Thursday, October 19, 2017

The law we all thought a safe “zombie” bill is alive – key things you need to know about the Snooper’s Charter

by Ben Rafferty, Global Solutions Director, Semafone

You could be forgiven if the introduction of the Investigatory Powers Act, or the “Snooper’s Charter”, managed to slip by you under the cover of Trump’s election as President and the UK Brexit vote.

However, considering the magnitude of its impending impact in the world of data security, particularly for communications providers, I don’t think the subterfuge will have worked.

If you, like most businesses, are storing your customers’ data, here are some key points that you should bear in mind.

What are the motivations behind the law?

The government has passed the IP Act with the intention of using it as a tool to fight terrorism after an increasing number of terror campaigns hit Europe over the last few years.

However, several industry experts have voiced their fears that in the act’s attempt to curb terrorism, it will seriously infringe upon people’s privacy. Hence the nickname: ‘Snooper’s Charter’.

How is the government addressing these privacy concerns?

One feature of the IP Act is the ‘double lock’, which aims to tackle the criticism from security experts by regulating the ease with which governmental employees can apply for a warrant to access people’s data.

The double lock means that ministerial authorisation is required before anyone can request a warrant. A panel of judges, who are given the power to veto, then assess the warrant, all of which is overseen by the Investigatory Powers Commissioner, who will act as a senior judge.

What are the implications for communications service providers (CSPs)?

All communication service providers, including telecommunications service providers, will need to store complete web records of every customer from the last 12 months.

With a warrant, the police and 50 other public bodies, including the Food Standards Agency and the Competition and Markets Authority, can request this information. With the types of data that can be requested ranging from NHS records to internet history, companies are going to have to store huge amounts of their customers’ data.

Once a warrant has been granted, all encrypted data, including information sent via apps such as WhatsApp and iMessage, must be decrypted by the CSP and sent to the relevant government body.

Additionally, these public bodies have been given the right to apply for a warrant to hack into computers, mobile devices and networks without alerting the owner.

Additional pressure to keep data safe

Considering the numerous breaches that global companies have experienced over the last few years, combined with the new onus on businesses to retain more data under the IP Act, big investment in IT security will be needed to ensure that customers’ data is kept safe.

Thanks to this, companies that fall under the umbrella of the new policy will find themselves facing a substantial economic burden. And this is before they even begin to consider the financial impact of complying with the EU GDPR when it comes into effect in 2018.

The EU GDPR throws up another challenge in the form of conflicting legislation. While the IP Act requires companies to store complete records of web data for each customer, one of the key functions of the GDPR includes allowing consumers to have the ‘right to be forgotten’.

Clearly, there are some competing priorities. Yet this only begins to scratch the surface of how these two laws are likely to butt heads.

In an ideal world, communications service providers would not have to store personal information and data at all. However, the IP Act is forcing communications companies to hold enormous amounts of personal data, which appears contrary to recent warnings in the media.

For example, Labour MP Meg Hillier, Chair of the Commons Public Accounts Committee, recently stated that handling of personal data breaches by the government has been “chaotic”, which undermines confidence in the government’s ability to protect the UK from cyber-attacks.

With this in mind, creating new data ‘honeypots’ that the IP Act demands of each ISP seems like creating a set of hugely desirable jackpots for hackers! With the act now enshrined in law, it is therefore paramount that companies take data security seriously.

Ultimately, customers’ sensitive information should be kept under lock and key behind several layers of security.

A rock and a hard place

To truly lock down data securely, companies need to take advantage of the latest and greatest technology, such as tokenisation, truncation, or “salting and hashing” the data (adding random data to each value before it is hashed). At the same time, robust processes must be in place so that principles such as non-repudiation and least privilege are actually implemented, ensuring that only the very few who are granted access use it, and that every access is fully auditable.

While this is certainly best practice, it makes the security process all the more complicated: companies also have to ensure that they can still access the data and decrypt it quickly in the event that it is requested by a governmental body.
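The “rock and a hard place” above in working form, as an added example that is not Semafone’s code or product: a hypothetical tokenisation vault in which operational systems hold only random tokens, detokenisation is restricted to an authorised role and recorded against a warrant reference, and the audit log is HMAC-chained so that entries cannot be deleted or altered undetected. It assumes the vault’s own storage is encrypted at rest by other means; the audit key, role names and sample value are constructed.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone


class TokenVault:
    """Hypothetical tokenisation vault: reversible on request, but only by an
    authorised role, and every access (granted or denied) is logged."""

    def __init__(self, audit_key: bytes, authorised_roles=("disclosure-officer",)):
        self._store = {}             # token -> original value (assumed encrypted at rest)
        self._audit_key = audit_key  # constructed key for tamper-evident audit entries
        self._authorised = set(authorised_roles)
        self.audit_log = []          # list of (entry, mac) tuples
        self._prev_mac = b""

    def _record(self, event: str) -> None:
        entry = f"{datetime.now(timezone.utc).isoformat()}|{event}"
        # Chain each MAC to the previous one: removing or reordering an entry breaks the chain.
        mac = hmac.new(self._audit_key, self._prev_mac + entry.encode(), hashlib.sha256).hexdigest()
        self.audit_log.append((entry, mac))
        self._prev_mac = mac.encode()

    def tokenise(self, value: str) -> str:
        token = "tok_" + secrets.token_hex(16)  # random, not derived from the value
        self._store[token] = value
        self._record(f"tokenise token={token}")
        return token

    def detokenise(self, token: str, role: str, warrant_ref: str) -> str:
        # Least privilege: only the authorised role may recover the original value.
        if role not in self._authorised:
            self._record(f"DENIED detokenise token={token} role={role}")
            raise PermissionError(f"role {role!r} may not detokenise")
        self._record(f"detokenise token={token} role={role} warrant={warrant_ref}")
        return self._store[token]

    def verify_audit_log(self) -> bool:
        """Recompute the MAC chain; False means an entry was altered or removed."""
        prev = b""
        for entry, mac in self.audit_log:
            expected = hmac.new(self._audit_key, prev + entry.encode(), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, mac):
                return False
            prev = mac.encode()
        return True


def truncate(value: str, keep: int = 4) -> str:
    """Truncation: keep only the last `keep` characters for display or analytics."""
    return "*" * (len(value) - keep) + value[-keep:]
```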

As the world of data security continues to grow in complexity, laws and regulations around information protection and storage are not going away. So, whether you are a communications service provider, a public body or just a business handling customer data, you need to take heed.

Keeping up to date with the ever-growing list of regulations and taking action to make sure you are compliant with them is the only way to avoid the damaging economic and legal consequences.