Security vendors have responded sceptically to news that the UK government wants to set up a super-database logging every telephone call, email, text message, and website visit made by the country’s 60 million citizens.
The idea has emerged from a Home Office proposal that is being considered for inclusion in the forthcoming data communications bill, due for announcement by ministers in November’s Queen’s Speech.
The authorities have already discussed its plans with large ISPs, which would be required to keep the records for 12 months, handing them over for inspection if a court authorised such action.
The information stored would not include the content of emails and calls, only the fact that they were made from certain endpoints at a specified time. These could be used by police to analyse call and communication patterns by and between suspects.
“You’ve got to admire the government’s gall in attempting to bring in yet another 'super-database' with public confidence still in tatters over recent lapses in data protection,” said Jamie Cowper of PGP Corporation.
“Surely it would be more logical to initially focus on fixing the existing databases and proving their security before introducing new ones?”
In his view logging calls could prove controversial if it involved US companies, which might not trust the government to secure the logs to high enough standards. The potential for abuse, however trivial, would be obvious.
Chris Mayers, chief security architect at Citrix UK, also voiced his doubts: “The Government’s responsibility in these matter is to uphold national security and protect the public. Building a single national database will achieve neither aim.”
“The information will have to come from ISPs and telcos in the first place. Today, law enforcement can simply request that these organisations provide the information under court order. A centralised database merely magnifies the security and privacy risk - and associated costs of strict safeguards," he said. "
“The European Union's Data Retention Directive does not require any centralised database. It is hard to see any public benefit of such a database, whatsoever.”
Security experts agreed that following data leakages such as the HMRC’s loss of 25 million records, the public is unlikely to feel confident in the security of the database.
"It’s hare-brained," said Janice McGinn, research director of CIO Practice, part of the 451 Group. "Apart from any number of issues about privacy and civil liberties, central government has an appalling record in building and maintaining large databases of sensitive information. Assuming co-operation is forthcoming from the ISPs and others, history (at the NHS for example) suggests the project would overrun, with escalating costs."
She added: "Given Whitehall’s serious security breaches, the integrity of data, and the Home Office’s ability to maintain that integrity, is highly questionable. Would you trust them with your data?"
But Richard Archdeacon of Symantec believed that the HMRC CD disc loss had changed attitudes at the highest levels of government.
“There has been a sea change in recent months. A detailed look has been taken, splitting data between systems,” in order to make systems more secure, he said.
“With such a vast amount of data that the Government is looking to store, they have to be very clear with their policies and have a very strict data loss prevention programme in place."