The emergency surveillance legislation being rushed through parliament could put UK personal data at greater risk, says information security professionals' organisation (ISC)².
The Data Retention and Investigatory Powers legislation, known as the Drip bill, requires domestic and foreign internet and phone companies to store all communications data relating to UK citizens.
The bill was fast-tracked after the prime minister struck a deal with Labour and the Liberal Democrats to support the process in exchange for a list of safeguards and undertakings.
The legislation was passed by the House of Commons in just one day and is expected to pass rapidly through the House of Lords.
“This means more personal information will be stored, processed, accessed, backed up and deleted,” said Adrian Davis, managing director for (ISC)² in Europe.
“It also means more people will have access to and control over this data, some of which will be stored outside the UK, exposing it to greater risk of theft by hackers.”
Davis said this type of information is not only of use to security services and law enforcement, but highly sought after by cyber criminals, who frequently target communications firms to get it.
The chances of an accidental breach or disclosure also increase when more people and processes are involved, Davis pointed out.
While the Drip bill requires foreign companies to store data on UK nationals, it is unclear what level and type of protection those foreign organisations will have to put in place to protect the stored data.
“Questions about data protection such as the applicability of local or UK data protection law, the type of security controls required to protect data, supplier/customer relationships and the ability to gain legal redress should a breach occur are all unanswered,” said Davis.
He also noted that the new bill extends the provisions within the equally controversial Regulation of Investigatory Powers Act (Ripa) for foreign firms to build interception capabilities into their infrastructure.
“Such capabilities are attractive targets for hackers and cyber criminals, and access can often be gained through the compromise of user accounts or knowledge of manufacturers’ default passwords,” said Davis.
“We have seen that even the biggest internet and phone companies are vulnerable to online attacks. In June 2014 hackers stole details about the date, time and duration of customer calls from telecoms giant AT&T, while Orange recently suffered a massive phishing attack when cyber criminals used promotional ads to steal the email addresses, phone numbers and birth dates of 1.3 million users.”
The new bill extends Ripa’s definition of “telecommunications services” to include webmail and possibly even instant messenger services and social media.
“This all increases the amount of our personal communications that must be saved, further widening the array of targets for hacker groups,” said Davis. “With the Drip bill increasing the amount of data that must be held and the number of companies that must hold it, we could potentially see more frequent and devastating data breaches in the future.”
Davis said that while the initial debate around the Drip bill has focused on UK state surveillance, the legislation is likely to have much wider implications for information security.
On 15 July, a group of 15 technology law experts warned in an open letter to parliament that the bill represents “a serious expansion” of the surveillance state.
“In practice, the legislation could have the unintended consequence of making our data more accessible not just to the UK authorities, but also intelligence agencies, governments, organisations and criminals around the world,” Davis said.