UK surveillance bill under fire as data security risk

A 2015 data breach of UK ISP TalkTalk should serve as a warning to the government that its proposed new surveillance legislation risks creating vulnerable pools of data that could be exploited by hackers, a parliamentary committee has warned.

The Culture, Media and Sport (CMS) committee makes this observation in its report into the October 2015 data breach of TalkTalk, published this month.

The Investigatory Powers Bill has already passed through several rounds of debate in the House of Commons with its provision for so-called Internet Connection Records (ICRs) intact.

The bill’s provision for ICRs would require ISPs to hold data on the websites and services accessed by all their customer for a full 12 months. It’s one example of how the bill would create honeypots of personal data that will present an inevitable target to hackers, such as the pair of teenagers who perpetrated the 2015 TalkTalk hack.

In its report into the latter hack the committee notes that during an oral evidence session the UK’s data protection watchdog, the Information Commission’s Office, issued what it couches as “a stark warning” about the IP bill.

“The ICO said that it creates a “haystack of potential problems” given the huge pools of personal data that it would create and their vulnerability to attack and theft leading to personal data breaches. We also received evidence from academics who agreed on this point,” the committee writes, going on to urge the government to address the problem the draft legislation will create.

“The vulnerability of additional pooled data is an important concern that needs to be addressed urgently by the government,” it states.

At the time of publication a spokesman for the Home Office had not responded to a request for comment on the government’s intention vis-a-vis the committee’s recommendation. We’ll update this post if/when they do.

The committee suggests that “part of the response” could be for the government to require “enhanced security requirements and background checks for those with access to large pools of personal data”.

“Data controllers should seek to control and limit access to such pooled data,” it notes.

However the wider point about the TalkTalk data breach is that external hackers perpetrated the attack and made off with users’ personal data — aka people who were not authorized to access the data in the first place. So the recommendation that ISPs should seek to control and limit internal access to pooled data is a rather weak provision.

A far better scenario for protecting personal data — as the ICO has previously suggested — is not to collect the data in the first place. So the exact opposite of what the IP bill in its current form proposes to do.

And at this point the bill’s passage through parliament does not appear to be heading for significant upset. The official opposition Labour party has opposed some elements of the draft bill, and trumpeted winning some concessions earlier this month — including that the bulk powers set out in the bill will be independently reviewed by QC David Anderson.

However the party has been largely supportive of ICRs, focusing concerns on the threshold for accessing these records — wanting this to be limited to only investigations of “serious” crime, not “any crime” as is currently the case. It has not out-and-out opposed the collection of the data in the first place.

We’ve reached out to the Labour party for comment on the CMS report and will update this post with any response.

The CMS committee is just the latest parliamentary scrutiny body to warn about the IP bill. Earlier this month the Human Rights committee warned the bill in its current form has been too broadly drafted. While, back in February, the Intelligence and Security committee slammed it in a highly critical report warning of privacy failures and overly broad intrusive powers.

A joint select committee of MPs also had substantial concerned when it reported earlier this year. As did the Science and Technology committee.

Despite multiple parliamentary committees raising a raft of concerns the IP bill easily passed its third reading in the House of Commons, after the Labour party voted with the government to support it — professing itself pleased with concessions from the Home Secretary.

These included the government agreeing to set up Anderson’s review into the bill’s highly intrusive and controversial bulk powers, due to report this summer; as well as an “overarching privacy clause” being enshrined in the legislation. The wording of this has yet to be made public.

The government has also said it will provide assurances that the ‘double lock’ intercept authorization process set out in the bill will include power for Judicial Commissioners to scrutinise the decision to issue a warrant, not just the process.

Full judicial oversight of intercept warrants was a measured called for by Anderson in his prior report last year, ahead of the drafting of the IP bill.

The bill is now set to be considered by the UK’s second chamber, the House of Lords, which may push for further amendments. The government’s aim is to get legislation onto the statute books before the end of the year when emergency surveillance legislation, 2014’s controversial DRIPA, sunsets so its timetable is fairly tight. That may present an opportunity for the Lords to secure additional amendments as the government seeks to minimize delays.