Analysis

Snooper's Charter puts data at risk even with encryption

The more data ISPs must store, the more there is to steal, warn experts

The Investigatory Powers Bill could leave UK citizens at risk of data theft even though end-to-end encryption has not been banned.

Home Secretary Theresa May presented the proposed legislation, known colloquially as the Snooper's Charter, to Parliament today, and if passed, it would require ISPs to store Internet Connection Records (ICRs - which domains people visit) for up to 12 months.

This includes details of which services a device has connected through, such as a website or instant messaging (IM) platform.

"An ICR is not a person's full internet browsing history," the preamble to the bill reads. "It is a record of the services that they have connected to, which can provide vital investigative leads. It would not reveal every web page that they visit or anything that they do on that web page."

However, the data in question, which communications service providers will be required to store in bulk, is still sensitive, as pointed out by NSA whistleblower Edward Snowden.

One tech vendor, Dell, warned that such a requirement opens up the risk that ISPs will leak sensitive user data.

"We have countless examples of how organisations' security systems have failed in the past as a result of insufficient security and access procedures, and [as] a result sensitive data has been misused," said Timothy Brown, executive director of security with Dell Software Group.

"If organisations are required to store more information on their customers for longer periods of time, there must be appropriate controls and audit measures in place. People consider their telecommunications and internet activity to be private and if ISPs and wireless providers are required to store data on their customers, this only creates larger and more attractive targets for hackers and leaks."

Jonathan Parker-Bray, CEO of Criptyque, which owns secure messaging platform Pryvate, voiced a similar concern, saying: "Threat actors will always find nefarious ways of using good-intentioned technology for their own means, and this law is a potential license for the invasion of the right to privacy on a scale this country cannot allow."

"Whilst we would agree strongly that there does need to be an updating and an expansion of legislation to account for the digital age, this should not override the hard-fought right to privacy that is owned by every citizen in the UK," he added.

It could be worse

While there have been strong negative reactions, the draft of the bill published today does not include two of the clauses that had caused most concern: a ban on end-to-end encryption and the bypassing of the judiciary when issuing warrants to retrieve ICR data.

Instead, for the first time in history, a judge must approve such warrants after the Home Secretary has signed them off, and the government will not require technology companies to weaken or water down encryption beyond RIPA's existing requirement that companies be able to decrypt communications data when authorities make such a request.

Mark Taylor, a partner with international law firm Osborne Clarke, said: "In regards to the authorisation of warrants, it's good to see that the Home Secretary has respected some separation of powers, with a degree of oversight from the judiciary as well as an independent commissioner."

"Businesses will breathe a sigh of relief that end-to-end encryption has not been banned. Many of their business models - and in particular payment transactions - are based on the trust that consumers place in their end-to-end encryption," he added.

Industry reaction

It has also received qualified support from some quarters of the tech and telecoms industry.

Antony Walker, deputy CEO of techUK, said: "On first impressions [the bill] looks like a step in the right direction to creating what is required here - a world-leading legal framework that balances the security needs with democratic values.

"Parliament must now judge whether the powers government is seeking, such as internet connection records, equipment interference and bulk collection, are necessary and proportionate and whether the safeguards being proposed to govern their use are sufficient. The importance of the task ahead of the Joint Parliamentary Scrutiny Committee cannot be overstated."

Nicholas Lansman, general secretary of ISP industry body ISPA, was more enthusiastic, adding: "ISPA welcomes the attempt to modernise and clarify the law. We will work with government to ensure that the bill provides ISPs with a clear and stable legal framework that balances necessary powers with oversight whilst minimising the impact on business."

The bill will now be scrutinised by the Lords and the Commons.
