As if having their metadata kept on file for 12 months were not bad enough, British broadband users are now being told that, if the bill passes, the snoopers charter will likely mean higher prices for their internet usage. That is because the huge level of data retention demanded from Internet service providers under the investigatory powers bill (aka snoopers charter) would likely force ISPs to put British broadband bills up, as ISPs have warned a House of Commons select committee.
According to ISPs, what the government does not realize is that the sheer quantity of data created by each and every Internet user is so vast that the job of sifting through it for metadata will inevitably force prices up. The government has apparently already set aside a budget of £175 million to pay for that data retention. Officials within the industry, however, do not agree that this enormous sum of (taxpayers’) money will actually cover the costs. Matthew Hare, who chairs the Internet Service Providers’ Association (ISPA), has already warned that:
‘On a typical 1-gigabit connection we see over 15TB of data per year passing over that connection … If you say that a proportion of that is going to be the communications data, it’s going to be the most massive amount of data that you’d be expected to keep in the future. The indiscriminate collection of mass data is going to have a massive cost.’
In Switzerland, where ISPs have for some time had to keep records of (some) metadata, ISPs have to pay for that data retention out of their own pockets. It is true that the Swiss government does reimburse ISPs. However, Internet service providers there have been very vocal about the fact that the reimbursement is only a token gesture that does not come close to covering the actual cost of compliance. Taking Switzerland as a case study makes you wonder where the British government envisages the money coming from.
This is not the only criticism of the proposed new bill either. Under the snoopers charter, it would effectively become illegal to discuss any ongoing surveillance, even in a court of law. That is because inside the 300 pages of the proposed new bill is a section (189) on the ‘technical capability notice’. The snoopers charter allows the UK’s home secretary to impose ‘an obligation on any relevant operators’, under the proviso that ‘the Secretary of State considers it is reasonable to do so.’ So what does that mean?
Let us take the white hat hacker as an example. A white hat hacker is someone who makes a living by helping a business to shore up its systems. This is achieved by carefully penetrating the system in order to find any troubling security holes in it: the gaps that could allow malicious hackers (like those behind the recent TalkTalk hack) to get into the system and wreak havoc.
Now assume that, having found a problem in a computer system (which the white hat hacker would usually be ethically bound to report to his employer), the security researcher is approached by GCHQ. The UK’s intelligence agency informs the white hat that it was GCHQ that left the ‘backdoor’ there, to do surveillance work relevant to an ongoing enquiry. At that point, despite wanting to do so, the white hat hacker is bound by the snoopers charter not to tell his employer about the security risk.
Now, consider the implication of a criminal cyber-attack subsequently taking place – causing the white hat hacker’s employer to say ‘why didn’t you notice the security problem?’ Sadly, at that point, the security researcher would still be bound by the investigatory powers bill to stay mute on the subject – making himself look useless at his job – despite the fact that he was aware of the problem all along.
Does that not seem a little peculiar, considering that just last week GCHQ hosted the IA15 cybersecurity event? An event whose mission is to forge a safer future for the UK by developing better cybersecurity practices across the board.
How can the UK’s intelligence services, on the one hand, bemoan that the UK’s national security is under attack by cybercrime and promote academia, industry, and government working together to make the nation more cyber-secure, while at the same time seeking to pass legislation that would stop security researchers from doing their job, whenever the ‘Secretary of State considers it is reasonable to do so’? Utter and flabbergasting nonsense.
As everyone knows, the problem with having backdoors in a system is that a backdoor cannot tell its intended user apart from anyone else who finds it. It lets in not only who you want, but anybody who understands the system well enough to use it.
George Danezis, an associate professor of security and privacy engineering at University College London, has already pointed out that this is not a workable solution if you actually want effective cyber security. Not only are backdoors unsafe, but the snoopers charter (section 190-8) would make it illegal for security researchers even to talk about those security flaws, punishable with 12 months in prison if they break their silence, even though keeping that silence puts their entire consultancy business at risk.
‘Secret backdoor notices (I mean ‘technical capability notices’) will be issued, and any enterprising geek that wants to open a debate about them will either know nothing about them or be breaking the law. There will be no debate about what kind of backdoors, or of when they should be used – all will be happening in total secrecy,’ comments Danezis, in a description that, few could deny, starts to make Britain sound like a totalitarian regime.
Unfortunately, the concern does not stop with those two issues either. John Shaw, vice president of product management at the security firm Sophos, also notes that the snoopers charter could cause a backlash from software designers. This, he reasons, is because the snoopers charter could call for an end to strong encryption in the British Isles: the bill contains clauses that effectively require any software created (or issued) within the UK to have backdoors in it as well. Shaw points out that this could cause software designers to look at the UK with disdain and pressure them into moving their businesses abroad.
‘For UK-based companies that serve non-UK customers, there’s some evidence, from what is happening to Microsoft right now in the US, that that can really undermine the trust of non-UK customers,’ he said.
Matthew Hare from ISPA concurs with this opinion, ‘if I was a software business, I would be very worried my customers would not buy my software, because [they] would be worried that there was a backdoor built into this software that would allow the UK to look into my software’.