The European Court of Justice (ECJ) has just clarified that the collection of bulk data from telephone calls and emails – such as that within the IP Bill – is only legal if law enforcement agencies use it to tackle ‘serious crime’. Security experts at MIRACL and AlienVault commented below about what this means for privacy and security in the UK.
Brian Spector, CEO at MIRACL:
“It’s great that the EU’s highest court is questioning the legality of the IP Bill with more scrutiny and conviction than our MPs did back in March. However there are still plenty of grey areas, such as what is ‘proportionate’ in terms of data retention and exactly which cases are considered to be ‘serious crime’. The Home Office has a chequered past when it comes to exploiting loosely worded legislation, and with Theresa May – the poster girl for UK surveillance – as Prime Minister, it’s difficult to see how this will change.
“Unfortunately, allowing any kind of bulk data collection will weaken the very products and standards that we all use to protect ourselves. The government believes that it can manipulate security in such a way that only they can take advantage of that subversion. But this is a fallacy. The same technologies, standards and products are used by everyone, so we either allow everyone to spy on everyone, or prevent anyone from spying on anyone. If we insert vulnerabilities, we weaken security for everyone. The same vulnerabilities used by intelligence agencies to spy on global citizens can also be used by criminals to steal your passwords. We either enable spying – by either governments or hackers – or we defend against it.
“Given that most people now place all their personal data online, the IP Bill would grant enormous surveillance capabilities to the government. If the legislation proceeds, it could undermine trust in the Internet as a whole, from service providers, to device manufacturers, to the apps we use as part of our everyday lives. But it also has serious implications for tech companies who, under the proposals, would be legally bound to help UK police and security services access an individual’s device. In addition, any software made by a British company could soon be perceived to be facilitating government spying on its customer’s data. This could have enormous repercussions by making it much harder for British technology and information security companies to compete globally. Given that many technology companies based in the UK are already worrying about their ability to conduct business in light of the Brexit vote, the IP Bill being brought into effect could be the final straw that convinces them to move their businesses to other countries such as the Netherlands, Switzerland and Luxembourg, which have a more supportive approach to encryption.”
Javvad Malik, Security Advocate at AlienVault:
“It’s an interesting opinion delivered by the Advocate General and one to keep an eye on to see how it pans out.
“This doesn’t necessarily change anything from a technical perspective on how the data is collected or stored. What it does to is introduce safeguards into ensuring the data is only used where appropriate for serious crime.
“The key principle being applied here is one to safeguard the privacy of individuals.
“However, the definition of serious crime is one that will likely be debated and interpreted differently depending on circumstances. Whatever the definition is, there should be an element of accountability and transparency built into the process to ensure powers are not being abused. Similar to how companies like Google or Microsoft present their transparency report annually that discloses how many requests for data came from law enforcement across the globe.
“For the UK, the implications will not be fully realized until the Brexit process has been undertaken. Depending upon the agreements put in place, it could be that European privacy laws will remain somewhat unchanged in their impact on the UK, or alternatively, they could mean nothing altogether.”
Further information on this story can be found here:
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.