On 4th November 2014 our new GCHQ chief Robert Hannigan drew some aggressive battle lines for the fight against terrorism (both old fashioned and cyber).
The sides in this fight are not the forces of evil and the forces of good, but the government and tech companies. According to Hannigan;
Privacy has never been “an absolute right”
US tech companies are “the command and control networks of choice” for terrorists.
Tech companies are “in denial” about the way they enable terrorists to communicate and act.
There’s no denying;
- Good encryption makes surveillance, for whatever purpose, hard
- Precise, real-time filtering of bulk data to identify traffic relating to crime or criminals is subject to huge limitations and a substantial risk of false positives. Therefore our data will be held for later analysis.
- Big players in the secret services need cross-border legislation as a mandate to start to tackle the bulk data access and analysis problems.
- The media message is morphing from anti-pedophilia and anti-terrorism, to pro-business, but anti-tech (for tech read encryption).
- Confidence in the oversight and controls in place appears very low.
- Only secret service bosses know whether there are clear and present threats justifying the legislation and attendant media circus.
Perhaps there are not clear and present dangers. Perhaps this is about shifting public opinion to accept more data access for our own good. Predicated on the fact that some scruples and restraints are a luxury we can’t afford. After all, our international competitors and enemies may not exercise the control over personal freedom and privacy that campaigners see as an inalienable right.
Stewart Baker (Former NSA general counsel) claimed that moves by Google, Apple and others to encrypt user data were more hostile to western intelligence gathering than to surveillance by China or Russia.
“The state department has funded some of these tools, such as Tor, which has been used in Arab Spring revolutions or to get past the Chinese firewall, but these crypto wars are mainly being fought between the American government and American companies,”
On the 3rd of November, at Standford University, Admiral Mike Rogers, NSA director and commander of US Cyber Command was banging the same drum. In a talk ostensibly about the shortage of cyber security skills, he went on to say;
The U.S. is struggling to come to “a broad policy and legal consensus on how we deal with some of these issues. Is it going to take a crisis to wake us up?”
“I don’t want to be at the end of another 9-11 commission saying ‘How did we get here?'”
The example given of an essential enabler for the fight? Cyber legislation the NSA is working to pass, namely the Cybersecurity Information Sharing Act. It would mean telecom, security and Internet companies monitoring their traffic for malicious software and other attacks and then sharing details with the intelligence community in real-time through the Department of Homeland Security (DHS).
“It’s very critical for us. Without it, cyber becomes a huge cost for us as a nation.” said Rogers
Encryption was also raised at the meeting as an issue. Sitting in the front row was Whitfield Diffie, one of the world’s foremost cryptographers. Diffie said he was disturbed by Snowden’s charges that the NSA had “tinkered with” some widely-used cryptographic programs, presumably to make them easier for the agency to circumvent.
As you can imagine the EFF and other privacy and civil liberties groups are up in arms.
Back in July there was much noise about the new US bill. Like the UK Data Retention and Investigatory Powers act (much vaunted as NOT being a rehash of the Communications Data Bill), the new US legislation had a forerunner. Quoting from a 12th July Guardian article by Trevor Tims (Guardian US columnist and executive director of the Freedom of the Press Foundation);
One of the most underrated benefits of Edward Snowden’s leaks was how they forced the US Congress to shelve the dangerous, privacy-destroying legislation– then known as Cispa – that so many politicians had been so eager to pass under the guise of “cybersecurity”. Now a version of the bill is back, and apparently its authors want to keep you in the dark about it for as long as possible.
Going back to Mr Hannigan and the UK furore, Martha Lane Fox (former government tsar for digital inclusion), gently pointed out some home truths today:
“It was a bit reactionary and a bit inflammatory”
Going on to say his Financial Times opinion piece “cleverly” signposted his agenda for GCHQ in the coming months/years. An agenda with access to data at it’s heart.
In another restrained but impactful statement, she drew out the real crux of public fear. Pointing out that there is little distinction between between peoples’ online and physical lives any more.
“I wouldn’t want GCHQ to rummage in my front room. I feel the same way about my iPhone”
For the UK, the data retention and access agenda was intrinsically linked to the successful and ultra-rapid passage of the Data Retention & Investigatory Powers Act. An agenda under unwanted negative scrutiny because of on-going revelations about privacy intrusions. Both about bypassing of control and oversight designed to protect access to our data and doubt over the real crime-fighting value of bulk data retention.
On 24th November 2014 the UK government published their findings following an nquiry into the death of Lee Rigby. It highlights a range of investigatory mistakes by MI5, but all media outlets are leading with the refusal of a US internet company (Facebook according to the Guardian) to release incriminating electronic communications from perpetrators of this horrific crime.
Also this week there’s a debate on the UK government’s Counterterrorism Security Bill. In a Radio 4 interview Malcolm Rifkind was challenged about the timing of these two events. He stated the report release had been scheduled for some time, inviting the reporter to ask the government the same question about the debate.
As a US company being asked by UK secret services to share user communications, they were under no obligation to do so. The crucial question? Could Lee’s death have been prevented? The media message coming out of Number 10 and GCHQ seems to be ‘Yes’ if that data had been shared.
For context, the conversation in question took place months before the actual crime and no-one is definitively stating that this would have effectively triggered preventative action by security services. In fact, while discussing MI5’s mistakes, Mr Rifkind reminded us that sifting through mountains of data and identifying credible threats is a herculean and inexact task.
Will making tech companies responsible for filtering and sharing ‘suspect’ communications content make that science more exact? The current limitations of technical and manual data analysis suggest not, but tech firms continue to innovate tools to tame bulk data at an ultra rapid pace. Will means to demand proportionality and challenge the inevitable mistakes and misteps keep up?
Without friends in ultra high places we are forced to form our own opinions and right now it looks like a re-run of the nuclear arms race, just driven by different technology;
- Privacy and civil liberties campaigners want unilateral disarmament. Demanding robust oversight and control for data access and use, as befits a democratically elected and accountable government.
- Governments want a deterrent capability. Getting the mandate for ‘against the day’ access to all data.
- Globally this forces all administrations (democratic, dictatorial, oligopolistic) to follow suit and tool up. No-one wants to be the visibly weak force in the commercial, national security, or political intelligence data war (and frankly the difference between those fighting fronts is getting very blurred).
Whichever way this cookie crumbles private individuals will struggle to hold ground. There are monolithic powers behind these moves and little people won’t be given the means to truly understand all sides of the argument. Nor should we. National security has a necessary layer of secrecy. What is fundamental is the lack of confidence in the existence, effectiveness, and transparency of accountability, oversight, and control.
We should all be watching that space with interest.