Initially introduced in 2012 and successfully blocked by the Liberal Democrats for the last four years, the Draft Communications Data Bill, colloquially known as the Snooper’s Charter, is being tabled yet again by the Conservative Party.
The highly controversial bill is well intentioned. Proponents of the bill say that it is needed to meet the security needs of the nation in the face of the quickly evolving cyberspace and communication technologies. The countermeasures that currently exist are barely able to contain known threats and vulnerabilities let alone the dozens to hundreds of new threats being concocted on a daily basis.
Detractors on the other hand believe that personal rights and people’s privacy will be infringed should the Snooper’s Charter receive the stamp of approval. Ironically, the steps to reduce risk of cyber-attacks and breaches as stipulated in the Snooper’s Charter also leaves businesses and people open to other types of risk.
This dichotomy has polarized the issue within the government, the media, the corporate space and in the general public.
But what does it really mean for businesses and people if or when it is passed? How are the defenders of the bill correct? And why are the detractors of the Snooper’s Charter right to worry?
To gain a better perspective it is prudent to first examine the bills call-to-action’s which mainly centers around CSPs. Communications Services Providers (CSPs) are companies who are in the business of transmitting electronic messages. This basically means any and all telecommunications companies and internet services providers operating or conducting business within the UK. The bill will force such companies to not only retain communications data for a significantly longer period of time, but will also grant law enforcement and select public authorities access to said data. The reason for all of this, it is said, is to aid investigators and agencies fight or prevent crime and acts of terror.
This essentially means that the law enforcement and intelligence agencies will be given free reign to every phone conversation (which would be recorded and available for playback), file transmitted (via the internet) and email sent. This is not limited to just the body or content of the file or email but also includes details such as the identities of both sender and recipient, time sent and also the potential location of both parties.
The onus would fall to the CSPs to not only setup the infrastructure and implement the strategies required by the bill, but to also store the vast amount of data generated by their users every day. The dozens of hours of phone calls, hundreds of files transferred and untold amounts of emails for each user must be stored, replicated and secured somehow. For many opponents of the Snooper’s Charter, herein lies the rub.
In the world of cybersecurity there is an adage which goes something like, “There are two sorts of organisation: those who have been hacked and those who just don’t know it.”
The point being is that everyone, at some point, will suffer a breach of some sort. Not may suffer a breach, but will suffer a breach. Gone are the days of opportunistic hackers who will demonstrate their coding proficiency by penetrating a classified or highly secured site just for the admiration and high fives of their peers. No, today’s cybercriminals are consummate professionals. Were they working in a bank or law office or engineering firm, you would never notice their presence on the street. These days they belong to organised crime rings, “cyber armies” that are created and sponsored by hostile states or identify as hacktivists. These parties specialise in the penetration of even the most stringent security protocols and the acquisition of the data being protected.
Usually CSPs retain user generated data for 30 days, but most keep them for around 90 days, with some performing the rate one-year retention. However, are CSPs forced to retain data for longer periods of time than those mentioned they essentially create a reservoir rich in mineable data that it practically attracts and begs hackers to attack it. Very strong cybersecurity measures do exist and they are already in use, however there is no such thing as an impregnable cybersecurity. Hackers have two things going for them; the element of surprise, for you never know when a cyberattack will be launched, and time. Cybercriminals are surprisingly patient. They will test and probe defenses for weaknesses and vulnerabilities, once they find one they will wait for the most opportune time. Basically, they want the “biggest bang for their buck” and are waiting for a critical amount of data to be present before launching an assault on the CSPs database, server or devices.
For CSPs this is a terrible event. They have to deal with the breach, devise and implement a patch and then deal with the PR fallout. In the meantime, businesses and users have to may have had their information stolen without them ever knowing it. And a cyberattack is only one way that the data can be compromised. A prominent strategy for cybersecurity is the practice of keeping only the most necessary pieces of information for the shortest amount of time necessary. This way, exposure to and likelihood that it will even be compromised will be kept to the most absolute minimum. A major problem with the Snooper’s Charter is that it opens the potential for a great deal of exposure. This will exponentially increase the likelihood that the data will be lost, stolen, corrupted, damaged, destroyed or accessed accidentally.
For a businesses, such an event can be devastating. The storage or redundant information is usually considered a good idea by laymans, going with the “more is better” attitude. However, those who live and breathe information security see the availability of too much information as a costly and risky practice for an organisation with little to no reward. For most businesses the order of the day would be to delete or destroy as much non-critical data as possible to decrease exposure in the event of an attack. The Snooper’s Charter, however directly opposes this highly logical practice.
Needless to say, many individual users have likened the bill to the invasion of their privacy. After all, their every phone call, every email and every file sent will be kept on record. Even the most upstanding citizen may find this amount of surveillance unsavory. But that is on a personal level, what one individual personally communicates to another. When you step back and look at how an individuals personal information is handled by different organisations, however, things look even worse. Companies often share user and customer information with each other, this includes telecommunications companies, medical practices, insurance companies and a host of other professional practices. All that personal information, since it was sent through the internet is being collected. So it’s not just a person’s conversation or files that are being made known to law enforcement and intelligence agencies, but also medical records, addresses, employment history, even their content on social media and browser history are also being indexed.
Everyone wants to be protected and secured against crime and terrorism but the cost may be the erosion of their privacy.
In the face of the Draft Communications Data Bill what is a business or an individual to do? Fortunately, in 1998 the Data Protection Act (DPA) was passed. Created to protect user data from being exploited, the act imposed fines for companies who failed to safeguard the information of its customers and users. It also limited the amount of information that a company can collect. Even employees received protection as their communication within the workplace was granted privacy. With fines ranging from £5,000 (GBP) to £500,000 (GBP) companies were quick to fall in line.
Unfortunately for CSPs, this puts them in between the possible hammer of the Snooper’s Charter and the anvil that is the DPA. To make things worse there are regulations in the pipeline within the EU which penalises companies up to €100 million (EUR) should they fail to comply with security guidelines and protocols. Without a doubt all parties involved has the security of information in mind. But the real issue seems to be the costs involved. For CSPs there is the all too real financial costs of setting up the infrastructure and implementing the data collection that the Snooper’s Charter requires. Then there is navigating the treacherous waters with the DPA (which to this day has not been amended). Businesses, will have to entrust their data with CSPs and hope that a breach and subsequent data loss will not occur. But, in the event of the worst case scenario they may have to face a PR nightmare, loss of reputation, the ire of their customers and financial ruin, to start. The public, on the other hand, has the most to lose; their identity (so to speak) and their privacy.
Whether you want to call it the Draft Communications Data Bill or Snooper’s Charter, the fact is that it is and may forever be contentious subject. Is the protection of a nation worth the loss of privacy for its citizens? Who will, in the end, shoulder the cost? And, does the bill offer real protection from crime and terror, or does it just open more doors for disaster? This issue, it seems, currently offers more questions than answers. One thing is for certain, a solution is required, but people’s lives should also be respected.