No, Mr Hammond, the debate has barely begun…

In a speech to the Royal United Services Institute yesterday (the text of which can be found here) Foreign Secretary Phillip Hammond suggested that the debate over privacy and security, over mass surveillance and the role, tactics and practices of the intelligence and security services, was nearly over. In his words, after the current reviews by the Intelligence and Security Committee (the ISC) and the Independent Reviewer of Terrorism Legislation, both of which are due to report shortly, “we should draw a line under the debate”.  I have one simple and direct response to that. No, Mr Hammond, it isn’t time to ‘draw a line’. The debate isn’t over: it has barely begun.

In his speech, Hammond highlights and praises the role played by the ISC. As he puts it:

“I regard the independent scrutiny and oversight that the ISC provides as a particular and significant strength of the British system.”

Is he talking about the same ISC that put on a public show in November 2013, a public hearing that was little more than theatre, carefully scripted, where the anodyne questions were given in advance to the heads of MI5, MI6 and GCHQ so that they could prepare the answers? The same ISC which failed to notice that, as ruled by the Investigatory Powers Tribunal last month, GCHQ had been acting unlawfully in its surveillance activities for seven years? The same ISC whose chair, Sir Malcolm Rifkind, cheerfully admitted to me at a round table event that formed part of the aforementioned review that he did not understand the most important piece of legislation governing interception and surveillance, the Regulation of Investigatory Powers Act. That same Sir Malcolm Rifkind who had to resign from his position as Chair of the ISC for being duped into offering his services to a fake Chinese company – and even now does not seem to acknowledge that in his position taking a role for a Chinese company might provide some sort of conflict of interest?

No, Mr Hammond, the ISC does not provide the kind of ‘independent scrutiny and oversight’ that is needed – indeed, we don’t just need a review by the ISC, we need a full review of the ISC, so that it has some degree of real independence, so that it has the ability and knowledge, the understanding of the technology and the law that is needed in order to provide real ‘scrutiny and oversight’. Right now, it isn’t a ‘particular strength of the British system’ but very much the opposite. Its existence might suggest we have oversight: in practice, we really don’t.

And how can we draw a line under the debate when even the terms of that debate are still confused? As I’ve written before, the characterisation of the debate is – either deliberately or ignorantly – miscast. Rifkind characterised it as ‘individual privacy vs collective security’ – failing to grasp either that privacy is far from an individual right (indeed, its main function is one about relationships between people, and it underpins collective rights like freedom of assembly and association, and indeed freedom of expression) or that it isn’t really a ‘balance’, or that people want one or the other. People don’t want privacy or security – they want both, and they should be able to have both.

Phillip Hammond continues this mischaracterisation in his speech, referring to the “balancing act between the privacy we desire and the security we need”. No, Mr Hammond, privacy isn’t something we ‘desire’ – it’s something we need. It is a right, a right reflected in all the significant Human Rights documents, and in the Universal Declaration of Human Right and the European Convention on Human Rights in particular, both of which the UK is a party to. A qualified right, of course, but a right nonetheless, and to portray it as something we ‘desire’ is to downplay its significance, something that advocates of authoritarianism appear very keen to do. Privacy isn’t a selfish whim, it’s a fundamental right – and privacy on the internet is becoming more, not less, important these days as we spend more time and put more of our lives online. It is not something to be downplayed, but something to be taken more and more seriously.

So, Mr Hammond, no. No line can be drawn under the debate. As well as the two reviews mentioned in the speech, there are a whole series of legal challenges to the various activities of the intelligence services and others, not just in the UK but all over the world. The debate is only just starting – and if you expect privacy advocates, civil liberties advocates and others to stop campaigning, I’m afraid you’re very much mistaken. Others have recognised this – last Friday I was part of a seminar organised by the Association of Chief Police Officers into the ethics of policing the internet, the debate about which the police believe is only just starting.

Indeed, no line should be drawn under the debate: these debates need to continue forever. The watchmen need to be watched.  The price of liberty is eternal vigilance – and that includes vigilance over the authorities, not just by the authorities.

Knights of the ISC Round Table….

Yesterday I took part in the ’round table sessions’ of the Intelligence and Security Committee of Parliament’s ‘Privacy and Security Inquiry’. It was an interesting event – and an enjoyable one, though I hope that doesn’t mean that I’ve already begun the process of being ‘captured’ by the intelligence community. The round table sessions are part of the bigger inquiry – accompanied by public evidence sessions which are continuing through the week.

The whole thing was very informal – I found myself sitting next to Sir Malcolm Rifkind and opposite Lord Lothian around a small, round table, one of three such tables in the room. Yes, the round table sessions really involved round tables. Essentially, we had an hour to chat about whatever issues we felt mattered to the inquiry – we had been invited on the basis of the written evidence we had submitted to the inquiry, back in February this year (mine can be found here). Around the table were an academic computer scientist, what I would call a ‘real’ programmer, a human rights activist, myself, a former lawyer for MI5 and MI6, and the two members of the committee, Sir Malcolm Rifkind and Lord Lothian.

There were some very positive things about the discussion – both Rifkind and Lothian appeared to agree, after some resistance, on the first major point that we tried to argue (primarily myself and Izza Leghtas from Human Rights Watch): that the privacy invasion, and hence the first set of proper controls, need to be at the gathering stage, not the accessing stage for data. That, in practice, less data should be gathered and held, and for shorter periods. Moreover, that there should be judicial involvement at the gathering stage – indeed, David Bickford, former Legal Director for MI5 and MI6, thought judges should be involved far more in the whole process, from beginning to end, following the French model.

As part of that discussion, they really did appear to take on board that there are serious risks involved in just gathering and holding data – and seemed to be listening as we listed them!

Other points of agreement were that RIPA is, basically, an awful mess. Rifkind readily admitted that he really didn’t understand it. What that says for his (and the committee’s) ability to oversee the intelligence services is another matter. The feeling from all concerned was that whatever else happens, the law needs review and it needs to be clearer what it actually does – whether directly in the law or in accompanying guidance. It would be nice to see – but I am not holding my breath.

Three particularly interesting things that came out of our brief discussion – and it was brief, because the hour we had went very fast. The first was that Sir Malcolm Rifkind made a very clear differentiation between the intelligence services and the other groups who can use RIPA. He made the argument that the intelligence services really can’t do you any harm unless you’re one of the ‘bad guys’ – and though this was perilously close to saying ‘if you’ve got nothing to hide’ he did acknowledge that it was not an argument that worked in relation to the police, to local authorities or to the other various bodies that utilise surveillance or gathered data. He seemed to suggest that all of those bodies – including the police – need much tighter controls. In the light of the current issues regarding police access to journalists’ communications data, this makes sense, but again it will be interesting to see whether it really amounts to anything.

The second was that David Bickford made the specific comment that if corporations do all the data gathering, analysis and so forth, then surely the intelligence services should be able to do the same. Why should we place more restrictions on the intelligence services than we do on Google and Facebook? When I suggested that perhaps this means that we should put more restrictions on Google and Facebook rather than less on the intelligence services, he laughed a bit, but did seem to get the point.

The third was that both Lord Lothian and Sir Malcolm Rifkind noted that the Human Rights Act provided protection – and when I teased him about the planned impending doom of the Human Rights Act, Rifkind almost winced, and said that there’s always the ECHR. I got the distinct feeling that Rifkind is not enamoured of Grayling’s plan for human rights, though he was far too diplomatic to say so.

Much more was said, and overall it was a good and fairly robust discussion – we all seemed to be able to say what we wanted, and the two committee members seemed genuinely to be listening. They are, however, politicians – and they were also very aware of the limitations of their own powers, and how hard it is to change things in this field with any speed. They were keenest of all on increasing transparency, and moving to a position where the default position is that information is disclosed, and is made public, rather than the opposite. I hope this happens….

….but I remain cynical about it all. The question of whether what the committee does actually has any impact on what the security and intelligence services do remains unanswered. Is this all just a PR exercise, or is there some more profound change going on? It will take a lot more than a few round table sessions, even with Knights like Sir Malcolm Rifkind, to convince me. However, I found myself just a smidgen less cynical than I was before the session started. Perhaps I’ve been captured after all.

Surveillance: Needles in Haystacks…


I watched and listened to the ‘open’ evidence session of the Intelligence and Security Committee (‘ISC’) yesterday with a sense of sadness more than anything else. It was of course entirely predictable that the session would primarily be about putting as positive as possible a spin on the surveillance activities of the intelligence services but even so I found myself disappointed. The ISC is as close as we currently get to something that scrutinises the activities of the intelligence services – but on the basis of what we saw yesterday they are neither capable of such scrutiny nor to they have the desire to provide it. ‘Supine’ was the word that sprang immediately to mind.

Malcolm Rifkind, chairing the committee, seemed determined that the only result of the session would be vindication of the intelligence services – and demonstrated only that he does not understand why people are concerned, and why they are right to be concerned. The rest of the committee, all of whom have effectively been personally selected by the Prime Minister, were little better – and some were even worse. The way that Hazel Blears in particular practically purred her appreciation of the wonderful job being done by the heads of GCHQ, MI5 and MI6 was deeply depressing to anyone who hoped that this would be the beginning of a new era of openness by the intelligence community. Instead, it seemed that they were determined to continue to misinform and mislead the public.

It’s the metadata, stupid…

A couple of things stood out. One was that, yet again, that old chestnut ‘we’re not reading your emails or listening to your phone calls’ was wheeled out by the spy chiefs – and no-one on the committee picked them up on it.  No-one who understands anything about internet surveillance has an image of old-style spies sitting in darkened rooms with headphones on listening to our every word. It’s not the ‘content’ of the phone calls or the emails that matters so much – it’s the metadata, the information that surrounds the calls, the emails, the web-browsing that really counts. That meta data gives different information about the subject than the contents – but in many ways much better information, more analysable information, more nuanced information. It is much more useful for profiling, for predicting activities, for tracking and so forth. The intelligence chiefs know that very well – and yet they continue to bring out the ‘not listening to your phone calls or reading your emails’ line again and again. The committee ought to know this too – and ought to have called the intelligence chiefs out on it. They didn’t – whether because they don’t understand or because they don’t want to rock the boat it’s hard to tell. Perhaps both.

Surveillance happens at the data gathering stage

The other key aspect of the surveillance that wasn’t touched upon is when the surveillance happens – at the gathering stage, or at the accessing stage. Again, I’m not sure that the committee understood the importance of this distinction, but it’s an absolutely crucial one. The current system assumes that gathering data on all of us is absolutely fine – indeed, that’s the basic premise of the surveillance systems they appear to use, and was the essence of the Communications Data Bill that was defeated last year. Hoover up as much data as possible, then put the checks and balances, the controls, at the access stage. That, however, is a wholly flawed approach if privacy is to be taken at all seriously. It leaves the systems and the data open to abuse, to function creep, to hacking, to human error – and indeed to leaks like the one performed by Edward Snowden that the spy chiefs deplored so vehemently.

The European Court of Human Rights recognised this – in the notable case S and Marper v. the United Kingdom, they concluded that “the mere retention and storing of personal data by public authorities, however obtained, are to be regarded as having direct impact on the private-life interest of an individual concerned, irrespective of whether subsequent use is made of the data.” They are right – and if the neither the ISC nor the spy chiefs know or understand this that is deeply disappointing. If they know it, and don’t see how it applies to their surveillance activities that is even more disappointing. If they do see how it applies, and fail to mention it, that’s still worse.

Needles in Haystacks

The ‘needles in haystacks’ analogy was made a number of times during the session, and it is indeed apposite – but to me it has very different implications to those drawn by the spy chiefs. They don’t seem to understand some key aspects of the old proverb. For a start, needles aren’t generally found in haystacks – and that the point of the proverb is that trying to find a needle in a haystack is a thankless task, and one doomed to failure. More importantly, however, they don’t seem to understand that their approach is what builds the haystack in the first place! It’s the universal rather than targeted surveillance model that generates that huge haystack.

For me, that’s the real point of the proverb – and it applies directly here. If you set yourself a thankless, impossible task, the question you should be asking is whether there might be another way, a better way, to solve the problem. Perhaps you can get another needle from somewhere else. Perhaps you can use another tool instead of the needle. Perhaps the task isn’t worth doing anyway. Perhaps counter-terrorism can be done in cleverer, subtler, less privacy invasive ways.

That question – whether there is an alternative – didn’t seem to enter the minds of any of the members of the ISC yesterday. Whether it has entered the minds of the spy chiefs is another matter – if it has, they certainly didn’t want to mention it. Indeed, finding any kind of suggestion of an alternative to the current approach in yesterday’s open session was as hard as finding a needle in a haystack….