Digital Age Legislation to tackle escalating cyber related crime
The financial cost of cyber crime to the UK economy has been estimated at £27 billion per annum. The main losers, at £21 billion, are UK businesses, which suffer from the highest volumes of intellectual property theft and espionage.
When a cyber attack has been reported, the responsibility falls to the prosecution services to act, but unfortunately the Crown Prosecution Service is not able to cope with the increase in the demand for enforcement. Last year, for example, it reported that it had prosecuted fewer than 1,000 cases under the Computer Misuse Act 1990.
One reason for the poor prosecution rate may be that the myriad of potential cyber crime offences can be boundless and complex. Another reason may be that the enforcement agencies have been ill-equipped to respond rapidly to the crime reports.
While Panama awaits the litigious backlash from the recent data breach in the UK, all eyes are on the new Government proposals seeking to combat the gargantuan rise in online threats faced by the nation.
On the attack
The statistics suggest that 80% of online threats are avoidable by employing simple best practices, so arguably the responsibility of deterrence is placed upon the user. Should the UK Investigatory Powers Bill be passed, then this responsibility will also extend to internet service providers.
The current investigatory laws available to enforcement agencies lie within various statutes made over the last 18 years. In the main they include: Regulation of Investigatory Powers Act 2000; Police Act 1997; Justice and Security Act 2013; and the Data Retention and Investigatory Powers Act 2014 [DRIPA].
DRIPA 2014 was an emergency statute made as a consequence of a declaration of invalidity made by the Court of Justice of the European Union in relation to Directive 2006/24/EC. This is the Directive that governs the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks.
Some of the key elements of DRIPA seek to address the retention of certain communications data and the grounds for issuing interception warrants.
As a temporary measure, DRIPA 2014 expires on 31 December 2016, the date of its repeal.
Digital age legislation
On 1 March 2016 the Investigatory Powers Bill was introduced to the House of Commons after having been presented by the Government on 4 November 2015 for consultation. The intention behind the Bill is to adequately replace DRIPA 2014 and provide an improved system for combating high level internet threats. On publishing the Draft Bill, the Rt Hon Theresa May identified that last year 90% of large organisations suffered an information security breach.
With a few swipes of the pen (some 298 pages) the Bill brushes aside the Communications Data Bill of 2012 to make way for this new and improved version that has already been described in the media as a ‘snooping law’.
Whatever we choose to call it, there can be no doubt that proper and clear investigatory powers will be needed by the enforcement agencies to be able to protect the victims and prosecute the offenders in the hope of providing some form of deterrence.
The Bill sets out investigatory powers, such as warranted interceptions of devices, retention of communication data to identify the who, where, when and how, and emergency equipment searches.
A welcome feature of the Bill is that it will seek to unify the several investigatory powers into one statute and under one body that will be supported by Judicial Commissioners and led by a Senior Judge. However, the success of the Bill will require the assistance of Communications Service Providers and overseas companies.
Backlash
The initial response, in particular from the Chief Executive of one leading provider, is that the Bill will actually provide criminals with a ‘back door’ to access personal details and that it is perverse not to have end-to-end encryption. The campaign leaders for civil rights, Liberty, have argued that the Bill is a ‘breathtaking attack’ on Britain’s online security. Clarity has been provided by the Home Secretary, who stated that the Bill does not allow law enforcement access to people’s full web browsing histories, but only to the Internet Connection Record of the user, which is a record of the communications service that a person has used, not a record of every web page they have accessed.
This has been described as, “If someone has visited a social media website, an Internet Connection Record will only show that they accessed that site, not the particular pages they looked at, who they communicated with, or what they said. It is simply the modern equivalent of an itemised phone bill”.
Should the Bill be successful then it is estimated that there will be an increase in public expenditure of £247 million over 10 years from 2015/2016 for the costs of businesses, courts and agencies to comply and enforce the Act.
This expenditure is a mere drop in the ocean compared to the £650 million already spent over the last 4 years for the National Cyber Security Programme that created the dedicated Action Fraud Team who are responsible for recording any online criminal activity.
Conclusion
The scale of the usage of the internet has been recorded as being the biggest shift in history since the coming of railways.
In a society that has had to tolerate or welcome (depending on your view) a Big Brother culture, which has seen the advancement of microchip passports and CCTV, our civilians are being encouraged to focus on how cyber affects homes and businesses 24 hours a day, 7 days a week.
There is a balance to be struck between the rights of the individual for freedom of expression and privacy and the rights of cyber. The weight placed on these competing factors will vary across the jurisdictions where different constitutions and cultures have their part to play.
The new digital age legislation needs to be in force by 31 December 2016 and so we await the results of the scrutiny by both Houses of Parliament, following the normal Parliamentary timetable.
Rebecca Dix
Bivonas Law LLP
www.bivonaslaw.com