Bill from a number of organisations, including the police and CSPs.