The House of Lords has passed the Investigatory Powers Bill, putting the huge spying powers on their way to becoming law within weeks. The bill forces internet companies to keep records on their users for up to a year, and allows the Government to force companies to hack into or break things they’ve sold so they can be spied on. IT security experts from ESET, Comparitech.com, Lieberman Software and Blancco Technology Group commented below.
Mark James, Security Specialist at ESET:
“The modern day fight against cybercrime is a lot different than traditional warfare; attacks can happen at any time, from anywhere in the world in theory and in some cases require almost no effort from the attacker. So using internet resources to track, monitor, anticipate and combat these criminals is a must these days but safely storing that information needs to be of utmost priority.
There will always be people on each side of the fence when it comes to privacy and what is perceived to be stored and monitored. Protecting our personal data to achieve a level of anonymity is becoming harder and harder as our daily digital lives are distributed throughout the internet and stored on servers of which we have no control or say in their security levels or procedures.”
Lee Munson, Security Researcher at Comparitech.com:
“Privacy advocates, and an increasing proportion of the rest of the population, may well be concerned, however, that the so-called ‘Snooper’s Charter,’ for so long championed by new Prime Minister Theresa May, has now been passed by the House of Lords.
It means law-abiding citizens across the country could now see their web browsing history stored for a year, and GCHQ and others will be able to intercept online communications with ease, and what appears to be very limited oversight.
So, whether citizens have anything to hide or not is no longer for them to decide – their government will do it for them.”
Jonathan Sander, VP of Product Strategy at Lieberman Software:
“Add to this the fact that it’s likely to be ineffectual. People who really want protection will just use apps that weren’t built in by the manufacturers that don’t have the back door. Then only the uninformed, average user is vulnerable. The other striking thing about the Investigatory Powers Bill is that, like so much other law in cybersecurity, it ignores current thinking on what really reveals terrorist cells and operations. If the recent success in thwarting plots has shown us anything, it’s that the machine learning and data science studying Metadata – who called or texted whom but not the contents of these conversations – has the power to out the bad guys. The Bill will strengthen this program, but it missed the chance to double or even triple those efforts to yield the data we really need, who exactly the bad guys among us are.”
Richard Stiennon, Chief Strategy Officer at Blancco Technology Group:
“The new Act, passed by both houses of parliament and awaiting the Queen’s approval, will require ISPs to keep logs of all websites visited by UK citizens for 12 months and which websites were visited but not the particular pages and not the full browsing history. It allows police and intelligence officers to see the Internet connection records, as part of a targeted and filtered investigation, without a warrant. It’s pretty much the modern equivalent of looking at a borrower’s history of books taken out of the library.
In addition to web logs, the bill gives law enforcement access to records of emails, calls, and texts. Even postal mail may be opened by law enforcement without a warrant. It also requires software vendors and communications companies in the UK to provide backdoors to encryption schemes, although no technical details of how this can be safely accomplished are provided.
The Act makes it illegal for a company to reveal when these types of surveillance have been used. One of the repercussions of the Act is that it will reduce trust in UK telecoms and equipment vendors.”