What the Investigatory Powers Bill means for the telecommunications industry

The draft Investigatory Powers Bill could have major implications for telecommunication companies operating in the UK

On 3 November, UK home secretary Theresa May unveiled the draft Investigatory Powers Bill, which is planned for discussion in 2016 and not expected to come into law until 2017. 

However, following the recent Paris terrorist attacks, prime minister David Cameron stated on the BBC Radio 4 Today show: “We should look at the timetable.”

The government says the bill is intended to “introduce world-leading oversight arrangements” and bring together the disparate surveillance powers currently employed by the UK’s law enforcement and security agencies. Most notably, these are:

The last of these is particularly critical, because the sunset clause in DRIPA is due to expire on 31 March 2016.

The Investigatory Powers Bill will replace three existing commissioners – the interception of communications commissioner, the chief surveillance commissioner and the intelligence services commissioner – with a single oversight body, the Investigatory Powers Commission (IPC).

The IPC will be headed by an investigatory powers commissioner and supported by judicial commissioners (retired and senior judges), who will be responsible for approving warrants. These approvals can be bypassed if time is critical, but must still be approved within five days.

The Investigatory Powers Bill can be broadly subdivided into three elements:

  • Interception: Accessing communication (telephone, email or social media message) during transmission.
  • Interference: Accessing electronic equipment, such as computers and smartphones, to obtain communication data.
  • Retention: Storing internet connection records for 12 months.

Although these powers cover any communication service providers (CSPs), it is the last element that would have the greatest implications for ISPs.

The legislation does not just apply to companies based in the UK, but to all companies that operate within the UK. However, a mutual assistance warrant must be in place before a request for interception can be made to authorities outside the UK.

Internet connection records

Currently, under the DRIPA, CSPs can be required to keep certain types of communications data for up to 12 months. But under the Investigatory Powers Bill, all ISPs will be required to record, store and give agencies access to their users’ internet connection records.

Once the data has been stored for 12 months, it must be deleted, according to the draft bill, “in such a way as to make access to the data impossible”, with deletion conducted at monthly (or shorter) intervals.

These internet connection records will document the sites each user visits, but will not reveal every page they visited within that domain. For example, ISPs will be required to record that their user visited the website, but not the pages visited.

Although internet connection records do not contain financial or confidential information, the fact that this data offers personal information about each user – such as who they bank with – gives it value and therefore stringent security measures would be required to protect it.

This data would be of particular interest to phishers, who would be able to target campaigns based on each user’s interests and online behaviour (such as shopping habits).

The sensitivity of this data has been recognised in the draft bill, and companies must ensure data is secured “by appropriate technical and organisation measures against accidental or unlawful destruction, accidental loss or alteration, or unauthorised or unlawful retention, processing, access or disclosure”.

Open to interpretation

However, the legislation does not specify what these measures are, leaving them open to interpretation. Anyone found unlawfully obtaining such data from a telecommunications service provider could be fined and/or imprisoned for up to 12 months.

David Emm, principal security researcher at Kaspersky Lab, says: “One of the big issues is the practical aspects for ISPs – how are they going to store it, how is it going to provide access when required, and how secure will both of those things be?” 

The recent hacks of TalkTalk and Vodafone highlight the fact that telecommunication companies are vulnerable to attack and need to restore consumer confidence in their ability to preserve user data securely.

The organisations that will be able to request access to this information include a variety of public bodies, ranging from GCHQ and the Metropolitan Police to the Food Standards Agency and the Department of Work and Pensions. Warrants can be issued for various reasons, including national security, criminal investigations and preserving financial stability.

The secretary of state may also require a telecommunications operator to retain all communications data as well as the associated metadata.

Emm adds: “Companies have to grapple with the issue of making sure, on the one hand, that any data is secure in the sense that if it is very sensitive, it needs to be encrypted, and on the other hand, making sure that only the right people can access it. That comes down to issues of authentication.”

Encryption will not suffice

Encryption alone will not suffice, because it can be bypassed by an insider attack. Similarly, authentication systems are not foolproof technology, because people can be tricked into revealing their login details. Instead, a multi-layered security and authentication system will be required to not only protect the data, but also to audit who accesses what information and when.

The response by ISPs has, so far, been neutral. A BT spokesperson said: “National security is a critical issue and everyone needs to play their part, including industry. We believe there must be a clear legal framework around this regime – one that ensures adequate checks and balances are in place to weigh up any human rights concerns.”

But there are certain clauses in the bill that may cause serious concern for companies. For example, Clause 133 states: “This clause makes it an offence for persons specified in subsection (1) to make an unauthorised disclosure to another person in relation to a bulk acquisition warrant.” 

Anyone found guilty of breaching this can be fined and/or jailed for up to 12 months. However, the interconnected nature of the internet necessitates a high degree of co-operation between service providers, because a technical issue at a border between two networks affects everyone’s customers.

The government has been keen to stress that it is not seeking to ban encryption (despite David Cameron’s previous comments). However, Clause 189 states that communication service providers have “obligations relating to the removal of electronic protection applied by a relevant operator to any communications or data”.

Future-proof the legislation

Many have seen this as an attempt to future-proof the legislation, but it means parts could be open to interpretation beyond what was intended. In this case, it could be interpreted as companies having to provide assistance to the government to hack their own users, opening their networks to bulk interception of data, or even modifying their systems to make data interception easier.

During the science and technology committee’s hearing of the Investigatory Powers Bill: Technology issues, Gigaclear chief executive officer Matthew Hare said: “There would be the most massive and enormous amount of data that, in future, an access provider would be expected to collect and keep.”

For example, a typical 1GB home internet connection usually has about 15TB of data passing through it every year. At least 21 million UK homes are connected to the internet, not including mobile internet connections. The storage problem is further compounded because encryption will increase the volume of data.

Telecoms providers will need to invest in new systems and protocols to meet the demands of this bill. Not only will there be the costs of new security systems and hardware to accommodate the data storage requirements, but also the ongoing costs of securely storing data and responding to warrants. The more frequent these warrants, the greater the costs.

Colin Tankard, managing director of Digital Pathways, predicts that in order to record the websites that users visit, “ISPs will have to enforce the type of router used, which will increase their cost and upset many users who prefer to use a better/higher-spec router”.

These costs are lightly covered in the bill (Clause 185), as follows: “The secretary of state must ensure that arrangements are in force for securing that telecommunications operators and postal operators receive an appropriate contribution in respect of such of their relevant costs as the secretary of state considers appropriate.” 

Costs paid for by the consumer

However, many feel these arrangements are insufficient, and expect that the costs will ultimately be paid for by the consumer.

Gigaclear’s Hare said at the science and technology committee hearing: “If I was a software business developing software in the UK and this bill was in legislation today, I would be very worried that my customers would not buy my software any more if it had anything to do with security at all. I would be worried that a back door was being built into the software by the bill that would allow the UK government to find out what information was on that system at any point they wanted in the future.”

As it stands, the Investigatory Powers Bill may be intended to be future-proof against emerging technologies, but it could be open to interpretation beyond what was intended by the home secretary. There will also be financial implications for ISPs – the costs of meeting the demands of the bill and of developing a system to retain internet connection records.