The House of Lords has passed the Investigatory Powers Bill, putting the huge spying powers on their way to becoming law within weeks. The bill forces internet companies to keep records on their users for up to a year, and allows the Government to force companies to hack into or break things they’ve sold so they can be spied on. IT security experts from ESET, Comparitech.com, Lieberman Software and Blancco Technology Group commented below.

Mark James, Security Specialist at ESET:

“For me one of the biggest concerns here is the wealth of data that is being harvested by the internet companies and how they are going to store and protect it. For instance, if they were to get hacked, the intruders would have a lot of information available for them for very little effort. If companies are going to be forced to store all this information then we need an enforceable level of protection to keep it safe.

The modern day fight against cybercrime is a lot different than traditional warfare; attacks can happen at any time, from anywhere in the world in theory and in some cases require almost no effort from the attacker. So using internet resources to track, monitor, anticipate and combat these criminals is a must these days but safely storing that information needs to be of utmost priority.

There will always be people on each side of the fence when it comes to privacy and what is perceived to be stored and monitored. Protecting our personal data to achieve a level of anonymity is becoming harder and harder as our daily digital lives are distributed throughout the internet and stored on servers over which we have no control or say in their security levels or procedures.”

Lee Munson, Security Researcher at Comparitech.com:

“For those people saying they have nothing to hide, and hence nothing to fear, the passing of the Investigatory Powers Bill into statute will be something of a non-event.

Privacy advocates, and an increasing proportion of the rest of the population, may well be concerned, however, that the so-called ‘Snooper’s Charter,’ for so long championed by new Prime Minister Theresa May, has now been passed by the House of Lords.

It means law-abiding citizens across the country could now see their web browsing history stored for a year, and GCHQ and others will be able to intercept online communications with ease, and what appears to be very limited oversight.

So, whether citizens have anything to hide or not is no longer for them to decide – their government will do it for them.”

Jonathan Sander, VP of Product Strategy at Lieberman Software:

“The Investigatory Powers Bill demonstrates yet again that law – and law makers – have an extremely difficult time keeping up with technology and making constituents well informed. There are two striking aspects to the Investigatory Powers Bill. The Bill managed to keep in the secret back door provisions, which on paper would mean manufacturers of mobile phones and other tech would need to build in a secret key for government spies. If I listed all the spy movies and novels based on the “bad guys get the powerful thing only the good guy government was supposed to have” plot device, it would take all day. If there is a magic key and even if we assume the government itself will not abuse it, we still must assume the bad guys can steal it.

Add to this the fact that it’s likely to be ineffectual. People who really want protection will just use apps that weren’t built in by the manufacturers and that don’t have the back door. Then only the uninformed, average user is vulnerable. The other striking thing about the Investigatory Powers Bill is that, like so much other law in cybersecurity, it ignores current thinking on what really reveals terrorist cells and operations. If the recent success in thwarting plots has shown us anything, it’s that the machine learning and data science studying metadata – who called or texted whom but not the contents of these conversations – has the power to out the bad guys. The Bill will strengthen this program, but it missed the chance to double or even triple those efforts to yield the data we really need: who exactly the bad guys among us are.”

Richard Stiennon, Chief Strategy Officer at Blancco Technology Group:

“Britain’s Investigatory Powers Act is counter to the spirit of the EU GDPR, which attempts to prevent the indiscriminate collection of data on individuals. For an organization to be in compliance with both the Investigatory Powers Act and the EU GDPR, it will have to notify subscribers of the type of data being collected and its intended purpose. It will also have to make that data available in a machine-readable format. The biggest conflict with EU GDPR is that a user cannot make a request based on the ‘right to erasure’ for data younger than 12 months.

The new Act, passed by both houses of parliament and awaiting the Queen’s approval, will require ISPs to keep logs of all websites visited by UK citizens for 12 months and which websites were visited but not the particular pages and not the full browsing history. It allows police and intelligence officers to see the Internet connection records, as part of a targeted and filtered investigation, without a warrant. It’s pretty much the modern equivalent of looking at a borrower’s history of books taken out of the library.

In addition to web logs, the bill gives law enforcement access to records of emails, calls, and texts. Even postal mail may be opened by law enforcement without a warrant. It also requires software vendors and communications companies in the UK to provide backdoors to encryption schemes, although no technical details of how this can be safely accomplished are provided.

The Act makes it illegal for a company to reveal when these types of surveillance have been used. One of the repercussions of the Act is that it will reduce trust in UK telecoms and equipment vendors.”

Information Security Buzz