Don't rush us into the next big data disaster

Politicians and the public need more time to consider demands for a massive extension of the surveillance state.
Written by Steve Ranger, Global News Director

Should David Cameron's government fast-track online-snooping bill?

Image: Shutterstock

The UK government has laid out its plans for updating its web surveillance legislation, part of which will require internet companies to store details of their customers' web surfing data for a year.

Following the terrorist attacks in Paris last month, there have calls to fast-track the bill through parliament and into law as quickly as possible. That would be unwise. The bill is a significant extension of the state's ability to collect information about everyone -- not just criminals.

Don't Spy On Us, a coalition of privacy campaigners including Liberty and Privacy International, has also warned that such an important and complicated bill is being raced through parliament. Shami Chakrabarti, Director of Liberty, said: "We all agree new legislation is needed because public discourse and parliamentary scrutiny have lagged behind spying practices in recent years. We welcomed pre-legislative scrutiny of this important and complex Bill. Why undermine this now? Nearly 300 pages in three weeks -- is the Home Secretary serious?"

Eric King, the director of Don't Spy On Us, noted that the timetable offered by the government does not provide enough time for informed consideration of some extraordinary powers: "It is a fraction of the time previous versions of the Snoopers Charter received, which had just a fraction of the issues to consider," he warned.

Just one example of the issues to consider: the bill will require communications companies to retain so-called 'internet connections records' containing information about which services and websites (but not the particular page) a particular device has connected to.

This data can then be accessed as needed (to get further detail for a warrant, for example) by police and intelligence agencies, which argue that this sort of information is a vital element in fighting serious crime and terrorism.

Storage and security issues

But communications companies (mostly ISPs in this case) haven't retained this sort of information before and will now have to keep it for 12 months. The implementation and storage of such a vast archive is going to be a costly headache. And the bigger problem is securing it.

These internet connection records may well be among the most sensitive sets of information about anyone. While they might not contain the fine-grained detail of precisely which web pages someone visits, enough will be recorded to provide a deeply personal insight into how you live and think, and what matters to you. It will detail which bank you use, which online services you use and which websites you visit.

That, of course, is why the government is keen for communications companies to keep hold of it, to help with the investigation of crime. But it's not just the government that will be interested in such a treasure trove of information.

An irresistible target

These databases will be an irresistible target for criminals, and even state-sponsored hackers. Knowing which bank you use would be handy for scammers; knowing what someone has been looking at online could give foreign spies insight and leverage.

We are used to companies large and small buying, selling, slicing-and-dicing and -- more often then they should -- losing our data. The recent Talk Talk hack shows that even the biggest companies are still vulnerable to attack.

But it won't just be big companies storing this data: there are plenty of smaller communications companies that may be required to store it. They are going to have to get serious about protecting this data and fast. Significant safeguards must be put in place to stop these records being the source of the next big data disaster.

Unresolved issues

The government argues that it needs access to this data to keep us safe: it must also make sure that retaining it does not make us less safe too.

And this is just one of the unresolved issues with the Investigatory Powers Bill.

There's the big debate about whether it's technically feasible: ISPs have argued that the sheer mass of data generated will be hard to store and analyse.

And even bigger questions loom around other issues in the bill concerning the bulk collection of internet data, and of the extended powers it provides to law enforcement to hack into devices when needed.

Also still unresolved is how this legislation will impact on international companies who are the leading providers of mobile communications. And what about encrypted communications -- the ones that worry police most? None of this is currently clear, yet all of it is important.

It's much easier to expand the surveillance state than it is to shrink it back again, so every decision to extend it must be carefully considered. Parliament -- and the people -- need as much time as possible to get this one right.

More stories on surveillance and cybercrime

Editorial standards