The Snoopers Charter: The good, the bad and the ugly

The Investigatory Powers Act, commonly known as the Snoopers Charter, has been controversial since it was first discussed in Parliament by the then Home Secretary, Theresa May, in 2015. It has continued to make headlines since, most recently because the European Court of Justice ruled that key aspects of the Investigatory Powers Act are unlawful, especially the “general and indiscriminate retention” of emails and electronic communications. However, many feel that the Act’s real purpose is to grant the government the legitimacy to continue doing what it is already doing – snooping. 

The sheer level of data the Government will have access to and the ramifications for the privacy of individuals are terrifying for many. Under the charter, the Government can request a year’s worth of records from internet service providers, revealing a customer’s internet history and other communications data. In theory the Government can’t see the ‘content’ of the pages, although in practice the distinction between ‘communications data’ and ‘content’ is very blurry for modern web apps. 

For some, allowing the Government access to such data is an invasion of privacy, while others feel that if the Act can protect individuals from criminals, then the potential invasion of privacy is worth it. There is no right answer, but ultimately, individual users should have freedom online and, at the same time, reasonable expectations of privacy.

Just like most citizens, technologists differ greatly in their opinions on how to make the trade-off between citizens’ rights to privacy online and the Government’s desire to protect all citizens from terrorists who coordinate online. But most technologists share some very specific concerns about the Act.

Concerning legislation 

The ambiguous and non-specific language used in the Investigatory Powers Act is a key concern. Many aspects of the Act can be interpreted in a number of ways, and the weak definitions in it could lead to its abuse. For example, the Act defines the type of company that is required to retain customer data as a ‘telecommunications operator’. But the definition of a ‘telecommunications operator’ is so loose that it could include any company that passes data between two or more devices as long as one is located within UK borders.

In practice, it is very hard to see how the Government will enforce the Act on companies like WhatsApp or Google, which operate their communications services entirely outside the UK. This could result in an unfair competitive disadvantage, costly compliance, and the risk of severe penalties for UK-based ISPs.

Another, more practical, concern is the safe and secure storage of data. The potentially vast volume of data that service providers are now required to store presents a significant opportunity to cyber criminals, and many will already be planning how they can steal it for monetary gain. This places a huge burden and costly responsibility on ISPs.

What happens when they’re hacked? 

Government advisers claim that there will be very strict controls on storing and securing the data. However, as we have all learnt, there is no such thing as guaranteed security. For instance, the revelations about TalkTalk, where records of 157,000 customers were stolen, show that ISPs can easily fall victim to an attack. And ISPs will become even bigger targets for cyber criminals once this Act is enforced.

And when they are hacked – which they will be – ISPs will not only face reputational damage, but also very heavy fines. Once the Information Commissioner’s Office comes into line with the new GDPR regulations, due to be enforced on any breach after May 2018, fines may increase to up to four per cent of a company’s global revenues. The fine for TalkTalk might have been as high as £70M under that new regime, far higher than the already record fine of £400K that the ICO imposed.

What about backdoors?

Another major, worrying issue for the industry is “backdoors” – in other words, ways for tech companies to provide government agencies with special access to otherwise encrypted or protected customer data. As part of the original announcement of the new bill, Theresa May specified that there would be no requirement on technology companies to provide access to their customers’ encrypted data. Unfortunately, no mention of this was made in the Act itself, nor of encryption at all – the Government has tried to avoid the issue. Sophos remains vehemently opposed to backdoors: read about it here.

Competent commissioners 

And finally, are the appointed “Judicial Commissioners” who have the power to grant warrants for accessing data, “equipment interference” (hacking to you and me) and so on, likely to be sufficiently tech savvy and conscious of our current and complex technological advances to make sensible decisions in the public interest? Would they be able to distinguish a cybercriminal from a rogue officer extracting far more personal data than they should and using it for nefarious means? The answer is probably no. It’s really concerning that those taking charge in the decision-making process are unlikely to be subject matter experts.

Should IT professionals worry?

Despite all these concerns, there is little that the average UK business can do about them now that the Act is in place, other than perhaps worry needlessly. One practical step would be to ensure that your ISP is one that takes the security of your data very seriously.

But for the average business, focusing on keeping your own data safe as you transact online is far more important than worrying about Government snoopers.

Here are some areas that businesses can focus on to tighten their security:

  • Patch, patch, patch. Always update every piece of software you use. Eighty per cent of successful hacks start by exploiting legitimate software that has not been updated. The easiest way is to update automatically to the latest version, and give up any illusion of control, especially on end-user machines. While it’s obvious advice, very few organisations manage to do it.
  • Tighten network security, on premises and in the cloud. Ensure that your firewalls are up to date and give you visibility and control of the applications and web services your employees are using. If your servers have moved to the cloud, make sure your security hasn’t been left behind – you can run modern next-generation firewalls in the cloud too.
  • Secure all endpoints, not just Windows. The iPhone or Android in your pocket is a fully capable computer, and your employees are using theirs to access work documents and data, whether you like it or not. Take control with an MDM or “EMM” solution and enforce at least the basics of security, such as a long passcode to cover for the device being lost.
  • Encrypt your devices and even your files – it won’t hurt as much as you think. Ensure you turn on the built-in disk encryption in your computer – BitLocker in Windows, FileVault 2 on Mac. Simple management tools can help you handle the common concerns of dealing with forgotten passwords and proving to the boss or auditor that the lost device was in fact encrypted.
  • Move to the next generation of endpoint protection / anti-virus. Deploy “next-generation” endpoint protection software that goes beyond just blocking malicious executables and blocks the techniques, such as exploits against legitimate software and script-based ransomware, that modern hackers use.

John Shaw, VP Product Management, Sophos
Image Credit: Jeremy Reddington / Shutterstock