It was of course complete coincidence that the UK Government chose to publish the controversial draft Investigatory Powers Bill only days after one of the country’s biggest ISP’s, TalkTalk, admitted to losing the personal data of 1.4 million customers in another corporate data breach.
Normally, surveillance legislation and data breaches are completely separate topics, one a matter of law, the other of criminality, one about having data stolen, the other about the legal and technical framework for gathering it. But as privacy groups angst over the Government’s plans, it is probably a moment to ask an unsettling question – which of these represents the biggest threat to the privacy of the average Briton?
Worried about UK government surveillance? - what’s in the bill?
After digesting three separate reviews of existing legislation, the Government’s stated intention to ‘clean up’ the clutter of old laws under a single piece of new law. This, it claims, will make the powers and their inner workings more transparent and easier to understand, both for the security services and the public.
Police and intelligence services will be able to obtain warrants to monitor everything an individual has done online in the previous 12 months using data ISPs will be required to store. There is a lot of argument about the fine detail of this provision, but there’s no escaping the fact that the legislation will allow police and security services to monitor a person’s catalogue of online behaviour, including who they communicate with and which websites they visit. ISPs won’t have to store actual site content but there are other ways of getting that anyway – police will also be able to directly hack an individual’s computers using remote surveillance software.
Good idea, bad idea
A clear statement of where we stand has been overdue and was been welcomed by more thoughtful commentators who worry that some of this has been going on anyway in a grey area not addressed by current legislation. Terrorism, organised crime and illegal Internet access all leave a digital trail that needs to be followed. Edward Snowden tweeted that Conservative MPs were “taking notes on how to defend the indefensible,” an extreme position that makes him sound like a privacy fundamentalist. If GCHQ is intent on carrying out illegal surveillance on journalists, dissenters and whistleblowers without warrants then frankly they could do that anyway by simply breaking the law.
What we end up with is a strange duality whereby the Government says that it needs the new powers to track criminals. Campaigners argue that this risks weakening privacy. Which side is right? Arguably, both of them, which has left a lot of people mightily confused about striking a balance.
What about Google and TalkTalk?
But government surveillance of digital information as only one way personal data about citizens is at risk of abuse. Two others are data legally stored by companies about us in databases – the sort of data lost by TalkTalk during its recent data breach - and the often intimate personal silently data handed over to large companies as we use Internet services and social media.
It is frankly bizarre that a complex debate ensues every time governments propose legislation allowing qualified access to personal data and yet the negligence of large companies in looking after much of the same information is seen as merely annoying. The fact that dangerous cybercriminals are now using stolen names, dates of birth and addresses to piece together identities of ordinary citizens across the world is not something Britons should simply ignore because its dangers haven't yet become apparent.
Ciitizens justifiably recoil at the idea of unknown public officials accessing their web and phone history but seem entirely oblivious to the ease with which cybercriminals can get their hands on even more detailed browsing history by breaking into a poorly-secured Google account.
Do consumers even grasp how much data exists on almost every one of us and how easy it is to piece it together perfectly legally to reveal quite personal information on our lives? If they do, perhaps they don’t care until it is abused, at which point it is too late.
Governments are only one dimension of the worry over personal data and the complacency about the wider dangers seems to be almost routine. Citizens rightly demand that governments keep to high standards when they access records about our lives but unless we adopt the same standards for all data then privacy will become meaningless long before it is abused by governments.