The True Cost of Surveillance

Uploaded on 2015-12-28 in NEWS-Cybersecurity News, INTELLIGENCE--International, GOVERNMENT-Law Enforcement, GOVERNMENT-National, FREE TO VIEW

UK Home Secretary Theresa May

The British Conservative government recently published proposals for new legislation to regulate spying in the UK. The draft Investigatory Powers Bill, introduced by Home Secretary Theresa May, seeks to do many things, particularly gathering up powers already contained in a lot of different existing laws and subjecting them all to a coherent oversight procedure. Most of the discussion generated by these proposals has been about the implications for liberty. But there is another and related dimension that should be considered, and that is the potential for the Bill to harm the economy.

Whatever form the final Investigatory Powers Act takes, some kind of spying bill will have to be enacted by the end of next year as the main existing legislation covering digital surveillance (the Data Retention and Investigatory Powers Act) expires at the end of 2016. The government’s stated intention is to have a single package of measures in place that updates that and a lot of other disparate powers and practices that have gradually emerged into the light of day over recent years, such as the activities of the security and intelligence agencies in hacking computers and smartphones, and gathering large scale ‘bulk’ information at both an individual and group level.

As the Bill itself admits, there are now so many surveillance powers in the UK that it is ‘difficult to be sure that the Bill identifies and amends every power,’ although that is the intention. But in the process the powers of the state to seize and analyse private information are being expanded, adding to what is already Europe’s most intrusive government surveillance system. There are some signs that the existence of such extensive powers – however they are actually used – may have a negative effect on investment in UK industries that rely on secure digital technologies (in other words, most of the economy).

Businesses – like individuals – do not care to have governments wielding sweeping powers over the information they hold, and in particular they do not like large numbers of government departments or (in the phrase of the draft Bill) ‘public bodies’ having access to that data, not least because every additional key holder increases the vulnerability to breaches of data security.

Unlike individuals many businesses can shift jurisdiction with ease, and these concerns are already apparent in the way that US technology companies that hold large amounts of user data are reorganizing their operations to move data banks out of the US, in response to customer fears about the intrusive powers of the US National Security Agency. Last month, for example, Microsoft announced a deal with Deutsche Telekom that will allow the US company to move much of its customer data to servers in Germany, with the intention of putting it out of the reach of US security agencies.

Other companies are likely to follow Microsoft; the US Information Technology and Innovation Foundation, an independent think-tank, recently estimated that US technology companies could lose tens of billions in sales due to customer fears over US government surveillance, adding that for international companies foreign surveillance laws are now the deciding issue when it comes to where companies store data. The Foundation points out that in addition to Microsoft, other companies including Cisco, Qualcomm, IBM and Hewlett-Packard have recently reported lost sales due to concerns about data security in the US. Companies outside the tech sector are also affected; for example, Boeing recently lost a Brazilian contract to replace fighter aircraft due to similar concerns.

In many ways the draft Investigatory Powers Bill is an attempt to address such commercial concerns, by making digital surveillance in the UK more transparent, and also by allaying fears that the UK government will attempt to control all encryption of data (although the Bill does include continued powers to force communications companies to unpick their own encryption if the government requests it). But by increasing the volume of data that official bodies can acquire, it is possible that the Bill may end up doing the opposite of what is intended.

It is no easy thing to summarise what the government proposes. The draft Bill including preface, guide and notes runs to 296 dense pages, and the supplementary materials add another 224 pages. The Bill itself is the result of recommendations from three separate reviews of the UK’s surveillance laws, and unsurprisingly the result is a draft that includes a bit of everything, from procedures for acquiring routine data sets like electoral rolls, to rules for spooks charged with breaking into the computers of individuals and organizations.

Amongst all of this detail, two things stand out as new. The first is that the legislation will for the first time explicitly legalise and regulate the capture of large scale sets of data such as communications data (records of who communicated with whom, and how, and when, although not necessarily what they said), without the need for the investigating agencies acquiring the data to know exactly who or what they are looking for in advance. These are the so-called ‘bulk powers’ (not to be confused with the proposals on ‘bulk personal datasets’ which cover unglamorous matters like digital telephone directories).

Secondly, communications companies will have to keep and potentially make available a 12-month set of the Internet connection records of any person or organisation in the UK that uses the Internet. The government has made much of the fact that Internet connection records do not constitute a full record of Internet activity, but in fact the Bill allows that security agencies can make specific requests (in addition to the general record-keeping requirement in the Bill) for data that does amount to a full record.

Both of these innovations mean that government agencies will have legal powers to hold much more private information than before. Although the Bill proposes additional limits on whether they can actually analyse this data (depending on who the data relate to, whether or not the relevant individuals are in the UK, and whether there is a clear operational purpose to the analysis), these do not much alter the inherent risk of large data sets being held by a range of public bodies.

There remains uncertainty over who in government will be able to access the data that the draft Bill covers. In certain cases there are stated limitations on the use of data by local authorities, for example, suggesting that where there is no specific limitation then local authorities and many other bodies may have access to at least some data.

The purposes of the UK’s entire digital surveillance arrangements are described as law enforcement, security and intelligence, a definition so broad that in principle data could be accessed, by almost any, UK public body. And public bodies in the UK do not have a great record of digital security. If history is any guide, the more data they hold, the more they are likely to lose, and the greater the risk of sensitive data – including commercially sensitive data – leaking into the wrong hands.

These are not idle fears. The list of UK government departments and official organisations that have suffered significant data breaches in recent years is a long one. Various NHS trusts and individual hospitals are the most frequent offenders, along with local government bodies. But there have also been data security failures at the Ministry of Justice, the Department of Work and Pensions, the Ministry of Defence, the Foreign Office, the Serious Fraud Office, and amazingly enough the Information Commissioner’s Office, the body that is supposed to oversee data protection in the UK.

These data breaches have typically involved either lost disks or memory sticks containing unencrypted data, although there have also been cases of data accidentally being distributed by email. They have not involved direct access to large-scale officially-held databases, either through online hacking or the loss of physical storage devices that happen to contain access keys to online databases, although such losses would represent the ultimate data security nightmare scenario. That such losses are possible is very clear: if teenage hackers can break into the online databases of internet service providers such as TalkTalk – companies that have a strong commercial incentive to secure their data – then it is difficult to be optimistic about the chances of sluggish official departments keeping safe the oceans of data that the draft Bill would put in their hands.

This is a concern for any business that holds data it regards as commercially sensitive – and that really means all businesses. Information companies in Europe and Asia are already using their claimed ability to avoid official US digital surveillance as marketing tool. The US is not highly trade-dependent, and perhaps it can afford to make itself unattractive to international companies. The UK does not enjoy that option. If it joins the US as the place that businesses with valuable data need to avoid, the economic consequences could be dire.

CapX:  http://bit.ly/1RkhIKG

« Malware Mixed Into A Cyber Threat Cocktail
Encrypt A Message In the Big Bang Afterglow »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Feitian Technologies

Feitian Technologies

Feitian Technologies provides authentication and transaction security products for financial institutions, telecoms, government and leading business enterprises.

2Secure

2Secure

2Secure is one of Sweden's largest private security companies. Service inlcude personal security, corporate security, information and cyber security.

Honeynet Project

Honeynet Project

The Honeynet Project is a leading international non-profit security research organization, dedicated to investigating the latest attacks and developing open source security tools.

BooleBox

BooleBox

Boolebox is the innovative suite of enterprise data protection applications that preserve the integrity and confidentiality of data from any unauthorized access.

Field Effect Software

Field Effect Software

Field Effect Software build sophisticated and integrated IT security, threat surface reduction, training and simulation capabilities for enterprises and small businesses.

PQShield

PQShield

PQShield are specialists in Post-Quantum Cryptography. We provide quantum-secure cryptographic solutions for software, software/hardware co-design and data in transit.

VLATACOM Institute

VLATACOM Institute

Vlatacom Institute is privately owned accredited research and development institute, system integrator and turn-key solution provider. Areas of expertise include encryption and authentication.

Alcon Maddox

Alcon Maddox

Alcon Maddox is a niche recruitment and executive search firm specialised in sourcing exceptional Cyber Security sales and commercial leadership talent. Serving clients across the Middle East & Europe

ServerScan

ServerScan

ServerScan specializes in providing server scanning & compliance services to organizations of all types and sizes.

Difenda

Difenda

Difenda Shield is a fully integrated and modular cybersecurity suite that gives your organization the agility it needs to implement a world-class cybersecurity system.

Althammer & Kill

Althammer & Kill

Althammer & Kill offers pragmatic solution concepts for data protection and digitization. We advise in the field of data protection, information security and compliance.

DigitalPlatforms

DigitalPlatforms

DigitalPlatforms SpA is an Italian group with the mission of providing end-to-end solutions and Internet of Things and Cyber technologies to companies that manage critical infrastructures.

Omdia

Omdia

Omdia is a technology research and advisory group. Our deep knowledge of tech markets combined with our actionable insights empower organizations to make smart growth decisions.

QANplatform

QANplatform

QANplatform is a Quantum-resistant hybrid blockchain platform.

Blackmere Consulting

Blackmere Consulting

Blackmere Consulting is a Nationwide Technical and Executive Recruiting firm dedicated to Cyber Security and Information Technology.

Black Bison Cyber

Black Bison Cyber

Black Bison Cyber is a premier cybersecurity firm specializing in elite, discreet, and highly personalized digital protection for high-profile individuals and executives.