The True Cost of Surveillance

UK Home Secretary Theresa May

The British Conservative government recently published proposals for new legislation to regulate spying in the UK. The draft Investigatory Powers Bill, introduced by Home Secretary Theresa May, seeks to do many things, particularly gathering up powers already contained in a lot of different existing laws and subjecting them all to a coherent oversight procedure. Most of the discussion generated by these proposals has been about the implications for liberty. But there is another and related dimension that should be considered, and that is the potential for the Bill to harm the economy.

Whatever form the final Investigatory Powers Act takes, some kind of spying bill will have to be enacted by the end of next year as the main existing legislation covering digital surveillance (the Data Retention and Investigatory Powers Act) expires at the end of 2016. The government’s stated intention is to have a single package of measures in place that updates that and a lot of other disparate powers and practices that have gradually emerged into the light of day over recent years, such as the activities of the security and intelligence agencies in hacking computers and smartphones, and gathering large scale ‘bulk’ information at both an individual and group level.

As the Bill itself admits, there are now so many surveillance powers in the UK that it is ‘difficult to be sure that the Bill identifies and amends every power,’ although that is the intention. But in the process the powers of the state to seize and analyse private information are being expanded, adding to what is already Europe’s most intrusive government surveillance system. There are some signs that the existence of such extensive powers – however they are actually used – may have a negative effect on investment in UK industries that rely on secure digital technologies (in other words, most of the economy).

Businesses – like individuals – do not care to have governments wielding sweeping powers over the information they hold, and in particular they do not like large numbers of government departments or (in the phrase of the draft Bill) ‘public bodies’ having access to that data, not least because every additional key holder increases the vulnerability to breaches of data security.

Unlike individuals many businesses can shift jurisdiction with ease, and these concerns are already apparent in the way that US technology companies that hold large amounts of user data are reorganizing their operations to move data banks out of the US, in response to customer fears about the intrusive powers of the US National Security Agency. Last month, for example, Microsoft announced a deal with Deutsche Telekom that will allow the US company to move much of its customer data to servers in Germany, with the intention of putting it out of the reach of US security agencies.

Other companies are likely to follow Microsoft; the US Information Technology and Innovation Foundation, an independent think-tank, recently estimated that US technology companies could lose tens of billions in sales due to customer fears over US government surveillance, adding that for international companies foreign surveillance laws are now the deciding issue when it comes to where companies store data. The Foundation points out that in addition to Microsoft, other companies including Cisco, Qualcomm, IBM and Hewlett-Packard have recently reported lost sales due to concerns about data security in the US. Companies outside the tech sector are also affected; for example, Boeing recently lost a Brazilian contract to replace fighter aircraft due to similar concerns.

In many ways the draft Investigatory Powers Bill is an attempt to address such commercial concerns, by making digital surveillance in the UK more transparent, and also by allaying fears that the UK government will attempt to control all encryption of data (although the Bill does include continued powers to force communications companies to unpick their own encryption if the government requests it). But by increasing the volume of data that official bodies can acquire, it is possible that the Bill may end up doing the opposite of what is intended.

It is no easy thing to summarise what the government proposes. The draft Bill including preface, guide and notes runs to 296 dense pages, and the supplementary materials add another 224 pages. The Bill itself is the result of recommendations from three separate reviews of the UK’s surveillance laws, and unsurprisingly the result is a draft that includes a bit of everything, from procedures for acquiring routine data sets like electoral rolls, to rules for spooks charged with breaking into the computers of individuals and organizations.

Amongst all of this detail, two things stand out as new. The first is that the legislation will for the first time explicitly legalise and regulate the capture of large scale sets of data such as communications data (records of who communicated with whom, and how, and when, although not necessarily what they said), without the need for the investigating agencies acquiring the data to know exactly who or what they are looking for in advance. These are the so-called ‘bulk powers’ (not to be confused with the proposals on ‘bulk personal datasets’ which cover unglamorous matters like digital telephone directories).

Secondly, communications companies will have to keep and potentially make available a 12-month set of the Internet connection records of any person or organisation in the UK that uses the Internet. The government has made much of the fact that Internet connection records do not constitute a full record of Internet activity, but in fact the Bill allows that security agencies can make specific requests (in addition to the general record-keeping requirement in the Bill) for data that does amount to a full record.

Both of these innovations mean that government agencies will have legal powers to hold much more private information than before. Although the Bill proposes additional limits on whether they can actually analyse this data (depending on who the data relate to, whether or not the relevant individuals are in the UK, and whether there is a clear operational purpose to the analysis), these do not much alter the inherent risk of large data sets being held by a range of public bodies.

There remains uncertainty over who in government will be able to access the data that the draft Bill covers. In certain cases there are stated limitations on the use of data by local authorities, for example, suggesting that where there is no specific limitation then local authorities and many other bodies may have access to at least some data.

The purposes of the UK’s entire digital surveillance arrangements are described as law enforcement, security and intelligence, a definition so broad that in principle data could be accessed, by almost any, UK public body. And public bodies in the UK do not have a great record of digital security. If history is any guide, the more data they hold, the more they are likely to lose, and the greater the risk of sensitive data – including commercially sensitive data – leaking into the wrong hands.

These are not idle fears. The list of UK government departments and official organisations that have suffered significant data breaches in recent years is a long one. Various NHS trusts and individual hospitals are the most frequent offenders, along with local government bodies. But there have also been data security failures at the Ministry of Justice, the Department of Work and Pensions, the Ministry of Defence, the Foreign Office, the Serious Fraud Office, and amazingly enough the Information Commissioner’s Office, the body that is supposed to oversee data protection in the UK.

These data breaches have typically involved either lost disks or memory sticks containing unencrypted data, although there have also been cases of data accidentally being distributed by email. They have not involved direct access to large-scale officially-held databases, either through online hacking or the loss of physical storage devices that happen to contain access keys to online databases, although such losses would represent the ultimate data security nightmare scenario. That such losses are possible is very clear: if teenage hackers can break into the online databases of internet service providers such as TalkTalk – companies that have a strong commercial incentive to secure their data – then it is difficult to be optimistic about the chances of sluggish official departments keeping safe the oceans of data that the draft Bill would put in their hands.

This is a concern for any business that holds data it regards as commercially sensitive – and that really means all businesses. Information companies in Europe and Asia are already using their claimed ability to avoid official US digital surveillance as marketing tool. The US is not highly trade-dependent, and perhaps it can afford to make itself unattractive to international companies. The UK does not enjoy that option. If it joins the US as the place that businesses with valuable data need to avoid, the economic consequences could be dire.

CapX:  http://bit.ly/1RkhIKG

« Malware Mixed Into A Cyber Threat Cocktail
Encrypt A Message In the Big Bang Afterglow »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Arthur J Gallagher & Co

Arthur J Gallagher & Co

Arthur J. Gallagher & Co. is a global insurance brokerage and risk management services firm. Services include Cyber Liability insurance.

DomainTools

DomainTools

DomainTools helps security analysts turn threat data into threat intelligence.

Zettaset

Zettaset

Zettaset’s XCrypt Data Encryption Platform delivers proven protection for Object, Relational/SQL, NoSQL, and Hadoop data stores…in the cloud and on-premises.

Ten Eleven Ventures

Ten Eleven Ventures

Ten Eleven is a specialized venture capital firm exclusively dedicated to helping cybersecurity companies thrive.

Evalian

Evalian

Evalian is a data protection services provider. Working with organisations of all sizes, we specialise in Data Protection, GDPR, ISO Certification & Information Security.

Servian

Servian

Servian is one of Australia's leading IT consultancies, with expertise in cloud, data, machine learning, DevOps and cybersecurity.

Kontex

Kontex

Kontex is a Cyber Security consultancy creating resilient solutions. From Strategy, Advisory and Implementation to Management and everything in between.

Tromzo

Tromzo

Tromzo's mission is to eliminate the friction between developers and security so you can scale your application security program.

Trusted Technologies and Solutions (TTS)

Trusted Technologies and Solutions (TTS)

TTS is a security consulting company specialised on business continuity and crisis management, information security management, information risk management and identity and access management.

Axiata Digital Labs

Axiata Digital Labs

Axiata Digital Labs is the technology hub of Axiata Group Berhad Malaysia which is one of the leading groups in telecommunication in Asia.

Detego Global

Detego Global

Detego Global are the creators of the Detego® Unified Digital Forensics Platform, a suite of modular tools used globally by military, law enforcement and intelligence agencies, and enterprises.

Xeol

Xeol

Software free of vulnerabilities, built and distributed by trusted entities. Our mission is to help customers secure their software from code to deploy.

BreakPoint Labs

BreakPoint Labs

BreakPoint Labs is dedicated to providing the methods and means for sustainable, measurable, and effective cybersecurity operations.

Cloud Software Group

Cloud Software Group

Cloud Software Group provides mission-critical software to enterprises at scale.

Telenor Cyberdefence

Telenor Cyberdefence

Telenor Cyberdefence is a newly established (2024) cloud-born Managed Security Service Provider focused on the Nordic markets.

Quantum Bridge

Quantum Bridge

Our unbreakable key distribution technology ensures the highest level of protection for your critical infrastructure and sensitive data in an evolving digital landscape.