It doesn’t feel that long ago that the information security community were bemoaning the lack of attention they received from the government, national press and wider public. No danger of that happening now, is there?
Data protection, privacy and surveillance are leading front pages and parliamentary debates, particularly after recent high-profile incidents such as the Sony Pictures hack and internet snooping by the intelligence services.
The Paris terror attacks have brought widespread calls from politicians for greater powers to monitor our internet activities, countered by privacy campaigners pointing out the terrible irony of terrorism causing a reduction in our civil liberties.
David Cameron’s naïve and careless call to outlaw “communication between people which we cannot read” has rightly led to criticism of what would be a technically unfeasible and highly dangerous attempt to ban encryption.
I can remember writing nearly 15 years ago that privacy would be the defining challenge of the internet era, and so it has proved.
Nobody can argue that targeted electronic surveillance is anything but a good thing for fighting crime and terrorism, but blanket recording of all our communications – even if it is only the metadata – on the basis that the data is stored “just in case” is self-evidently a step too far in a liberal democracy.
When the Regulation of Investigatory Powers Act (RIPA) was passed in 2000, many observers warned that its loose language and broad powers could be misused. Politicians assured us that no such thing would happen, relying on the common sense and altruism of the authorities.
Fifteen years later, we have seen how the law has been abused, just as those experts warned, with councils citing RIPA to snoop on parents trying to get their children into schools outside their catchment area, and the police using it to uncover journalists’ emails and expose their legitimate sources.
Let’s not forget too, that the French authorities already have greater surveillance powers than the UK, and it was still not enough to prevent the Paris attacks by known extremists.
There is no easy solution, and none will be found in knee-jerk reactions or a tribal approach that creates a binary debate when nuance is needed. Both politicians and public need to understand the arguments and issues, and to reach an informed consensus on how best to balance privacy and national security. That debate is not currently taking place, and more education and awareness are needed before it can be conducted sensibly and fruitfully.
This, then, is the opportunity for the information security community. They are, finally, in the centre of the debate they have always called for. They need to lead, to educate and to listen – and most importantly, we and the UK authorities need to listen to them.