A little over a week ago, GCHQ gave us a show. A giant poppy, part of the 2014 Armistice Day appeal. It was spectacular – and, for me at least, more than a little creepy.
The poppy display seems to have been part of something bigger: the term that immediately sprang to mind was ‘charm offensive’. GCHQ has, over the last year or so, been trying to charm us into seeing them as purely positive, despite the revelations of Edward Snowden. They’re trying to appear less secretive, more something to be admired and supported than something to be concerned about and made accountable. The poppy was an open symbol of that. Look at us, GCHQ seemed to be saying, we’re patriotic, positive, part of what makes this country great. Support us, don’t be worried about it. Love us.
I assume that the speech by Robert Hannigan, the new Director of GCHQ, was intended to be part of that charm offensive. For me, however, it had precisely the opposite effect. The full speech was published in the FT here – but I wanted to pick out a few points.
Privacy an absolute right?
The first, which made the headlines in the Guardian and elsewhere, is Hannigan’s statement that ‘privacy is not an absolute right’. He’s right – but we all know that, even the staunchest of privacy advocates. Privacy is a right held in balance with other rights and needs – with freedom of expression, for example, when looking at press intrusions, with the duty of governments to provide security and so forth. That’s explicitly recognised in all the relevant human rights documents – in Article 8 of the European Convention of Human Rights, for example, it says of the right to a private life that:
“There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others”
So we already know that privacy is not an absolute right – so why is Hannigan making the point? It’s hard to see this as anything but disingenuous – almost as though he wants to imply that foolish privacy advocates want to help terrorists by demanding absolute privacy. We don’t. Absolutely we don’t. What we want is to have an appropriate balance, for the interference in our privacy to be lawful, proportionate and accountable. At the moment, it’s not at all clear that any of that is true – there are legal challenges to the surveillance, deep doubts as to its proportionality and little evidence that those undertaking the surveillance are properly accountable. On the accountability front, it’s interesting that he should make such a speech at a time when the Intelligence and Security Committee of Parliament, are undertaking a consultation – it made me wonder whether he’s trying to steer the committee in a particular direction.
Facebook – a tool for terrorists?
The other headline from the speech is the way Hannigan seems to be attacking Facebook and others for being too helpful to terrorists – which is an interesting reverse from the more commonly held view that they’re too helpful to the authorities. The argument seems to go that the ‘old’ forms of terrorists, exemplified by Al Qaeda, use the ‘dark web’, while the ‘new’ forms of terrorists, exemplified by IS, are using the social media – Facebook, Twitter and so forth. It’s an interesting point – and I’m sure there’s something in it. There’s no doubt that ‘bad guys’ do use what’s loosely called the dark web – and the social media activities of ‘bad guys’ all around the world are out there for all to see. Indeed, that’s the point – their visibility is the point. However, on the face of it, neither of those ‘facts’ support the need for the authorities to have better, more direct access to Facebook and so forth. Neither, on the face of it, is any justification for the kinds of mass data gathering and surveillance that seem to be going on – and that GCHQ and others seem to be asking us to approve.
By its very nature, the ‘dark web’ is not susceptible to mass surveillance and data gathering – so requires a more intelligent, targeted approach, something which privacy advocates would and do have no objection to. Social media – and Facebook in particular – don’t need mass surveillance either. To a great extent Facebook is mass surveillance. All that information is out there – that’s the point. It’s available for analysis, for aggregation, for pretty much whatever the authorities want it. And if Hannigan imagines that the secret activities of IS and others are undertaken on Facebook he’s more naive than I could imagine anyone in the intelligence services could be – they can’t have chosen to use Facebook and Twitter instead of using the dark web, but in addition to it. The secret stuff is still secret. The stuff on Facebook and Twitter is out there for all to see.
What’s more, there are already legal ways to access those bits of Facebook and Twitter than are not public – which is why the authorities already request that data on a massive scale.
Charming – or disarming?
Hannigan must know all of this – so why is he saying it? Does he think that the charm offensive has already worked, and that the giant GCHQ poppy has convinced us all that they’re wonderful, patriotic and entirely trustworthy? They may well be – I’m no conspiracy theorist, and suspect that they’re acting in good faith. That, however, is not the point. Trust isn’t enough here. We need accountability, we need transparency, we need honesty. Checks and balances. Not just charm.
Paul Bernal's Blog 
They won’t so anything that isn’t lawful, they claim. Why then they’ll just change the law, probably by making it as vague as possible (just like the US anti-terror legislation is, eg the Patriot Acts), and then everybody, absolutely everyvbody, is a suspect.
I read GCHQ’s press as much as a veiled threat as a friendly appeal to the public.
I think it’s both. A threat to Facebook etc, and an attempt to get us on the side of GCHQ against Facebook. Both are ill-conceived.
You don’t know what his agenda is, how he has been briefed.
These are my speculations.
No doubt this speech was prepared long before Robert Hannigan came into post.
Who is he taking a swipe at?
Well explicitly US tech giants.
That sounds more like turf war with back room griping by the european suppliers to GCHQ.
The NSA has unequal access that they don’t share here?
Does anyone know how the CA system works?
It seems that private keys are held by key holding authorities (CAs) that may, essentially, be arms of government, but without the legal framework in place.
I think part of his agenda would be to lay the foundation for the legal operation for private key gathering.
Just to recap, my understanding is that the Internet was conceived as a public open space, but is was soon found that it supported various forms of private communication, with various levels of difficulty and complexity.
Some of our concerns are about the definition of legitimate private activity, or, indeed, what is private.
Other concerns are the means by which what appears to be private is rendered into the hands of authorities. An attendant problem to that being which authority, the US, UK or CCP of the USSR (whoops doesn’t exist anymore).
Another is that simply making what is thought to be securely private available to security authorities when they use methods to penetrate the secure generally makes it less secure, since a weakness has been exploited.
I these terms legal penetration would be better, if there were attendant transparency of the act of sequestration. That is if the security agencies were to stop at that and remain within a transparent and legal framework.
But personally I don’t think there would be that transparency nor that they would stop at that.
All the evidence suggests otherwise.
So it is an odd juxtaposition of the new security chief talking up GCHQ and at the same time casting aspersions on the business practices of large companies whose primary legal domicile is in the US.
I think he will gain more traction converting hearts and minds here than making a difference to those practices there. So yes, it’s a rather fatuous charm offensive.
The British way would be to have a BBC of the Internet – perhaps not such a bad idea. But certainly there is no idea of other possible solutions (that would deal with the issue concerning CAs as well) because Robert Hannigan would not see that Panopticon style surveillance is itself a problem.
But this is both a technical issue – it is technically possible to build huge data processing facilities with vast computing power and gather the data from the main data arteries such as NSA have – and a human society issue. Why do we behave in this way, is it productive in terms of peace and security?
Without debate how can we know?
Resources:-
Viewpoint Privacy on the Data Web Considering the nebulous question of ownership in the virtual realm.
by Kieron O’Hara and Nigel Shadbolt discusses some of the commercial issues.
This draft paper submitted in 2012 to TPRC (author information: http://www.ivir.nl/staff/overview.html) gives an overview of security issues.
Certificate Authority Collapse
Regulating Systemic Vulnerabilities in the HTTPS Value Chain
Universiteit van Amsterdam, Faculty of Law, Institute for Information Law
Axel M. Arnbak & Nico A. N. M. van Eijk
Thanks – a lot to digest!
Maybe a bit paranoid, but certainly part of the message here is “we’ve lost access to a lot of data now.” Belief in this is advantageous to tech companies impacted by public distrust, and to spies wanting their targets to trust these companies.
At the same time, man-in-the-middle attacks from provider/carrier routers, as exposed by Snowden and the recent Hacking Team leaks to The Intercept, as well as other possibilities, make it unlikely that privacy has made the very significant gains that a naive reading of Hannigan implies.
Basically, after all the backpedalling, obfuscation, dissembling and outright lying we’ve seen from guys like this, I wouldn’t trust them to tell the time straight.
In Good Faith?
Nah! in Blind Faith…….
🙂
Paul,
Interesting point about privacy. Instead of privacy, put in the human person. Does the human person exist outside of the state? According to all modern political theory the answer is no. All human beings have names and those names are registered with a state. To move between states you need passports or some identification. Although the more remote regions of the world, which lack modernity’s “advantages” do not have such identification, they too have systems to identify human beings as human beings. To paraphrase Heidegger who was paraphrasing Aristotle, Man is a related being.
The problem for privacy is that we need to be protected by the state that creates us as individuals. However, if we do not want to accept that view, for some this sounds a bit much, we still have the view that we are created by God. However, that gets a bit much for some folks because of what it requires. Finally, there is a group that says, we are created by Nature (the ancient Greeks believed they were born from the ground). Again, this presents a problem because we manipulate nature and we believe that we can control nature because of modern natural science as enabled by the modern state.
Now let’s look at Article 8, it focuses on public authority. This is state power. As you have argued elsewhere, what about corporations? They are not public authorities. They are private enterprises and they amass a lot more information and use it more in a more invasive way. The GCHQ is not running a loyalty programme to see if a person has bought condoms or social media site that tracks your associations and what you have said to whom and what you have posted and whether that meets the private group’s terms and conditions. Thus, it becomes a bit strange to see their role, which is to protect the regime, and by extension, the common good seen in way that appears disingenuous.
What this boils down to me is that the terms and conditions, the social contract, is being made explicit. You are a subject of the Crown and not a citizen. This is her majesty’s government and parliament, the army and the police, take an oath to her. The GCHQ are making explicit, willingly or unwillingly,what they have to do to keep their part of the bargain, the fundamental bargain in ALL liberal democracies (the right to be kept safe from harm). This is as old as Thomas Hobbes, the father of modern liberalism and the father of the idea of the modern nation state. Yet, we seem to think that this is too intrusive. However, we never ask how intrusive government already is and how intrusive it has to be to meet what the common good, what we all want at a basic level as subjects (citizens). We have to register our birth, our marriage, our council tax, our water rates, our tv licence, our education, our NHS number, our NINO number, and so on. Yet, these never raised much of a concern.
Now, however, the GCHQ to meet it part of the fundamental bargain, to keep us safe, has to monitor signals intelligence outside and within the UK as required by law and required by the sovereign rights inherent in ANY government. You do want to be safe, yes? To do this, they have to occasionally access systems and communications that while nominally “private” are actually conducted through private corporations, who can do as they will under their terms and conditions, and in response to a legal request to disclose the information. Thus, the issue is less about GCHQ than about the role of government and who decides when the state will be authorized to access “personal” communication that occurs within the regime that will affect the security of the regime. For the moment, it is state officials with oversight from political representatives who are Crown representatives. The follow up question, is “To what purpose is it being used?” So far, no one has provided evidence that is being used for any other purpose than national security. However, if the tabloids are any measure of what people will do with a sliver of power and personal data, we would be in trouble.
If we go by what the tabloids, the the mainstream press, have done with personal data in the UK, then I think people have to be worried. The question though is what is the evidence that political blackmail has occurred from national security agencies. We have seen it from the police officers who have been dismissed or abusing systems. We have seen it in the way the DVLA has been abused. We have seen it in the way local government has been abused. The underlying question, which privacy campaigners rarely address, is to what end? The tabloids have used this information in the “public interest” to destroy people and sell newspapers. Even when they supposedly want to help people on a campaign, Sarah’s law, they still found it necessary to hack the person they were “helping”. Which gets us back to the stated purpose or intent of the GCHQ and the state.
So far the GCHQ and the state have acted as they agreed. They have used the information in a limited fashion for national security purposes. We trusted them, and they delivered for the most part (up until 7/7 but then they were aware but did not act) on their promise.
What they require now is not unreasonable and it shows us less about how well they are doing as much as how weak they are in the giant sea of communications data. ISIS are acting publicly and privately with encryption and without encryption. ISIS are sophisticated and the public message, the exoteric message is as important as the esoteric, hidden message. (consider Leo Strauss’ Persecution and the Art of Writing to see how philosophers did this in the past. Competent cryptographers can provide more advanced approaches today. However, the point is still a communications issue and getting behind that list to find out who they are linked to and in what way as well as who is receiving these messages.
Like David Eggers silly book on The Ciricle, with its utopian TruVu, if you can find a way to show me the difference between an enemy and a friend in the digital domain, in a way that we do in the physical then you will have solved the sovereigns’ inherent dilemma. Until then, the sovereign, as it does with passport control, police on the street, intelligence agencies, and council workers and neighbors who ensure the person obeys the laws and if they fail to obey the laws, or present a threat to the community, then they are reported. In other words, people are known by their acts. The challenge for GCHQ is that they have no way to know, yet, whether someones’ communication with a possible threat is benign or malignant. This leaves aside the question of encryption which presents its own problems.
Until the sovereign can identify friend from enemy and find the information it requires to maintain the public opinions within the public domain (ie intercept signals threats that go through the digital domain) it will need intelligence agencies to have the ability to monitor for possible threats and do more invasive investigations if the possibility of a threat starts to manifest. The only alternatives are the following. Destroy the web and go back to paper based system. (not going to happen) Weaken the state to the point it cannot defend its citizens. Find some reasonable way to maintain the social contract between the sovereign and the subjects (what is being proposed in the speech).
I think the speech starts the process and it is time for people to go back to school and read up on society’s terms and conditions to figure out why they have a government and what is required to keep them safe so that they can be free and enjoy the convenience of a physical life and a digital life.
Good post.
Mr Hannigan says “GCHQ is happy to be part of a mature debate on privacy in the digital age.” Great. However, we can only have a properly-informed “mature debate” if we know all the ways that GCHQ wishes to encroach on everyone’s privacy in order to defend us.
To take one specific example – they’re going to have to tell us more about how they’re systematically undermining the security of the critical national infrastructure that we increasingly use to run our bank accounts and file our tax returns. Only once we’re in full possission of these facts can we judge which is worse – the terrorist threat that Mr Hannigan talks about at length, where theobjective is to terrorise us, or the threat posed by hackers using GCHQ-created security flaws, where the objective is to steal all the money from our bank accounts.
I did a longer analysis of this particular issue in my ISC submission last year:
Click to access 2014_ISC.pdf
(By the way, I was sorry not to get the chance to meet you at the ISC round-table session last month, having arrived late because of a transport Snafu).
Thanks! I’ll read your submission – and sorry to miss you too!