Home energy smart meters are coming under scrutiny for privacy and security issues around IoT devices

Government's split personality hits data privacy

The UK government says it wants to let private enterprise take care of privacy online, while it interferes with the technologies and servers meant to keep data secure.

Does your privacy online matter to the government? As more personal devices with the ability to track your daily habits go online, government and the agencies that advise it say they want to put more of the responsibility for ensuring personal privacy and data security into the hands of private enterprise.

The UK government in particular claims to be keen to stop further data privacy laws being introduced and potentially even roll them back. This contrasts with the European Union, which wants to tighten up the legal protection for privacy at a time when attacks on companies such as Experian in the US have exposed the personal details of millions. The EU’s approach was recently bolstered by the European Court of Justice’s decision to make it harder to export personal data from Europe to the US, which has much looser rules.

In a February 2014 policy paper prepared for the prime minister’s office, the government-appointed Business Taskforce argued: “When small and medium-sized enterprises are crucial to creating new jobs, it doesn’t make sense for the EU to extract £300 million from UK businesses alone to implement new data protection rules.”

The rules include requirements to appoint a data protection officer (DPO), to report data breaches within 24 hours of discovery and to delete an individual's data on their request. “There are also less clear-cut rules such as the requirement to include data protection in the design of business processes rather than adding it as an afterthought,” says Mike Spykerman, vice president of product management at security-software company OPSWAT.

The new EU regulation will probably use the threat of fines to encourage companies to find more secure ways to handle internal data transfers and employee communications. “By using FTP and email to transfer sensitive data, an organisation is clearly not incorporating data protection into their business processes and quite frankly is ignoring the importance of keeping their customer and employee information safe,” Spykerman adds.

Specific rules that the UK government said it wanted to be removed include those that force companies to analyse the impact of breaches of customer data, unless there is a risk of “specific harm”. It is unclear how companies are meant to determine specific harm without performing some kind of assessment.

Yet, even if the UK government wins concessions from the EU, many technology businesses will see little loosening in the practical requirements. Spykerman says: “Since any company with EU customers needs to comply with the EU Data Protection Regulations, many UK businesses will have to meet these standards anyway.”

The US approach

The UK government’s proposed moves would take it closer to the US in terms of official attitudes to online privacy, where the issue is framed mainly as a question of individual choice. Privacy is handled at the level of contract law. This has led to the situation where, in its current 'privacy check-up', Google claims you have more control over what the company actually stores by signing in to a personalised account and telling the company what to keep of your search history than if you use the search engine while signed out. If you continue to use the service ‘anonymously’, the company is apparently able to use browser information, cookies and IP tracking to maintain its profile of your use.

The US Department of Justice funded an illustrated guide for consumers on preventing identity theft, including helpful guidance such as a warning to not write down sensitive financial information and put it where it might be stolen. How consumers are meant to determine the chances of their data being leaked by any of the institutions with which they do business is not covered. However, the US Federal Trade Commission (FTC) has committed to using these contracts to tighten up corporate attitudes to privacy in the face of numerous data breaches.

Professor Rahul Telang of Carnegie Mellon University says: “From the penalty side and regulation, the FTC is one of the most prominent taking a more aggressive approach and being willing to fine firms for privacy violations.”

But University of Cambridge security researcher Professor Ross Anderson sees the FTC’s approach primarily as a 'truth in advertising' scenario where the agency is only able to prosecute cases where the supplier has failed to honour its commitments to privacy. “If they say ‘we will sell your data to spammers, have a nice life’, it's hard for the FTC to go after them,” Anderson says.

In general, faced with an increase in the number and variety of personal devices that will exchange data online, public agencies working for the UK government themselves largely favour a laissez-faire approach to recommendations, operating on the basis that industry should do the right thing rather than be told what to do. “We are keen to find ways to develop commercial solutions that will solve the policy problem. That’s the best approach if we can get there. If industry does not come up with a solution, there will be government and regulatory responses that won’t work as well. The ultimate responsibility is with government and regulators but we are not well placed to come up with solutions,” Steve Unger, CTO and group director of Ofcom, said at a recent conference on IoT security organised by the NMI business organisation.

Ian White, technical director of CESG, the information security arm of GCHQ, argues that the corporate world has the duty to pay more attention to privacy and security because “government doesn’t have the depth and reach to look at high tech. Companies have a responsibility and can’t transfer that to government”.

White says government is concerned that legislating might affect competition in emerging areas such as smart utility meters: “There is a risk of over-reacting on privacy grounds. There is a risk that that will make it harder to realise the benefits of the programme [on smart meters].”

Privacy and national security

Although government appears to be happy to let industry self-regulate on the basis of a lack of expertise, its attitude changes and becomes distinctly interventionist and apparently highly experienced in technological issues when the phrase 'national security' pops up. In this area, governments seem only too willing to introduce laws that security experts see as weakening an already fragile data-security infrastructure and which impinge on the administration’s claimed free-market aims.

In its criticism of early proposals for the EU Data Protection Regulation, the government argued that it would be best to have two directives – one for businesses and one that provides greater freedom for the police and other government agencies to collect and store data. The intervention extends to the research and deployment of security technologies.

“There is huge hypocrisy,” says Anderson. “They want to direct research and disrupt start-ups with export controls yet they profess to be in favour of free enterprise. As a result people wanting to do security start-ups might well consider doing them overseas. After Snowden, who would want to buy any product from a company based in Britain? They will be aware that companies will have their arms being twisted to hand information to GCHQ.”

Michael Froomkin, professor of law at the University of Miami, described a similar inconsistency in the US government’s attitudes in a paper for the Ohio Law Journal, contrasting desires for a privately organised “identity economy” – built on the ability to secure anonymity online – with the White House’s International Strategy for Cyberspace that demanded police oversight of activities carried out on the Internet.

To ease the job of interception, government is keen to scrutinise proposals intended to beef up security on the Internet. For example, Vodafone is working on a protocol that the company intends to submit to the cellular standards body 3GPP that will make it possible for simple IoT devices to borrow some of the security features from the SIM cards in mobile phones.

Manufactured in a handful of accredited fabs, the cryptoprocessors in SIM cards today carry a high degree of trust. This could be translated into a scheme that supports high-quality encryption between IoT devices and cloud servers. Steve Babbage, Vodafone’s chief cryptographer, says: “One of the big research and development efforts for us is the cellular IoT. One possibility we are moving towards today is to have the end-to-end encryption keys provisioned with our help using keys generated by the SIM.

“It’s not standardised yet. But they are ideas that we are taking into the 3GPP standards group. But there are issues around lawful interception, which may be less straightforward if messages are encrypted all the way into the home network.”

The interference can extend to demanding backdoor accesses to cryptographically protected communications channels to make it easier to eavesdrop.

“They want to be able to collect data more easily but we don’t even know when agencies get information how useful it is to the agencies,” says Telang.

“There is a growing number of people in the USA including former directors of the NSA who are becoming more vocal, saying that demanding backdoors is a significant strategic mistake. The backdoors make it easier for agencies such as the FBI but also easier for Chinese militants to find backdoors in government infrastructure. This is, unfortunately, not a debate that’s happened so far in Britain, though you may start to see that shift in the autumn,” Anderson says, referring to the debates that may surround the introduction of a surveillance bill.

The role of government

Telang says concerns over state actors getting involved in commercial cybercrime are convincing corporations that governments should be more involved in legislating for greater security by enterprises. “It’s a double-edged sword from private companies’ perspective. They feel they spend too much money on security. So they want government to play a more active role when it's Chinese hackers trying to perform the attacks. Firms would like government to take a more aggressive approach on this and maybe do more diplomatically at an urgent level. They want government to do more. But not when it’s intruding on their network or forcing them to provide data about consumers.”

One bill meant to let US corporations and government cooperate over cybersecurity and attempt to fend off the more sophisticated, well-funded attackers has become mired in controversy. Proponents argue the Cybersecurity Information Sharing Act (CISA), if passed, will make it easier to track down and prosecute hackers and cybercriminals by reducing the risks of corporations sharing attack details with each other and law-enforcement agencies. But civil rights groups in the US, such as the Electronic Freedom Foundation, are campaigning against the introduction of the CISA bill in its current form because they regard it as providing little protection for individual privacy. Many US senators have balked at amendments to the bill that appear to be designed to make it easier for government agencies to capture and store personal data.

It is not yet clear whether more legislation of the private sector would effectively clamp down on data breaches that seem to happen almost on a daily basis. One set of laws designed to make companies take privacy and security more seriously is along the lines of one originally enacted in California which forces companies to disclose publicly when they have suffered a breach. That has focused attention on the problem of breaches.

Anderson believes the disclosure legislation is beginning to work: “It’s had a real effect and we have research on this coming in. There are costs. Writing to 150 million people costs a lot of money and corporate insurers are starting to pay attention to the problem. It’s creating a market for reinsurance so those companies are starting to develop portfolios.”

This, in turn, says Anderson, is pushing companies to take the potential cost of breaches more seriously because it is being factored into their insurance policy costs. “So the techniques for regulating cybercrime used in banks are beginning to spread into the wider corporate world. More and more people are being asked to do security audits. It’s getting there. It’s a slow process but breach disclosure is a very important part of the mix and one that Europe is getting wrong because of lobbying.”

Anderson adds: “We’ve been pushing for disclosure in Europe. But the whole thing got hijacked by GCHQ. Instead of having to disclose publicly, the proposals call for breaches only to be reported to the three- and four-letter agencies. It’s not a means of empowering the consumer but empowering the state.”

Although the CISA bill has stalled, Telang expects the US to move further in the direction of sharing data about hacking attacks. “There is a lot of movement in that direction. I fully expect that we will reach some consensus, where the firms perceive that it’s safe to share information. Today, firms are worried about sharing because of bad news and getting lawsuits.”

But a bill such as CISA makes the core of the problem clear, Telang adds: “There are two large elephants: one is security, the other is privacy. Try to improve one and often you are hurting the other. It’s a difficult question or otherwise we would have solved it by now.”

Dealing with the problem of squaring security and privacy will take skilful legislation. Whether governments have the will, let alone the wherewithal, looks doubtful based on their current approaches to technology.
