Snooper's Charter puts data at risk even with encryption
The more data ISPs must store, the more there is to steal, warn experts
The Investigatory Powers Bill could leave UK citizens at risk of data theft even though end-to-end encryption has not been banned.
Home Secretary Theresa May presented the proposed legislation, known colloquially as the Snooper's Charter, to Parliament today, and if passed, it would require ISPs to store Internet Connection Records (ICRs - which domains people visit) for up to 12 months.
This includes details of which services a device has connected through, such as a website or instant messaging (IM) platform.
"An ICR is not a person's full internet browsing history," the preamble to the bill reads. "It is a record of the services that they have connected to, which can provide vital investigative leads. It would not reveal every web page that they visit or anything that they do on that web page."
However, the data in question, which communications service providers will be required to store in bulk, is still sensitive, as pointed out by NSA whistleblower Edward Snowden.
One tech vendor, Dell, warned that such a requirement opens up the risk that ISPs will leak sensitive user data.
"We have countless examples of how organisations' security systems have failed in the past as a result of insufficient security and access procedures, and [as] a result sensitive data has been misused," said Timothy Brown, executive director of security with Dell Software Group.
"If organisations are required to store more information on their customers for longer periods of time, there must be appropriate controls and audit measures in place. People consider their telecommunications and internet activity to be private and If ISPs and wireless providers are required to store data on their customers, this only creates larger and more attractive targets for hackers and leaks."
Jonathan Parker-Bray, CEO of Criptyque, which owns secure messaging platform Pryvate, voiced a similar concern, saying: "Threat actors will always find nefarious ways of using good-intentioned technology for their own means, and this law is a potential license for the invasion of the right to privacy on a scale this country cannot allow."
"Whilst we would agree strongly that there does need to be an updating and an expansion of legislation to account for the digital age, this should not override the hard-fought right to privacy that is owned by every citizen in the UK," he added.
It could be worse
While there have been strong negative reactions, the draft of the bill published today does not include two of the clauses that had caused most concern: a ban on end-to-end encryption and the bypassing of the judiciary when issuing warrants to retrieve ICR data.
Instead for the first time in history, a judge must approve such warrants after the Home Secretary has signed off them, and the government will not require technology companies to weaken or water down encryption outside of RIPA's requirement for companies to be able to unencrypt communications data when authorities make such a request.
Mark Taylor, a partner with international law firm Osborne Clarke, said: "In regards to the authorisation of warrants, it's good to see that the Home Secretary has respected some separation of powers, with a degree of oversight from the judiciary as well as an independent commissioner."
"Businesses will breathe a sigh of relief that end-to-end encryption has not been banned. Many of their business models - and in particular payment transactions - are based on the trust that consumers place in their end-to-end encryption," he added.
It has also received qualified support from some quarters of the tech and telecoms industry.
Antony Walker, deputy CEO of techUK said: "On first impressions [the bill] looks like a step in the right direction to creating what is required here - a world-leading legal framework that balances the security needs with democratic values.
"Parliament must now judge whether the powers government is seeking, such as internet connection records, equipment interference and bulk collection, are necessary and proportionate and whether the safeguards being proposed to govern their use are sufficient. The importance of the task ahead of the Joint Parliamentary Scrutiny Committee cannot be overstated."
Nicholas Lansman, general secretary of ISP industry body ISPA, was more enthusiastic, adding: "ISPA welcomes the attempt to modernise and clarify the law. We will work with government to ensure that the bill provides ISPs with a clear and stable legal framework that balances necessary powers with oversight whilst minimising the impact on business."
The bill will now be scrutinised by the Lords and the Commons.
The essential guide to cloud-based backup and disaster recovery
Support business continuity by building a holistic emergency planDownload now
Trends in modern data protection
A comprehensive view of the data protection landscapeDownload now
How do vulnerabilities get into software?
90% of security incidents result from exploits against defects in softwareDownload now
Delivering the future of work - now
The CIO’s guide to building the unified digital workspace for today’s hybrid and multi-cloud strategies.Download now