Cybercrime at £10 billion as UK spies break rules
Get Safe Online have reported that the UK lost £10.9 billion to fraud and cybercrime in the year leading to April, costing every adult £210.
While the campaign have used this latest figure to reiterate their calls for people to take due care online, it's interesting to note that their warnings are being released at the same time as the Investigatory Powers Tribunal (IPT) have ruled that UK spy agencies had been collecting people's data unlawfully.
In particular, the IPT judged that GCHQ, MI5 and MI6 had been harvesting masses of personal data without "statutory oversight", thereby putting this data at risk.
Even though no direct link has been explicitly demonstrated between mass data collection by the security services and the occurrence of cybercrime, such action groups as Privacy International claim that bulk personal datasets (BPDs) increase the risk of online crime.
As a result, even though it's always necessary for individuals to act with caution on the internet, data security requires the Government to ensure that intelligence agencies also act with caution and restraint.
The new Wild West
Otherwise, the £10.9 billion figure may be higher next year.
As it stands, much of this sum (53%) is reportedly the result of phishing campaigns. These involve people receiving authentic-looking but ultimately fraudulent emails, which claim to be from their bank, phone company or even university.
Such emails ask them to enter their bank and personal details, ultimately with the aim of transferring their money into the hands of cyber criminals.
Another frequent ruse at 28% simply involves people being contacted, often by phone, by someone who tries to persuade them to hand over their personal details. Unsurprisingly, the object here also involves the theft of money.
Then there are somewhat lesser dangers such as having email or social accounts hacked (at 10%), and being the victim of ransomware (at 3%), which essentially deactivates a user's computer via a Trojan virus and demands payment for having it reactivated.
These are all very genuine threats, and in the face of them many people would indeed benefit from following the safety guidelines that Get Safe Online advocate.
Such guidelines include ensuring the greatest possible strength and variety of their passwords, ideally using a password manager. They also include backing up files, checking social media privacy settings, updating applications and security software, and making sure children are also aware of the possible dangers of the internet.
By taking such precautions, people will significantly reduce their risk of falling victim to phishing, identity theft, or online fraud.
However, as the IPT's ruling on Monday made clear, this might not be enough to completely stamp out the possibility of cybercrime when the UK's security agencies are collecting masses and masses of personal data without using all the necessary safeguards.
Following a formal complaint from Privacy International, the Tribunal examined how exactly GCHQ, MI5 and MI6 collected and handled the UK's personal data.
In their investigations, they discovered that, while statutory oversight was "concerned with the authorisations to access the communications data obtained," it was not "concerned with ... the arrangements for the retention, storage and destruction of the data."
In other words, there was no indication whatsoever that any of this data was being collected in a way that would guarantee its safety.
As such, the Tribunal ruled that the system of mass data collection "failed to comply" with the European Convention on Human Rights. It violated Article 8 of the Convention, which states, "Everyone has the right to respect for his private and family life, his home and his correspondence."
In response to such a ruling, the Government and the security services would affirm that an official policy on how BPD should be collected came into legal effect from February 2015.
Compliant with the ECHR, this policy would, in theory at least, prevent future lapses of data security from occurring.
No Human Rights Act
However, two things are worth noting.
The first is that Brexit is happening, and that the Government has confirmed that the Human Rights Act - which was based on the ECHR - will be scrapped and replaced with a "British Bill of Rights."
Accordingly, the Government may very well end up watering down their commitment to necessary oversight and necessary respect of basic privacy, especially when it comes to passing the so-called Snoopers' Charter.
And secondly, even if it largely kept with the basic principles of the ECHR, this wouldn't necessarily prevent instances of negligence and mishandling from occurring.
For example, between 2014 and 2016, two MI5 and three MI6 agents were disciplined for mishandling mass personal data.
These weren't isolated incidents either, since over the same duration, 47 occasions of non-compliance with MI5's own codes and rules were detected.
This goes to show that, even with laws in place, the nature of the work conducted by the intelligence services means that breaches and blunders will occur.
And if these breaches and blunders lead to personal data falling into the hands of, say, Russian hackers, then so too will more acts of cybercrime occur with them.