Hackers could exploit new RIP data snooping powers

Businesses fear that hackers and private investigators will abuse sweeping new government powers to access e-mail, telephone and Web browsing records unless strict controls are put in place.

A vast swathe of government bodies, from local councils to the health department and the fire service, will have the power to demand communications data, under proposals due to go before Parliament.

The move represents a significant extension of the Regulation of Investigatory Powers Act, which was originally intended to give law enforcement agencies the ability to access data to fight crime and terrorism.

Although directed at data held by Internet service providers (ISPs) and telcos, the Act will also give the Government the right to issue data access notices against any business with a Web server, call centre or Internet access, without a court order, legal experts said.

Employers' groups expressed concern this week that the extension of access rights to a wide range of public bodies would open up the powers to abuse by hackers and criminals.

"The real issue is how you know that someone is genuinely authorised to issue a notice. These orders are going out from a large number of bodies. How do you know what is genuine?" said the Institute for the Management of Information Systems.

Clare Wardle, head of intellectual property at postal operator Consignia, said disclosure orders could cause difficulties for smaller firms, which may not be used to receiving them, unless safeguards are put in place.

"This sort of process has been abused by unscrupulous people in the past. One of the major issues we raised with the Government was that, as well as providing access to data for the welfare of people at large, it could allow people to obtain data for unlawful purposes," she said. "We have had problems with people pretending to be with the DSS or Benefits Agency trying to obtain information, when in fact they were private detectives."

Ian Brown, director of pressure group the Foundation for Information Policy Research, warned that small organisations would have to go through time-consuming procedures to verify that orders are genuine.

The London Internet Exchange, which represents ISPs, said it is having discussions with the Government to find ways of verifying the authenticity of notices issued by new government bodies. "There will need to be a framework for all these organisations to verify themselves. The onus will be on them to prove they are legitimate," said Roland Perry, acting chief executive at the London Internet Exchange.

The Home Office said it would circulate lists of people authorised to issue the disclosure notices, known as Section 22 orders, and that specimen notices would be made available.
