Since the Investigatory Powers (IP) Act received royal assent at the end of November 2016 we have seen a great many headlines deploring its implications. The “Snooper’s Charter”, as the Act has been dubbed, took a lot of people by surprise, and reactions have been almost uniformly outraged. The Daily Mail led with the headline “Warning: UK Government can now record EVERYTHING you click on online”, while Edward Snowden described it as the most extreme surveillance in the history of Western democracy. Tim Berners-Lee tweeted of “dark, dark days”.
Regardless of your political position or your personal views on the legislation, however, the law now exists and unless attempts to amend it are successful, those of us working in the IT sector will need to comply with it. Exactly what this will mean has itself been the subject of some heated discussions.
While fighting the IP Bill during its passage through Parliament, the Internet Service Providers Association (ISPA) warned of costs of up to £1bn, demanding that the government contribute far more than the £174m earmarked for the costs of supporting the new legislation.
The implications of the Act
It seems to me that there is a more pragmatic view to be taken. Firstly, we need to look at the Act itself, and at the specifics for technology providers. Home secretary Amber Rudd summed up the aim of the Act when she said: “The internet presents new opportunities for terrorists and we must ensure we have the capabilities to confront this challenge.” The legislation was passed with the intention of using it as a tool to fight terrorism following the attacks in Europe in recent years. The essential points are as follows:
- Communication Service Providers (CSPs) – whether that’s for voice services such as telephone calls, post, data transfer or messaging and browsing services – will have to store records of communications for 12 months. ISPs must keep a record of which websites and chat applications have been made use of when and by whom.
- CSPs must be able to make this information available to a wide variety of public bodies, ranging from the police to the Food Standards Agency.
- Upon the issue of a warrant approved by both a judge and the yet-to-be-appointed Investigatory Powers Commissioner, CSPs must be able to override security measures in order to decrypt mobile phone information for public authorities, with or without the knowledge of the owner.
What are the consequences?
So, what does this mean for those of us who might be classed as CSPs or who will be helping them to comply with the new law? Well, possibly not all that much. There are three areas that stand out as likely to incur additional cost.
1. Storage. Much of this information will already be stored by CSPs for billing and backup purposes, but it’s likely that more space will be required to ensure that all details stipulated by the Act are captured successfully. Thankfully, storage is still relatively inexpensive, particularly if cloud is considered an acceptable medium. So far there have been no indications that cloud storage won’t satisfy the Act’s requirements.
2. Extracting information. The ability to extract data on request may require some additional reporting capabilities and will represent a genuine cost for businesses. The significance of this cost will become more apparent as agencies begin to exercise their right to demand information.
3. Encryption. The third requirement may be the trickiest to implement. It is still unclear to what extent providers will need to build in “back door” access to encrypted information in order to make it available when warrants are issued. This not only throws up huge questions about professional ethics, but could require a great deal of technical expertise. From another point of view, encryption may also incur costs for CSPs who need to protect the information in the newly expanded databases that they have been charged with maintaining.
Where to from here?
It’s true that the IP Act will most likely create more work for CSPs. But we must also stop to consider the impact it will have on businesses that rely on CSPs when it comes to outsourcing data and services. If a CSP is instructed to provide customer data to one of the 50 organizations, at what point do small and medium enterprises get drawn into this process? How will they explain this to consumers in the face of the increasing instances of data breaches?
Obviously, CSPs are not the only stakeholders who need to sit up and take notice. Businesses need to ensure they have technology and processes in place that can help them understand exactly what customer information they are storing, and where this data is held.
Although the new law is clearly a complex beast, it introduces no concepts that are new or surprising to anyone working in the IT industry. In a sector where marketers compete for ever larger quantities of data about customer demographics, location and behavior, it is disingenuous to express astonishment that the government may also wish to access this information. I suggest that we get over it, and get on with it.