The select committee reviewing the Draft Investigatory Powers Bill has this month finished taking written and oral evidence, and it is already clear that it will have a significant impact on mobile network operators (MNOs), over-the-top (OTT) service providers and crucially, consumers.
There are five key elements of concern for communication service providers (CSPs):
- Web and phone companies will be required to store records of websites visited by their customers for 12 months, and make these available to police, security services and other public bodies.
- It gives security services powers to covertly obtain bulk data such as telephone call, email or messages transmitted using OTT mobile messaging apps like WhatsApp, iMessenger and Facebook Messenger.
- It gives explicit powers to security services to hack or bug computers and smartphones.
- It legally obliges communication service providers to have capabilities in place to intercept and collect personal data passing over their network.
- It requires communications service providers to take all reasonable practical steps to help authorities access communications data they have been approved to obtain, whether encrypted or not.
Given the huge amount of data CSPs have to store, it is almost certain data security will be big headache once the bill becomes a law.
Despite the fact that it will not necessarily be sensitive information being stored, from this simple data it is easy to piece together a profile of a person. To hackers, this could be valuable information and worth the effort of extracting it from storage.
The draft tries to cover this and compels CSPs to put appropriate technical and organisation security measures in place. CSPs will have to keep a massive amount of data safe, while guaranteeing accessibility to government agencies. This presents a challenge.
For OTT players, there is a further problem. Whose duty is it to unscramble communication data? Skype, WhatsApp, iMessenger and other similar applications use end-to-end encryption and data carriers do not have the ability to decrypt it.
While the draft is not clear as to where the responsibility lies, this is one of the major concerns raised by MNOs such as Vodafone, EE and O2.
In addition to the cost of data storage, the running cost of keeping security up-to-date and dealing with access requests will be an additional burden. In 2014 alone, Home Office figures show 517,236 authorisation of requests for communications data, and 2,765 interception warrants.
Despite the challenges, the Bill has merits. It consolidates current surveillance powers, including:
- The Telecommunications Act 1984, which gives the secretary of state the power to obtain bulk communications data from Telcos in the interests of national security.
- The Regulation of the Investigatory Powers Act 2000 (RIPA), which gives powers to public bodies to order ICPs to hand over a person’s communication data, monitor people’s Internet activities using surveillance equipment, and demand for the keys to protected information.
- The Data Retention and Investigatory Powers Act 2014 (DRIPA), which requires communication service providers to retain certain communications data for 12 months.
It also simplifies the oversight body. Currently, there are different commissioners overseeing the interception of communications, the surveillance and the intelligence services. The draft bill replaces these three with a single control body, the Investigatory Powers Commission (IPC) to be headed by a senior judge.
Although the proposed legislation will undoubtedly create a financial burden for CSPs, the main concern will be data security. Already an issue, the staggering amount of additional data storage will make CSPs an increasingly hot target for cybercriminals. Organisations across the board should already be planning how to manage the security risk this Bill presents.