The True Cost of Surveillance

Uploaded on 2015-12-28 in NEWS-Cybersecurity News, INTELLIGENCE--International, GOVERNMENT-Law Enforcement, GOVERNMENT-National, FREE TO VIEW

UK Home Secretary Theresa May

The British Conservative government recently published proposals for new legislation to regulate spying in the UK. The draft Investigatory Powers Bill, introduced by Home Secretary Theresa May, seeks to do many things, particularly gathering up powers already contained in a lot of different existing laws and subjecting them all to a coherent oversight procedure. Most of the discussion generated by these proposals has been about the implications for liberty. But there is another and related dimension that should be considered, and that is the potential for the Bill to harm the economy.

Whatever form the final Investigatory Powers Act takes, some kind of spying bill will have to be enacted by the end of next year as the main existing legislation covering digital surveillance (the Data Retention and Investigatory Powers Act) expires at the end of 2016. The government’s stated intention is to have a single package of measures in place that updates that and a lot of other disparate powers and practices that have gradually emerged into the light of day over recent years, such as the activities of the security and intelligence agencies in hacking computers and smartphones, and gathering large scale ‘bulk’ information at both an individual and group level.

As the Bill itself admits, there are now so many surveillance powers in the UK that it is ‘difficult to be sure that the Bill identifies and amends every power,’ although that is the intention. But in the process the powers of the state to seize and analyse private information are being expanded, adding to what is already Europe’s most intrusive government surveillance system. There are some signs that the existence of such extensive powers – however they are actually used – may have a negative effect on investment in UK industries that rely on secure digital technologies (in other words, most of the economy).

Businesses – like individuals – do not care to have governments wielding sweeping powers over the information they hold, and in particular they do not like large numbers of government departments or (in the phrase of the draft Bill) ‘public bodies’ having access to that data, not least because every additional key holder increases the vulnerability to breaches of data security.

Unlike individuals many businesses can shift jurisdiction with ease, and these concerns are already apparent in the way that US technology companies that hold large amounts of user data are reorganizing their operations to move data banks out of the US, in response to customer fears about the intrusive powers of the US National Security Agency. Last month, for example, Microsoft announced a deal with Deutsche Telekom that will allow the US company to move much of its customer data to servers in Germany, with the intention of putting it out of the reach of US security agencies.

Other companies are likely to follow Microsoft; the US Information Technology and Innovation Foundation, an independent think-tank, recently estimated that US technology companies could lose tens of billions in sales due to customer fears over US government surveillance, adding that for international companies foreign surveillance laws are now the deciding issue when it comes to where companies store data. The Foundation points out that in addition to Microsoft, other companies including Cisco, Qualcomm, IBM and Hewlett-Packard have recently reported lost sales due to concerns about data security in the US. Companies outside the tech sector are also affected; for example, Boeing recently lost a Brazilian contract to replace fighter aircraft due to similar concerns.

In many ways the draft Investigatory Powers Bill is an attempt to address such commercial concerns, by making digital surveillance in the UK more transparent, and also by allaying fears that the UK government will attempt to control all encryption of data (although the Bill does include continued powers to force communications companies to unpick their own encryption if the government requests it). But by increasing the volume of data that official bodies can acquire, it is possible that the Bill may end up doing the opposite of what is intended.

It is no easy thing to summarise what the government proposes. The draft Bill including preface, guide and notes runs to 296 dense pages, and the supplementary materials add another 224 pages. The Bill itself is the result of recommendations from three separate reviews of the UK’s surveillance laws, and unsurprisingly the result is a draft that includes a bit of everything, from procedures for acquiring routine data sets like electoral rolls, to rules for spooks charged with breaking into the computers of individuals and organizations.

Amongst all of this detail, two things stand out as new. The first is that the legislation will for the first time explicitly legalise and regulate the capture of large scale sets of data such as communications data (records of who communicated with whom, and how, and when, although not necessarily what they said), without the need for the investigating agencies acquiring the data to know exactly who or what they are looking for in advance. These are the so-called ‘bulk powers’ (not to be confused with the proposals on ‘bulk personal datasets’ which cover unglamorous matters like digital telephone directories).

Secondly, communications companies will have to keep and potentially make available a 12-month set of the Internet connection records of any person or organisation in the UK that uses the Internet. The government has made much of the fact that Internet connection records do not constitute a full record of Internet activity, but in fact the Bill allows that security agencies can make specific requests (in addition to the general record-keeping requirement in the Bill) for data that does amount to a full record.

Both of these innovations mean that government agencies will have legal powers to hold much more private information than before. Although the Bill proposes additional limits on whether they can actually analyse this data (depending on who the data relate to, whether or not the relevant individuals are in the UK, and whether there is a clear operational purpose to the analysis), these do not much alter the inherent risk of large data sets being held by a range of public bodies.

There remains uncertainty over who in government will be able to access the data that the draft Bill covers. In certain cases there are stated limitations on the use of data by local authorities, for example, suggesting that where there is no specific limitation then local authorities and many other bodies may have access to at least some data.

The purposes of the UK’s entire digital surveillance arrangements are described as law enforcement, security and intelligence, a definition so broad that in principle data could be accessed, by almost any, UK public body. And public bodies in the UK do not have a great record of digital security. If history is any guide, the more data they hold, the more they are likely to lose, and the greater the risk of sensitive data – including commercially sensitive data – leaking into the wrong hands.

These are not idle fears. The list of UK government departments and official organisations that have suffered significant data breaches in recent years is a long one. Various NHS trusts and individual hospitals are the most frequent offenders, along with local government bodies. But there have also been data security failures at the Ministry of Justice, the Department of Work and Pensions, the Ministry of Defence, the Foreign Office, the Serious Fraud Office, and amazingly enough the Information Commissioner’s Office, the body that is supposed to oversee data protection in the UK.

These data breaches have typically involved either lost disks or memory sticks containing unencrypted data, although there have also been cases of data accidentally being distributed by email. They have not involved direct access to large-scale officially-held databases, either through online hacking or the loss of physical storage devices that happen to contain access keys to online databases, although such losses would represent the ultimate data security nightmare scenario. That such losses are possible is very clear: if teenage hackers can break into the online databases of internet service providers such as TalkTalk – companies that have a strong commercial incentive to secure their data – then it is difficult to be optimistic about the chances of sluggish official departments keeping safe the oceans of data that the draft Bill would put in their hands.

This is a concern for any business that holds data it regards as commercially sensitive – and that really means all businesses. Information companies in Europe and Asia are already using their claimed ability to avoid official US digital surveillance as marketing tool. The US is not highly trade-dependent, and perhaps it can afford to make itself unattractive to international companies. The UK does not enjoy that option. If it joins the US as the place that businesses with valuable data need to avoid, the economic consequences could be dire.

CapX:  http://bit.ly/1RkhIKG

« Malware Mixed Into A Cyber Threat Cocktail
Encrypt A Message In the Big Bang Afterglow »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Radware

Radware

Radware is a global leader of application delivery and cyber security solutions for virtual, cloud and software defined data centers.

Momentum

Momentum

The Cyber Security team at Momentum offers a professional and specialist recruitment service across Cyber & IT Security.

Apcon

Apcon

Apcon's mission is to provide valuable network insights that enable security and network professionals to monitor, secure and protect their data in both physical and virtual environments.

NPCore

NPCore

NPCore is specialized in defense solution against unknown APT and Ransomware and provides two-level defense on network and endpoint based on behavior.

Kiuwan

Kiuwan

Kiuwan provide software security solutions with SAST and SCA source-code analysis that fit into your DevOps process.

DigiSec360

DigiSec360

DigiSec360 is a technology firm focused on the human element of cybersecurity.

Netsurion

Netsurion

Netsurion powers secure and agile networks for highly distributed and small-to-medium enterprises and the IT providers that serve them.

Nucleon Security

Nucleon Security

Nucleon Endpoint Detection and Response EDR is the most effective way to protect the value created by your organization against any threat.

Speedinvest

Speedinvest

Speedinvest is one of Europe’s most active early-stage investors with a focus on Deep Tech, Fintech, Industrial Tech, Network Effects, and Digital Health.

NWN Corp

NWN Corp

NWN Corporation is a leading Cloud Communications Service Provider (CCSP) focused on transforming the customer and workspace experience for commercial, enterprise and public sector organizations.

RevealSecurity

RevealSecurity

RevealSecurity's TrackerIQ detects malicious activities in enterprise applications.

RiskSmart

RiskSmart

RiskSmart empower risk, compliance, and legal teams with a tech-led and data-driven platform designed to save time, reduce costs and add real value to businesses.

Bluefin Payment Systems

Bluefin Payment Systems

Bluefin is the recognized integrated payments leader in encryption and tokenization technologies that protect payments and sensitive data.

Abacus Group

Abacus Group

Abacus Group is a global IT services firm for alternative investment firms, providing an enterprise technology platform specifically designed to meet the unique needs of financial services.

Third Wave Innovations

Third Wave Innovations

Third Wave Innovations (formerly RCS Secure) offers a full spectrum of cybersecurity safeguards and IT services.

HTX (Home Team Science & Technology Agency)

HTX (Home Team Science & Technology Agency)

HTX brings together science and engineering capabilities to transform the homeland security landscape and keep Singapore safe.