Like many others in the privacy field, I had waited for the Intelligence and Security Committee report ‘Privacy and Security: A modern and transparent legal framework’ with some trepidation – though after having made a submission myself, and participated in the ISC’s ‘round table’ events that formed part of the consultation I had felt a little less overwhelming pessimism than I had previously. Having read it through after its release yesterday I feel a little underwhelmed. It isn’t quite as bad as I had feared – but it does come close. The general feeling I had, though, was that the ISC is still essentially out of touch, out of date, and unable to fulfil the critical role of scrutiny that it is tasked with.
One particular paragraph made the point most directly – and it concerned one of the most important areas of the review insofar as it relates to the areas that I work in. Paragraph 80 began with this startling sentence:
“We were surprised to discover that the primary value to GCHQ of bulk interception was not in reading the actual content of communications, but in the information associated with those communications.”
Surprised? Really? No-one who has paid any attention to the field over the last decade at least should have been surprised that the ‘information associated with those communications’ – essentially what is generally referred to as ‘metadata’ these days – is what GCHQ would be interested in. Academics and privacy advocates have been going on about it for years and years – and if the ISC were ‘surprised’ that this is what GCHQ are most directly interested in then it means one of three things: either they’ve not been paying attention (which is their main role), they don’t understand the technology at all (which is critically important to their role), or they’re deliberately dissembling about it (which means they can’t be trusted in their role).
That they even make the admission that they were ‘surprised’ in the official report suggests that they don’t understand the gravity of that admission, and how much it shows that they don’t understand what is happening. They compound that admission later on in the report, in paragraphs 136 and following, when they ask the question of whether Communications Data is ‘as intrusive’ as content, and essentially dismiss the possibility, hence giving the authorities much more freedom. They seem to have forgotten at this point what they had learned in paragraph 80, that the primary value is in the ‘information associated with’ the communications – their surprise didn’t elicit the kind of questions that it should have.
To be clear, the argument made by people like me is not that this information is more intrusive than content – but that it is more useful, for a number of reasons, from the fact that it can be analysed algorithmically (rather than by rooms full of old-fashioned spies poring over reams of print-outs, which seems to be the ISC’s idea of surveillance), and that qualitative information can be gleaned from it. Profiling information – the kind of information that the massive internet advertising industry uses – that can be automatically processed and used. That, however, was something else that indicated how much the ISC was out of touch – they didn’t seem to acknowledge or understand the nature of the current, commercial, surveilled nature of the internet, and the critical role played by the corporations. Bruce Schneier put it most eloquently when talking about the NSA:
“The NSA didn’t wake up and say, ‘Let’s just spy on everybody.’ They looked up and said, ‘Wow, corporations are spying on everybody. Let’s get ourselves a copy.’”
The corporates are much more interested in metadata because they understand its value – and so do GCHQ. The profiling techniques used by advertisers to find customers are the same sort of thing that GCHQ might use to find terrorists – just using different parameters. That the ISC doesn’t understand this – or didn’t understand this – is deeply revealing. One of the brighter spots of the report, however, is that they do at least make a tentative step towards recognising it through their new category of ‘Communications Data Plus’ in their recommendations. As they put it:
- It is essential to be clear what constitutes CD. In particular, there is a ‘grey’ area of material which is not content, but neither does it appear to fit within the narrow ‘who, when and where’ of a communication, for example information such as web domains visited or the locational tracking information in a smartphone. This information, while not content, nevertheless has the potential to reveal a great deal about a person’s private life – his or her habits, tastes and preferences – and there are therefore legitimate concerns as to how that material is protected.
- We have therefore recommended that this latter type of information should be treated as a separate category which we call ‘Communications Data Plus’. This should attract greater safeguards than the narrowly drawn category of Communications Data.
Personally, I suspect that the ‘grey area’ defined in this way will turn out to be the vast majority of what was previously considered ‘communications data’ – when data aggregation is considered, in particular, most data can be highly revealing. If the ISC had paid more attention to the advertising industry – effectively, if it had understood the context in which surveillance happens these days – it would not have had such a surprise. I look forward to hearing what these ‘greater safeguards’ it will attract will be.
There is much more in the report that should ring alarm bells – the discussion of encryption, the seemingly new idea of ‘bulk personal datasets’, the casual dismissal of arguments against the fundamentally intrusive nature of ‘bulk collection’, and the attempt to characterise those who seek privacy as being happy to accept a few terrorist atrocities as a fair price to pay for a little personal privacy – and I am sure they will be written about extensively elsewhere. There was one other thing that struck me, though. At no point in the report, as far as I can see, did they mention the fact that the Data Retention Directive was declared invalid in April 2014, and that the reason for its invalidity was that:
“It entails a wide-ranging and particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data, without that interference being limited to what is strictly necessary.”
Did the ISC not know about this, or not think it was relevant? If the former, they’re incompetent, if the latter, they’re dismissive of what are considered to be fundamental rights. Mostly, though, my suspicion is that they thought it was not within the terms of their review – and that, itself, is revealing. Again, the words that spring to mind are ‘out of touch’. In a body charged with oversight of the intelligence services, being out of touch is a fundamental flaw.
The fall of the Chair of the ISC, Sir Malcolm Rifkind, through his being duped into selling his services to a fake Chinese company set up by journalists, highlights the point even more. Time for a change – and a root and branch change. The ISC is right to call for better transparency – but we need better oversight too, and the starting point of that better oversight should be a replacement of the ISC. More technical competence, more people ‘in touch’ with the real world, less subservience to those in authority who are supposed to be subject to their oversight, more openness to new ideas, more willingness to listen to people who don’t immediately fit into their world view.
We’ve had the review by the ISC. Now it’s time for a review of the ISC.