UPDATE 25th November: Today the inquiry into the death of Lee Rigby published it’s report. It highlights a range of mistakes by MI5, but all media outlets are leading with the refusal of a US internet company (Facebook according to the Guardian) to release incriminating electronic communications from perpetrators of this horrific crime.
Also this week there is a debate on the UK government’s Counterterrorism Security Bill. In a Radio 4 interview Malcolm Rifkind was challenged about the timing of these two events. He stated the report release had been scheduled for some time, inviting the reporter to ask the government the same question about the debate.
As a US company being asked by UK secret services to share user communications, they were under no obligation to do so. The crucial question? Could Lee’s death have been prevented? The media message coming out of Number 10 and GCHQ seems to be ‘Yes’ if that data had been shared.
For context, the conversation in question took place months before the actual crime and no-one is definitively stating that this would have effectively triggered preventative action by security services. In fact, while discussing MI5’s mistakes, Mr Rifkind reminded us that sifting through mountains of data and identifying credible threats is a herculean and inexact task. Will making tech companies responsible for filtering and sharing ‘suspect’ communications content make that science more exact? The current limitations of technical and manual data analysis suggest not, but only time will tell.
This international information arms race (described in the original post) is really hotting up.
On 4th November our new GCHQ chief Robert Hannigan drew some aggressive battle lines for the fight against terrorism (both old fashioned and cyber).
The sides in this fight are not the forces of evil and the forces of good, but the government and tech companies. According to Hannigan;
Privacy has never been “an absolute right”
US tech companies are “the command and control networks of choice” for terrorists.
Tech companies are “in denial” about the way they enable terrorists to communicate and act.
There’s no denying;
- Good encryption makes surveillance, for whatever purpose, hard
- Filtering bulk data to identify traffic relating to crime or criminals is nigh on impossible and is impossible in real-time. Therefore our data will be scooped and held for analysis.
- Big players in the secret services need cross-border legislation as a mandate to start to tackle the bulk data access and analysis problems.
- The media message is morphing from anti-pedophilia and anti-terrorism, to pro-business, but anti-tech (for tech read encryption).
- Confidence in the oversight and controls in place appears very low.
- Only secret service bosses know whether there are clear and present threats justifying the legislation and attendant media circus.
Perhaps there are not clear and present dangers. Perhaps this is about shifting public opinion to accept more data access for our own good. Predicated on the fact that some scruples and restraints are a luxury we can’t afford. After all, our international competitors and enemies may not exercise the control over personal freedom and privacy that campaigners see as an inalienable right.
Stewart Baker (Former NSA general counsel) claimed that moves by Google, Apple and others to encrypt user data were more hostile to western intelligence gathering than to surveillance by China or Russia.
“The state department has funded some of these tools, such as Tor, which has been used in Arab Spring revolutions or to get past the Chinese firewall, but these crypto wars are mainly being fought between the American government and American companies,”
On the 3rd of November, at Standford University, Admiral Mike Rogers, NSA director and commander of US Cyber Command was banging the same drum. In a talk ostensibly about the shortage of cyber security skills, he went on to say;
The U.S. is struggling to come to “a broad policy and legal consensus on how we deal with some of these issues. Is it going to take a crisis to wake us up?”
“I don’t want to be at the end of another 9-11 commission saying ‘How did we get here?'”
The example given of an essential enabler for the fight? Cyber legislation the NSA is working to pass, namely the Cybersecurity Information Sharing Act. It would mean telecom, security and Internet companies monitoring their traffic for malicious software and other attacks and then sharing details with the intelligence community in real-time through the Department of Homeland Security (DHS).
“It’s very critical for us. Without it, cyber becomes a huge cost for us as a nation.” said Rogers
Encryption was also raised at the meeting as an issue. Sitting in the front row was Whitfield Diffie, one of the world’s foremost cryptographers. Diffie said he was disturbed by Snowden’s charges that the NSA had “tinkered with” some widely-used cryptographic programs, presumably to make them easier for the agency to circumvent.
As you can imagine the EFF and other privacy and civil liberties groups are up in arms.
Back in July there was much noise about the new US bill. Like the UK Data Retention and Investigatory Powers act (much vaunted as NOT being a rehash of the Communications Data Bill), the new US legislation had a forerunner. Quoting from a 12th July Guardian article by Trevor Tims (Guardian US columnist and executive director of the Freedom of the Press Foundation);
One of the most underrated benefits of Edward Snowden’s leaks was how they forced the US Congress to shelve the dangerous, privacy-destroying legislation– then known as Cispa – that so many politicians had been so eager to pass under the guise of “cybersecurity”. Now a version of the bill is back, and apparently its authors want to keep you in the dark about it for as long as possible.
Going back to Mr Hannigan and the UK furore, Martha Lane Fox (former government tsar for digital inclusion), gently pointed out some home truths today:
“It was a bit reactionary and a bit inflammatory”
Going on to say his Financial Times opinion piece “cleverly” signposted his agenda for GCHQ in the coming months/years. An agenda with access to data at it’s heart.
“I wouldn’t want GCHQ to rummage in my front room. I feel the same way about my iPhone”
For the UK, the data retention and access agenda is intrinsically linked to the successful and ultra-rapid passage of the Data Retention & Investigatory Powers Act. An agenda under unwanted negative scrutiny because of on-going revelations by Edward Snowden. Both about bypassing of control and oversight designed to protect access to our data (things that swayed parliament enough to pass the DRIP bill) and casting doubt over the real crime-fighting value of bulk data retention.
Without friends in ultra high places we are forced to form our own opinions and right now I feel like I’m watching a re-run of the nuclear arms race, just driven by different technology;
- Privacy and civil liberties campaigners want unilateral disarmament. Demanding robust oversight and control for data access and use, as befits a democratically elected and accountable government.
- Governments want a deterrent capability. Getting the mandate for ‘against the day’ access to all data.
- Globally this forces all administrations (democratic, dictatorial, oligopolistic) to follow suit and tool up. No-one wants to be the visibly weak force in the commercial, terrorist or intelligence data war (and frankly the difference between those fighting fronts is getting very blurred).
Whichever way this cookie crumbles, tech companies and private individuals will struggle to hold ground. There are monolithic powers behind these moves and the little people (you and me) won’t be given the means to truly understand all sides of the argument. Nor should we. National security has a necessary layer of secrecy. What is fundamental is the lack of confidence in the existence, effectiveness, accountability and transparency of oversight and control.
We should all be watching that space with interest.