Home secretary Theresa May spoke on Tuesday about the Counter-Terrorism and Security Bill, the full details of which were published today, showing major changes to existing surveillance practises.
The bill introduces a raft of new proposals such as the ability for Police and Border Force to cancel and hold passports at the border for up to 30 days, move suspects to another part of the country and – crucially – force internet service providers (ISPs) to retain data on IP addresses. Airlines will also be obliged to disclose more passenger data in advance, including credit card details.
Privacy campaigners will be more satisfied to learn that a Privacy and Civil Liberties Board will monitor the impact of counter-terrorism legislation and act as a counter-weight to the demands of the security services for greater powers.
The announcement came just a day after the Intelligence and Security Committee inquiry into the murder of Fusilier Lee Rigby revealed that one US-based technology company – widely reported to be Facebook – withheld the online conversations of one of his murderers.
Speaking to SCMagazineUK.com earlier today, F-Secure analyst Sean Sullivan said that tracking terrorists should not be a job for the private sector.
“David Cameron said yesterday that "once you discover on someone's email account that they are planning a terrorist action”. Why the hell does he think it is okay for internet companies to discover anything from my email? -- that should be private communication.
“Perhaps there is a point about eight cancelled accounts for links to terrorist materials should raise a red flag on a particular IP address or something – but nobody should be in favour of routine scanning of anybody's inbox for anything.
“Cameron thinks US internet companies have a social responsibility - I think David Cameron has a political responsibility to address socio-economic issues that contribute to the creation of disaffected individual prone to the lure of jihadism. Blaming the internet for his government's failures will not help.”
The message on surveillance has been complicated by the fact that, just one day earlier, the UK government was detailing its involvement in a new campaign which aims to ensure local cyber-security start-ups adhere to human rights when exporting their products and services.
TechUK announced yesterday that it had partnered with the Institute of Human Rights and Business (IHRB) - on behalf of the government's Cyber Growth Partnership - to publish the ‘Assessing Cyber Security Export Risks' guide.
The 36-page guide is designed to give UK cyber-security companies detailed background information and a framework for developing a due diligence process, managing human risks rights and identifying national security risks.
Specifically, the report will urge companies to look at capabilities of the product or service and how it could potentially be used or misused, as well as potential buyers/countries and their intentions. It also says firms should evaluate potential business partners and resellers, and gives advice how they can mitigate and build risk management clauses into contracts.
Interestingly, Ed Vaizey, the minister for culture and the digital economy, added in the report that the guide was committed to human rights, with the report itself adding it ‘reduces the likelihood of reputational damage to British companies'.
“Some of the technologies that have transformed our lives for the better can also be misused. The export of particular technologies to the wrong hands could lead to human rights abuses or undermine UK national security,” he says. “The government has a duty to protect human rights and uphold national security by helping UK companies understand and manage the risks associated with cyber-security exports.”
The executive summary goes on to note: “Most often cyber-security capabilities are used only to defend networks or disrupt criminal activity. However, some cyber-products and services can enable surveillance and espionage, or disrupt, deny and degrade online services. If used inappropriately by the end-user they may pose a risk to human rights, to UK national security and to the reputation and legal standing of the exporter.”
Ruth Davis, head of cyber, justice, and emergency services at TechUK said in a statement: “We want British companies to take the lead on protecting human rights and driving innovation in cyber-security. The advice in this document is designed to help companies reduce reputational risk and to have confidence in the deals they make. We believe that ethical business practice is key; human rights and a vibrant British cyber-sector are two sides of the same coin.”
The guide is part of the government's Cyber Growth Partnership, which is aiming to increase UK cyber-security exports by £2 billion by 2016.
Kenneth Page, policy manager at Privacy International, told SCMagazineUK.com: "The Department of Business is charged with promoting UK exports, and we've seen a big push in this area over the past 12 to 18 months as a key part of growing the UK economy.
"As we've seen with the publication of the cyber-security export guide, there has also been more recognition of the problem of technologies being used for surveillance purposes in human rights abusing countries - most likely on the grounds of 'security' grounds. This is an important and positive step.
"But this week we've found another arm of government insisting US technology companies build more surveillance into their products and greater surveillance powers are needed. The truth for government is that human rights need to be at the bedrock of any surveillance policy, and until that happens, mixed outcomes like this will continue."
Just last week, Cabinet Office minister Francis Maude revealed that new cyber-security tech clusters are to be established in Cambridge, Bristol, London, Southampton and Brighton– in addition to the one already set-up in Malvern.