Analysis

Snooper's Charter puts data at risk even with encryption

The more data ISPs must store, the more there is to steal, warn experts

The Investigatory Powers Bill could leave UK citizens at risk of data theft even though end-to-end encryption has not been banned.

Home Secretary Theresa May presented the proposed legislation, known colloquially as the Snooper's Charter, to Parliament today, and if passed, it would require ISPs to store Internet Connection Records (ICRs - which domains people visit) for up to 12 months.

This includes details of which services a device has connected through, such as a website or instant messaging (IM) platform.

"An ICR is not a person's full internet browsing history," the preamble to the bill reads. "It is a record of the services that they have connected to, which can provide vital investigative leads. It would not reveal every web page that they visit or anything that they do on that web page."

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

However, the data in question, which communications service providers will be required to store in bulk, is still sensitive, as pointed out by NSA whistleblower Edward Snowden.

One tech vendor, Dell, warned that such a requirement opens up the risk that ISPs will leak sensitive user data.

"We have countless examples of how organisations' security systems have failed in the past as a result of insufficient security and access procedures, and [as] a result sensitive data has been misused," said Timothy Brown, executive director of security with Dell Software Group.

"If organisations are required to store more information on their customers for longer periods of time, there must be appropriate controls and audit measures in place. People consider their telecommunications and internet activity to be private and If ISPs and wireless providers are required to store data on their customers, this only creates larger and more attractive targets for hackers and leaks."

Jonathan Parker-Bray, CEO of Criptyque, which owns secure messaging platform Pryvate, voiced a similar concern, saying: "Threat actors will always find nefarious ways of using good-intentioned technology for their own means, and this law is a potential license for the invasion of the right to privacy on a scale this country cannot allow."

"Whilst we would agree strongly that there does need to be an updating and an expansion of legislation to account for the digital age, this should not override the hard-fought right to privacy that is owned by every citizen in the UK," he added.

It could be worse

While there have been strong negative reactions, the draft of the bill published today does not include two of the clauses that had caused most concern: a ban on end-to-end encryption and the bypassing of the judiciary when issuing warrants to retrieve ICR data.

Instead for the first time in history, a judge must approve such warrants after the Home Secretary has signed off them, and the government will not require technology companies to weaken or water down encryption outside of RIPA's requirement for companies to be able to unencrypt communications data when authorities make such a request.

Mark Taylor, a partner with international law firm Osborne Clarke, said: "In regards to the authorisation of warrants, it's good to see that the Home Secretary has respected some separation of powers, with a degree of oversight from the judiciary as well as an independent commissioner."

"Businesses will breathe a sigh of relief that end-to-end encryption has not been banned. Many of their business models - and in particular payment transactions - are based on the trust that consumers place in their end-to-end encryption," he added.

Industry reaction

It has also received qualified support from some quarters of the tech and telecoms industry.

Advertisement
Advertisement - Article continues below

Antony Walker, deputy CEO of techUK said: "On first impressions [the bill] looks like a step in the right direction to creating what is required here - a world-leading legal framework that balances the security needs with democratic values.

Advertisement - Article continues below

"Parliament must now judge whether the powers government is seeking, such as internet connection records, equipment interference and bulk collection, are necessary and proportionate and whether the safeguards being proposed to govern their use are sufficient. The importance of the task ahead of the Joint Parliamentary Scrutiny Committee cannot be overstated."

Nicholas Lansman, general secretary of ISP industry body ISPA, was more enthusiastic, adding: "ISPA welcomes the attempt to modernise and clarify the law. We will work with government to ensure that the bill provides ISPs with a clear and stable legal framework that balances necessary powers with oversight whilst minimising the impact on business."

The bill will now be scrutinised by the Lords and the Commons.

Featured Resources

What you need to know about migrating to SAP S/4HANA

Factors to assess how and when to begin migration

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

Testing for compliance just became easier

How you can use technology to ensure compliance in your organisation

Download now

Best practices for implementing security awareness training

How to develop a security awareness programme that will actually change behaviour

Download now
Advertisement

Recommended

Visit/security/internet-security/354417/avast-and-avg-extensions-pulled-from-chrome
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/policy-legislation/data-governance/354496/brexit-security-talks-under-threat-after-uk-accused-of
data governance

Brexit security talks under threat after UK accused of illegally copying Schengen data

10 Jan 2020
Visit/security/cyber-security/354468/if-not-passwords-then-what
cyber security

If not passwords then what?

8 Jan 2020
Visit/policy-legislation/31772/gdpr-and-brexit-how-will-one-affect-the-other
Policy & legislation

GDPR and Brexit: How will one affect the other?

9 Jan 2020
Visit/web-browser/30394/what-is-http-error-503-and-how-do-you-fix-it
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020