The extended internet snooping powers and data retention included in the Investigatory Powers Bill will cost the UK taxpayer £174m over the next 10 years, a Home Office official has revealed.
The bill, also known as the Snoopers' Charter, details a restructuring of domestic surveillance by giving police and the government extended surveillance powers while seeking to legitimise a number of techniques that law enforcement has been using for years.
The proposals will also force UK service providers to store huge amounts of data for 12 months at considerable cost, as explained by Richard Alcock, director of communications capability at the Home Office, during the first Select Committee scrutiny of the bill by MPs including Lord Strasburger, Baroness Browning and Dr Andrew Murrison.
"We have got a very good relationship with the communication service providers on which we serve notices, and we have worked with them throughout the summer to think about the likely data volumes and work out estimated costs for the retention of internet connection records specifically," he said.
"It's £174m over a 10-year period in relation to the internet connection records."
Alcock stressed that the figure is an estimate, but added that the Home Office "looks at the likely data volumes and the costs associated with that volume growth over time, so even though I gave the example of £17m a year the costs may go up over time".
Paul Lincoln, director of national security at the Home Office, explained that the costs are necessary to subsidise the affected service providers.
"What we have tried to do, and it's what we have done in the past, is to make sure that companies are not materially disadvantaged by having to meet the requirements of government," he said.
When questioned about whether the proposals would leave UK service providers at a competitive disadvantage, he said: "That's one of the reasons we provide costs back to the companies."
A previous government snooping scheme, known as the Draft Communications Data Bill, was estimated to cost £1.8bn in full.
12 months the right data retention length
Home Office officials claimed that the 12-month period of data retention strikes the right balance between privacy and aiding police work.
"The UK decided to adopt for 12 months when it first introduced legislation in this area. It was considered to be the right balance between the levels of intrusiveness in terms of holding the data," said Lincoln.
"You could go further than that, and there are other nations which have gone further. The Australians recently passed legislation to go for 24 months' worth of data retention, but we thought 12 months struck the right balance."
Not every internet provider currently holds the data the government wishes to collect. The names of these providers are not in the public domain, but the Investigatory Powers legislation would force every UK firm to start retaining internet record data regardless of capability.
"Some [providers] do not at the moment and the purpose of the legislation is so they can when served under notice," said Alcock.
"In all our conversations with those providers at no point have they said it was impossible to implement. They will say it's possible, they will say it's hard, they will say there's more work to be done because their systems are constantly changing."
The government's official position on encryption remains unclear, especially around products such as iMessage and WhatsApp that use end-to-end encryption.
However, Lincoln told the committee that, despite some companies offering end-to-end enabled products, decryption must always remain an option.
"We will ask people to decrypt information, and people do that for us. If you are providing a service to UK customers and we think it is a necessity, those companies should be required to provide that in the clear," he said.
"We should be in a position where, just as in the physical world, you don't want there to be places where people are allowed to go unpoliced and ungoverned. The same should apply in the internet world.
"We are not setting out for anyone to say how they should do that. The government doesn't want to hold keys to encryption or anything like that. That debate happened a long time ago."
Keith Bristow, director general of the UK National Crime Agency (NCA), echoed recent comments by FBI director James Comey that increased anonymity tools hinder police work, commonly referred to as 'going dark'.
"Technology has changed the way we all lead our lives and that's mostly a good thing for the law-abiding majority," Bristow told the committee.
"The reality is that the serious and organised criminals in particular that we target as an agency also see very significant advantages. That presents us with very real challenges because the infrastructure of the internet provides some of these people with significant levels of anonymity. The reality is that law enforcement is experiencing a widening gap."
Interestingly, Bristow believes that the Investigatory Powers Bill proposals surrounding internet data retention do not go far enough.
Some websites, including those that offer communication services or host illegal content, are open to law enforcement data requests, but others, such as travel booking websites, will not be accessible by the NCA.
"We need to be clear that there will be data retained by service providers that we cannot request access to," he said. "That does limit some of our ability to protect the public and fight crime."
Data protection woes
The committee openly questioned the ability of law enforcement agencies to keep any new data secure in the wake of numerous data breaches this year alone, including at Target, the US Office of Personnel Management and TalkTalk.
"The vast majority of the communication data is held by the providers and we can only access it in certain circumstances," explained Chris Farrimond, deputy director of intelligence collection at the NCA.
"When [communications data] comes in it's held in the same systems as all of the other evidence that we have, so it's treated in exactly the same way to exactly the same specification, which is at a very high level."
However, the NCA website continues to be a target for hackers. "Although there have been various attempts to get onto our website they have only managed the outward facing one and never managed to get anywhere near the inward facing one. Now, that's not a challenge, but we are satisfied with the security of our system," Farrimond said.
Bristow believes that the NCA has the necessary security in place to stay protected despite the increased risk of cyber attack.
"Of most of the attacks we get on our outward facing website the catalyst is that we have taken on some cyber criminals, so the community that supports people like that do a denial-of-service attack on our website to try to get us to take it down," he explained.
"We spend considerable resources and energy making sure that we keep that site secure, but that is not the system where we retain our intelligence and our evidence."
Indeed, the NCA website was knocked offline by hacking group Lizard Squad in September after six alleged members of the group were arrested by the agency.
There is plenty of opposition to the Investigatory Powers Bill from civil liberty groups and privacy advocates, but it is clear that UK law enforcement is increasingly keen to throw its full weight behind the surveillance proposals.