Analysis

Snooper's Charter puts data at risk even with encryption

The more data ISPs must store, the more there is to steal, warn experts

The Investigatory Powers Bill could leave UK citizens at risk of data theft even though end-to-end encryption has not been banned.

Home Secretary Theresa May presented the proposed legislation, known colloquially as the Snooper's Charter, to Parliament today. If passed, it would require ISPs to store Internet Connection Records (ICRs), which show which domains people visit, for up to 12 months.

This includes details of which services a device has connected through, such as a website or instant messaging (IM) platform.

"An ICR is not a person's full internet browsing history," the preamble to the bill reads. "It is a record of the services that they have connected to, which can provide vital investigative leads. It would not reveal every web page that they visit or anything that they do on that web page."

However, the data in question, which communications service providers will be required to store in bulk, is still sensitive, as pointed out by NSA whistleblower Edward Snowden.

One tech vendor, Dell, warned that such a requirement opens up the risk that ISPs will leak sensitive user data.

"We have countless examples of how organisations' security systems have failed in the past as a result of insufficient security and access procedures, and [as] a result sensitive data has been misused," said Timothy Brown, executive director of security with Dell Software Group.

"If organisations are required to store more information on their customers for longer periods of time, there must be appropriate controls and audit measures in place. People consider their telecommunications and internet activity to be private and if ISPs and wireless providers are required to store data on their customers, this only creates larger and more attractive targets for hackers and leaks."

Jonathan Parker-Bray, CEO of Criptyque, which owns secure messaging platform Pryvate, voiced a similar concern, saying: "Threat actors will always find nefarious ways of using good-intentioned technology for their own means, and this law is a potential license for the invasion of the right to privacy on a scale this country cannot allow."

"Whilst we would agree strongly that there does need to be an updating and an expansion of legislation to account for the digital age, this should not override the hard-fought right to privacy that is owned by every citizen in the UK," he added.

It could be worse

While there have been strong negative reactions, the draft of the bill published today does not include two of the clauses that had caused most concern: a ban on end-to-end encryption and the bypassing of the judiciary when issuing warrants to retrieve ICR data.

Instead, for the first time in history, a judge must approve such warrants after the Home Secretary has signed them off, and the government will not require technology companies to weaken or water down encryption beyond RIPA's requirement that companies be able to decrypt communications data when authorities make such a request.

Mark Taylor, a partner with international law firm Osborne Clarke, said: "In regards to the authorisation of warrants, it's good to see that the Home Secretary has respected some separation of powers, with a degree of oversight from the judiciary as well as an independent commissioner."

"Businesses will breathe a sigh of relief that end-to-end encryption has not been banned. Many of their business models - and in particular payment transactions - are based on the trust that consumers place in their end-to-end encryption," he added.

Industry reaction

It has also received qualified support from some quarters of the tech and telecoms industry.

Antony Walker, deputy CEO of techUK, said: "On first impressions [the bill] looks like a step in the right direction to creating what is required here - a world-leading legal framework that balances the security needs with democratic values.

"Parliament must now judge whether the powers government is seeking, such as internet connection records, equipment interference and bulk collection, are necessary and proportionate and whether the safeguards being proposed to govern their use are sufficient. The importance of the task ahead of the Joint Parliamentary Scrutiny Committee cannot be overstated."

Nicholas Lansman, general secretary of ISP industry body ISPA, was more enthusiastic, adding: "ISPA welcomes the attempt to modernise and clarify the law. We will work with government to ensure that the bill provides ISPs with a clear and stable legal framework that balances necessary powers with oversight whilst minimising the impact on business."

The bill will now be scrutinised by the Lords and the Commons.
