Emergency surveillance bill puts public at risk of cyber criminals

Customers' personal information could be more vulnerable to cybercrime if the emergency surveillance law is passed, industry experts have warned.

Analysts have raised alarms about the lack of detail on data protection in the bill, given that it significantly increases both the amount of customer information that will be held and the number of companies legally required to hold it.

The international nature of the law places requirements on foreign companies to store data on UK customers' habits, but it does not mention whether they will also come under UK data protection law, what security measures would be used to protect the data or options for legal redress if a breach occurs.

Experts also warned that the interception systems being forced on foreign firms made particularly attractive targets for hackers and cyber criminals.

"Access can often be gained through the compromise of user accounts or knowledge of manufacturers' default passwords," Adrian Davis, cybercrime expert and European director of (ISC)2, the world's largest association of infosecurity professionals, said.

"We have seen that even the biggest internet and phone companies are vulnerable to online attacks; in June 2014 hackers stole details about the date, time, duration of customer calls from telecoms giant AT&T, while Orange recently suffered a massive phishing attack when cyber criminals used promotional ads to steal the email addresses, phone numbers and birth dates of 1.3 million users.

"Critically, the emergency bill extends Ripa's [the Regulation of Investigatory Powers Act] definition of 'telecommunications services' to include webmail – possibly even including Instant Messenger and social media.

"The bill increases the amount of our personal communications that must be saved, further widening the array of targets for hacker groups.

"Once web mail is included in the legislation's net, you include all manner of companies that supply these services, not just the major telecoms giants whom we would expect to at least have decent security in place."

The data retention and investigatory powers bill (Drip) completed its Lords committee stage without amendment today and is likely to be rubber-stamped by the Commons into law by the end of the day.

Peers issued protests against the use of emergency legislation on such a controversial topic, but seemed powerless to stop it.

The progress of the bill came despite analysis by experts and the Lords' constitutional committee warning that it handed the home secretary extraordinary new powers to expand future surveillance systems without having to put it to a vote.

The bill also creates a 'snoopers'-charter-lite', by applying current surveillance to overseas firms and expanding the definition of 'telecommunications' so that services such as Facebook are included.

The new powers contradict the assurances of ministers, who claim the bill is merely a continuation of existing surveillance laws.

Peers said they were unconvinced by government claims that the legislation needed to be forced through in a matter of days, especially because the court judgement which triggered the need for the law occurred months ago.

"One is right to be deeply suspicious of emergency legislation that appears in this way," Lord King said in the debate last night.

"I should also say, deeply cynically, that that is even more the case when such legislation comes with all-party agreement. That is a time to fasten your seat belts and wonder what the background to it really is."

Lord Butler, who had served as private secretary to five prime ministers, said the issues the bill addressed had been known for months.

"Why has parliament been given so little time to consider this bill?" he asked.

"If the government could reach a conclusion about the necessity for this legislation one week before the House of Commons went into recess, it beggars belief that they could not have reached that conclusion three weeks before the recess, thus giving parliament proper time to consider the bill."

He added that many people would conclude that the government had failed to get the snoopers' charter through parliament and decided to smuggle it into law using emergency legislation instead.

"Those who take a conspiracy view of government might be tempted to speculate that having burned their fingers through consultation on the communications data bill, the government thought it wiser to bounce parliament rather than to run the same risk again," he says.

"The minister owes the House an explanation of that."

Lord Knight added: "The government's handling of this bill has been a disgrace."

The bill has been condemned by United Nations high commissioner for human rights Navi Pillay, who said the law did not address the concerns about privacy expressed by the European court of justice.

Dr Siraj Shaikh, reader in cyber security at Coventry University, told Politics.co.uk it would result in communications companies and security agencies amassing ever more information about the public.

"At a commercial level there'll be heightened collection," he said.

"Parts of the sector will feel legitimised. Privacy will be the least of their concerns from now on."