LONDON – Security vendors have responded skeptically to news that the U.K. government wants to set up a ‘Big Brother’ super-database logging every telephone call, e-mail, text message, and Website visit made by the country’s 60 million citizens.
The idea has emerged from a Home Office proposal that is being considered for inclusion in the forthcoming data communications bill, due for announcement by ministers in November’s Queen’s Speech.
The authorities have already discussed the logging with large ISPs, which would be required to keep the records for 12 months, handing them over for inspection if a court authorized such action.
The information stored would not include the content of e-mails and calls, only the fact that they were made from certain endpoints at a specified time. These could be used by police to analyze call and communication patterns by and between suspects.
“You’ve got to admire the government’s gall in attempting to bring in yet another ‘super-database’ with public confidence still in tatters over recent lapses in data protection,” said Jamie Cowper of PGP Corporation.
“Surely it would be more logical to initially focus on fixing the existing databases and proving their security before introducing new ones?”
In his view logging calls could prove controversial if it involved U.S. companies, which might not trust the government to secure the logs to high enough standards. The potential for abuse, however trivial, would be obvious.
Richard Archdeacon of Symantec was also skeptical about security, although he believed that the recent loss of a CD disc full of revenue department information had changed attitudes at the highest levels of government.
“There has been a sea change in recent months. A detailed look has been taken, splitting data between systems,” in order to make systems more secure, he said. “With such a vast amount of data that the Government is looking to store, they have to be very clear with their policies and have a very strict data loss prevention program in place.” BT, presumably a major participant in the scheme should it come to pass, was typically noncommittal, saying in an email that “We have been aware of the proposal for some time and are in discussion with the Home Office about implementation.” What might cause more problems is the opinion of the country’s Information Commissioner, Jonathan Bamford. “This would give us serious concerns and may well be a step too far. We are not aware of any justification for the state to hold every UK citizen’s phone and internet records. We have real doubts that such a measure can be justified, or is proportionate or desirable,” he was quoted as saying. “We have warned before that we are sleepwalking into a surveillance society. Holding large collections of data is always risky — the more data that is stored the bigger the problems when the data is lost, traded or stolen.” Bamford was embarrassed when it emerged that had he had not been properly informed of the HMRC incident by the department, despite their being a requirement for such serious breaches to be reported to him immediately. To make such a database a reality would mean a re-engineering of networks in Britain, with the result that many service providers would simply move abroad, according to Ross Anderson, chair at the Foundation for Information Policy Research, a think tank for Internet policy in Britain. “It’s an enormous power grab by the Home Office, and to think it will become a reality is wishful thinking,” Anderson said.