The cost of security for UK business

The draft Investigatory Powers Bill to increase surveillance is already controversial, but there are growing concerns over the potential economic consequences

First announced during the Queen’s Speech in 2012, the Draft Communications Data Bill, as it was known then, was met with widespread criticism, before it was ultimately dropped during the coalition government in 2014.

With the Conservative party winning a majority government in the 2015 general election, the so-called “Snoopers’ Charter” has once more come to the fore. It was revealed during the Queen’s Speech on 27 May 2015 that a new Investigatory Powers Bill would “modernise the law on communications data”.

This was followed by the home secretary Theresa May announcing to the House of Commons that “the government would publish a draft bill for pre-legislative scrutiny by a joint committee of Parliament, with the intention of introducing a new bill early in the new year”. She went on to say: “Given the sunset clause in the Data Retention and Investigatory Powers Act 2014, the new legislation will need to be in place by December 2016.”

Through the Data Retention (EC Directive) Regulations 2009, service providers in the UK are already legally required to retain communications data – time, source, destination and duration of citizens' phone, text and email data – for 12 months. However, the government cites the ongoing threat of terrorism and child abuse as reasons for further extending this remit through the Investigatory Powers Bill.

While the bill is currently in development, there is an expectation that it will require greatly increased data storage and provisions for access to encrypted communications. The assumption is that telecommunications companies and internet service providers will be required to keep details of browsing activity, social media use, emails, voice calls and text messages. Since the government has not denied that either of these provisions will be included in this draft legislation, many have assumed they will be.

Economic impact of Investigatory Powers Bill

Despite the current threats to the UK, concerns are being raised by experts in the technology industry about the possible detrimental effects that the Investigatory Powers Bill could have on the economy.

Eris Industries and are two businesses that have recently decided to leave the UK, citing concerns over the far-reaching nature of this forthcoming legislation.

Preston Byrne, chief operating officer and general counsel of blockchain infrastructure company Eris Industries, says his concerns about the Investigatory Powers Bill stem from the implications that “these proposals would introduce the security state into the core of our business’s day-to-day operations”.

This would make doing business in the UK nearly impossible for Eris Industries, according to Byrne. “We expect the Investigatory Powers Bill to contain both requirements for state-mandated backdoors in our cryptography and onerous data-retention requirements,” he says.

Byrne decided that Eris Industries should leave the UK, as he believed it wasn’t worth spending what limited bandwidth it had on a “technologically illiterate piece of legislation”. He hopes that Eris Industries moving its headquarters to America will highlight the strength of his concerns.

Colin Tankard, managing director of secure data management company Digital Pathways, shares similar concerns about the effects that the Investigatory Powers Bill will have, specifically in regard to the data retention element.

To remain competitive, companies are naturally protective of their intellectual property, internal audit data and confidential information. Thus any attempts to intercept and/or store their communication data, regardless of the reasons behind these intercepts, will not be in the companies’ best interests.

Tankard believes that, should this legislation be introduced as is, companies will “move their data ‘crown jewels’ away from prying eyes, especially if they feel that government agencies are looking at it”.

This harvesting of sensitive corporate information will have grave consequences for the economy, as companies wishing to protect their data, such as those in the financial and technology sectors, will seek to move their headquarters to a new country. 

Such departures would, in turn, affect the economy, as millions in corporate tax would be lost, as well as the associated job losses.

Tankard is less concerned about the banning or controlling of encrypted communication. “Encryption in transit is difficult to crack, and just as complex to intercept as an open link,” he says, “so the bill seems weak in only focusing on this aspect.”

He also foresees a detrimental effect on online trade, as customers will be less inclined to conduct their banking online, or use other online financial services such as electronic tax return forms, if there are any concerns of inadequate protection. This could well result in companies needing to take a technological step back in regard to how this information is communicated, with human forms of interaction being re-introduced.  

Some, of course, may argue that this is a good thing, yet it would inevitably bring the possibility of human error back into the process.

Alternative methods of security

If such an act were to be enforced, Tankard believes this would give rise to alternative forms of communication security, rather than the existing passwords and PIN codes.

“Technologies such as pattern recognition for authentication are much simpler for a user to understand, more reliable than biometrics and cheaper than issuing hardware tokens such as the banks offer,” he says.

Another technology Tankard believes will come to the fore is server cloaking, which effectively hides the servers by making them go dark. “These systems then build communities of interest [to include only] those who are allowed visibility of the server, and hence access,” he says. “To the rest of the world there is nothing there, and you cannot hack what you cannot see.”

Tankard believes the Investigatory Powers Bill has not been adequately thought through. With its mandate of controlling encryption and retaining all communications data, those who are intended to be detected by this legislation will adopt home-grown encryption or different techniques for secure communication. “This measure would only be a temporary blip for the ‘bad guys’ and would only stop the small crime/amateur activists who have little resource,” he says. “But it would certainly hit ‘Joe Public’ greatly.”

Support for changes to data legislation

However, some companies have not only come out in favour of the forthcoming Investigatory Powers Bill, but claim it would hamper their performance if the legislation were not implemented.

“The implications are that [if the bill doesn’t go through], we will be severely restricted in doing our job in certain areas,” says Tony McDowell, CEO of IT security company Encryption.

His reasons for supporting this legislation are simple: “The problem is that when we [first] get involved, we do not know what information we need.” He cites cases of online fraud, where the more information that has been available, the easier it has been to track the parties behind the crime.

The number of cyber attacks, including those from foreign bodies, is increasing every day. To combat this threat we are going to need more data, and we will not know what data until we need it. “The act wants to increase what they can capture, not the content,” explains McDowell. “Just the IP address and where it came from.”

Further debate before bill is passed

Despite the concerns being raised by those in the technology sector, the Confederation of British Industry (CBI) remains unwilling to comment at this time.

When Ciaran Martin, director general of intelligence agency GCHQ, was questioned following his keynote speech at InfoSec Europe about whether the Investigatory Powers Bill would have any impact on the economy, he refused to speculate on the matter. 

Martin stated that “the ultimate decision regarding GCHQ’s powers will be made by the government after a lengthy and thorough period of debate and examination”. He added: “It is not our aim to slow or shut down the march of tech and, even if it was, we wouldn't be allowed to.”

Likewise, the home secretary explained in her statement to the House of Commons, when she announced the Investigatory Powers Bill, that: “A panel co-ordinated by the Royal United Services Institute, and established by the former deputy prime minister, the Rt Hon Member for Sheffield Hallam, will report on the legality, effectiveness and privacy implications of the UK’s surveillance programmes, and assess how law enforcement and intelligence capability can be maintained in the face of technological change.”

Nonetheless, concerns continue to be raised. Some companies have already decided to leave the UK, even before the draft legislation has been published, thus highlighting the seriousness of their alarm.

Furthermore, regardless of how secure any state-mandated backdoor access can be made within the encryption protocols, the encryption system will nonetheless be compromised.

Despite the best intentions of the new legislation, Eris Industries’ Byrne believes that “even without the encryption ban, this is still dangerous and exposes the public to significant risk of harm”.

If the Investigatory Powers Bill comes into force, and it does mandate the storage of all communications and require access to encrypted content, then the effects on the economy could be severe. Companies that are likely to be affected are assessing the risk to their businesses, and some have already taken the step of leaving the UK to protect their data. 

Concerns have been raised that communications security will be compromised and online trade will drop. However, a panel has been convened to discuss this draft bill. Hopefully, by further consideration of the harm this legislation could do, an approach that provides a more pragmatic and workable solution can be found.
