Reaction to the draft Investigatory Powers Bill, which was unveiled by the Home Secretary in the House of Commons on Wednesday, has understandably been mixed. There was general approval for the increased oversight proposals, in which interception of communications by the security services and police will require both a warrant authorised by a minister and judicial sign-off by a panel of judges – and in the case of investigations into members of the legislature, approval by the Prime Minister.
There is continued misunderstanding of plans regarding encryption bans – including calls for commercial boycotts of the UK by companies using strong encryption, whereas SC understands that there is no such call in the legislation for a ban on encryption, nor are the authorities seeking encryption backdoors put in by the companies, many of whom now provide encryption where the key is held by the user.
However, the authorities are seeking cooperation from the companies for access to non-encrypted data, and for equipment interference – essentially hacking (which can include government entities breaking encryption in their own right).
Plus there is concern from various quarters about the level of data collection revealed to be already happening, and now being extended at a level below that of interception. This includes the requirement for ISPs, telcos and others to hold virtually all communications metadata for a year, such as all websites visited, with a lower level of authorisation required to obtain access.
There is also concern about the extent to which internet phone companies have handed over bulk data in the past. While the bulk data on everything about everyone will be held for a year and accessible to the authorities, SC understands that GCHQ is able to hold the data on a much smaller subset relating to people of interest for two years – and more with specific authorisation.
A senior GCHQ officer described simply as ‘Peter’ in the Guardian commented: “There is another myth that needs busting, namely that GCHQ is against encryption and would not disclose vulnerabilities in software... it is right that companies holding customers' data take the strongest steps to keep it secure... We do not seek to ban encryption, we do not want mandatory backdoors and we frequently warn companies about security vulnerabilities we find.”
The security services have also been at pains to point out that they have neither the intent nor the capability to look at all records, with ‘Peter’ commenting: “It would be illegal for us to carry out ‘mass surveillance’, nor would we want to even if the law allowed it.”
But the move has nonetheless generated significant criticism: “Requests for retention of internet connection records will provide access to the most detailed data on citizens, not just the who and when of a telephone record, but the what and how of the way we live our lives. The guarantee of security to this retained data will be critical,” commented Renate Samson, chief executive of Big Brother Watch, in an email to SCMagazineUK.com.
“Furthermore, demands on technology companies to adhere to warrants for encrypted data, as well as the power to legally hack into our devices, could create legislative backdoors which in a world of increased cyber-attack could make us more vulnerable to crime,” she said.
It echoed similar criticisms made by Edward Snowden who tweeted from Russia: “It's only a comprehensive record of your private activities. It's the activity log of your life.” This contrasted with Home Secretary May's view that it was just like an itemised phone bill.
Bharat Mistry, cyber-security consultant, Trend Micro posed the question: “If a Communications Service Provider (CSP) is required to capture this data and store it, there is a question around who is going to fund the infrastructure costs? This isn't just about the physical infrastructure assets but environmental such as power, cooling and physical security costs also have to be considered. CSPs are already saying that data storage repositories are growing at an unmanageable rate – so how can this quantity of data be managed and securely transferred and stored? Will the data be in one central repository or multiple and what about back up and storage? Another challenge will be keeping audit trails of who, what, when and where in relation to the data. Moreover, how and when will the data be purged?”
This has been partially answered by ISPs, who told SC that they are already required to do things like site blocking and have been compensated by the government for it; it is therefore anticipated that the £175 million earmarked for storage over the next ten years will largely go to cover ISP costs.
However, Mistry adds: “Keeping more data than is necessary is only really going to add to increasing the risk of a data breach. Capturing and storing this additional data is only going to increase the management and operational challenges of protecting it. Ultimately, CSPs will be forced to re-visit their data protection strategy and consider a tiered ‘one size fits all’ model that will be cost prohibitive and increases risk. In the last week both TalkTalk and Vodafone have been hit and in both cases personal data was exposed. So consider a CSP potentially capturing data about the surfing habits of everyone – this will undoubtedly draw the attention of advanced threat actors such as nation states and hacktivists with strong political agendas – ISIS for example.”
And this fear that data held on members of the public remains vulnerable to hacking is one that the facts on the ground make difficult to dispel. Matt Little, vice president of product development at PKWARE, agrees that holding this data is a security risk, telling SC: “The Internet grants some expectation of anonymity and privacy. Law enforcement and terrorists having access to this data would provide them with incredible leverage over an individual.”