Saturday, 18 April 2015

The cost of privacy


Jim Killock analyses the Privacy and Security report from the UK's Intelligence and Security Committee

The mammoth Privacy and Security report from the UK's Intelligence and Security Committee (ISC) is an object lesson in how the establishment works. Faced with overwhelming evidence of a vast extension of surveillance powers, it’s a call for rationalised laws and greater explanation of what GCHQ is doing.

It’s a remarkable report. The ISC might never admit it, but the report owes its existence to Edward Snowden. Faced with detailed information about precisely what GCHQ is doing, the ISC has been forced to respond with its own description, including a lot of reassuring words that explain that its work is necessary, proportionate and lawful. In between, it makes some startling admissions: firstly, that 'bulk personal datasets' exist and are largely legally unregulated; and secondly, that the choices of technologies that underlie GCHQ’s Internet break-ins lack any democratic oversight.


The ISC is a 'Parliamentary' committee. Until now, it’s been appointed by the Prime Minister. In the future, the Prime Minister will draw up a list of acceptable candidates, and Parliament will appoint the committee from that list. The argument is that the head of government must ensure the members are trustworthy, as they will see secret material. However, in practice, it means the PM can select people whose views are sufficiently close to those of the agencies. The current ISC is dominated by a mix of trusted hands, such as former Cabinet Secretary Lord Butler, along with Hazel Blears and former Foreign Secretary Sir Malcolm Rifkind. Nobody on the committee could be said to be a sceptic.

In other countries, including the USA, oversight committees are directly elected by democratic representatives, and some of the committee members include leading critics.

The result is a committee that fundamentally trusts the agencies.

Nevertheless, the new report is a step change. There are parts that are downright awful - such as its attempt to smear privacy groups as being in favour of deaths through terrorism - and some parts that are relatively thorough. On the future job that the ISC should be doing, the committee is silent; perhaps it feels it shouldn't judge its own work, but it's been the most important failure within the system. As the body charged with oversight of GCHQ, it should have spotted the growth in capabilities, especially 'bulk collection', or TEMPORA as it's known to those of us who read the papers. Either the committee didn't spot the change, or it didn't think it was important enough to tell Parliament. Either way, it's the ISC that should have insisted on a democratic mandate for these powers to hold vast amounts of personal information, and sift and share it.

As such, it isn't surprising that the ISC gives the agencies and their new found capabilities a clean bill of health. Alongside judgements from the highly limited Investigatory Powers Tribunal, which have found no more than procedural wrongdoing, this gives the media and MPs the impression that there's little to worry about.

British institutions are, in my view, tremendously well trained in assessing the minimum concessions needed to contain a problem. In surveillance, there has been legal recognition of our agencies since 1989, but surveillance laws were properly codified for the first time in 2001. The pace of change has been glacial. The ISC report offers us the next logical step: clearer, tidier laws, and improved transparency from the agencies. On the substantive issues, however, it doesn't even call for a public debate about the nature of its powers.

There's a vast conceptual gap between the ISC and human rights campaigners about what the ISC calls 'bulk collection'. The ISC claims that bulk collection is restrained to what's necessary because, for instance, only some of the Internet is harvested by GCHQ.

The information within it is only seen after careful 'selection' criteria are applied. Targets are distinguished between UK and foreign communications. An email from one UK resident to another would be domestic, but a Facebook post would be foreign.

The ISC acknowledges that the underlying data will contain all kinds of information, including privileged communications. The case for its methods being justified relies on two arguments: firstly, that what is seen (or kept for the long term) relies on 'selectors' such as email addresses being applied.

The second argument is that data mining and analysis tools are able to use pattern analysis to find new suspects and intelligence.

It's a beguiling argument, and it's hard to argue that agencies should give up powers they 'know' work against dangerous criminals. That’s why Rifkind and Blears asked human rights groups if they would be willing to see terrorists kill people, as the price for individual privacy. Perhaps unwisely, some said that yes, in a free society you have to accept that dangers will occur, and that rights such as privacy shouldn't simply be abandoned. Or, as Benjamin Franklin said, 'those who would give up essential liberty, to purchase a little temporary safety, deserve neither liberty nor safety'.

The ISC then got itself a Times front page headline condemning irresponsible human rights groups, yet it's the ISC itself which must assess whether different security policies are endangering lives; and everyone accepts that all policies are designed to minimise risk while preserving our essential democratic life. It would be perfectly possible to reduce free movement, association and privacy to a point where terrorism was virtually impossible, but we would then be living in a police state.

The ISC’s job should be to assess the actual risks, costs and benefits that the agencies are assessing in their decisions, which simply isn't discussed in the report. If the ISC acquired the expertise to understand the risk models, it would be in a much better position to understand the claims made for data analysis. A simple objection to putting the vast majority of the UK's cash into data gathering should be that human intelligence is failing to keep on top of current threats.

More broadly speaking, gathering and analysing vast amounts of data implicates us all, and this fact alone requires a real debate, prior to building the tools. The same is true for other, difficult questions. The tools we discussed last issue, that enable direct exploitation of computer equipment, rely on the general insecurity of computers. Sometimes GCHQ may be contributing to this insecurity. How justifiable would that be? And who should oversee these decisions? The ISC says there's no oversight, and GCHQ should tell ministers if a problem may arise.

There are other missing discussions. The UK's data sharing arrangements include giving the NSA access to raw data streams; how is that managed?

Who in the UK might be looked at? What are the strategic implications of integrating GCHQ and the NSA at a technological level? How will the UK manage the military and offensive capabilities that GCHQ has developed on the back of invasive techniques? If you can control a computer, you can disrupt as well as conduct surveillance. The overall impression is that the ISC hasn't yet worked out the job of surveillance oversight in the digital age.