DRIP: normalising the surveillance state.

Yesterday’s shameful passing of the Data Retention and Investigatory Powers Act, nodded through without amendment and without even the perceived need for a vote in the House of Lords, was not just very bad news for the UK, it was bad news for the world. The ease with which it was passed, the speed with which it was passed, and the breadth of the powers granted send signals around the world. Some of us have been warning about this effect for a long time – what we do in the UK is being watched around the world. If we, as a supposedly mature, liberal democracy believe that mass surveillance is OK, then that means that anyone could do it. Indeed, that any sensible state should do it.

I’ve been accused of paranoia by making such a suggestion. After all, this is just ‘emergency’ legislation, a mere stop-gap while a proper review of investigatory powers and data gathering goes on. Well,  within a few short hours of the passing of DRIP, its echoes were already being heard the other side of the world. Australia’s Attorney-General, George Brandis, used DRIP as an example, seemingly to help push forward his own proposals for data retention. As reported in ZDNet, he said:

“The question of data retention is under active consideration by the government. I might point out to you as recently as yesterday, the House of Commons passed a new data retention statute. This is very much the way in which western nations are going,”

This is how it goes – and one of the many reasons that the passing of DRIP yesterday was so shameful. If the UK does it, Australia does it. Then New Zealand and Canada.  Each new country adds to the weight of the argument. Everyone’s doing it, why not us? If the UK thinks it needs this to keep its citizens safe, we need it too? By the time the long-distant sunset clause kicks in, the end of 2016, every new country that’s added a data retention law to its books, however temporary, will be another reason to extend our own security services’ powers. It’s a vicious or virtuous circle, depending on your perspective.

Of course the normalisation works in different ways too. Less scrupulous nations will be able to say that if the Brits do it, so can we – and we won’t be able to claim that they’re oppressing their population, if we do the same to our own. Further, our security services will require more and more technology to do the surveillance – and the people who develop that technology will be looking for new markets. They may sell them to the Australians – but more likely they’ll find ready markets in governments with less of a tradition of liberalism and democracy. There’s a fine selection of such nations all around the world. They’ll also find markets of other kinds – businesses wishing to use surveillance for their own purposes… whether scrupulous or not. The very criminals that the supporters of DRIP like to scare us with will be looking too – there are so many uses for surveillance that it’s hard to know where to start.

Well, actually, it should have been easy to know where to start. To make a stand. To try to normalise freedom and privacy, respect for citizens fundamental rights and a willingness for open, honest debate on the subject. That, however, would have required rejecting DRIP. We didn’t do that. Shame on us.

 

DRIP: Parliament in disrepute?

I watched and listened to the parliamentary debate on the Data Retention and Investigatory Powers bill (DRIP) with a kind of grim fascination. The outcome was always inevitable – I knew that, as, I think did all opponents of the bill – but the debate itself seemed to me to be worth paying attention to. Not really in terms of the result, but in terms of the process, and in terms of the way in which parliament was engaging with the issues. There were, it has to be said, some quite wonderful speeches in opposition to the bill, and from many different directions. MPs like John McDonnell, Dominic Raab, Caroline Lucas, Diane Abbott, Pete Wishart, David Winnick, Duncan Hames, Clive Betts, Charles Walker, Dennis Skinner and of course Tom Watson and David Davis were all excellent. Indeed, as someone said at the time, the opponents didn’t lose the debate, they lost the vote.

Therein lies the problem – what was the point of the debate? The chamber was all-but empty for most of it. In the middle of the debate, I got so angry I tweeted a picture of the chamber – with a comment attached. The tweet went a bit wild…. retweeted 870 times at the last count, and included by Liberty in their summary of the debate.

Screen Shot 2014-07-16 at 07.32.41

I did, however, also get some serious criticism for the tweet. Some suggested I had faked it, because I missed out the caption at the bottom. Fair enough – I was too angry to get the screen capture right, but I don’t fake things. I satirise and parody, tease and joke – but I don’t fake. For avoidance of doubt, I took another soon after, this time with the caption:

Screen Shot 2014-07-15 at 16.36.42

Another criticism I received, quite aggressively, was that it was misleading to tweet the picture, and that most of the MPs were likely to be in their offices or their committee rooms, working hard, but following and listening to the debate as it was being broadcast throughout the house. That may well be true – and in no way was I suggesting that MPs don’t work hard. They do – well, a great many of them do – but at this particular moment, and on this particular issue, their attention was elsewhere, as was their physical presence.

I don’t blame the MPs for that part of it. Of course their attention was elsewhere – after all, they’d had this emergency debate foisted upon them at the last minute, and they already have busy lives and huge amounts of work to do, particularly with the parliamentary recess coming up, and with a reshuffle happening at that very moment. Naturally, MPs are distracted by the reshuffle – coalition MPs because their jobs are on the line, Labour MPs because they have to be ready to respond to the reshuffle. Naturally their jobs, their careers, their responsibilities come first.

That, though, is really where my tweet comes in. I said ‘This is how seriously our MPs take our privacy’. I meant it. They showed disrespect to the issue not just by not listening to the debate, but by accepting a process that meant that they only had a few hours of debate to listen to, and almost nothing to read or discuss about it. They accepted an unnecessary fast-tracking, effectively on trust – because they don’t really take our privacy seriously.

Frankly, I’m not convinced that they were listening to the debate – but if they were, that makes their voting even worse. If they listened to the debate and still voted the way they did, in a way that’s even more depressing than the more natural assumption that they were largely ignoring the debate and voting according to the whip. It would mean that they either didn’t understand the strong arguments against the bill, both analytical and impassioned – or they dismissed them as unimportant. Either way, it suggests they didn’t take our privacy seriously. At least, not seriously enough to think it needed proper, lengthy, public debate bringing in expert opinions and analysis. I’m a legal academic, specialising in internet privacy. I’ve written a book on the subject, and I’m one of the signatories of this open letter concerning DRIP – and frankly I haven’t had nearly enough time to properly analyse and understand this bill and its implications. We’ve only had a chance for the most basic of analyses – and if I can’t, how much understanding can MPs have of it?

As David Winnick, a veteran MP and member of the Home Affairs Select Committee put it:

“I consider this to be an outright abuse of parliamentary procedure. Even if one is in favour of what the home secretary intends to do, to do so in the manner in which it is intended, to pass all stages in one go, surely makes a farce of our responsibilities as MPs”

He’s right. It does. It brings parliament into disrepute. MPs should be ashamed of themselves.

Open letter from UK legal academic experts re DRIP

I’m one of the signatories to the letter below – not just a few, but many very serious legal academics, some of the most distinguished in the field.


 

Tuesday 15th July 2014

To all Members of Parliament,

Re: An open letter from UK internet law academic experts

On Thursday 10 July the Coalition Government (with support from the Opposition) published draft emergency legislation, the Data Retention and Investigatory Powers Bill (“DRIP”). The Bill was posited as doing no more than extending the data retention powers already in force under the EU Data Retention Directive, which was recently ruled incompatible with European human rights law by the Grand Chamber of the Court of Justice of the European Union (CJEU) in the joined cases brought by Digital Rights Ireland (C-293/12) and Seitlinger and Others (C-594/12) handed down on 8 April 2014.

In introducing the Bill to Parliament, the Home Secretary framed the legislation as a response to the CJEU’s decision on data retention, and as essential to preserve current levels of access to communications data by law enforcement and security services. The government has maintained that the Bill does not contain new powers.

On our analysis, this position is false. In fact, the Bill proposes to extend investigatory powers considerably, increasing the British government’s capabilities to access both communications data and content. The Bill will increase surveillance powers by authorising the government to;

  • compel any person or company – including internet services and telecommunications companies – outside the United Kingdom to execute an interception warrant (Clause 4(2));
  • compel persons or companies outside the United Kingdom to execute an interception warrant relating to conduct outside of the UK (Clause 4(2));
  • compel any person or company outside the UK to do anything, including complying with technical requirements, to ensure that the person or company is able, on a continuing basis, to assist the UK with interception at any time (Clause 4(6)).
  • order any person or company outside the United Kingdom to obtain, retain and disclose communications data (Clause 4(8)); and
  • order any person or company outside the United Kingdom to obtain, retain and disclose communications data relating to conduct outside the UK (Clause 4(8)).

The legislation goes far beyond simply authorising data retention in the UK. In fact, DRIP attempts to extend the territorial reach of the British interception powers, expanding the UK’s ability to mandate the interception of communications content across the globe. It introduces powers that are not only completely novel in the United Kingdom, they are some of the first of their kind globally.

Moreover, since mass data retention by the UK falls within the scope of EU law, as it entails a derogation from the EU’s e-privacy Directive (Article 15, Directive 2002/58), the proposed Bill arguably breaches EU law to the extent that it falls within the scope of EU law, since such mass surveillance would still fall foul of the criteria set out by the Court of Justice of the EU in the Digital Rights and Seitlinger judgment.

Further, the bill incorporates a number of changes to interception whilst the purported urgency relates only to the striking down of the Data Retention Directive. Even if there was a real emergency relating to data retention, there is no apparent reason for this haste to be extended to the area of interception.

DRIP is far more than an administrative necessity; it is a serious expansion of the British surveillance state. We urge the British Government not to fast track this legislation and instead apply full and proper parliamentary scrutiny to ensure Parliamentarians are not mislead as to what powers this Bill truly contains.

Signed,

 

Dr Subhajit Basu, University of Leeds

Dr Paul Bernal, University of East Anglia

Professor Ian Brown, Oxford University

Ray Corrigan, The Open University

Professor Lilian Edwards, University of Strathclyde

Dr Andres Guadamuz, University of Sussex

Dr Theodore Konstadinides, University of Surrey

Professor Chris Marsden, University of Sussex

Dr Karen Mc Cullagh, University of East Anglia

Dr. Daithí Mac Síthigh, Newcastle University

Professor Viktor Mayer-Schönberger, Oxford University

Professor David Mead, University of East Anglia

Professor Andrew Murray, London School of Economics

Professor Steve Peers, University of Essex
Julia Powles, University of Cambridge

Judith Rauhofer, University of Edinburgh

Professor Burkhard Schafer, University of Edinburgh

Professor Lorna Woods, University of Essex

Theresa May – even more reason to worry about DRIP….

Screen Shot 2014-07-14 at 19.00.29I watched and listened to the session of the Home Affairs Select Committee this afternoon: Home Secretary Theresa May was being questioned about a number of things, including DRIP. The session was, I suspect, intended to reassure us that everything was OK, and that we needn’t worry about DRIP. The result, for me at least, was precisely the opposite: it left me feeling even more concerned.

Theresa May is the minister responsible for DRIP, and her performance before the committee suggested neither competence in managing the process nor an understanding of what the issues were or why people would be concerned. It was a performance that mixed the incompetent with the contemptuous, not just failing to provide answers but suggesting that she didn’t think the questions were even worth asking.

Many things about it were poor. May failed to explain why the legislation had to be rushed through – she could not (or would not) explain why nothing had happened publicly since the ECJ ruling in April, and she could not (or would not) provide details as to why there was pressure now. Next, she could not answer the key question on extraterritoriality – whether the powers in DRIP were in fact new. She claimed to have had advice that the powers did exist before – but couldn’t say whether or not they had ever been used.

Most importantly, though, when pushed by David Winnick on the key point – compliance with the ECJ ruling that struck down the Data Retention Directive, she fumbled and obfuscated when asked about the ruling. She either did not understand or deliberately pretended not to understand that the key point of the ruling was that blanket gathering of data was in conflict with fundamental rights. Ultimately, that’s the real point here – and she either could not or would not answer it.

To put it directly, the ruling said that blanket gathering of data, gathering data on everyone, regardless of suspicion, guilt or innocence, or any particular reason, was not appropriate. That is what the Data Retention Directive (DRD) did, and why the ECJ struck it down. They’re right, too. This isn’t some esoteric or obscure point, it’s a fundamental one, parallel to the idea of the presumption of innocence. The DRD did it, and DRIP does it – which is why at the very least we need to discuss it in much more depth. The session with Theresa May left me thinking that she either didn’t understand it or she dismissed it as unimportant. Now you may disagree on proportionality, and believe that mass surveillance is a proportionate response, but to dismiss the issue as unimportant and unworthy of discussion is indefensible.

Mind you, I don’t think people will be talking that much about this – because Theresa May’s performance when questioned about the appointment and subsequent resignation of Lady Butler-Sloss was even worse, if that can be believed. All in all, Theresa May looked neither trustworthy nor competent. It’s hard to imagine someone less appropriate to trust with the open-ended and extensive powers granted by something like DRIP.

DRIP: a shabby process for a shady law.

[An earlier version of this post appeared at The Justice Gap, here]

Thursday’s announcement by David Cameron and Nick Clegg that the coalition was going to expedite emergency surveillance legislation is something that should concern all of us, not just privacy activists. The speed with which the Data Retention and Investigatory Powers bill (‘DRIP’) is being brought into play, the lack of consultation and the breadth of its powers should matter to everyone. There is a reason that legislation usually requires time and careful consideration – and with a contentious issue like surveillance this is especially true. This is a shabby process, for what seems to be a very shady law. And, as David Davis MP has suggested, the ‘emergency’ is theatrical, not real. The need for new legislation was entirely predictable – and politicians and civil servants should have known this.

A predictable emergency

The trigger for the legislation was the ruling by the ECJ, on 8th April, that the Data Retention Directive was invalid – more than three months ago – but the signs that new legislation was needed have been there for far longer. The ruling by the ECJ exceeded the expectations of privacy advocates – but not that significantly, and the declaration that the directive was invalid should have been an outcome that civil servants and politicians were prepared for. Indeed, the Data Retention Directive has been subject to significant challenge since its inception in 2005. Peter Hustinx, the European Data Protection Supervisor in 2010 called it:

“…without doubt the most privacy invasive instrument ever adopted by the EU in terms of scale and the number of people it affects.”

Across Europe there have been protests and legal challenges to data retention throughout its history, from 30,000 people on the streets of Germany in 2007 to the declaration that data retention itself was unconstitutional in Romania. The challenge that eventually brought down the directive began in 2013.

The signs have been there in the UK too, and for far longer than three months. The Communications Data Bill – more commonly and appropriately known as the Snoopers’ Charter – was effectively abandoned well over a year ago, after a specially set-up parliamentary committee, after taking detailed evidence, issued a damning report. At that stage, even before the revelations of Edward Snowden reared their ugly head, the need for further legislation was evident.

So why, given all these warnings, has this emergency been manufactured, and why is legislation being pushed through so quickly? Is it that those behind the bill are concerned that if it received full and detailed scrutiny, the full scale and impact of the bill will become evident and, like the Snoopers’ Charter before it, it will fail? It is hard not to think that this has played some part in the tactics being employed here. What would there be to lose by delaying this a few months?

Companies like data too…

The suggestion that if the legislation isn’t pushed through this quickly then companies will suddenly start deleting all their communications data is naïve to say the least. Firstly, it’s hardly in most communications providers’ interest to delete all that data – actually, rather the opposite. Back in 2007, Google attempted to use the existence of data retention legislation as an excuse not to delete search logs – companies generally like having more data, as they (just like the authorities) believe they can get value from it. Moreover, businesses don’t often change their practices at the drop of a hat, even if they want to. They might, however, if they’re required to by law – and that may well be the real key here. Legal challenges to specific practices by specific companies in terms of data retention may well be in the offing – but this would take time, far more time than the few days – less than a week – that MPs are being given to pass this legislation.

Fundamental Rights

The underlying point here is that there is a reason that the Data Retention Directive was declared invalid by the ECJ, and a reason that both privacy advocates and academics have been concerned about it from the very beginning. The mass collection of communications data breaches fundamental rights – and DRIP, just like the Communications Data Bill before it, does authorise the mass collection of this data. It has the same fundamental flaws as that bill – and a few extras to boot. With the very limited time available to review the bill so far, it appears to extend rather than limit the powers available through the contentious Regulation of Investigatory Powers Act (RIPA) rather than limit them or modernise them (see for example the analysis by David Allen Green in the FT here – registration needed), and attempt to extend powers outside the UK in a way that is at the very least contentious – and in need of much more scrutiny and consideration.

Most importantly, it still works on the assumption that there is no problem with collecting data, and that the only place for controls or targeting is at the accessing stage. This is a fundamentally flawed assumption – morally, legally and practically. At the moral level, it treats us all as suspects. Legally it has been challenged and beaten many times – consistently in the European Court of Human Rights, in cases from as far back as Leander in 1987, and now in the ECJ in the declaration of invalidity of the Data Retention Directive. Practically, it means that data gathered is vulnerable in many ways – from the all too evident risks of function creep that RIPA has demonstrated over the years (dog-fouling, fly-tippers etc) to vulnerability to leaking, hacking, human error, human malice and so forth. Moreover, it is the gathering of data that creates the chilling effect – impacting upon our freedom of speech, of assembly and association and so forth. This isn’t just about privacy.

Safeguards?

Nick Clegg made much of the concessions and safeguards in the new bill, emphasising that this isn’t a Snoopers’ Charter Mark 2, but it is hard to be enthusiastic about them at this stage. There is a sunset clause, meaning that DRIP will expire in December 2016 – but there is nothing in the bill itself to say that it won’t be replaced by similar ‘emergency’ legislation, railroaded through parliament in a similar way. Moreover, December 2016 is well after the election – and the Lib Dems are currently unlikely to still have any influence at that stage. Julian Huppert in particular, my MP in Cambridge, is in a very precarious position. Without him, it’s hard to see much Lib Dem resistance to either the Tories or the Labour Party who set the ball rolling on mass surveillance state in the Blair years.

The rest of the safeguards are difficult to evaluate at this stage – they were originally said to be contained in secondary legislation that was not published with the bill itself, but when that secondary legislation was actually released, at around 4pm on Friday afternoon, it contained almost none of what had been promised. For example, the suggestion that the number of bodies able to use RIPA was to be restricted, was entirely absent. This list doesn’t just include the police and intelligence services, but pretty much all local authorities, and bodies like the food standards agency and the charities commission – another part of the function creep of RIPA. The breadth and depth of the surveillance that this bill, in combination with RIPA, would not only allow but effectively normalise, is something that should be of the deepest concern to anyone who takes civil liberties seriously.

The shabbiest of processes

This is just one part of the shabbiness of the process. Two more crucial documents,  ‘Impact Assessments’ performed by the Home Office concerning the data retention and interception aspects of the bill, were also released – but without even a mention, so that the first that was heard of them by most concerned people was early on Saturday morning, when vigilant investigators found them all but hidden on the Home Office website. Two documents, full of technical details looking at why the laws were ‘needed’ and what the risks and benefits of the laws would be, the alternatives and so forth, pretty much hidden away. These, together with the Bill itself and the Regulations, combine to produce something with a serious level of both legal and technical complexity – something that needs very careful study and expert analysis. And to do this analysis, we are given essentially one weekend, and no warning.

How serious this is was highlighted by a brief twitter conversation between David Allen Green and MP Julian Huppert this morning:

Screen Shot 2014-07-12 at 18.53.05

 

David Allen Green (@JackofKent) is asking a straight and direct, technical and legal question – and Julian Huppert can’t answer it. Julian is perhaps the most technically expert of the entire House of Commons – if he doesn’t understand the bill, its impact and how it changes the current situation, how much less can other MPs? And yet they are expected to debate the bill on Monday, and pass it almost immediately. This is patently wrong – and highlights exactly why parliament generally has significant time for analysis and for debate, and parliamentary committees call experts to give testimony, to tease out these kinds of answers. Julian Huppert should not be criticised for not knowing the answer to the question – but he should be criticised for supporting a bill without allowing the time for these questions to be asked, investigated and answered. They need to be.

This is an wholly unsatisfactory state of affairs. Indeed, the whole thing is highly unsatisfactory, and in a democratic society, it should be unacceptable. That our MPs seem willing to accept it speaks volumes.

——————–

The key documents can be found here:- study them if you have time!

The draft bill

The draft regulations

The impact assessment for interception

The impact assessment for data retention.

No, Prime Minister

SpooksThe latest story in the Guardian about surveillance reveals something that is deeply disturbing. It seems that David Cameron’s enthusiasm for mass surveillance comes from watching TV dramas. As quoted in the Guardian:

” I love watching crime drama on the television, as I should probably stop telling people. There is hardly a crime drama that is not solved without using the data of a mobile communications device. If we don’t modernise the practice and the law over time we will have the communications data to solve these horrible crimes on a shrinking proportion of the total use of the devices.”

Apart from the obvious questions like how a busy Prime Minister manages to spend so much time watching TV, it does raise a lot of questions about the basis for this kind of policy – and confirms a lot of the suspicions that many of us in the privacy field have had for a while. This kind of policy is based on ‘feelings’ and ‘suspicions’ that this kind of thing works, fuelled by fiction rather than evidence.

Cameron seems to have missed the point that this is fiction, not fact. Watching Spooks is no substitute for studying reality – and finding evidence that this kind of approach works in reality has proved very difficult in recent months. Spies in fiction tend to be far more effective than spies in reality – and drawing any conclusions from their actions is more than just absurd, it’s dangerous and deeply disturbing.

This government has often shown deep disdain for evidence – Michael Gove’s education policies and Iain Duncan Smith’s approach to welfare (which he has recently attempted to justify on the basis of the ‘reality’ TV programme ‘Benefits Street’) seemed to have almost no basis in reality at all, and the evidence often points directly against their effectiveness. Owen Paterson’s badger cull flew in the face of the evidence in almost every way. Theresa May’s approach to immigration ignores almost all the evidence (but sadly it’s echoed by the immigration policies of all the other parties).

This is no way to govern – and the Prime Minister in particular should be ashamed of himself. It’s not just the lack of evidence that surprises me, though, it’s the brazen way that the Prime Minister seems to think it’s OK to offer up fiction to support his arguments. That’s just not right, in so many ways. We need to be clear about that, and tell him so.

No, Prime Minister.

Surveillance and Consent

I was fortunate enough to speak at the Internet and Human Rights Conference at the Human Rights Law Centre at the University of Nottingham on Wednesday. My talk was on the topic of internet surveillance – as performed both by governments and by commercial entities. This is approximately what I said – I very rarely have fully written texts when I talk or lecture, and this was no exception. As you can see, I had one ‘official’ title, but the talk had a number of alternative titles…

Surveillance and Consent

Or

Big Brother is watching you – and so are his commercial partners

Or

What Edward Snowden can teach us about the commercial Internet

Or

To what do we consent, when we enter the Internet?

In particular, do we consent to surveillance? If we do, by whom? When? And on what terms? There are three parts to this talk:

1) Government surveillance and consent

2) Commercial surveillance and consent

3) Forging a (more) privacy friendly future?

1: Government surveillance and consent.

Big Brother is Watching You. He really is. Some of us have always thought so – even if we’ve sometimes been called conspiracy theorists when we’ve articulated those thoughts. Since the revelations of Edward Snowden this summer, we’ve been taken a bit more seriously – and quite rightly so.

The first and perhaps most important question to ask is why the authorities perform surveillance? Counter-terrorism? That’s the one most commonly mentioned. Detection and enforcement of criminal law? Crime prevention? Prevention of disorder? Dealing with child abuse images and tracking down paedophiles? Monitoring of social trends? There are different degrees to all these areas – and potentially some very slippery slopes. Some of the surveillance is clearly beneficial – but some is highly debatable. When looking in the area of crime and disorder this is particularly true when one considers police tactics in the past, from dealing with the anti-nuclear movements in the sixties, seventies and eighties to the shocking revelation about the infiltration of environmental activists more recently. Even this summer, the government admitted that it monitored people’s social media activities in order to ‘head off’ the badger cull protests. Was that right? Are other forms of ‘social control’ through surveillance acceptable? They should at least raise questions.

When looking at government surveillance, we need to ask what is acceptable? Where do we draw the line? Who draws that line? How much of this do we consent to? There are a number of different ways to look at this.

Societal consent?

Do we, as a societies, consent to this kind of surveillance? It is not at all clear that we do, even in the UK, if the furore that lead to the defeat of the Snoopers Charter is anything to go by, or the reaction to Edward Snowden’s revelations in most of the world (though not so much in the UK) is any guide. Do we, as societies, understand the level of surveillance that our governments are performing? It doesn’t seem likely given the surprise shown as more and more of the reality of the situation is revealed. Can we, as societies, understand all of this? Perhaps not fully, but certainly a lot more than we currently do.

Parliamentary consent?

Do we effectively consent by delegating our decisions to our political representatives? By electing them, are we consenting to their decision-making, both in general and in the particular area of internet surveillance? This is a big political question in any situation – but anyone who has observed MPs, even supposedly expert MPs, knows that the level of knowledge and understanding of either the internet or surveillance is appalling. Labour’s Helen Goodman, the Tories’ Clare Perry, the Lib Dems’ Tom Brake, all of whom have been (and still are) in positions of power and responsibility within their own parties in relation to the internet have a level of understanding that would be disappointing in a secondary school pupil.

The Intelligence and Security Committee, who made their first public appearance in November, demonstrated that they were pretty much entirely incapable of providing the scrutiny necessary to represent us – and to hold Big Brother to account on our behalf. Most of the Home Affairs Committee – and the chair, Keith Vaz, in particular, demonstrated this even more dramatically this Tuesday, when questioning Guardian Editor Alan Rusbridger. Keith Vaz’s McCarthy-esque question to Rusbridger ‘do you love your country’ was sadly indicative of the general tone and level of much of the questioning.

There are some MPs who could understand this, but they are few and far between – Lib Dem Julian Huppert, Labour’s Tom Watson, the Tories’ David Davis are the best and perhaps only real examples, but they are mavericks. None are on the front benches, and none seem to have that much influence on their political bosses. Parliament, therefore, seems to offer little help. Whether it could ever offer that help – whether we could ever have politicians with enough understanding of the issues to act on our behalf in a meaningful way, is another question. I hope so – but I may well be pipe dreaming.

Automatic or assumed consent?

Perhaps none of this matters. Could it this kind of government surveillance something we automatically consent to when we use the Internet? Simply by using the net, do we automatically consent to being observed? Is this the price that we have to pay – and that we can be assumed to be willing to pay – in order to use the internet? Scott McNealy’s infamous quote – you have zero privacy anyway, get over it – may be old enough to represent common knowledge. Can we assume that everyone knows they have no privacy? Would that be reasonable, even if it were true? It isn’t true of the public telephone system – wholesale wiretapping isn’t acceptable or accepted, not even of the metadata.

I don’t think any of these – societal, parliamentary or ‘assumed’ really work, or would be sufficient even if they did – because amongst other things because we simply haven’t known what was going on. Our consent, such as it existed, could not have been informed consent, in either of the two ways that can be understood. We did not have the information. We were deliberately kept in the dark. And experience suggests that when we do know more, we tend to object more – as events like the defeat of the Snoopers’ Charter demonstrate.

Do we know what we are consenting to?

Do we understand what the implications of this surveillance actually are? This isn’t just about privacy, no matter how much people like Malcolm Rifkind tries to frame it that way. It isn’t just about individual either – sometimes through this kind of framing it can seem as though asking for privacy is an act of selfishness, and that we should be ashamed of ourselves, and sacrifice our privacy for the greater good – for security.

This is quite wrong – and in many ways framing it in this way is deliberately deceptive. There is a significant impact on many kinds of human rights, not just on privacy. Freedom of expression is chilled – both by overt surveillance through the panopticon effect and through covert surveillance through the imbalance of power that allows control to be exerted. Freedom of association and assembly are deeply affected – both online through the disruption and chilling of online communities, and offline through the disruption of the organisation of ‘real world’ protest and so forth. There’s more too – profiling can allow for discrimination. Indeed, as we shall see, discrimination of a different form is fundamental to commercial surveillance – so can be easily enabled in other ways. Ultimately, too, it can even impact upon freedom of thought – as profiling develops, it could allow the profiler to know what you want even before you do.

So even if we have given consent before, that consent is not really valid. The internet is not like old-fashioned communications. We do more online than we ever did through other forms of communication The nature of the surveillance itself has changed – and the impact of it. Any old consent that did exist should be revoked. If Big Brother wants to keep watching us, He needs to ask again.

2: Commercial surveillance and consent

This is an issue much closer to the common legal understanding of consent – and one that has been much debated. It’s one of the key subjects of the current discussions over the reform of the data protection regime. Edward Snowden, however, has thrown a bit of a spanner into that debate, and those discussions.

To understand what this means, we need to understand commercial surveillance better. Who does ‘commercial’ surveillance? What do I mean by commercial surveillance? Surveillance where money is the motivation – or, to be more precise, where commercial benefit is the motivation. This means things like behavioural tracking – for various purposes – but it also means profiling, it means analysis, all of which are done extensively by all the big players on the Internet, with little or no real idea of consent.

Does commercial surveillance matter?

Commercial surveillance does not often seem to be something people (other than a few privacy geeks like me) care about that much. It’s just about advertising, isn’t it? Doesn’t do anyone any harm? Opt-out’s OK, those paranoid privacy geeks can avoid it if they want, for the rest of us it’s what pays for the net, right? For people like me, there are big concerns – and in some ways it might matter more for most people than surveillance by the NSA and GCHQ. The idea – the one that’s being sold to us – is that it’s about ‘tailoring’ or ‘personalisation’ of your web experience. We can get more relevant content and and more appropriate advertising…

…but that also means that it can have a real impact on real people, from price and service discrimination to an influence on such things credit ratings, insurance premiums and job prospects. Real things that matter to almost all of us. There’s even the possibility of political manipulation – from personalised political advertising to detailed targeting of key ‘swing’ voters, putting even more political influence into the hands of those with the deepest pockets – for it is the deepest pockets that allow access to the ‘biggest’ data, and the most sophisticated profiling and targeting systems.

What Edward Snowden could teach us…

Some parts of the revelations from Edward Snowden should make us think again. PRISM, in particular, should change people’s attitudes to commercial surveillance. This is what Edward Snowden has to teach us. Look at the purported nature of the PRISM program. ‘Direct access’ to the servers of the big Internet companies – including Google and Facebook. Who does commercial surveillance more than Google and Facebook? What’s more, the interaction between governments and businesses is much closer than it might immediately seem. They share technology – and businesses have even let governments subvert their technology, building backdoors, undermining encryption systems and so forth. They share techniques – and even share data, whether willingly or otherwise.

Shared techniques…

Behavioural profiling is just what governments want to do. Behavioural analysis is just what governments want to do. Behavioural targeting is just what governments want to do Is identifying potential customers any different from identifying potential suspects? Is identifying potential markets any different from identifying potential protest groups (such as those involved in the aforementioned badger cull protest)? Or potential dissidents? Is predicting political trends and political risks any different from predicting market trends? Is ‘nudging’ a market that different from manipulating politics? The Internet companies have built engines to do all the authorities’ work for them (well, OK, most of the authorities’ work for them). They just need to tap into those engines. Tailor them a bit. It’s perfect surveillance, and we’ve helped build it. We’ve ‘consented’ to it.

Who is undermining privacy?

So who is undermining privacy? The spooks with their secret surveillance… ….or the business leaders telling us to share everything and that, as Mark Zuckerberg put it, ‘privacy is no longer a social norm’? This ‘de-normalisation’ of privacy – apologies for the word, which I suspect doesn’t really exist – amounts to an attempt to normalise surveillance. The extent to which this desired and pushed-for ‘de-normalisation’ has contributed to the increasing levels of surveillance is essentially a matter for conjecture, but it’s hard not to see a connection.

Paranoid privacy geeks like me have been warning about for a while – but just because we’re paranoid, it doesn’t mean we’re wrong. In this case, it’s looking increasingly as though we were right all along – and that the situation is even worse than we thought.

Is this what we consented to when we signed up for Facebook? Is this what we consent to each time we do a Google search? Is this what we expect when we watch a YouTube video or play a game of Words with Friends? I don’t think so. With new information there should come new understanding – and a reassessment of the situation. We need to decide.

3: A (more) privacy-friendly future?

A three-way consensus is needed. People, businesses and governments need to come to an agreement about what the parameters are, about what it acceptable. About what we consent to. All three groups have power – but at the moment only the authorities seem to be really wielding theirs.

Imagine what would happen if Facebook’s Mark Zuckerberg, Google’s Sergey Brin, Apple’s Tim Cook and their fellows from Microsoft, eBay, Twitter etc all came together and said to the US government ‘No’! Would they be locked up? Would their companies be viciously punished? It seems unlikely – they are much more powerful than they realise. We often talk about the power of the corporate lobbyists – this power could be wielded in a positive way, not just a negative way…

…but it only will if there’s a profit in it for the companies concerned. And that’s where we come in.

We have a key part to play. We need to keep making noises. We need to keep informing people, keep lobbying. Make sure that the companies know that we care about privacy – and not just in relation to governments. Then the companies might start to make a move that helps us.

There are some signs that this might be the case – from the noises from Zuckerberg and so on about how upset they are about the NSA to the current crop of ‘Outlook.com’ advertisements that proclaim loudly how they don’t scan your emails the way that Google do – though it is difficult to tell whether this is just lip service. They talk a lot about transparency, not so much about a reduction in actual surveillance by government – let alone by themselves. If they can wield this power in our favour it could help a lot – but it will only be wielded in this positive way if we make them. So we must be clear that we do not consent to the current situation. We do not consent to surveillance.

Surveillance: Needles in Haystacks…

haystack

I watched and listened to the ‘open’ evidence session of the Intelligence and Security Committee (‘ISC’) yesterday with a sense of sadness more than anything else. It was of course entirely predictable that the session would primarily be about putting as positive as possible a spin on the surveillance activities of the intelligence services but even so I found myself disappointed. The ISC is as close as we currently get to something that scrutinises the activities of the intelligence services – but on the basis of what we saw yesterday they are neither capable of such scrutiny nor to they have the desire to provide it. ‘Supine’ was the word that sprang immediately to mind.

Malcolm Rifkind, chairing the committee, seemed determined that the only result of the session would be vindication of the intelligence services – and demonstrated only that he does not understand why people are concerned, and why they are right to be concerned. The rest of the committee, all of whom have effectively been personally selected by the Prime Minister, were little better – and some were even worse. The way that Hazel Blears in particular practically purred her appreciation of the wonderful job being done by the heads of GCHQ, MI5 and MI6 was deeply depressing to anyone who hoped that this would be the beginning of a new era of openness by the intelligence community. Instead, it seemed that they were determined to continue to misinform and mislead the public.

It’s the metadata, stupid…

A couple of things stood out. One was that, yet again, that old chestnut ‘we’re not reading your emails or listening to your phone calls’ was wheeled out by the spy chiefs – and no-one on the committee picked them up on it.  No-one who understands anything about internet surveillance has an image of old-style spies sitting in darkened rooms with headphones on listening to our every word. It’s not the ‘content’ of the phone calls or the emails that matters so much – it’s the metadata, the information that surrounds the calls, the emails, the web-browsing that really counts. That meta data gives different information about the subject than the contents – but in many ways much better information, more analysable information, more nuanced information. It is much more useful for profiling, for predicting activities, for tracking and so forth. The intelligence chiefs know that very well – and yet they continue to bring out the ‘not listening to your phone calls or reading your emails’ line again and again. The committee ought to know this too – and ought to have called the intelligence chiefs out on it. They didn’t – whether because they don’t understand or because they don’t want to rock the boat it’s hard to tell. Perhaps both.

Surveillance happens at the data gathering stage

The other key aspect of the surveillance that wasn’t touched upon is when the surveillance happens – at the gathering stage, or at the accessing stage. Again, I’m not sure that the committee understood the importance of this distinction, but it’s an absolutely crucial one. The current system assumes that gathering data on all of us is absolutely fine – indeed, that’s the basic premise of the surveillance systems they appear to use, and was the essence of the Communications Data Bill that was defeated last year. Hoover up as much data as possible, then put the checks and balances, the controls, at the access stage. That, however, is a wholly flawed approach if privacy is to be taken at all seriously. It leaves the systems and the data open to abuse, to function creep, to hacking, to human error – and indeed to leaks like the one performed by Edward Snowden that the spy chiefs deplored so vehemently.

The European Court of Human Rights recognised this – in the notable case S and Marper v. the United Kingdom, they concluded that “the mere retention and storing of personal data by public authorities, however obtained, are to be regarded as having direct impact on the private-life interest of an individual concerned, irrespective of whether subsequent use is made of the data.” They are right – and if the neither the ISC nor the spy chiefs know or understand this that is deeply disappointing. If they know it, and don’t see how it applies to their surveillance activities that is even more disappointing. If they do see how it applies, and fail to mention it, that’s still worse.

Needles in Haystacks

The ‘needles in haystacks’ analogy was made a number of times during the session, and it is indeed apposite – but to me it has very different implications to those drawn by the spy chiefs. They don’t seem to understand some key aspects of the old proverb. For a start, needles aren’t generally found in haystacks – and that the point of the proverb is that trying to find a needle in a haystack is a thankless task, and one doomed to failure. More importantly, however, they don’t seem to understand that their approach is what builds the haystack in the first place! It’s the universal rather than targeted surveillance model that generates that huge haystack.

For me, that’s the real point of the proverb – and it applies directly here. If you set yourself a thankless, impossible task, the question you should be asking is whether there might be another way, a better way, to solve the problem. Perhaps you can get another needle from somewhere else. Perhaps you can use another tool instead of the needle. Perhaps the task isn’t worth doing anyway. Perhaps counter-terrorism can be done in cleverer, subtler, less privacy invasive ways.

That question – whether there is an alternative – didn’t seem to enter the minds of any of the members of the ISC yesterday. Whether it has entered the minds of the spy chiefs is another matter – if it has, they certainly didn’t want to mention it. Indeed, finding any kind of suggestion of an alternative to the current approach in yesterday’s open session was as hard as finding a needle in a haystack….

‘Individual privacy vs collective security’? NO!

As reported in the BBC, “Parliament’s intelligence watchdog is to hear evidence from the public as part of a widening of its inquiry into UK spy agencies’ intercept activities.”

Whilst in many ways this is to be welcomed, the piece includes a somewhat alarming but extremely revealing statement from Sir Malcolm Rifkind, the Chairman of the Intelligence and Security Committee:

“There is a balance to be found between our individual right to privacy and our collective right to security.”

This hits at the heart of the problem – it reveals fundamental misconceptions of the nature and importance of privacy, as well as the impact on society of the kind of universal surveillance that the authorities in the UK, US and elsewhere are undertaking.

Privacy is not just an individual right

Privacy is often misconstrued as a purely individual right – indeed, it is sometimes characterised as an ‘anti-community’ right, a right to hide yourself away from society. Society, in this view, would be better if none of us had any privacy – a ‘transparent society’. In practice, nothing could be further from the truth: privacy is something that has collective benefit, supporting coherent societies. Privacy isn’t so much about ‘hiding’ things as being able to have some sort of control over your life. The more control people have, the more freely and positively they are likely to behave. Most of us realise this when we consider our own lives. We wear clothes, we present ourselves in particular ways, and we behave more positively as a result. We talk more freely with our friends and relations knowing (or assuming) that what we talk about won’t be plastered all over noticeboards, told to all our colleagues, to the police and so forth. Privacy has a crucial social function – it’s not about individuals vs. society. Very much the opposite.

Surveillance doesn’t just impact upon privacy

The idea that surveillance impacts only upon privacy is equally misconceived. Surveillance impacts upon many different aspects of our lives – and how we function in this ‘democratic’ society of ours. In human rights terms, it impacts upon a wide range of those rights that we consider crucial: in particular, as well as privacy it impacts upon freedom of expression, freedom of association and freedom of assembly, amongst others.

Freedom of expression

The issue of freedom of expression is particularly pertinent. Again, privacy is often misconstrued as somehow an ‘enemy’ of freedom of expression – Guido Fawkes, for example, suggested that ‘privacy is a euphemism for censorship’. He had a point in one particularly narrow context – the way that privacy law has been used by certain celebrities and politicians to attempt to prevent certain stories from being published – but it misses the much wider meaning and importance of privacy.

Without privacy, speech can be chilled. The Nightjack saga is one case in point – because the Nightjack blogger was unable to keep his name private, he had to stop providing an excellent ‘insider’ blog. In Mexico, at least four bloggers writing about the drugs cartels have not just been prevented from blogging – they’ve been sought out, located, and brutally murdered. There are many others for whom privacy is crucial – from whistleblowers to victims of spousal abuse. The internet has given them hitherto unparalleled opportunities to have their voices heard – internet surveillance can take that away. Even the possibility of  being located can be enough to silence them.

Internet surveillance not only impacts upon the ability to speak, it impacts upon the ability to receive information – the crucial second part to freedom of speech. If people know that which websites they visit will be tracked and observed, they’re much more likely to avoid seeking out information that the authorities or others might deem ‘inappropriate’ or ‘untrustworthy’. That, potentially, is a huge chilling effect. It should not be a surprise that the UN Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, Frank La Rue, sees the link between privacy and freedom of expression as direct and crucial.

“States cannot ensure that individuals are able to freely seek and receive information or express themselves without respecting, protecting and promoting their right to privacy. Privacy and freedom of expression are interlinked and mutually dependent; and infringement upon one can be both the cause and consequence of an infringement upon the other.”

Freedom of association and assembly

Freedom of association and assembly is equally at risk from surveillance. The internet offers unparalleled opportunities for groups to gather and work together – not just working online, but organising and coordinating assembly and association offline. The role the net played in the Arab Spring has almost certainly been exaggerated – but it did play a part, and it continues to be crucial for many activists, protestors and so forth. The authorities realise this, and also that through surveillance they can counter it. A headline from a few months ago in the UK, “Whitehall chiefs scan Twitter to head off badger protests” should have rung the alarm bells – is ‘heading off’ a protest an appropriate use of surveillance? It is certainly a practical one – and with the addition of things like geo-location data the opportunities for surveillance to block association and assembly both offline and online is one that needs serious consideration.

A serious debate

All this matters. It isn’t a question of ‘quaint’ and ‘individual’ privacy, a kind of luxury in today’s dangerous world, being balanced against the heavy, important and deadly-serious issue of security. If expressed in those misleading terms it is easy to see which direction the balance will go. Privacy matters far more than that – and it matters not just to individuals but to society as a whole. It underpins many of our most fundamental and hard-won freedoms – the civil rights that have been something we, as members of liberal and democratic societies have been most proud of.

Security matters – of course it does – but even the suggestion that this kind of surveillance improves our security should be taken with a distinct pinch of salt. The evidence put forward to suggest that it works has been sketchy at best, and in many cases quickly and easily debunked when put forward. Much more has to be done to persuade people that this kind of surveillance is actually necessary. The evidential bar should be very high – because the impact of this surveillance can be very significant.

Four fears for authoritarians

“It is not power that corrupts but fear. Fear of losing power corrupts those who wield it” Aung San Suu Kyi: Freedom from Fear

Recent events in the UK have been disturbing for believers and supporters of civil liberties. In many ways it feels as though our civil liberties are under a greater, more sustained attack than at any time since the Blair inspired near-paranoia that led to ideas such as the ID card database, the Interception Modernisation Programme (the predecessor of the Snoopers’ Charter) and 42 day detention amongst other hideously illiberal measures. What is perhaps more dangerous is that today’s attacks are in some ways more insidious, more seemingly disconnected, more apparently ‘reasonable’ when considered individually and hence more likely to gain public support – even by those who consider themselves to be very much supporters of human rights. Make no mistake about it, though: they are connected, and inspired by the same sense of fear that inspired Blair, Straw, Blunkett et al. They’re inspired by the same fear that have enveloped authoritarians for centuries: a fear of losing control.

1) Fear of a strong, independent, determined press

An independent press is the scourge of the authoritarian – and authoritarians know it all too well. The powerful have never liked a free press – from the pamphleteers of the 18th century to Tygodnik Solidarność in Communist Poland, an independent, brave and determined press has been crucial to the resistance to oppression. That’s why, regardless of the legality or otherwise of their actions, the Government’s first supervising the smashing of the Guardian’s laptops and then detaining David Miranda should be viewed very seriously indeed. It’s an attempt to stifle, to cow, to intimidate and to control the press. That’s serious. Very serious indeed.

2) Fear that people will learn what they’re doing

Authoritarians everywhere want their own actions, their own methods, their own systems to remain secret. they don’t want the ordinary people to know what they’re doing – partly because when people know what they’re doing, they generally object, partly because the authoritarians know that what they’re doing is in many ways wrong, partly because if people know what’s going on they can take measures against it. Make no bones about it, the Snowden revelations matter – it matters that we know about the level of surveillance that the authorities are performing, and how much they’re lying about it.

3) Fear that people are hiding things from them

The idea that people are hiding their thoughts, their plans, their associations – even their thoughts and dreams – is perhaps the thing that scares authoritarians the most. That’s why they consistently spy on their own citizens, using whatever methods they can find. In Burma, it was estimated that more than 1/3 of the populace was paid to inform the authorities, whilst the Stasi’s use of informants and other spies is now stuff of legend. The current obsession with internet surveillance – both legally, using the Snoopers’ Charter and its equivalents worldwide and ‘quasi-legally’ using the techniques and systems of PRISM, Tempora and so forth – is a reflection of that same fear, that same concern that people are hiding things. It’s an obsession that amounts, ultimately, to a belief that your entire nation, your own populace, is suspicious. We could all be traitors and enemies of the state – so we should all be watched. Orwell understood this – which is why 1984 hits the nerves so closely, and rings so true.

4) Fear that people can learn too much

A knowledgeable populace is a dangerous populace – so a good authoritarian has to control access to information. That’s why books are burned, that’s why censors are employed, that’s why education is closely controlled – and why, in the current technological climate, the internet is considered so dangerous. That, not the fear of pornography, is the key to the current plans to censor the internet. I’m not saying that the likes of Claire Perry think in these terms: I’m quite sure she doesn’t. Her desires for censorship come from another, not wholly unrelated angle: the idea of controlling the morals of the populace. Claire Perry, however, is being used by others who wish to take greater control over what people can learn – control of pornography is in some ways a Trojan Horse, to allow control over everything. Once the filters are built, the terms upon which they can filter can be (indeed will be) modified. It allows control over information – and hence over the populace.

It’s all about control – and the internet

Ultimately, control is the bottom line. All these events, all these actions, are about control. Controlling the press. preventing people learning about government actions, spying on people in their every action, controlling what they can have access to – it’s all about control. These aren’t separate issues: they all interlink, and the internet is the mechanism through which they link. To control the information people have access to online, you need to know what they’re doing online. To control the newspapers, you have to control the internet, because these days that’s how the newspapers distribute their information, far more than by print. That means, amongst other things, controlling twitter – which is why the authorities are getting keener and keener to control twitter, and why they will latch onto every opportunity to do so, whether that be the desire to stop trolling or abuse, or to control for copyright and so forth.

We need to see this bigger picture – and resist this drive for control. Some of the elements may seem eminently reasonable – most notably the porn-filters and the desire to root out abusive tweeters – but we need to understand the bigger picture too. We need to consider slippery slopes – even if that means we get ridiculed as conspiracy theorists. If the Snowden story tells us nothing else, it should tell us that not all conspiracy theorists are wrong. The stakes here are very high indeed – it’s about freedom itself.