Month: November 2015

Paris…

The aftermath of the events in Paris has shown many of the worst things about the current media and social media. I’ve been watching, reading and following with a feeling, primarily, of sadness.

What depresses me the most – and surprises me the least – is the way that the hideousness has been used to support pretty much every agenda. I’ve seen the events used to ‘prove’ that we should leave the EU (‘control our borders’ etc) and that we should stay in the EU (‘solidarity’ with France), that we need less surveillance (it didn’t work this time, why not direct the effort and resources elsewhere) and that we need more surveillance (the threat is real, we must do everything needed). I’ve seen it said that we need to clamp down on Islam, that we need to support moderate Islam, that terrorists are all Muslims, that the vast majority of the victims of terrorism (and of ISIS in particular) are Muslims, that terrorism has no religion and so on. I’ve seen attacks on Corbyn, on Cameron, on a wide selection of journalists and ‘commentators’ for their responses to the events. I’ve seen the blame placed on Syria, France, Saudi Arabia, the US, the UK and of course Israel. We’re at war, I keep reading, though whether with ISIS, ‘terror’ or Islam as a whole seems a little unclear in the words of some.

I see some saying this shows how pointless the drone-killing of ‘Jihadi John’ was, and how this was in part revenge for it, and others saying how it shows the need for more such attacks. I read that this means we need to bomb Syria now – and then how it shows that bombing just makes it worse, and makes us a target. I hear that we’re too soft on refugees, and let the terrorists in under cover – and then that this just shows what the refugees have to suffer at home every day. It’s our fault for being too soft, it’s our fault for being too brutal, it’s not our fault at all.

All I can do is sigh. And feel more sadness. I see the points that everyone has. And yet all I feel is sadness. There isn’t an easy solution to any of this. There aren’t easy answers. There really aren’t, no matter how tempting some of the ideas might be. I wish there were.

Surveillance: thinking outside the box

One of the more common responses to criticism of the Investigatory Powers Bill – and indeed pretty much any extensive surveillance plan or law – is something along the lines of ‘but if it solves a single terrorist plot we should do it.’ The implication is that those of us who criticise the plans are somehow being ‘soft’ on terrorism, or even on the side of the terrorists. Or, more usually, that we’re indulging our own personal, individual and selfish ideas of privacy at the cost of critical security. I’ve written about some aspects of this many times before – about how privacy isn’t an individual right but one that underpins community rights such as freedom of assembly and association, how it’s critical for freedom of speech, and so forth – but there is another crucial side to this. Neither I nor any of those I know who advocate for privacy and more controls over surveillance are suggesting that we do nothing about crime or terrorism. Very much the opposite. When the debate is heard in the media it often seems as though privacy advocates are just blocking the security and intelligence services, and the police, from doing what is needed. That we’re suggesting that the risk of deaths through terrorist atrocities matters less than our abstract, theoretical and ultimately irrelevant ‘rights’. We’re not. What we are asking for is exactly that ‘mature debate’ that Andrew Parker of MI5 has asked for over surveillance.

Targeted surveillance?

There may be some who are calling for no surveillance at all, but very few. Most are calling for targeted rather than mass surveillance – and not just because they believe this would be more proportionate but because it might even be more effective. If you’re already looking for a needle in a haystack, why start by making that haystack as big as it can possibly be. Privacy advocates aren’t looking for there to be *no* strategy to locate and counter terrorist plots. For anyone to say ‘but we foiled this plot this way’ and not to see that the comparison needed isn’t between the (mass surveillance) policy being pursued and nothing, but between the policy pursued and some alternative policy that might even be more effective. We’re not saying ‘stop mass surveillance and do nothing’ but ‘stop mass surveillance and develop an alternative strategy’.

Scarce resources

This argument extends to resources too – particularly in today’s economic climate. One of the many questions that needs to be asked is whether the immense amounts of money, time, people and resources allocated to the current and planned surveillance programmes might be more effectively allocated elsewhere. The Charlie Hebdo killers, for example, had been under direct, targeted, physical surveillance by the French authorities some time before the shooting, but that surveillance had reportedly been dropped because of a lack of resources. How many additional, ‘traditional’ counter-terrrorism officers could be employed for the amount being spent on surveillance programmes? Has the question been asked?

There are other questions to ask too. The full consequences of the current and planned proposals need to be considered. Things like the plans on encryption – insofar as it is clear what those plans actually are – can have many potentially dangerous results, from creating vulnerabilities to encouraging the development and use of more tools to sidestep or avoid the authorities. The forced retention of ‘Internet Connection Records’ (about which I have written before), for example, may encourage the broader use of systems like Tor, by both those who the authorities would like to be able to watch and by those they would not. Tighten the grip and more may slip through the fingers. Has there been any kind of assessment of this?

A new law?

It’s not true that many of those opposed to surveillance are opposed to having a new law – again, quite the opposite. David Anderson QC was quite right when he characterised the current state of affairs as ‘undemocratic, unnecessary and – in the long run – intolerable’.  A new law is crucial – but it needs to be as good as it can be, and for that to happen the debate has to be on the right terms. Straw men – and the essence of the ‘all or nothing’ and ‘my way or the highway’ arguments that are so commonly made is that they are straw men – should be exposed for what they are, if we are to have the debate that we need.

The problem with our debate – well, one of the problems with it – is that it’s couched in such simple, black-and-white, emotive and immature terms. On the one side, people are accused of being Orwellian oppressors, on the other side of being naïve do-gooders who can’t handle the truth and will have blood on their hands. Neither characterisation, it seems to me, is either particularly true or particularly helpful. We need to get beyond them if the debate is to be meaningful. The questions above – whether there are alternative approaches being explored or considered, whether the current plans are an appropriate and effective use of resources – would be a key part of a properly mature debate. Indeed, I hope they will become so as the debate on the Investigatory Powers Bill continues over the next few months. Alternatives must be discussed and explored – and I hope they will be.

A few words on ‘Internet Connection Records’

There are many things in the new draft Investigatory Powers Bill that need very careful attention – some of which may be cautiously welcomed, some of which need to be taken with a distinct pinch of salt. The issues surrounding ‘Bulk Powers’ (which we’re not supposed to call ‘mass surveillance’) and ‘Equipment Interference’ (which I presume we’re not supposed to call hacking) will be examined in great detail, and quite rightly so because they’re of critical importance, and clearly recognised as such. The issue of ‘Internet Connection Records’, on the other hand, does not yet seem to have been given the attention it deserves – but I am sure that will change, because the collection of them has massive significance and represents a major change in surveillance, for all that they are described in the introduction to the bill as just ‘restoring capabilities that have been lost as a result of changes in the way people communicate’. They don’t restore capabilities: they provide hitherto unprecedented intrusion into people’s lives.

Internet Connection Records (ICRs)

The description of ICRs in the bill leaves quite a lot to be desired. In the introductory explanation they are set out as:

Screen Shot 2015-11-05 at 09.33.33

In accordance with the bill, these ICRs will be captured and stored for a year by the communications providers. This means, essentially, that a rolling record of a year of everyone’s browsing history will be stored. Not, it seems, beyond the top level of website (so that you’ve visited ‘www.bbc.co.uk’ but not each individual page within that website, nor what you have ‘done’ on that website). The significance of this data is very much underplayed, suggesting it is just a way of checking that so-and-so accessed Facebook at a particular time, in a similar way to saying ‘so-and-so called the following number’ on the phone, and thus the supposed ‘restoring of capabilities’ referred to. That, however, both misunderstands the significance of the data and of the way that we use the technology.

The latter part is perhaps the most easily missed. Our ‘online life’ isn’t just about what is traditionally called ‘communications’, and isn’t the equivalent of what we used to do with our old, landline phones. For most people, it is almost impossible to find an aspect of their life that does not have an online element. We don’t just talk to our friends online, or just do our professional work online, we do almost everything online. We bank online. We shop online. We research online. We find relationships online. We listen to music and watch TV and movies online. We plan our holidays online. Monitoring the websites we visit isn’t like having an itemised telephone bill (an analogy that more than one person used yesterday) it’s like following a person around as they visit the shops (both window shopping and the real thing), go the pub, go to the cinema, turn on their radio, go to the park, visit the travel agent, look at books in the library and so forth.

That, however, is only part of the problem. The other aspect is perhaps even more important – the inferences that can be gleaned from analysis of the ICRs. There are two different sides to this:

  1. The first is the ‘logical’ analysis of web browsing data: the kind of inferences that can be made by looking at the kinds of sites visited, the times that they are visited and so forth. This can be very direct, like using knowledge that a person visited sites connected with a particular religion to ‘guess’ their own religion, or that they visited sites connected with a particular health condition to ‘guess’ that they might be concerned about their own health. It can also be less direct but similarly logical – men who spend a lot of time watching Top Gear might be thought to have sympathy for Jeremy Clarkson’s views on ‘political correctness’ or be skeptical about climate change, or people who visit a lot of ‘news’ websites might be particularly interested in politics. People who visit pizza delivery websites regularly might be ‘guessed’ to have unhealthy lifestyles. The number of possibilities are huge – and not just relating to the actual sites visited, but the time and pattern of those visits. Browse a great deal in the middle of the night, and that says something very different to browsing only during working hours.
  2. The second is perhaps even more concerning: the ‘big data’ analysis of ICRs. One of the critical aspects of ‘big data’ is that it picks up traits and establishes correlations rather than seeking to find logical connections for things. This has been studied by academics, with some surprising findings – the story from one such study that ‘liking’ (in Facebook terms) curly fries correlates to higher intelligence makes the point. This kind of data – and it really is ‘big data’ – allows far more inferences to be drawn than are immediately obvious. Moreover, it is a kind of analysis that is being worked on, and worked on extensively, by some of the biggest, most powerful and most technologically advanced corporations in the world. What Google, Facebook and others develop in order to identify target audiences for advertising or markets for products is just as suitable for identifying people with particular political views.

The problems with these inferences should not be underestimated. If they’re accurate, they represent major intrusions into people’s privacy – sometimes they allow the analysts to predict behaviour better than the people themselves can predict it – whilst if they’re inaccurate they can mean that terrible decisions are made about people. When this is confined to advertising the impact is rarely that significant (though it can be, as the non-apocryphal stories of revealed pregnancies and sexuality have shown) but if decisions are made on a similar basis by law enforcement or security services they could be hideous.

So we should not underplay the importance of Internet Connection Records. They matter a great deal – and gathering them is a major step in surveillance. What is more, asking communications service providers to gather and hold them adds a whole raft of new vulnerabilities. The Talk Talk hack – and Talk Talk are precisely the kind of company who would be forced to hold this kind of data – should make the vulnerability to hacking crystal clear. This kind of data is perfect for identity theft, scamming, blackmail (Ashley Madison style) and far more crimes, and the servers holding it might as well have big red signs on them saying ‘hack me please’. The chance of individual misuse of the information should also not be downplayed – in the initial draft of the Bill it looks as though access to the data will not be via warrant, but through the ‘Designated Person’. The past has shown how individuals can misuse systems for personal reasons – this kind of data can be very tempting.

The chance of ‘function creep’ is perhaps even more concerning. Where systems are built and data gathered for one purpose, it is hard to resist using it for another, seemingly obvious and sensible reason. That’s how RIPA ended up being used for dog fouling, fly-tipping and school catchment enforcement when it was intended for terrorism and serious crime. If you build it, it will be used, and not just for the original purpose.

None of this is to say that Internet Connection Record should definitively not be collected – but that the ‘mature debate’ that has been called for on surveillance should be about what they can really be used for, and the depth of the intrusion into people’s lives that they really represent. The bar should be set very high here, and the case to gather and hold this information needs to be a very good one indeed. The arguments put forward so far do not seem strong enough to me – perhaps more will be provided in the process through which the bill is scrutinised over the next few months. If not, this is a part of the bill that should be opposed very strongly.