Surveillance: thinking outside the box

One of the more common responses to criticism of the Investigatory Powers Bill – and indeed pretty much any extensive surveillance plan or law – is something along the lines of ‘but if it solves a single terrorist plot we should do it.’ The implication is that those of us who criticise the plans are somehow being ‘soft’ on terrorism, or even on the side of the terrorists. Or, more usually, that we’re indulging our own personal, individual and selfish ideas of privacy at the cost of critical security. I’ve written about some aspects of this many times before – about how privacy isn’t an individual right but one that underpins community rights such as freedom of assembly and association, how it’s critical for freedom of speech, and so forth – but there is another crucial side to this. Neither I nor any of those I know who advocate for privacy and more controls over surveillance are suggesting that we do nothing about crime or terrorism. Very much the opposite. When the debate is heard in the media it often seems as though privacy advocates are just blocking the security and intelligence services, and the police, from doing what is needed. That we’re suggesting that the risk of deaths through terrorist atrocities matters less than our abstract, theoretical and ultimately irrelevant ‘rights’. We’re not. What we are asking for is exactly that ‘mature debate’ that Andrew Parker of MI5 has asked for over surveillance.

Targeted surveillance?

There may be some who are calling for no surveillance at all, but very few. Most are calling for targeted rather than mass surveillance – and not just because they believe this would be more proportionate but because it might even be more effective. If you’re already looking for a needle in a haystack, why start by making that haystack as big as it can possibly be. Privacy advocates aren’t looking for there to be *no* strategy to locate and counter terrorist plots. For anyone to say ‘but we foiled this plot this way’ and not to see that the comparison needed isn’t between the (mass surveillance) policy being pursued and nothing, but between the policy pursued and some alternative policy that might even be more effective. We’re not saying ‘stop mass surveillance and do nothing’ but ‘stop mass surveillance and develop an alternative strategy’.

Scarce resources

This argument extends to resources too – particularly in today’s economic climate. One of the many questions that needs to be asked is whether the immense amounts of money, time, people and resources allocated to the current and planned surveillance programmes might be more effectively allocated elsewhere. The Charlie Hebdo killers, for example, had been under direct, targeted, physical surveillance by the French authorities some time before the shooting, but that surveillance had reportedly been dropped because of a lack of resources. How many additional, ‘traditional’ counter-terrrorism officers could be employed for the amount being spent on surveillance programmes? Has the question been asked?

There are other questions to ask too. The full consequences of the current and planned proposals need to be considered. Things like the plans on encryption – insofar as it is clear what those plans actually are – can have many potentially dangerous results, from creating vulnerabilities to encouraging the development and use of more tools to sidestep or avoid the authorities. The forced retention of ‘Internet Connection Records’ (about which I have written before), for example, may encourage the broader use of systems like Tor, by both those who the authorities would like to be able to watch and by those they would not. Tighten the grip and more may slip through the fingers. Has there been any kind of assessment of this?

A new law?

It’s not true that many of those opposed to surveillance are opposed to having a new law – again, quite the opposite. David Anderson QC was quite right when he characterised the current state of affairs as ‘undemocratic, unnecessary and – in the long run – intolerable’.  A new law is crucial – but it needs to be as good as it can be, and for that to happen the debate has to be on the right terms. Straw men – and the essence of the ‘all or nothing’ and ‘my way or the highway’ arguments that are so commonly made is that they are straw men – should be exposed for what they are, if we are to have the debate that we need.

The problem with our debate – well, one of the problems with it – is that it’s couched in such simple, black-and-white, emotive and immature terms. On the one side, people are accused of being Orwellian oppressors, on the other side of being naïve do-gooders who can’t handle the truth and will have blood on their hands. Neither characterisation, it seems to me, is either particularly true or particularly helpful. We need to get beyond them if the debate is to be meaningful. The questions above – whether there are alternative approaches being explored or considered, whether the current plans are an appropriate and effective use of resources – would be a key part of a properly mature debate. Indeed, I hope they will become so as the debate on the Investigatory Powers Bill continues over the next few months. Alternatives must be discussed and explored – and I hope they will be.

16 thoughts on “Surveillance: thinking outside the box

  1. ‘alternatives must be discussed and explored’ – I hope so. What I struggle to understand, especially in light of your illuminating observations, is what is in it for the folk who advocate mass surveillance? That approach has always felt nonsensical, more so now I have read this.

    1. Something must be done, this is something, let us do it …

      The classic example being the Dangerous Dogs Act. Media and Joe and Josephine Public interacted to get politicians to enact a useless piece of legislation.

      All the evidence, despite the predictions of the received wisdom at the time, is that the Act has made no appreciable difference to incidents involving ‘dangerous’ dogs.

    2. I have come across something similar with CCTV.

      The rational, the inexpensive thing to do, long term, is redesign the layout of your shop to design out crime. Instead, people are persuaded to invest in expensive equipment to cover blind spots so they may have the evidence to pursue a case, once an item is stolen. Yes, CCTV may have a marginal deterrent effect, but a redesign should be designed to put your customers in your line of sight. Arguably the latter is the best deterrent against shoplifting. And you may always install a seemingly working dummy camera or two (or let it be known, in the right quarters, that you are monitoring communications when you are not) as part of your redesign.

      I went toe to toe with someone (no names, no pack drill) arguing for public money to put CCTV in shops across our geographical area. My response was along the lines of what was the outcome of your spend to date. They said, we spent the money and people favour CCTV.

      I flawed them by asking whether or not the provision of CCTV had lowered reported crime, a measurable output; reduced insurance premiums, another measurable output; increased profitability, yet another measurable output and reduced fear of crime amongst shop owners, a qualitative outcome. Fear of crime is quite often higher than the incidence of crime so the latter is quite important to measure.

      And, although, the shopkeepers would have to pay 50% of the capital cost of installation, they would have to pay for the full running costs, maintenance etc thereafter. Past experience suggested that many failed to operate the systems not long after the initial installation, in part, because of the ongoing costs.

      I already knew the answer to my questions. They had undertaken no evaluations of spend on previous projects so they could not say it had made any difference. All they could say was that they had a tried and tested method of spending money on CCTV installation in small businesses. They steered clear of the popularity line when one observed that the fear of crime did not feature in the top five issues of concern to small business owners responding to British Chamber of Commerce and Industry surveys.

      I trust you will forgive an ex Civil Servant’s cynicism, but I suspect the intelligence community is equally slapdash in how it approaches its work. Never mind the quality, Home Secretary, feel the width of our work and think how it will play out in the quarters from whence you will need to seek votes in the upcoming leadership election.

      Incidentally, I took the view that spending money, at least to begin with, on improving energy efficiency amongst small businesses would net a greater return for them and us. After all, energy costs are an issue 24/7 and it fitted in with our efforts to promote the Green Industrial Revolution. I did think a logical next step would be to look at small scale, renewable energy generation which is something some local businesses have now done themselves. I know what you are thinking, Government officials engaging in a joined up, evidence led approach … Where might it all end!?

    3. No one advocates “mass surveillance”, Abby. And those of us who broadly support the current approach and this draft bill do so because we believe they strike a good balance between security and privacy, and help fight terrorism and crime. There’s nothing “in it” for us. Like you, we want the best for our society.

      Let’s have the mature debate Paul’s asking for. I’ll try, on my side.

  2. Good points, well made.

    Kelly Fiveash is one of the few journalists to pay attention to the costs. See her pieve in The Register here:

    Meanwhile, the HawkTalk blog has a excellent item on how legislation from 1984 (yes, really!) was used by MI5 to collect telephone records for over a decade with no democratic oversight worth mentioning:

  3. As someone on the other side of this debate, who’s basically happy with current investigatory powers and with the new draft bill, I warmly welcome your approach here. I’m often accused of being some kind of authoritarian, and in the last few days have had Goebbels quoted to me, and told I “sound like a Nazi”.

    So yes, by all means let’s have a mature debate, going beyond what I think is childish rhetoric like “snooper’s charter”.

    You make a fair point about resources and the Charlie Hebdo killers. But it’s important to consider the possibility that those men might have been known to the French authorities by the analysis or surveillance of some form of electronic communications. We’ve had this discussion on Twitter before, and I imagine you’re thoroughly fed up with it. But is there any actual evidence they were not discovered in that way? If they were, then your extra ‘traditional’ counter-terrrorism officers bought with removing the relevant powers might have had no one to tail.

    I’d really like to see a blogpost setting out what powers you think the police and security agencies need, Paul, and the safeguards you’d introduce.

    1. I’m thinking about how to deal with that right now – we have a meeting of the National Police Chiefs’ Council’s ‘Independent Digital Ethics Panel’ this week, where I’m sure it will come under discussion. Not easy, of course. I know I need to learn much more of the practical operational issues.

  4. Agree with the need for a mature and meaningful debate.

    Personally speaking, I think what has been missing from the anti ‘mass surveillance’ camp – perhaps understandably given what the Government has provided – has been a practical and realistic understanding of how and why these datasets are used, and how signals and human intelligence interact in modern intelligence.

    On the latter point, it can no longer be an either/or scenario for any operation. They operate alongside each other, complimenting and informing, and filling in intelligence gaps that the other simply can’t answer. Clearly, there will be circumstances where one is more or less appropriate or offer value for money. Yes, comprehensive physical surveillance might have been able to prevent the Charlie Hebdo murders. But there are always going to be ‘no-go’ areas, conversations missed, and risks of exposure. And as noted in an earlier comment, they may have been identified in the first place by technical means.

    This links into the former point, ‘targeted versus mass surveillance’. I’m yet to see anyone explain how this can be achieved in the foreign intelligence space, given the encryption challenges and nature of how communications flow internationally.

    To continue Paul’s analogy, when looking for a ‘needle’, no intelligence agency tries to make the haystack as big as possible. That makes your already difficult job unnecessarily hard! You select the smallest possible haystack every time. But your agency is looking for multiple needles in multiple places; sometimes you’ll find multiple needles in one haystack over time. Basically, you need to be able to select and look at lots of different haystacks for different reasons – it would be impractical and inefficient to start from scratch on the data front every time you want to find a needle.

    And I think as one final point, it’s important to remember that the range of powers reflect a range of circumstances. Sometimes, you can answer an intelligence question using open source. Sometimes, metadata has the answer. But depending on the nature of what needs to be found out, the location of the target, the encryption they use etc etc, you might need to use more intrusive powers. But those at the extreme end of the scale are for extreme circumstances.

    1. If what’s missing from the ‘anti-mass surveillance’ camp is a practical understanding of how this data is used, that can hardly be the fault of the campaigners – until very recently people weren’t even aware of what was happening, and even now there’s only a tacit and limited understanding of the programmes. MI5, MI6 and GCHQ still operate a ‘neither confirm nor deny’ policy over pretty much the entire surveillance package – reading the cases at the Investigatory Powers Tribunal gives a salutary reminder of quite how unwilling they are to let anyone know even at a qualitative level what they actually do. That can and must change if a mature debate is to happen.

      On the resources front, I don’t think anyone’s saying it should be an ‘either/or’ question of old-fashioned or new-style surveillance, but at the same time to act as though resources are unlimited is both inappropriate and unrealistic. Budgets aren’t infinite. Knowledge and understanding isn’t infinite – and choices *do* have to be made. When making those choices, factors such as effectiveness are key – but so are the consequences of the choices in other fields. Much of this doesn’t seem to be taken into account – or at least allowed into the public (and civil society) debate.

      1. Apologies – it wasn’t intended as a criticism per se. As I noted, its understandable given what has been provided by Govt and the nature of the Snowden leaks. I guess I was trying to offer an informed opinion to help explain the philosophical approach to all of this, not criticise the argument (although in some areas, there has been an unhelpful conflation of domestic/foreign capabilities). I’m also keen for a mature debate!

      2. My apologies too – I know I’m sometimes oversensitive on this. I’ve just been criticised a few times too often for not understanding when I (and others) have done a great deal to try to understand but have been stymied by the very people who are criticising us. Andrew Parker’s call for a mature debate at exactly the same time as his allies were orchestrating a PR campaign of unprecedented scale is just one example. I suspect, however, that the PR campaign won’t be enough – did you watch or listen to the Parliamentary Science and Technology Committee hearing yesterday, where the industry representatives laid into the new bill at length and with both precision and focus? The debate will and is going to happen, whether the proponents of the programme want it or not.

  5. There needs to be a debate about whether or not bulk database acquisition powers without suspicion is needed; Anderson in his report (Appendix 9) states that it is. This is a problem for those who reject this approach.

    If this recommendation is accepted, then the price has to be effective supervision of the use of bulk acquisition powers by incorporating the protection I suggest in my blog (

    I am not convinced that any argument about the need for prior suspicion for mass data collection will ever succeed given the plethora of official reports approving mass data collection without suspicion; however, the argument that there has to be effective safeguards should be one that everybody can agree.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s