Reaction to the draft Investigatory Powers Bill, which was unveiled by the Home Secretary in the House of Commons on Wednesday, has understandably been mixed. There was general approval for the increased oversight proposals, in which interception of communications by the security services and police will require both a warrant authorised by a minister and judicial sign-off by a panel of judges – and in the case of investigations into members of the legislature, approval by the Prime Minister.
There is continued misunderstanding of the plans regarding encryption, including calls for commercial boycotts of the UK by companies using strong encryption. SC understands that the legislation contains no call for a ban on encryption, nor are the authorities seeking encryption backdoors put in by the companies, many of whom now provide encryption where the key is held by the user.
However, the authorities are seeking cooperation from the companies for access to non-encrypted data, and for equipment interference – essentially hacking (which can include government entities breaking encryption in their own right).
Plus there is concern from various quarters about the level of data collection revealed to be already happening, and now being extended at a level below that of interception. This includes the requirement for ISPs, telcos and others to hold virtually all communications metadata for a year, such as all websites visited, with a lower level of authorisation required to obtain access.
There is also concern about the extent to which internet phone companies have handed over bulk data in the past. While the bulk data on everything about everyone will be held for a year and accessible to the authorities, SC understands that GCHQ is able to hold the data on a much smaller subset relating to people of interest for two years – and more with specific authorisation.
A senior GCHQ officer described simply as ‘Peter' in the Guardian commented: “There is another myth that needs busting, namely that GCHQ is against encryption and would not disclose vulnerabilities in software... it is right that companies holding customers' data take the strongest steps to keep it secure... We do not seek to ban encryption, we do not want mandatory backdoors and we frequently warn companies about security vulnerabilities we find.”
The security services have also been at pains to point out that they have neither the intent nor capability to look at all records, with ‘Peter' commenting: “It would be illegal for us to carry out ‘mass surveillance' nor would we want to even if the law allowed it.”
But the move has nonetheless generated significant criticism: “Requests for retention of internet connection records will provide access to the most detailed data on citizens, not just the who and when of a telephone record, but the what and how of the way we live our lives. The guarantee of security to this retained data will be critical,” commented Renate Samson, chief executive of Big Brother Watch in an email to SCMagazineUK.com.
“Furthermore, demands on technology companies to adhere to warrants for encrypted data, as well as the power to legally hack into our devices, could create legislative backdoors which in a world of increased cyber-attack could make us more vulnerable to crime,” Samson said.
It echoed similar criticisms made by Edward Snowden who tweeted from Russia: “It's only a comprehensive record of your private activities. It's the activity log of your life.” This contrasted with Home Secretary May's view that it was just like an itemised phone bill.
Bharat Mistry, cyber-security consultant, Trend Micro posed the question: “If a Communications Service Provider (CSP) is required to capture this data and store it, there is a question around who is going to fund the infrastructure costs? This isn't just about the physical infrastructure assets but environmental such as power, cooling and physical security costs also have to be considered. CSPs are already saying that data storage repositories are growing at an unmanageable rate – so how can this quantity of data be managed and securely transferred and stored? Will the data be in one central repository or multiple and what about back up and storage? Another challenge will be keeping audit trails of who, what, when and where in relation to the data. Moreover, how and when will the data be purged?”
ISPs have partially answered this, telling SC that they are currently required to do things like site blocking and have been compensated by the government for it; hence it is anticipated that the £175 million for storage over the next ten years will largely go to cover ISP costs.
However, Mistry adds: “Keeping more data than is necessary is only really going to add to increasing the risk of a data breach. Capturing and storing this additional data is only going to increase the management and operational challenges of protecting it. Ultimately, CSPs will be forced to re-visit their data protection strategy and consider a tiered ‘one size fits all' model that will be cost prohibitive and increases risk. In the last week both TalkTalk and Vodafone have been hit and in both cases personal data was exposed. So consider a CSP potentially capturing data about surfing habits of everyone – this will undoubtedly draw the attention of advanced threat actors such as nation states and hacktivists with strong political agendas – ISIS for example”.
And this fear that data held on members of the public remains vulnerable to hacking is one that the facts on the ground make difficult to dispel. Matt Little, vice president of product development at PKWARE agrees that holding this data is a security risk, telling SC: “The Internet grants some expectation of anonymity and privacy. Law enforcement and terrorists having access to this data would provide them with incredible leverage over an individual.”
Timothy Brown, executive director security, Dell Software Group agrees: “We have countless examples of how organisations' security systems have failed in the past as a result of insufficient security and access procedures, and as a result sensitive data has been misused. If organisations are required to store more information on their customers for longer periods of time, there must be appropriate controls and audit measures in place. People consider their telecommunications and internet activity to be private and if ISPs and wireless providers are required to store data on their customers, this only creates larger and more attractive targets for hackers and leaks.”
Richard Beck, head of cyber-security at QA, noted: “Whilst it's perhaps unfortunate timing that the Government's draft Investigatory Powers Bill coincides with the screening of the most data privacy and surveillance focused 007 film to date, it is certainly true that the Bill is long awaited and very much contested.”
He adds: “In addition to the additional responsibility that this Bill will place on service providers themselves, there is now the question to be considered around who will be responsible for monitoring and policing the impact this Bill has on the Dark Web? This is where much of the illicit web activity that this Bill tries to expose will now be driven. What consideration or provision will be made for the impact that this Bill will have on the growth of the Dark Web and the support that organisations and individuals will need to protect themselves from this unknown? That's the question front of my mind today.”
“Organisations must have extremely strong processes and technology in place to protect this data from misuse and the public should also be made aware of the process and the details.”
Pravin Kothari, founder and CEO of cloud security company, CipherCloud, noted that, “Though the Home Secretary positions the bill as a departure from the ‘snooper's charter,' the word ‘disclosure' appears 182 times. The push to mandate data retention by ISPs and to allow warrantless access for investigators will certainly expand law enforcement's surveillance capabilities – to the detriment of personal privacy.
"As a technologist, I believe in the power of technology to solve problems. In times like these when fear-driven bills compromise the right to privacy, we can look to security tools, such as encryption, to defend online communications.”
For Ramsés Gallego, security strategist at Dell Software Group, the concern about these policies from a consumer standpoint was not around the collection of customer information, but the purpose and use of it. “We expect the UK Government, along with private companies, regulators and organisations to receive more and more questions around retention policies in general as they seek to obtain and store more data on the general public.”
“Trust is also a key word in the debate, and while companies across the world are adopting new processes to better handle data storage requirements, governments will need consumers to be on board in order to ensure the policies are sustainable. Technology can certainly help here and we expect to see increased demand for solutions that fully address organisations' data governance issues around who's touching data, when and for how long.”
One of those who is on board is Ian Glover, president of CREST, who came down in support of the legislation, telling SC: “I think it's very important that we provide access to the authorities to allow them to protect us against those who want to do us harm. What we mustn't do is to hamper those individuals who are trying to protect us.
“The authorities will not just be able to gather information just for any purpose, they have to go through the law, through the judges and they have to have authorised requests.
“Large corporates holding our information have a responsibility for making sure information they hold about us is appropriately collected, appropriately stored and appropriately used and is protected against people who might try to steal it.”
But that view does not placate the privacy advocates, with Brian Kudowitz, Bloomberg Law's commercial product director for privacy and data security commenting in an email to SC: “The trend of increasing state surveillance powers has definite potential to disrupt business and innovation. Ten years ago this law would have already been disruptive to consumer adoption of an exploding Internet, but with everything moving to mobile today, along with the burgeoning of the wearables and Internet of Things industry, consumers are living ever-increasing portions of their lives online – and that's particularly true for minors. Consumer fear of prying eyes poses a real business challenge for companies trying to grow their consumer bases and revenue through expanding and developing their digital technology offerings.”
The bill will now be discussed by MPs and the Lords, and amendments are expected; the aim is to get legislation passed by December 2016.