Security services lack the resources to randomly spy on people argues Gavin E L Hall, a doctoral researcher at the University of Birmingham.
On March 1, UK Home Secretary Theresa May announced that the redrafting of the Investigatory Powers Bill was complete, following a call for the written evidence on the original draft in November 2015.
The purpose of the bill is to clarify what activity the British security services and law enforcement can engage in online, either by restating existing practice or by introducing new powers. The ability to seek a year’s worth of Internet browsing history has attracted a good deal of publicity and given rise to public concern. The issue is pressing as existing legislation was ruled unlawful, following a challenge from Members of Parliament Tom Watson and David Davis, and is set to expire on March 31, 2016.
David Anderson QC, the independent reviewer of terrorism legislation, recommends that the so-called “Snooper’s Charter”—the bill’s unofficial name—strikes a balance between freedom and security. Such a positive statement does not appease the critics of the bill who argue, to paraphrase Benjamin Franklin, that liberty is being surrendered in search of temporary security.
Is the public’s fear justified as we enter a new Orwellian age, or do the security services have valid reasons for seeking access to data?
Cyber Reality
The rule of law has developed in the Western world over centuries. The rights of the individual and the demands of the state have been in conflict during this period of legal evolution, and the present Investigatory Powers Bill can be viewed as part of this history—not just a knee jerk. Placing the bill in this historical context is important, as it enables us to establish that the existing laws of the land have been developed over a prolonged period as a series of compromises, while generally maintaining the balance between individual freedom and state security. In other words, what invasions of privacy are permissible in the name of security is well-established, in the real world at least.
Should it be permissible to engage in the same activity in the cyber environment as in the real world, or does this new technology warrant different standards of freedom and privacy? For example, if two known terrorists are meeting at a private house, should a bug be planted? If they speak by phone, should it be tapped? Or if they speak via WhatsApp, should it be hacked? Is there a difference between these examples, or are they fundamentally the same?
The state, in the form of security services, does not randomly spy on people—it lacks the resources. The security services spend their time keeping citizens safe, and mass surveillance requires too much time, both in terms of collation as well as analysis, which would result in the inability to adequately perform the primary security function. While it may technically be possible under the bill to impugn individual freedom, John Bull has little to fear.
The mass collection of data enables the security services to keep us safe by utilizing snippets of information from a variety of sources to develop situational awareness and identify possible terrorists, with seven attacks being prevented in the United Kingdom in the last six months. This is not only in terms of the presence of information, but also the absence of information—identifying negative patterns is equally important to identifying positive ones. For example, if a known terrorist network goes quiet and stops communicating, it can be an indication that they are about to launch an attack.
Three areas are key to analyzing an individual: centrality, between-ness and degree. Centrality refers to how important the individual is; between-ness relates to a person’s access to others; and degree is the number of people one interacts with. These core principles of intelligence gathering have not changed with the advent of new technology. The sole difference of the 2016 world is that an environment outside the real world exists in which information and data can be stored and transmitted.
The Investigatory Powers Bill seeks to ensure that the same powers that exist within the real world are also present in the cyber environment by avoiding potential arguments that certain powers are only legally relevant to the real world.
White Noise
Of 225 individuals charged with terrorism offenses in the United States between 9/11 and January 2014, only 17 were the result of mass surveillance techniques used by the National Security Agency. Indeed, the issue of white noise—too much information cluttering the relevant information being sought—is considered to be a substantial challenge to security services.
Furthermore, the likelihood of this clause being useful against terrorists is minimal, as most are likely to be using TOR, or similar privacy ensuring tools. TOR—the onion router—is a way of connecting to the Internet that masks your IP address by bouncing the connection across a series of proxies.
While the Internet service provider (ISP) record would reveal a connection to TOR, it would not show which sites had been visited. Seeking to explore what an individual has been doing online—a space where social interaction takes place—is akin to seeking information on an individual’s habits in the real world. As such, asking an ISP to provide data is no more or less of an intrusion into individual privacy than asking the proprietor of a business to share customer information, either general or specific.
Companies have been resisting for commercial reasons. They perceive that their customers will not be happy if they agree to data being made available to the government. In a Reuters poll, 46.3% of respondents agreed with Apple’s stance of refusing to unlock the smartphone of an actual terrorist, with 35.5% disagreeing.
The potential for backdoors to be built into software has recently been the subject of sustained dispute between the Federal Bureau of Investigation (FBI) and Apple, and attracts the most public attention. If more specific attention was made toward educating the public as to why the state was seeking such powers and the benefits of formally codifying—in legal practice—the powers of agencies of state security, the public could be more favorable to the UK bill.
This article was originally published by Fair Observer on 10th March 2016.