The so-called Snooper’s Charter is back. After being blocked by the Liberal Democrats in the last government, the legislation has been overhauled by Theresa May and is ready for another try. Under the proposed Investigatory Powers Bill, British spies will have legal access to private communications data and internet companies will be required to store details of customer activity for up to 12 months. Of course, the Home Secretary has been quick to point out that the British intelligence services aren’t interested in analysing the internet habits of the entire country. Rather, these powers are intended to help the security services confront and defeat organised crime and terrorism:
“Powers to intercept communications, acquire communications data and interfere with equipment are essential to tackle child sexual exploitation, to dismantle serious crime cartels, take drugs and guns off our streets and prevent terrorist attacks.”
Smashing the safe haven?
According to Theresa May, “there should be no area of cyberspace which is a haven for those who seek to harm us, to plot, poison minds and peddle hatred under the radar.” It sounds good on paper, but in reality the new legislation will do little to end crime and terrorism online. When criminals and terrorists go about their nefarious business, they can easily turn to the anonymity and secrecy of the Dark Web. Using the Tor browser or other specialised tools, Dark Web users bounce traffic through different servers and multiple layers of encryption to ensure robust anonymity. This hidden online ecosystem will remain the perfect cover for a host of illegal industries, including everything from counterfeiters and drug dealers, to assassins and people smugglers. Meanwhile, other simple tactics like burner phones and browsing via Virtual Private Network connections can also be deployed to counteract increased state surveillance. Anyone with something to hide will be able to do so all too easily.
Help or harm?
If the Snooper’s Charter won’t really help, could it actually do harm? Well, in a word, yes. By providing the security services with a back door into corporate data and only allowing encryption that government agencies can break, this legislation will actually weaken the security posture of most organisations. Any back door provides another route for cybercriminals to exfiltrate valuable customer data, a process which is made all the easier without robust encryption. Additionally, by putting the onus on service providers to store this increased customer information, cybercriminals will have even more lucrative data to steal. Nor does the recent TalkTalk hack suggest that ISPs are up to the task of defending this data effectively.
As Ross Anderson, professor of security engineering at the University of Cambridge, commented: “If you set up something that has a back door in it, we by definition have made it less secure than it was before, and more vulnerable to parties that you don’t trust like cybercriminals”.
While knowledge of the website domains a person has visited sounds rather innocuous at first, cybercriminals could leverage this information to compromise bank accounts, tailor phishing attacks, or even blackmail individuals (consider what just happened to Ashley Madison’s members, for example).
Ironically, this discussion comes just days after TalkTalk was roundly criticised for not encrypting customer data to prevent criminals from reading it even if it is stolen. As TalkTalk’s CEO, Dido Harding, pointed out: “Every organisation in the UK needs to spend more money and put more focus on cybersecurity – it’s the crime of our era.” That’s certainly true, but it looks like our government will be doing little or less to help.