This article is more than 1 year old

UK cyber-spy law takes Snowden's revelations of mass surveillance – and sets them in stone

'You can't just uninvent encryption'

Number 10 is out of touch with technology

Nigel Hawthorn, European spokesperson at cloud security company Skyhigh Networks, argues that the bill provides more evidence that the government is out of touch with technology.

"Any law which bans end-to-end encryption will break data protection regulations and decrease security on the internet," Hawthorn said.

"There's a complete misunderstanding of how end-to-end encryption works. It's wrong to assume that forcing technology companies to break their own security is going to please the average man on the street, and this is not even technically possible in many instances. It's not the first time the government has been wholly ignorant of technology, and despite the inevitable backlash from technology experts, politicians continue to announce these ill-thought-out unworkable proposals."

Encryption is more important than ever, Hawthorn argued.

"With the number of successful state-sponsored cyber-attacks and high-profile data breaches ever increasing, is now really the time to lower encryption capabilities? You can't just uninvent encryption, so if this government stops innocent people using unbreakable encryption via legitimate businesses, the only people left using it will be the criminals."

Greg Aligiannis, senior security director at message encryption provider Echoworx, expressed fears that citizens' internet records collected for the cops may be snatched by hackers; just look at the attacks on ISP TalkTalk, the US government's Office of Personnel Management (OPM), and others.

"In addition to the concerns of privacy we must also consider how this may put people at risk," Aligiannis explained.

"History has shown that the government is subject to attacks just as much, if not more so, than other organisations that look after data for their customers. All of the data collected by the government will need to be stored somewhere – what's to stop someone hacking into and exposing that data?"

Bharat Mistry, cybersecurity consultant at Trend Micro, argued that requirements for the blanket retention of "internet connection records" covered elsewhere in the bill will put a huge load on service providers.

"Unfortunately this legislation unlocks more questions than it answers," Mistry explained.

"If a CSP is required to capture this data and store it, there is a question around who is going to fund the infrastructure costs. This isn't just about the physical infrastructure assets, but environmental such as power, cooling, and physical security costs also have to be considered.

"CSPs are already saying that data storage repositories are growing at an unmanageable rate – so how can this quantity of data be managed and securely transferred and stored? Will the data be in one central repository or multiple, and what about backup and storage? Another challenge will be keeping audit trails of who, what, when, and where in relation to the data. Moreover, how and when will the data be purged?" ®

More about


Send us news

Other stories you might like