Yesterday I took part in the ’round table sessions’ of the Intelligence and Security Committee of Parliament’s ‘Privacy and Security Inquiry’. It was an interesting event – and an enjoyable one, though I hope that doesn’t mean that I’ve already begun the process of being ‘captured’ by the intelligence community. The round table sessions are part of the bigger inquiry – accompanied by public evidence sessions which are continuing through the week.
The whole thing was very informal – I found myself sitting next to Sir Malcolm Rifkind and opposite Lord Lothian around a small, round table, one of three such tables in the room. Yes, the round table sessions really involved round tables. Essentially, we had an hour to chat about whatever issues we felt mattered to the inquiry – we had been invited on the basis of the written evidence we had submitted to the inquiry, back in February this year (mine can be found here). Around the table were an academic computer scientist, what I would call a ‘real’ programmer, a human rights activist, myself, a former lawyer for MI5 and MI6, and the two members of the committee, Sir Malcolm Rifkind and Lord Lothian.
There were some very positive things about the discussion – both Rifkind and Lothian appeared to agree, after some resistance, on the first major point that we tried to argue (primarily myself and Izza Leghtas from Human Rights Watch): that the privacy invasion, and hence the first set of proper controls, need to be at the gathering stage, not the accessing stage for data. That, in practice, less data should be gathered and held, and for shorter periods. Moreover, that there should be judicial involvement at the gathering stage – indeed, David Bickford, former Legal Director for MI5 and MI6, thought judges should be involved far more in the whole process, from beginning to end, following the French model.
As part of that discussion, they really did appear to take on board that there are serious risks involved in just gathering and holding data – and seemed to be listening as we listed them!
Other points of agreement were that RIPA is, basically, an awful mess. Rifkind readily admitted that he really didn’t understand it. What that says for his (and the committee’s) ability to oversee the intelligence services is another matter. The feeling from all concerned was that whatever else happens, the law needs review and it needs to be clearer what it actually does – whether directly in the law or in accompanying guidance. It would be nice to see – but I am not holding my breath.
Three particularly interesting things that came out of our brief discussion – and it was brief, because the hour we had went very fast. The first was that Sir Malcolm Rifkind made a very clear differentiation between the intelligence services and the other groups who can use RIPA. He made the argument that the intelligence services really can’t do you any harm unless you’re one of the ‘bad guys’ – and though this was perilously close to saying ‘if you’ve got nothing to hide’ he did acknowledge that it was not an argument that worked in relation to the police, to local authorities or to the other various bodies that utilise surveillance or gathered data. He seemed to suggest that all of those bodies – including the police – need much tighter controls. In the light of the current issues regarding police access to journalists’ communications data, this makes sense, but again it will be interesting to see whether it really amounts to anything.
The second was that David Bickford made the specific comment that if corporations do all the data gathering, analysis and so forth, then surely the intelligence services should be able to do the same. Why should we place more restrictions on the intelligence services than we do on Google and Facebook? When I suggested that perhaps this means that we should put more restrictions on Google and Facebook rather than less on the intelligence services, he laughed a bit, but did seem to get the point.
The third was that both Lord Lothian and Sir Malcolm Rifkind noted that the Human Rights Act provided protection – and when I teased him about the planned impending doom of the Human Rights Act, Rifkind almost winced, and said that there’s always the ECHR. I got the distinct feeling that Rifkind is not enamoured of Grayling’s plan for human rights, though he was far too diplomatic to say so.
Much more was said, and overall it was a good and fairly robust discussion – we all seemed to be able to say what we wanted, and the two committee members seemed genuinely to be listening. They are, however, politicians – and they were also very aware of the limitations of their own powers, and how hard it is to change things in this field with any speed. They were keenest of all on increasing transparency, and moving to a position where the default position is that information is disclosed, and is made public, rather than the opposite. I hope this happens….
….but I remain cynical about it all. The question of whether what the committee does actually has any impact on what the security and intelligence services do remains unanswered. Is this all just a PR exercise, or is there some more profound change going on? It will take a lot more than a few round table sessions, even with Knights like Sir Malcolm Rifkind, to convince me. However, I found myself just a smidgen less cynical than I was before the session started. Perhaps I’ve been captured after all.
Paul Bernal's Blog 
‘Perhaps I’ve been captured after all.’
I hope not! 🙂
Not Chatham Rules then?
Nope – I asked very specifically!
Very interesting – I hope I have time to go into this in more detail, but …
”
The second was that David Bickford made the specific comment that if corporations do all the data gathering, analysis and so forth, then surely the intelligence services should be able to do the same. Why should we place more restrictions on the intelligence services than we do on Google and Facebook? When I suggested that perhaps this means that we should put more restrictions on Google and Facebook rather than less on the intelligence services, he laughed a bit, but did seem to get the point.”
Very revealing. Revealing of a way of thinking, but that way of thinking does not reflect the reality it addresses.
In fact it is lazy thinking. Bickford has no idea what the intelligence communities or the mega internet companies do. This fact is reflected in this thought.
In either case, what is gathered and what manner of analysis is made?
For the intelligence community ————-
Gathering:-
Since intelligence services have unfettered access to internet traffic they can, and do, gather everything.
Analysis:-
Presumably that which is inconveniently encrypted they store until they know they don’t need or work out how to decrypt or realise it is not possible. Who knows what information is ‘leaked’ by encrypted data that cannot truly be called metadata.
Moreover there is the interesting moment as the secure connection is brought up and when it is dropped. Not to mention other ways in, the whole PKA CA architecture is broken in terms of weak links in the chain of security.
And, in talking about privacy, these points have to be made because in these terms we must assume there isn’t privacy, just the panopticon. And why did Benthal suggest that mechanism? Because of the element of shame in exposure as much as the possibility of punishment for the miscreant.
In other words there is a chilling effect that really we have no choice but to live with.
But we are talking about the law. It is possible, hypothetically, to change the law, and then some actions of the intelligence community would be against those new laws if they didn’t comply with them.
Given the de facto situation I cannot see that happening.
For the mega internet companies ————–
Obviously they gather and store far less data and in a totally different fashion. Nevertheless it is vast.
Moreover, the stream of data they gather is a very useful source for intelligence services.
But they are only interested in certain things. For instance they will not gather information by making probes, when secure connections are brought up or dropped.
They will just be interested that their infrastructure is working correctly, and gather data to support that.
Very different.
When it comes to analysis it is totally different as well.
There are business and ethical constraints on them as well. These are fussy, but that doesn’t mean they don’t exist.
I do think that the deleterious effect of scrutiny is found in mega corp web sites. This is an important phenomenon that cannot be unwound in a few sentences.
There is a sort of cat and mouse going on. Tories in particular have not wanted to be left behind by industry, so they say industry does so we should. But then sometimes government leads, since they are unrestricted in many dimensions, computing power, access to the T1 data, access to bright talent. There, of course, they are in a bidding war with mega corp.
Nevertheless changes in the law would be helpful.
But would changes go so far as to make the legislate that data we create is really inalienably ours?
There are many factors I haven’t discussed just here that give me to think this.
I think this is the piece of legislation we should be looking for.
Not to say other efforts are not worthwhile, and I do not seeing this happening, but it is what we should have in mind.
Perhaps in the end, in twenty years, it will be seen how important such a piece of legislation would be, that is if we can pull back from slipping into tyranny.
At the moment the signs are not good.
us to legislate that …