A controversial data retention bill which was fast-tracked by the UK parliament has now passed into law, after being revealed to the public just one week ago.
The controversial DRIP (data retention and investigatory powers) bill passed through the House of Lords without amendment yesterday, effectively being rubber-stamped into the legislative books overnight and receiving royal assent several hours later.
The legislation - which has an expiry date of the end of 2016 - requires communication service providers (CSPs) to retain customer data for up to a year, whilst granting UK security services access to that information, including metadata related to phone and IP calls, emails and social media interactions.
It will also mandate non-UK companies - such as Facebook and Google - to hold information on web activities if their users are based in the UK.
The Act had many critics in the House of Lords this week, but peers seemed unable to stop its passage into legislation.
The House of Lords' constitutional committee warned that the bill handed the Home Secretary extraordinary new powers to expand future surveillance systems without having to put it to a vote.
"One is right to be deeply suspicious of emergency legislation that appears in this way," Lord King, former British Airways chairman, said in the debate last night.
"I should also say, deeply cynically, that that is even more the case when such legislation comes with all-party agreement. That is a time to fasten your seat belts and wonder what the background to it really is."
Lord King's concerns were echoed by Lord Butler - who has served as private secretary to five Prime Ministers and has been a member of the UK's Intelligence and Security Joint Committee since 2010 - who remarked that the issues the bill addressed had been known about by the government for several months.
"Why has parliament been given so little time to consider this bill?" he said.
Professor Sommer - a UK digital forensics expert - said the decision to make DRIP an emergency bill was inexcusable.
"Home Office officials would have known for many months that a well-thought-out and negotiated contingency plan was needed," he said.
Adrian Davis, the EMEA managing director of infosec not-for-profit (ISC)2, said the DRIP legislation could leave UK personal data at greater risk from cyber-criminals.
"The debate around the DRIP bill has centred on how much the state should be allowed to know about us, but it is not just the state that would like to know who we have called, emailed, or instant-messaged in the past year," he said.
"Cyber-criminals and hacker groups are frequently targeting phone and internet companies in search of this information with increasing success."
The new law will require more and more information to be stored, processed, accessed, backed up and deleted, with more and more people having either access to or control over it. The more people and steps involved, the more likely it is that an accidental breach or disclosure may occur, he said.
The Australian Government is currently considering similar legislation, which would force telecommunications providers to store customer data for a minimum of two years in order to aid law enforcement investigations.
The proposal has yet to arise in a bill, despite support from both the Liberal and Labor parties, but is under "active consideration" by the Government, Attorney-General George Brandis said yesterday.