The debate around the Data Retention and Investigatory Powers (DRIP) Bill has centred on how much the state should be allowed to know about us, but it is not just the state that would like to know who we have called, emailed, or instant-messaged in the past year.
Cyber-criminals and hacker groups frequently target phone and internet companies in search of this information with increasing success.
Clause 4 of DRIP forces foreign internet or phone companies with UK customers to comply with interception warrants, store personal data outside of the UK in data centres around the world where it could be exposed to greater risks from hackers.
DRIP will require more information to be stored, processed, accessed, backed up and deleted with more people having either access or control over it. The more people involved, the more steps involved, the more likely that an accidental breach or disclosure may occur: it is not inconceivable that such capabilities will be attractive to criminals.
The extra-territorial nature of the law places requirements on foreign companies to store data on UK nationals.
What is unclear is the level and type of protection those foreign organisations will have to put in place to protect the stored data. Questions about data protection such as the applicability of local or UK data protection law, the type of security controls required to protect data, supplier/customer relationships and the ability to gain legal redress should a breach occur are all unanswered.
Furthermore, the bill extends the provisions within the Regulation of Investigatory Powers Act (RIPA) for foreign organisations to build interception capabilities into their infrastructure: such capabilities are attractive targets for hackers and cyber-criminals and access can often be gained through the compromise of user accounts or knowledge of manufacturer's default passwords.
We have seen that even the biggest internet and phone companies are vulnerable to online attacks; in June 2014 hackers stole details about the date, time, duration of customer calls from telecoms giant AT&T, while Orange recently suffered a massive phishing attack when cyber-criminals used promotional ads to steal the email addresses, phone numbers and birth dates of 1.3 million users.
Securing the Cloud
Critically, the emergency Bill extends RIPA's definition of 'telecommunications services' to include webmail (possibly even including instant messenger and social media) meaning the Bill increases the amount of our personal communications that must be saved, further widening the array of targets for hacker groups.
Once webmail is included in the legislation's net, you include all manner of companies that supply these services, not just the big telcos whom we would expect to at least have decent security in place.
Webmail is now a cloud-based service for many and cloud security as we know is a variable beast: security lapses have led to a cloud service provider closing in recent weeks, so our concern is not just the amount of data being stored; it is the kind companies being required to store it.
With the DRIP Bill increasing the amount of data that must be held and the number of companies that must hold it, we could potentially see more frequent and devastating data breaches in the future.
UK data at the mercy of foreign laws and foreign intelligence agencies
The extension of RIPA to include a duty on foreign-based internet companies with subsidiaries in the UK to cooperate with UK surveillance requests, raises disturbing legal questions over how that data is to be protected in foreign jurisdictions that are not governed by our data privacy laws.
Forcing overseas companies in foreign jurisdictions to store more details of UK customers raises the question of who will be held responsible in the event of a data breach in those jurisdictions and how we can guarantee that this data will be protected according to UK data protection standards.
It is estimated that the new DRIP Bill could increase the average cost of government surveillance by £8.4 million a year (partly due to the cost of paying ISP's to store extra data), but if the UK government is paying for this storage, how does the UK government know that the data is being protected according to best practice?
DRIP's requirement that foreign companies comply with UK interception warrants may mean that more of our communications data will be retained in countries where it could be accessed by foreign states.
We have already seen allegations that European customer data stored in US datacentres was given to the NSA by foreign companies including Apple and Facebook. The DRIP Bill could make this even worse.
The debate around DRIP has focused on UK state surveillance; yet the true legacy of DRIP could reach much further, with perhaps the unintended consequence of making our data more accessible not just to the UK but also intelligence agencies, governments, organisations and criminals across the globe.
Dr Adrian Davis is the EMEA Managing Director at infosecurity professionals body (ISC)<sup>2.