Now it’s time for a review OF the ISC

Like many others in the privacy field, I had waited for the Intelligence and Security Committee report ‘Privacy and Security: A modern and transparent legal framework’ with some trepidation – though after having made a submission myself, and participated in the ISC’s ‘round table’ events that formed part of the consultation I had felt a little less overwhelming pessimism than I had previously. Having read it through after its release yesterday I feel a little underwhelmed. It isn’t quite as bad as I had feared – but it does come close. The general feeling I had, though, was that the ISC is still essentially out of touch, out of date, and unable to fulfil the critical role of scrutiny that it is tasked with.

One particular paragraph made the point most directly – and it concerned one of the most important areas of the review insofar as it relates to the areas that I work in. Paragraph 80 began with this startling sentence:

“We were surprised to discover that the primary value to GCHQ of bulk interception was not in reading the actual content of communications, but in the information associated with those communications.”

Surprised? Really? No-one who has paid any attention to the field over the last decade at least should have been surprised that the ‘information associated with those communications’ – essentially what is generally referred to as ‘metadata’ these days – is what GCHQ would be interested in. Academics and privacy advocates have been going on about it for years and years – and if the ISC were ‘surprised’ that this is what GCHQ are most directly interested in then it means one of three things: either they’ve not been paying attention (which is their main role), they don’t understand the technology at all (which is critically important to their role), or they’re deliberately dissembling about it (which means they can’t be trusted in their role).

That they even make the admission that they were ‘surprised’ in the official report suggests that they don’t understand the gravity of that admission, and how much it shows that they don’t understand what is happening. They compound that admission later on in the report, in paragraphs 136 and following, when they ask the question of whether Communications Data is ‘as intrusive’ as content, and essentially dismiss the possibility, hence giving the authorities much more freedom. They seem to have forgotten at this point what they had learned in paragraph 80, that the primary value is in the ‘information associated with’ the communications – their surprise didn’t elicit the kind of questions that it should have.

To be clear, the argument made by people like me is not that this information is more intrusive than content – but that it is more useful, for a number of reasons, from the fact that it can be analysed algorithmically (rather than by rooms full of old-fashioned spies poring over reams of print-outs, which seems to be the ISC’s idea of surveillance), and that qualitative information can be gleaned from it. Profiling information – the kind of information that the massive internet advertising industry uses – that can be automatically processed and used. That, however, was something else that indicated how much the ISC was out of touch – they didn’t seem to acknowledge or understand the nature of the current, commercial, surveilled nature of the internet, and the critical role played by the corporations. Bruce Schneier put it most eloquently when talking about the NSA:

“The NSA didn’t wake up and say, ‘Let’s just spy on everybody.’ They looked up and said, ‘Wow, corporations are spying on everybody. Let’s get ourselves a copy.’”

The corporates are much more interested in metadata because they understand its value – and so do GCHQ. The profiling techniques used by advertisers to find customers are the same sort of thing that GCHQ might use to find terrorists – just using different parameters. That the ISC doesn’t understand this – or didn’t understand this – is deeply revealing. One of the brighter spots of the report, however, is that they do at least make a tentative step towards recognising it through their new category of ‘Communications Data Plus’ in their recommendations. As they put it:

  • It is essential to be clear what constitutes CD. In particular, there is a ‘grey’ area of material which is not content, but neither does it appear to fit within the narrow ‘who, when and where’ of a communication, for example information such as web domains visited or the locational tracking information in a smartphone. This information, while not content, nevertheless has the potential to reveal a great deal about a person’s private life – his or her habits, tastes and preferences – and there are therefore legitimate concerns as to how that material is protected.
  • We have therefore recommended that this latter type of information should be treated as a separate category which we call ‘Communications Data Plus’. This should attract greater safeguards than the narrowly drawn category of Communications Data.

Personally, I suspect that the ‘grey area’ defined in this way will turn out to be the vast majority of what was previously considered ‘communications data’ – when data aggregation is considered, in particular, most data can be highly revealing. If the ISC had paid more attention to the advertising industry – effectively, if it had understood the context in which surveillance happens these days – it would not have had such a surprise. I look forward to hearing what these ‘greater safeguards’ it will attract will be.

There is much more in the report that should ring alarm bells – the discussion of encryption, the seemingly new idea of ‘bulk personal datasets’, the casual dismissal of arguments against the fundamentally intrusive nature of ‘bulk collection’, and the attempt to characterise those who seek privacy as being happy to accept a few terrorist atrocities as a fair price to pay for a little personal privacy – and I am sure they will be written about extensively elsewhere. There was one other thing that struck me, though. At no point in the report, as far as I can see, did they mention the fact that the Data Retention Directive was declared invalid in April 2014, and that the reason for its invalidity was that:

“It entails a wide-ranging and particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data, without that interference being limited to what is strictly necessary.”

Did the ISC not know about this, or not think it was relevant? If the former, they’re incompetent, if the latter, they’re dismissive of what are considered to be fundamental rights. Mostly, though, my suspicion is that they thought it was not within the terms of their review – and that, itself, is revealing. Again, the words that spring to mind are ‘out of touch’. In a body charged with oversight of the intelligence services, being out of touch is a fundamental flaw.

The fall of the Chair of the ISC, Sir Malcolm Rifkind, through his being duped into selling his services to a fake Chinese company set up by journalists, highlights the point even more. Time for a change – and a root and branch change. The ISC is right to call for better transparency – but we need better oversight too, and the starting point of that better oversight should be a replacement of the ISC. More technical competence, more people ‘in touch’ with the real world, less subservience to those in authority who are supposed to be subject to their oversight, more openness to new ideas, more willingness to listen to people who don’t immediately fit into their world view.

We’ve had the review by the ISC. Now it’s time for a review of the ISC.

7 thoughts on “Now it’s time for a review OF the ISC”

  1. Good analysis.

    As we left that round-table session in October 2014 I told a member of the ISC that (in my view) it had fallen victim to regulatory capture (which the Wikipedians define as “a form of political corruption that occurs when a regulatory agency, created to act in the public interest, instead advances the commercial or special concerns of interest groups that dominate the industry or sector it is charged with regulating”).

    He bridled visibly.

    At the time I was worried that I had over-stated my case; as I read the ISC’s report I’m increasingly convinced that this is indeed the case.

    This Bloomberg blog post is about regulatory capture in the financial sector, but much of it applies to oversight of the intelligence agencies (both here and in the USA):

    1. Regulatory capture – and I would agree about it here – is much more likely where the regulator doesn’t fully understand the thing it’s trying to regulate, so is more easily persuaded by those who appear to them to be experts. That’s what I see here: they don’t know enough and probably don’t even know that they don’t know enough, so are easily taken in.

  2. OK, so there is a term for what I’m writing about “regulatory capture”.
    I think you only have to be an interested external observer but otherwise entirely ignorant of the complexities and detail, such as myself, to deduce this.
    And it can be read out, as it were, from the personalities, status, position and pronouncements of this group, the ISC, that this is, in fact, the case.
    Of course such people bridle at being confronted with this reality.
    Why is this?
    Let’s go to Paul’s first prominent point, third possible explanation.
    ” [ … ] if the ISC were ‘surprised’ [ sic ] they’re deliberately dissembling about it [ … ] ”
    I think that what we have is a group of highly compliant people. Compliance and conformity are interesting subjects, of course at the core of any left wing enquiry into law and society.
    In fact I have just been at a psychotherapy conference about ethics and actually these issues were very central here. A number of attendees work on the NHS in one way or another, and seemed to me to be very aware of the fascistic potential of the State (in which connection Orwell was quoted a couple of times, and oh yes, Spinoza who, in the 17th century, pointed out the role of the State in generating fear in the populace in order to maintain control).
    I don’t think people should never comply or conform, I do think that there should be the possibility to reflect on the nature of that compliance and conformity.
    It is that possibility that I see myself as defending.
    I find it impossible to be reassured that a nominally powerful committee that in fact rubber stamps decisions and merely echoes attitudes fed to it is in a position to take its due part in the defence of the ability to reflect.
    This means that, with regard to serious issues such as people’s entitlement to construct their own identities, be that in terms of religion or otherwise, the state has huge intrusive and destructive potential that can only multiply problems.
    There is almost no chance that the ISC will be reformed; this is because the criteria to do so will be formulated in terms of process, which is faceless, not tied to individual concerns.
    However, because of the technical nature that properly belongs to the oversight function, there is the possibility that someone who is more broadly informed about these issues could enter here.
    Such a person may be in dialogue with the broader technical community. Technologists are not always the worst people to look at such issues, and they may work with others from different backgrounds.
    Arguments here should be made in conjunction with the need to reverse the attacks on the civil service, which has been denuded of skills and undermined in authority.
    I realise that I don’t know very much about this specifically, but the impression is that, once again, the commercial interests of suppliers combined with the need for efficiency savings on the part of government plus a real agenda to alter the way in which government does business by instituting cost as the sole criterion without any concept of quality or outcome has hijacked our expectations of institutions.
    I think that government is most vulnerable to this sort of argument for positive change because this is directly connected with the indifference that so many people feel for politics. Specifically, why would people be interested when the quality of their work outcomes is so poor? Government, of whatever hue, simply does not do a good job. HS2 may be sold on the basis of tangible benefit, but what about the tangible benefit of a better quality of government? That is the vulnerability that should be exploited even though it will forever be met with the manipulations of fear in the immediate.
