Imagine that the Government required the companies that issue us with our front door keys to keep itemised copies of them for a year. Would we be confident that these would not be stolen and our homes ramsacked?
The parallel with parts of last year’s Investigatory Powers Act is not exact. But is suggestive. Under the terms of the Act, communication service providers are compelled to retain internet connection records for a year, which detail which websites internet users visit (though not the particular pages and full browsing history). The possibility of us being locked out of our own computer systems – the parallel with our homes – with our own personal data stolen, before blackmail demands are issued, arises from last week’s ‘biggest ransomware offensive in history’ – which struck at about a hundred countries, including Britain. Here, hospitals and GP surgeries were hit. Patients were turned away, operations cancelled, staff forced to resort to pen and paper.
It will be claimed that hackers are unlikely to go after institutions rather than a mass of individuals, and that the security of our records will not be breached. But the first claim is arguably wishful thinking, and the second far from guaranteed. Jeremy Hunt is being criticised this morning for failures in NHS computer security; we simply do not know if the internet providers would do any better.
The security services argued while the Act was being drafted that they need the powers it contains to help combat Islamist terror. Civil libertarians mocked what they claim is the ineffectiveness of state trawling operations, searching for the needle of terrorist plotting amidst the haystack of communications data, and said that extremist groups would simply resort to encrypted systems instead – of the kind that Amber Rudd recently said the security services should be entitled to break.
But let us take the security services’ part here, recognising the work they do to keep us safe from the likes of ISIS and Al Qaeda – and presume that the provisions laid out in the Act, which allow the police and security services to see these records without a warrant in some cases, are important to the work that they do. If this is so, we’re left with a trade-off between, on the one hand, allowing the state the tools that it needs to help protect our lives and, on the other, placing the security of our data at risk. The state itself may invade our privacy, as some public bodies did when they abused the powers available to then under the Regulation of Investigatory Powers Act. Or criminals may seek to do so in order to steal and blackmail.
Or a foreign power may do. Our readers will need no reminder, in the wake of Donald Trump’s sensational sacking of James Comey, of allegations about Russia in that regard.
Indeed, where criminal activity ends and state subversion begins is a nice question: read this piece from Wired if you want to get the flavour of some of the claims. It would be an exaggeration to claim that “the hacker will always get through”, just as it was one to say that “the bomber will always get through”, when Stanley Baldwin made that claim. None the less, the hacker will sometimes do so – perhaps often. We should be asking ourselves whether the law is putting our data more at risk than the balance between collective and personal security justifies.