Theresa May refuses to say if UK spies access medical data

Houses of Parliament

Home Secretary says sweeping up large amounts of data is not “mass surveillance”

Home Secretary Theresa May has refused to answer whether Britain’s security services are accessing medical records and other sensitive data.

She was defending the Snooper's Charter to the draft Investigatory Powers Bill, and told the committee she  would not "go down the route of giving information about the sort of data sets that are being acquired", according to the BBC.

Her comments come after it was revealed last year that GCHQ is downloading large amounts of personal data, which could include everything from the electoral register, to supermarket loyalty schemes or bank records.

This data would then be analysed to “join the dots” and draw conclusions about individuals, and such use of information is covered by old legislation.

But May said new safeguards would cover such powers - one was limited six-month warrants that give access to data and another was judicial oversight of such requests.

The controversial bill has been attacked by major technology companies, ISPs and campaign groups.

Central to the controversy is the mass collection and storage of sensitive data, which the bill in its current form says could be held for up to 12 months.

May said security minister, John Hayes, had written to the committee of MPs and peers to ask why the government did not want to reveal the kinds of data that investigators would access.

May, however, maintained that the practice of siphoning large amounts of web data does not amount to “mass surveillance”.

“The UK does not undertake mass surveillance,” she said.

13/01/16: Information Commissioner attacks Snooper's Charter

The Information Commissioner's Office (ICO) has attacked the Investigatory Powers Bill, AKA the Snooper's Charter, saying downgrading encryption could be dangerous for personal security.

Not only can the information be used maliciously by hackers if it falls into the wrong hands, but it could also be used as a weapon by nation states.

“The information commissioner has stressed the importance of encryption to guard against the compromise of personal information,” the ICO said.

“Weakening encryption can have significant consequences for individuals. The constant stream of security breaches only serves to highlight how important encryption is towards safeguarding personal information. Weakened encryption safeguards could be exploited by hackers and nation states intent on harming the UK’s interests.”

The privacy watchdog expressed its concerns to the parliamentary committee responsible for investigating the impact of the bill, saying there was also little justification for asking communications providers to store data for up to 12 months.

11/01/16: Anonymous browser developer Tor has condemned the Snooper's Charter, saying it will "significantly harm" people's safety.

"The draft bill should not centre on the false tradeoff between civil liberty and security. While it is undoubtedly not the intention of the Home Office, this draft bill will significantly harm the safety of human rights activists," The Tor Project wrote in its written evidence presented to the government.

The group said the Investigatory Powers Bill storing the metadata the lw requires companies to store about people for up to 12 months could reveal sensitive information about people who are using its privacy browser and others who are purposefully protecting their identities, meaning their lives could potentially be in danger.

May of Tor's users are human rights campaigners and depend on anonymity for their safety. The new rules could mean information about these campaigners are accessible by the wider world.

"Although there are techniques to protect computer systems from large-scale attacks, there are no effective measures for protecting computer systems from targeted attack by a capable adversary, especially when an adversary with state backing is a possible threat," Tor wrote.

"The discussion of the draft bill thus can be framed as a tradeoff between giving additional powers to law enforcement in exchange for taking away the ability of human rights activists and human rights organisations to protect themselves,"

07/01/2016: Four of the world’s biggest tech companies have officially condemned the so-called ‘Snooper’s Charter’.

Google, Facebook, Microsoft, Twitter and Yahoo have joined the chorus of industry voices condemning the Investigatory Powers Bill, alongside Apple and a roster of ISPs.

Their official submission to Parliament stated that “governments have a responsibility to protect people and their privacy”.

According to the signatories, “the best way for countries to promote the security and privacy interests of their citizens… is to ensure that surveillance is targeted, lawful, proportionate, necessary, jurisdictionally bounded, and transparent”.

The companies had several key complaints with regards to the bill’s current form, predominantly around the scope of the proposed powers, which would require ISPs to hold metadata on people's communication for at least a year.

For example, they argued that the wording is “vague” and “opaque”, and caution that this could lead to confusion over how much power authorities are actually granted.

They also said that the bill may undermine trust in their technologies, as it “could involve the introduction of risks or vulnerabilities”.

Another major concern regarded the implications of the new laws on foreign data legislation.

“Key elements of whatever legislation is passed by the UK are likely to be replicated by other countries,” they wrote, “including with respect to UK citizens’ data.”

A pre-existing mess of contradictory data protection laws also runs the risk of leaving companies “in the impossible position of deciding whose laws to violate”, the group said.

18/11/2015 - ISPs tell Parliament they are “very concerned” about Snooper’s Charter

Parliament’s Science and Technology Committee is due to examine whether the technology exists to support Home Secretary Theresa May’s Draft Investigatory Powers bill

MPs sitting on the committee will also assess the costs of the bill, its potential impact on communication providers, the consequences for citizens’ use of IT services. 

“More specific issues of interest to the Committee include the extent to which communications data and communications content can be separated and the extent to which this is reflected in the Draft Bill,” it added. 

The “short inquiry” will take place after industry experts questioned the actual scale of data storage required by the so-called Snooper’s Charter, which would force ISPs to keep a list of internet connection records (ICRS – the websites people visit) for 12 months.

Such sensitive details of people’s online activities would need to be protected by strong security measures, yet the bill is being proposed at a time when data breaches are becoming more and more common. 

In oral evidence given to the committee last week, the chair of the Internet Services Providers’ Association said a solution that suits the bill’s purposes will be hard to create because the bill’s concept of an ICR does not accurately describe the data ISPs

“We are very concerned,” James Blessing told the committee. “The whole idea of an internet connection record does not exist as far as internet service providers are concerned. We do not have an internet connection record.” 

“We do not store information about what our customers do online in this particular way. It is not clear from the bill what constitutes a connection record.”

He added: “If you want to get at the URL someone is visiting, you need to open the packet, inspect it, take information out and then throw data away, which makes the whole processing of those records even more complicated and prone to mistakes.”

The committee is welcoming written submissions on the issues until Friday, 27 November.