Imagine you’ve just been appointed the head of the online secret police for an oppressive dictatorship. Your leader comes to you with a worried expression. The internet bothers him, he tells you. People get to say whatever they want, to talk to whoever they want, and it’s spreading dissent and destabilising the government. ‘It’s a disaster,’ he says. ‘What are you going to do about it? We need to keep this under control.’
You think about it a bit and then come up with a plan. Our main problem, you tell him, is that we don’t know enough about what is going on. We need to monitor everything. ‘If we know who is talking to who, what sites they’re visiting on the internet, which social networking systems they’re using, and for what, then we can start to take back control.’
A smile starts to appear on the leader’s face. ‘What next?’ he asks.
‘Next we need to set up a system to be able to search through all that information – some kind of filtering system to find what we want to find.’
‘You mean like a kind of Google for private communications and internet activities?’
‘Exactly. We can search for whatever we want – and whoever we want. But there’s more: we can use that information to do much more. They think the internet’s a tool for their free speech – we can turn it into a way to find them, to arrest them, to block them, to find out who likes what they say. We can access their activities in real time and respond to them before they know what’s happening. We can turn the tables on them.’
Your leader smiles and rubs his hands together. ‘Go for it,’ he says.
——————————————-
A dystopian vision?
This may seem like a dystopian vision – but it is, in essence, exactly what the Communications Data Bill is designed to do. It is set up to allow full access to all internet activities, both in a stored form for later access and analysis and a ‘real-time’ feed, allowing monitoring of what people are doing while they’re doing it. It then legislates for a filtering system to be created, a system by which those in authority can search through all the data gathered to find what they want, using whatever terms they want. No warrants are required so long as the person mandating the search is sufficiently senior – and currently, precisely what level of seniority is required in each relevant authority is not specified in the bill, leaving it to the discretion of the authorities concerned.
There are similar initiatives around the world: two prime examples are those proposed in the current review of Australia’s National Security laws and, to a certain extent, the existing Swedish FRA-Law. The United States does it a bit differently: it seems that the National Security Agency (NSA) is just doing all the surveillance, if a key whistleblower is to be believed, without an official legal basis. It’s something that ‘authorities’ seem to have decided is well worthwhile – primarily, it seems, for reasons described above.
One of the characteristics of these laws and systems is that the politicians who put them forward and vote for them appear to be ignorant of both what they do and what they imply. Indeed, politicians often appear not to understand the digital world much, which is one of the reasons we end up with messes such as the Digital Economy Act – but their secret policemen are not in the dark. That’s why it is the ‘intelligence services’ that seem to be the driving force behind the Communications Data Bill, more so even than the police, and why the NSA in the US, as noted above, appears to do pretty much exactly the same, without even a pretence of a legal basis.
Panicking about the Internet
In many ways, the authorities are panicked about the internet. It seems to be too much out of control – and too much beyond their understanding. They used to be able to tap phones and intercept mail, to watch people on the street and to interrogate their friends and connections – now that seems to be much harder. When they sort out systems to tap into one form of communication, the internet develops another – so laws like the Data Retention laws cover email and phones, but they don’t cover social networking sites or instant messaging, because those weren’t sufficiently understood or developed when the laws were drafted. They’ve learned a lesson from that: don’t try to specify too carefully. Instead, gather everything.
There is a logic to it – new forms of communication are being developed all the time and people will find new ways to use existing forms. Conversations can develop in the comments on a blog or even a newspaper article – so all that would need to be monitored. Even reviews of products on Amazon are being used for creative conversations – so that needs to be monitored too. In the end, if you follow this path, the only conclusion is to monitor everything.
One particular red herring in the bill is that it won’t monitor the ‘content’ of communications. That’s fine if you’re looking at conventional forms of communication – emails and phone calls etc – but when you start looking at websites, even a site’s URL can indicate its contents. More to the point, by monitoring people’s behaviour you can profile them – and tap into already highly-developed behavioural-targeting systems. These have been created for advertising, but can be used just as effectively for political, racial and religious profiling.
This kind of universal data gathering, from the perspective of the secret policeman, is both logical and necessary – but it has huge implications, and not just for the obvious issue of privacy. The first and most important effect is a real and direct one: people can be located and prevented from exercising their freedom of expression. Two immediate examples spring to mind. The first is the Nightjack blogger, whose blog provided rare insight into the real life of the police, as well as being fascinating and well enough written to win the Orwell Prize for blogging. His blog was shut down because he was ‘outed’ by The Times – nefariously – and he was unable to operate without the anonymity that his blog provided. If there is universal surveillance, and if we know there is universal surveillance, it will be much easier to break people’s anonymity and pseudonymity. That alone will have a chilling effect, deterring people from blogging if they feel they’re likely to be easy to locate. For some, of course, it’s more than a chilling of speech – it can be deadly. Bloggers in Mexico regularly face very real danger and anonymity is crucial to their safety. Many have been hunted down and executed by drugs cartels. Systems like the one being proposed would make it far easier for them to be found, and given the likelihood of collusion between the cartels and certain elements of the police, the consequences could be hideous.
Function creep – and other risks…
The legal implications may just be the tip of the iceberg. The idea that the police and others authorised to take action under this kind of legislation will only use it for the purpose originally specified is naïve to say the least. Have we learned nothing from the phone-hacking saga, particularly about the way the police can potentially be subverted by other ‘interests’? Function creep is real, both in terms of legislation and in the use of the technology itself.
It is also important to understand that this kind of profiling could be extended to other areas of the internet. People could be ‘steered away’ from particular sites without knowing it. If a large number of ‘suspicious’ people visit a particular website, the site could end up being blocked – or worse, those who create and support that site could be located and arrested. Other forms of data can make the whole thing even worse – from facial profiling of photos on the net to geo-location data that can be used not just to locate people in real time but to analyse their movements over a period in order to predict where they might be. When you combine that with the kind of social networking and related data that might also be gathered, the opportunity to control and even shut down protests or other gatherings becomes more extreme – again, the effect on free expression, on political discourse both offline and online, could be significant.
Experts doubt whether systems like this will even work. The real ‘villains’ – the terrorists and paedophiles that are generally used to justify such proposals – are likely to know how to evade the surveillance. They often have a great deal of practice in covering their tracks and generally take more precautions to avoid being caught.
Stimulating a trade in surveillance technology?
There is another key potential impact of the Communications Data Bill: the law supports the development of technology for surveillance and control. The bill currently estimates that it will cost £1.8bn (US$2.9bn) to implement: that’s £1.8bn on research, development and production of surveillance technologies. Companies will be queuing up for a share of that money – and when they use it, what will they do with it? The products developed – both hardware and software – won’t only be used by our ‘good’ government. Companies will want to sell them elsewhere – or at the very least use the expertise that they’ve developed while building them in further contracts. Who will those contracts be with? There will be a ready market for this kind of surveillance system in any regime with even the smallest degree of an authoritarian streak. Not only will free speech be chilled in our own country, but elsewhere around the world. The concept of universal surveillance will be given the green light.
Universal internet surveillance not only impacts upon privacy, it impacts upon our whole lives – particularly as more aspects of our lives either take place online or have an online element. It chills speech. It can block free association and free assembly. It allows each and every one of us to be pro- filed in great detail. It puts tools of immense power into the hands of exactly those people who can be least trusted to use it – and it should be stopped. The question we must ask is what kind of a society do we want – one with freedom, or one where all the power is in the hands of the authorities?
———————-
(This story first appeared in Index on Censorship – Digital Frontiers – which you can buy here)
Paul Bernal's Blog 
There’s just the small-but-important matter that it can’t actually work – or at least, while it would take a vast amount of time, effort and money to set up and maintain, it’s nigh-on trivial to defeat. More info in my piece in the collated Written Evidence from the consultation…
I do hope you’re right – I have to admit I haven’t read your evidence. I will! Would it be trivial to defeat for even the technically ‘less-than-expert’?
There’s sufficient infrastructure distributed around the Internet, and software bundles created and available for free download (originally intended so that dissidents living under repressive regimes could get information to the wider world without being traceable back), that getting information out of the UK without its intended final destination being traceable, requires maybe 10 minutes of download and setup on a laptop (I’m not aware of free software for tablets and smartphones, yet).
The trickier bit, is arranging for that eventual destination to be able to forward the information back in, according to direction and employing similar mechanisms to frustrate endpoint detection – there are some anonymous remailers still around, although if you are reasonably happy building an Internet-based server of any worthwhile nature, you can not only set your own up to do this pretty easily, but if you’re up to speed on cloud services, you can even move your server around the world rather flexibly. All it takes is a credit card to cover the hosting, the right free downloads, and the knowledge to hook the bits together… and if you want to do a thorough job and take the time to definitely bounce communications through a couple of selected further countries en route out and back, you could seriously ruin an surveillance officer’s day.
It all makes sense, and confirms my general understanding that it won’t catch the people it purports to catch, just what David Davis described as the innocent and the incompetent…
I agree with Dave. It’s easy to get around this kind of thing – Tor being one example at least for browsing – and it’s not really a competence issue (depending on how serious you are about being undetectable) but more a knowledge/principle issue. The danger with things like this is that the vast majority of people just won’t bother masking their activity, believing (wrongly) as they do that if they have nothing to hide then they don’t need to hide anything. Quite sad. Good piece though Paul, thanks for posting
Agreed – the real ‘bad guys’ won’t get caught, just ordinary people doing stuff which they should be allowed to do…
A quick question: Is there really no legal basis for such surveillance in the US? Or is The Patriot Act a legal basis? Or could it even be a “pretence of a legal basis”?
Dave Levy’s answered your question – it’s generally true that the US gives more protection to its own citizens than it does for foreigners, and this is a prime example, at least in terms of law. At least that’s as I understand it!
@Dave Is there a URL for your evidence?
@Tristan The Patriot Act is the legal basis for the Federal Govt. to spy on non Citizens. The 4th Amendment is the citizen’s protection against them spying without a warrant which shall not be issued without probable cause. It says, “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”
Arguably the ECHR is better, guaranteeing a right to privacy (Article 8) , and defining the right to free speech as including the right to receive information (A10) which digital rights activists are using to build the right to use the internet; but those pesky founding fathers, they got some things right with an admirable economy of words.
@DaveLevy: Hiya :-).
My written evidence isn’t available as a discrete document, but the full text is included in http://www.parliament.uk/documents/joint-committees/communications-data/formatted%20written%20evidence.pdf , starting on page 463. Unfortunately this document doesn’t include the original questions, which I (and some others) wrote my response in the form of answers to; these questions are available at http://www.parliament.uk/business/committees/committees-a-z/joint-select/draft-communications-bill/news/call-for-evidence/ .
I’m no expert on civil liberties – I’m happy to trust Dr Bernal and others to present appropriate arguments in this context – so instead kept my answers apolitical and focussed entirely on technical analysis, reaching the conclusion that, barring highly unlikely secret advances in cryptanalysis, any CCDP-like system applied to that portion of Internet infrastructure within the sphere of control of any nation-state cannot be effective. I also contacted my MP (as all witnesses in my group were advised to, when outside the chamber) to the effect that I’d given evidence to the Joint Committee, and followed-up (on request) with some thoughts on the Report.
Further, I did a little thought experiment – “start with a blank sheet of paper, and design a scalable internetworking system from the ground up, with a primary design requirement of the ability to conduct lawful metadata analysis” – and reached the conclusion that such a system would have to be circuit-switched, rather than packet-switched. I think this explains a few things…
Thanks! That’s my understanding, at least in principle.
Oh yeah! Congress has reinforced the US Governement’s right to spy with additonal laws, such as FISA since Obama’s first election.
Quality articles or reviews is the secret to interest the users to visit the web site, that’s what this web page is providing.