The Data Retention Investigatory Powers (DRIP) bill has scampered into law. Much concern was registered by many over the House of Commons' breakneck approach to the passing of the measure. Even the House of Lords chimed in before passing it into law the other day, despite its original reservations over its fast-track passage.
The House of Lords opined that DRIP was a knee-jerk response to the European Court of Justice’s ruling in April on data retention. All constituencies voiced concern with the presentation of such a bill after waiting several months to act. However, the die is cast: the bill has cleared the House of Lords and is now law. But it is still mired in controversy. The latest concern is that DRIP may make UK citizens’ data more attractive to hackers, according to security experts.
This may well be a long-term consequence of DRIP, as UK data’s territorial reach is extended to foreign firms which hold UK citizens’ information. Those firms can now be served with a warrant to hand over information. The government added that proviso to give the law more teeth, as the current law only had ‘an implicit extraterritorial effect’. This takes some of the ambiguity out of the equation, as it was expressed by ‘some of the largest communications providers’.
The law could lead to data being stored in more locations worldwide, hence increasing the chances that hackers will be able to access it, according to cybercrime expert Dr. Adrian Davis. He privately worries that some companies storing the data may not be up to snuff security-wise, at least not of the same caliber as UK companies:
‘Because of the extraterritorial reach in the DRIP bill, it requires foreign internet service providers, who may be providing webmail services to British citizens (read expats living in Spain or Florida and using national ISPs), to store data about those British citizens in data or storage centers outside the jurisdiction of the UK Data Protection and other relevant Acts. As a result, we don’t know how that data is stored, processed, accessed or protected… Hackers may view foreign ISPs storing British citizens’ data as a “soft target” - the levels of protection may be different and the penalties for stealing or compromising data could be lower.’
Pointing to a House of Commons standard note about the DRIP, some fear that since ‘webmail’ services will have to retain data, they will become a more attractive target for criminal hackers as there will now be more voluminous material. Prof Alan Woodward of the computing department at the University of Surrey is more sanguine about the prospects of the new law. He says that the data which companies are being compelled to store may not be all that attractive to malicious hackers.
He contends that this is so because the information does not contain the actual content of communications, only who spoke to whom, when and from where. ‘I’d expect hackers to be more interested in fuller data sets,’ he said. ‘But I suppose also there will be someone who tries to do this to make a point.’
Dr Woodward agrees, though, that the possibility existed before DRIP, and was joined in this regard by Richard Clayton, a security expert from the University of Cambridge Computer Laboratory. Clayton added that it may make some data more attractive to journalists attempting the illegal gathering of information.
In the opinion of Jim Killock, executive director of the Open Rights Group, certain clauses of the bill are problematic and ‘should be deleted entirely.’ Specifically, clauses 4 and 5 of the law, which extend the government’s reach to US and foreign companies, and which increase the kind of web services for which intercept warrants can be issued, should be deleted in Killock’s view.
This discussion is, of course, moot now that the measure is law. That it was brought up and passed so fast is still a bone of contention for opponents, though, as is the fact that this is apparently just another loss for privacy advocates and a reason to remain increasingly vigilant in the ongoing battles which lie ahead. It gives another reason for concerned users to investigate legal means of ensuring privacy, such as the use of VPNs.