Global companies are being forced to pioneer international privacy standards as they face a growing number of government requests to access customer data, says consultancy KPMG.
Stephen Bonner, partner in information protection and business resilience at KPMG, said that, in the absence of any state-led guidelines, he is seeing global companies doing it for themselves.
Although the UK’s controversial new Data Retention and Investigation Powers Act will mean little change for most companies, it is part of a challenging global trend, he told Computer Weekly.
Bonner said the trend of every nation taking things like intercepts and critical infrastructure protection more seriously is leading to difficult questions because there are no international norms and standards.
“We see global companies really struggling because you can get a legally-approved warrant in one country that is fundamentally against human rights in another.
“Both jurisdictions are comfortable saying their rules apply everywhere else, which makes it difficult for companies caught in the middle,” he said.
In June 2014, Vodafone revealed that government agencies in 29 countries were eavesdropping on its networks, according to The Guardian.
US communications firms AT&T and Verizon published similar reports after revelations from the whistleblower Edward Snowden about government spying.
As a result of this emerging trend, Bonner said a global bank, for example, could be asked by every country in which it does business to conduct penetration testing on its IT infrastructure and to share all the critical weaknesses it has in its control processes.
More on privacy
“Organisations are having to decide whether to say no to all of them and anger every regulator around the world, or say yes to some and have very difficult conversations with the ones you say no too because the request is not in the best interests of your customers or is in conflict with the requirments of other regulators,” he said.
Because sets of governments have so far failed to come together to set any norms, he said global companies have been forced to drive that agenda.
“They have to almost form their own diplomatic corps to negotiate with regulators and authorities around the world to bring them together to start them acting in a more sensible way about law enforcement co-operation, access to information, and data protection,” said Bonner.
While many global companies are unhappy about having to make the investment, he said they can see the benefits of getting deals working and getting regulators thinking a little more broadly.
“With the advent of internet-based services, our world has become less tied to particular geographical locations and legal jurisdictions, but the rules and laws have not caught up with that,” said Bonner.
In highly automated western nations, he said, the reliance on a safe and secure infrastructure is higher than many of their enemies.
“But every time we have made it easier to spy on our enemies by collecting data, by not releasing information about weaknesses and embedding weaknesses into systems, we have also made it easier for our enemies to spy on us,” said Bonner.
“And what is disappointing is that there has not been a proper debate about where that balance should lie, and the problem is that the people making the decisions are only going to see the negatives if bad things happen by individuals against the state, but they do not perceive the threat of state against individuals,” said Bonner.
“There is a big question that needs to be answered about whether defending is more important than attacking, but most of the choices being made by government seem to be in favour of attacking.
“We are hoarding vulnerabilities rather than sharing that information widely to protect critical infrastructure, we are spending a lot more on developing offensive capabilities than defensive capabilities, and it is easy to see why because offensive is cheap and impressive,” he said.
Bonner said this stems from the basic problem in security that the defensive side is not considered as “sexy” as the attacking side.
“What seem like brilliant short-term choices, are adding up to a quite a big long-term problem,” he said.
The Data Retention and Investigation Powers Act that was rushed through the UK parliament in mid-July 2014 could be in breach of European law, 15 technology law experts warned at the time.
In an open letter to parliament, they said the legislation is “a serious expansion” of the surveillance state.
The legislation is also being challenged by human rights organisation on behalf of prominent Labour MP Tom Watson and former Conservative shadow home secretary David Davis.
Liberty has applied for a judicial review of the new legislation, which was passed with support from the three main parties.
Davis told a Westminster news conference that the Drip Act was "driven through the House of Commons with ridiculous and unnecessary haste to meet a completely artificial emergency".
Watson said the act failed to answer concerns that the blanket retention of data was a breach of fundamental rights to privacy.
Liberty's director, Shami Chakrabarti, said the MPs' decision to go to court represented the legislature and the judiciary fighting back against the executive.
According to The Guardian, Liberty will argue on behalf of Davis and Watson that the new legislation is incompatible with article 8 of the European convention on human rights and article 7 of the European charter of fundamental rights.
More on Drip legislation
- Snowden slams UK emergency surveillance legislation
- Transparency promise delivers emergency surveillance law deal
- New data law a serious expansion of surveillance, say law experts
- Legal challenge to UK surveillance set to kick off at Investigatory Powers Tribunal
- No return to snooper’s charter under emergency surveillance law
- Drip bill could put data at greater risk, warns (ISC)²