The headline arguments against proposals to require Telcos and ISPs to retain communications data to enable the security services to do targetted traffic analysis, (akin to that used to support on-line advertising or unravel botnets) fail to address the risk that unnecessarily retained and insecure data is a common start point for the systemic fraud that is now costing the UK more than defence and education added together.
There is an urgent need to update and rationalise the current jungle of UK and EU legislation which mandates the retention or deletion of data (including transactions and personal data, not just not message addresses and headings) according to how many angels are on the head of a regulatory pin. There is also a need to streamline and clarify the routines under which such data can be brought together in support of law enforcement, civil as well as criminal.
Ministers have been talking of “industry-led partnerships” against e-Crime for some time. Their officials now need to be ready to listen to what the new “leaders” have to say – including on how they can help win the war against terrorism without destroying an economically vibrant and democratically accountable on-line society.
The failure to listen and act accordingly is costing business (not just ISPs) £billions in compliance overheads and the UK and EU economies £tens of billions in taxable revenues as transactions and searches are routed via the US, Switzerland and other stable off-shore nations – where regulatory certainty and stability are given the priority they deserve.
The proposals concerning the mandatory retention of traffic data by Internet Service Providers need to be debated alongside those for the mandatory retention of transaction data by mainstream business (in case it is needed by a consumer protection regulator) because both are already being brought together by on-line search engines and retailers under contract law (the small print you “signed” when you downloaded that app or signed up to that “free” service) in support of behavioural advertising as well as of “footprint analysis” to reduce the risk of fraudulent transactions in your name. Some of those merged files appear secure. Others have already been looted by organised crime.
Attempts to separate out the different issues are disingenuous. I added a comment on my attempt to make an anonymous donation to Big Brother Watch to one of my blogs that added the issues of Copyright and its enforcement to the mix. I should perhaps add the footnote to that story. I handed a small wad of used bank notes to Nick Pickles over a coffee.
Last week I chaired a meeting of the Conservative Technology Forum on Ubiquitous Computing. We focussed on the positive side of chips with everything – e.g. cutting energy costs by 30 – 50% with intelligent devices, buildings and shared infrastructures. One of negative sides is the vast amount of data that will be generated – especially if all building circuits are fully loaded with dummy traffic to prevent traffic analysis being used to identify when they are unoccupied. If ISPs have to log all of this in case it might be needed by the surveillance services …
One of the EURIM activities of which I was most proud was the work we did to bring sense to the original debates over RIPA and Electronic Signatures: in the face of the near impossibility of drafting legislation that reflected what was actually wanted. The problem was not just that those fronting the policy had neither the security clearances nor the technology background to understand what was actually intended and how it was likely to be achieved.
I have been helping my successor assemble a EURIM – EIF policy study team to look at the actions necessary to enable economic growth within an effective Digital Single Market. The planning session on the organisation of joined-up scrutiny of the Draft EU Data Protection Regulations reinforced my conviction that we will only get a sensible discussion on these proposals if we widen the debate on their potential economic impact well beyond the Information Security/ISP/Techology community to include mainstream business users, beginning with Financial Services and On-line Retailers.
I personally believe that an update of RIPA, to remove the bureaucratic paperchases that get in the way of the identification and removal of IT-assisted malpractice (including bullying, stalking and fraud as well as terrorism) is essential. But we also need to recognise US experience that over 40% of notice and take down requests come from commercial rivals alleging IPR infringements. I believe we will not get legislation that is fit for purpose unless we have robust public debate, across the EU as well as in the UK. In that debate we have to recognise that data that is not secured and maintained is vulnerable to systemic abuse.
Businesses who take the security of high value customers seriously (as opposed to those who wish to use their profiles to sell advertising) are therefore likely to bring an even more “robust” set of attitudes to this debate than last time – when the breakthrough came after the Treasury finally appreciated that banks really were quietly moving operations to serve high wealth individuals out of the UK, having taken the opinion of Counsel and been told the practical impact of RIPA when juxtaposed with “Mutual Assistance” et al.
You may have noticed that the Chancellor announced £325 million in the budget with a target of removing £14 billion of Benefit Fraud. Those opposing these proposals should be looking not only at how they can and should be amended to achieve the stated objectives at lower cost but also to help improve our on-line security and privacy against all those others who are monitoring our communications in order to impersonate and defraud us.
I do urge those of you who are serious about seeking constructive ways forward to join the Information Society Alliance (EURIM). You no longer have the excuse that I am Secretary General. Dr Edward Phelps is running a far more collegiate organisation. A consequence is that next year I anticipate being able to watch him succeed on several issues where I failed. That will be because he will have got the members to do the work, instead of expecting some-one else to do so. It helps that major commercial players are beginning to appreciate the damage to their businesses that will occur over the next couple of years if they do not work together to get better policy at both UK and EU level.