8 December 2015

The true cost of surveillance

By

The Conservative government recently published proposals for new legislation to regulate spying in the UK. The draft Investigatory Powers Bill seeks to do many things, particularly gathering up powers already contained in a lot of different existing laws and subjecting them all to a coherent oversight procedure. Most of the discussion generated by these proposals has been about the implications for liberty. But there is another and related dimension that should be considered, and that is the potential for the Bill to harm the economy.

Whatever form the final Investigatory Powers Act takes, some kind of spying bill will have to be enacted by the end of next year as the main existing legislation covering digital surveillance (the Data Retention and Investigatory Powers Act) expires at the end of 2016. The government’s stated intention is to have a single package of measures in place that updates that and a lot of other disparate powers and practices that have gradually emerged into the the light of day over recent years, such as the activities of the security and intelligence agencies in hacking computers and smartphones, and gathering large scale ‘bulk’ information at both an individual and group level. As the Bill itself admits, there are now so many surveillance powers in the UK that it is ‘difficult to be sure that the Bill identifies and amends every power,’ although that is the intention. But in the process the powers of the state to seize and analyse private information are being expanded, adding to what is already Europe’s most intrusive government surveillance system. There are some signs that the existence of such extensive powers – however they are actually used – may have a negative effect on investment in UK industries that rely on secure digital technologies (in other words, most of the economy).

Businesses – like individuals – do not care to have governments wielding sweeping powers over the information they hold, and in particular they do not like large numbers of government departments or (in the phrase of the draft Bill) ‘public bodies’ having access to that data, not least because because every additional key holder increases the vulnerability to breaches of data security. Unlike individuals many businesses can shift jurisdiction with ease, and these concerns are already apparent in the way that US technology companies that hold large amounts of user data are reorganizing their operations to move data banks out of the US, in response to customer fears about the intrusive powers of the US National Security Agency. Last month, for example, Microsoft announced a deal with Deutsche Telekom that will allow the US company to move much of its customer data to servers in Germany, with the intention of putting it out of the reach of US security agencies.

Other companies are likely to follow Microsoft; the US Information Technology and Innovation Foundation, an independent think-tank, recently estimated that US technology companies could lose tens of billions in sales due to customer fears over US government surveillance, adding that for international companies foreign surveillance laws are now the deciding issue when it comes to where companies store data. The Foundation points out that in addition to Microsoft, other companies including Cisco, Qualcomm, IBM and Hewlett-Packard have recently reported lost sales due to concerns about data security in the US. Companies outside the tech sector are also affected; for example, Boeing recently lost a Brazilian contract to replace fighter aircraft due to similar concerns.

In many ways the draft Investigatory Powers Bill is an attempt to address such commercial concerns, by making digital surveillance in the UK more transparent, and also by allaying fears that the UK government will attempt to control all encryption of data (although the Bill does include continued powers to force communications companies to unpick their own encryption if the government requests it). But by increasing the volume of data that official bodies can acquire, it is possible that the Bill may end up doing the opposite of what is intended.

It is no easy thing to summarise what the government proposes. The draft Bill including preface, guide and notes runs to 296 dense pages, and the supplementary materials add another 224 pages. The Bill itself is the result of recommendations from three separate reviews of the UK’s surveillance laws, and unsurprisingly the result is a draft that includes a bit of everything, from procedures for acquiring routine data sets like electoral rolls, to rules for spooks charged with breaking into the computers of individuals and organizations.

Amongst all of this detail, two things stand out as new. The first is that the legislation will for the first time explicitly legalise and regulate the capture of large scale sets of data such as communications data (records of who communicated with whom, and how, and when, although not necessarily what they said), without the need for the investigating agencies acquiring the data to know exactly who or what they are looking for in advance. These are the so-called ‘bulk powers’ (not to be confused with the proposals on ‘bulk personal datasets’ which cover unglamorous matters like digital telephone directories). Secondly, communications companies will have to keep and potentially make available a 12-month set of the the internet connection records of any person or organisation in the UK that uses the internet. The government has made much of the fact that internet connection records do not constitute a full record of internet activity, but in fact the Bill allows that security agencies can make specific requests (in addition to the general record-keeping requirement in the Bill) for data that does amount to a full record.

Both of these innovations mean that government agencies will have legal powers to hold much more private information than before. Although the Bill proposes additional limits on whether they can actually analyse this data (depending on who the data relate to, whether or not the relevant individuals are in the UK, and whether there is a clear operational purpose to the analysis), these do not much alter the inherent risk of large data sets being held by a range of public bodies.

There remains uncertainty over who in government will be able to access the data that the draft Bill covers. In certain cases there are stated limitations on the use of data by local authorities, for example, suggesting that where there is no specific limitation then local authorities and many other bodies may have access to at least some data. The purposes of the UK’s entire digital surveillance arrangements are described as law enforcement, security and intelligence, a definition so broad that in principle data could be accessed by just about any public body in the UK. And public bodies in the UK do not have a great record of digital security. If history is any guide, the more data they hold, the more they are likely to lose, and the greater the risk of sensitive data – including commercially sensitive data – leaking into the wrong hands.

These are not idle fears. The list of UK government departments and official organisations that have suffered significant data breaches in recent years is a long one. Various NHS trusts and individual hospitals are the most frequent offenders, along with local government bodies. But there have also been data security failures at the Ministry of Justice, the Department of Work and Pensions, the Ministry of Defence, the Foreign Office, the Serious Fraud Office, and amazingly enough the Information Commissioner’s Office, the body that is supposed to oversee data protection in the UK.

These data breaches have typically involved either lost disks or memory sticks containing unencrypted data, although there have also been cases of data accidentally being distributed by email. They have not involved direct access to large-scale officially-held databases, either through online hacking or the loss of physical storage devices that happen to contain access keys to online databases, although such losses would represent the ultimate data security nightmare scenario. That such losses are possible is very clear: if teenage hackers can break into the online databases of internet service providers such as TalkTalk – companies that have a strong commercial incentive to secure their data – then it is difficult to be optimistic about the chances of sluggish official departments keeping safe the oceans of data that the draft Bill would put in their hands.

This is a concern for any business that holds data it regards as commercially sensitive – and that really means all businesses. Information companies in Europe and Asia are already using their claimed ability to avoid official US digital surveillance as marketing tool. The US is not highly trade-dependent, and perhaps it can afford to make itself unattractive to international companies. The UK does not enjoy that option. If it joins the US as the place that businesses with valuable data need to avoid, the economic consequences could be dire.

Richard Walker is a journalist and communications advisor to financial companies.