Wishful thinking?

I was part of a panel at the Internet Service Providers’ Association (ISPA) conference earlier today, discussing the Communications Data Bill – and whether it struck an appropriate balance between security, privacy and industry. This blog post is a summary of my talk…

Wishful Thinking

Two words characterise the Communications Data Bill for me: wishful thinking.

This wishful thinking has a number of different dimensions.

Three that mean it’s a huge risk…

It is wishful thinking….

…that data and systems won’t be vulnerable. They always are! – and even those who we should most trust to look after our data and our systems have failed to do so. HMRC, responsible for all our tax and benefit data, lost more than 25 million people’s data on a couple of CDs. The MoD, responsible for the defence of the realm, has lost a whole number of laptops, including some with the personal and financial details of all serving and pensioned members of the Armed Forces. Swiss Banks have lost the most private financial data of their most valued clients.

…that the ‘good guys’ won’t abuse the system. The bill provides almost no accountability – no warrants or equivalents are needed so long as a sufficiently ‘senior’ officer authorises access. Precisely what this ‘seniority’ means is undefined – it’s up to the service involved. Have we learned nothing from phone hacking and Leveson? From Hillsborough? Trusting the police is good, but we also need transparency and accountability. Two new examples found this morning highlight this: in Sweden, for example, this autumn 15 officers have been reported for inappropriate access to data bases… (link in Swedish), while from the US, a female police officer has just won a case worth $1 million against colleagues who accessed their database to look at her photo ID.

…that there won’t be any function-creep. There are very few limits in legislation – and there has almost always been function creep where ‘anti-terror’ legislation is concerned, and indeed where new tech has been brought in. It is easy to slip from dealing with terrorists and paedophiles to fly-tipping, dog fouling and trying to get your child into a particular school…

Two that mean it’s unlikely to work…

It is wishful thinking….

…that the real ‘bad guys’ will be caught. They rarely are – and the sort of people that we’re talking about are experts at concealment and so forth. Terrorists, paedophiles, even, if you consider them as bad, file-sharers. Again, the recent evidence over child abuse over the last 30 years from the Savile and North Wales stories should give people pause for thought What’s more, those incompetent enough to be caught by this bill could be caught in any number of other ways!

…that it will be possible to enforce on many foreign-based providers. Some will be unwilling to comply, some unable to comply, some impossible to force. For this tactic to work, it has to be universal – and in reality it won’t be. If these tactics fail, not just will the whole process fail but pressure will be put on UK ISPs to gather the data in some other way.

Others that need to be considered very carefully

It is wishful thinking…

…that there won’t be any unforeseen consequences – there generally are, and often bad ones. Just as one example, systems developed could well end up being sold to oppressive regimes. What we do here could impact upon the rights of those already suffering in oppressive regimes. It might even be that the costs are a result of wishful thinking – my discussions with the real experts at ISPA suggest that they almost certainly are!

This is not how legislation should be written…. or conceived.

Some elements of these bits of wishful thinking can be addressed by better and more carefully written legislation – more checks and balances, more precise and appropriate determinations of who should be allowed access to what and so forth – but others are inherent in the overall approach.

Any system based on universal gathering has these kinds of problems. All data, however held, may be vulnerable. Function creep can only be guarded against by not building the systems or drafting the legislation in the first place… What’s more, the ‘normalising’ effect of supporting the whole idea of universal surveillance is not something that can be addressed by tinkering at the edges or by more carefully drafting the legislation.

Making the idea of online surveillance somehow acceptable, numbing us to the ideas, is something that needs to be taken very seriously indeed. As well as the direct impact, it has the potential for significant chilling effects, and implications not just for privacy but freedom of expression, freedom of assembly and association, even freedom of thought and religion.

None of this is to say that the idea is not inconceivable – we should be willing to consider all ideas – but to be justifiable, in this context, the benefits would have to outweigh the risks. As the risks are so significant, that means the benefits would have to be very great – and demonstrated to be very great. In practice, there doesn’t seem to have been any demonstration of benefit at all – instead, we are expected to take it all on trust.

That’s the last, and most important issue of wishful thinking. A liberal democracy is predicated on a degree of trust – but more importantly on appropriate checks and balances, transparent systems, and accountability.

Conclusion

My overall conclusion – the whole thing should be abandoned. Instead, we should look at:

• Targeted rather than universal surveillance
• Warrants or their equivalent before the collection
• The idea that we should have the right not to be monitored – the default should be no surveillance.

This last is the key for me. We should normalise privacy, not normalise surveillance. That not only respects people’s rights, but it can help build trust. When we have more trust, we have a better environment for people, for business, and even for the intelligence services.