Security fears over UK 'snooper's charter'

UK.gov to spy on Joe Public, pass data overseas

Human rights watchdog Privacy International (PI) will today warn a House of Lords conference that government proposals to stockpile details of all phone calls and Internet access made by the entire population of the UK will create grave dangers for both privacy and security.

A number of orders - called 'Statutory Instruments' - currently being considered by Parliament will create a legal basis for comprehensive surveillance of communications and establish a regime for warehousing acquired data - phone numbers and email addresses contacted, web sites visited, locations of mobile phones etc. - about every UK subject.

The regulations will allow an extensive list of public authorities access to records of individuals' telephone and Internet usage (under the Regulation of Investigatory Powers Act). This communications data will be available to government without any judicial oversight.

Not only does government want access to this information, but it also intends to oblige companies to keep personal data just in case it may be useful (under provisions of the Anti-Terrorism, Crime and Security Act).

This sensitive information, together with account and financial data, will eventually be available on request to investigation authorities in most other European countries, PI warns.

The potential for overseas countries to access this sensitive data comes about through a range of international treaties, such as the recent Council of Europe (CoE) Cybercrime Convention. The convention, signed by 37 countries so far, allows for "minimum standard mutual law enforcement assistance between nations".

Albania, Estonia and Croatia have already ratified the treaty, thus bringing it into legal force. The UK has signed the treaty, but no date has yet been set for its incorporation into British law.

Russia has been arguing in the G8 for a data retention regime, PI notes. If successful, it too would have access to UK data under the mutual assistance treaties.

Privacy International warns that the "low standard of evidence or authentication demanded for these transfers creates exceptional dangers to many ethnic and other groups in the UK". The conditions for sharing this information mean the intelligence could be about offences that are criminal only in the requesting country and not in the UK.

"In the G8, the CoE and under other mutual legal assistance agreements, there are no requirements for dual-criminality. In fact, the CoE convention on cybercrime dissuades governments from allowing for dual criminality before data is required to be shared," Privacy International argues.

"There are grounds for refusal, but they are limited," it adds.

Agents for overseas powers

Current procedures in the UK do not require dual-criminality when responding to requests from other countries. In fact, sometimes only very basic information is required to inform the UK officials of the purpose of the data to be transferred.

And the situation is set to get worse if plans to compel service providers to keep communications data for at least a year go ahead.

Provisions in the Regulation of Investigatory Powers Act (Part I, Chapter I, Section 5) allow for the "disclosure of interception and communications data" under mutual assistance agreements or for intelligence purposes.

So the passage of the current orders and the implementation of data retention would make data regarding UK subjects available to governments around the world with "little oversight or control", PI warns.

"This data will be made available without regard to dual-criminality, and it may in turn be kept by foreign governments as they see fit. Countries such as the US that do not have data retention schemes will benefit from the vast store of information available on UK citizens even when similar stores are not available on their own citizens."

PI's Director, Simon Davies, warned: "The government's plan to stockpile this massive amount of sensitive information poses a risk to a great many people. The proposals should be abandoned immediately.

"The proposals are ill-considered, unnecessary and unlawful," he added.

The government's proposals will be debated at a meeting (Wednesday, 5 November) in the House of Lords, organised by Privacy International and the Foundation for Information Policy Research. ®
