The speed with which the government has fast-tracked the DRIP bill, circumventing the democratic process; and indeed the manner in which the House of Lords has passed it into law (without a vote) is staggering! Clearly a knee-jerk reaction to the European Court of Justice’s recent ruling that the EU’s data retention policies for phone and internet companies are too broad, one cannot but help question the government’s rationale and even understanding of the digital challenges the world faces.
Much of the debate around DRIP has centred on how much the state should be allowed to know about us, but it is not just the state that would like to know who we have called, emailed, or instant-messaged.
Cyber criminals and hacker groups are frequently targeting phone and internet companies in search of this information with increasing success. In fact, it is big business – a recent report estimates that the cost of cyber crime for the global economy is £266 billion annually with cyber espionage and personal information of individuals being stolen having affected more than 800 million people during 2013 alone. I suspect the DRIP Act potentially makes it easier for cyber-criminals to access such lucrative data.
Clause 4 of DRIP forces foreign internet or phone companies with UK customers to comply with interception warrants, store personal data outside of the UK in data centres around the world where it could be exposed to greater risks from hackers. This means that more information to be stored, processed, accessed, backed up and deleted with increasing number of people having either access or control over it. The more people involved, the more steps involved, the more likely that an accidental breach or disclosure may occur: it is not inconceivable that such capabilities will be attractive to criminals.
Also, with the international nature of the law placing requirements on foreign companies to store data on UK nationals, do we know the level and type of protection those foreign organisations have in place to protect the stored data?
From a data protection standpoint, what is the applicability of local or UK data protection law, what type of security controls are required to protect data, supplier/customer relationships and what measures exist to gain legal redress should a breach occur? All these questions are unanswered.
Extension of RIPA
Furthermore, the bill extends the provisions within RIPA for foreign organisations to build interception capabilities into their infrastructure: such capabilities are attractive targets for hackers and cyber criminals and access can often be gained through the compromise of user accounts or knowledge of manufacturer’s default passwords.
We have seen that even the biggest internet and phone companies are vulnerable to online attacks; in June 2014 hackers stole details about the date, time, duration of customer calls from telecoms giant AT&T, while Orange recently suffered a massive phishing attack when cyber criminals used promotional ads to steal the email addresses, phone numbers and birth dates of 1.3 million users.
Vitally, this Act extends RIPA’s definition of ‘telecommunications services’ to include webmail (possibly even including Instant Messenger and social media) – it increases the amount of our personal communications that must be saved, further widening the array of targets for hacker groups.
Including web mail is in the legislation's net means that all manner of companies that supply these services are included, not just the big telcos whom we expect to at least have a reasonable level of security in place. Webmail is now a cloud -based service for many and cloud security as we know is a variable beast: security lapses have led to a cloud service provider closing in recent weeks.
So our concern is not simply the amount of data being stored; it is the kind companies being required to store it. Potentially, we may see more frequent and devastating data breaches in the future.
UK data at the mercy of foreign laws and foreign intelligence agencies
The extension of RIPA includes a duty on foreign-based internet companies with subsidiaries in the UK to cooperate with UK surveillance requests. This raises disturbing legal questions over how that data will be protected in foreign jurisdictions that are not governed by our data privacy laws.
For instance, with overseas companies in foreign jurisdictions being forced to store more details of UK customers, who will be held responsible in the event of a data breach in those jurisdictions? It is estimated that the new DRIP Bill could increase the average cost of government surveillance by £8.4 million a year (partly due to the cost of paying ISP’s to store extra data), but if the UK government is paying for this storage, how does the UK government know that the data is being protected according to best practice?
This is not all. DRIP’s requirement that foreign companies comply with UK interception warrants may mean that more of our communications data will be retained in countries where it could be accessed by foreign states. We have already seen allegations that European customer data stored in US datacentres was given to the NSA by foreign companies including Apple and Facebook. The DRIP Act could make this even worse.
DRIP is not just about state surveillance; the true legacy reaches much further, with unintended consequences of making our data more accessible to intelligence agencies, governments, organisations and criminals across the globe. We will no doubt see the real outcome of this Act in the coming months, and I sincerely hope we don’t regret it. Once unleashed, attempting to reverse the consequences will be impossible and futile.
Sourced from Adrian Davis, Managing Director, (ISC)2 EMEA