Effective surveillance of electronic communications relies on the ability of tech companies to successfully comply with new duties
The appalling attacks in Paris last November intensified debates around state powers of mass surveillance. In the UK, Liberal Democrat peer Lord Carlile advocated for fast-tracking of the Draft Investigatory Powers Bill – or ‘Snoopers’ Charter’ – currently under parliamentary scrutiny.
After the Charlie Hebdo attacks in January 2015, the French government legislated in favour of highly intrusive surveillance powers, criticised by both the UN Human Rights Committee and Amnesty International for their ‘excessive’ remit and lack of safeguards. 130 people later lost their lives in Paris, at the hands of individuals apparently already known to authorities both within and beyond France.
The case in favour of blanket surveillance persists. Are we convinced?
Bulk collection of communications data has been in clandestine effect for years. Edward Snowden lifted the lid on a raft of secret operations involving mass data collection by British and American intelligence agencies. The Draft Investigatory Powers Bill largely consolidates and regulates existing practices – but also expands powers of bulk data collection to require retention of all our internet connection records for twelve months.
Formally sanctioning this level of intrusion surely requires clear and compelling evidence that the activities concerned are both necessary and effective. It is disappointing, then, that the Home Office, calling in 2012 for legislation authorising surveillance of electronic communications, expressed necessity in terms of a 25 per cent ‘capability gap’ that could not be explained when probed further.
After a terror attack, authorities often assert that the perpetrators were known to them beforehand, the killers of Lee Rigby and at least two of the 7/7 bombers amongst them. This prior knowledge did not prevent those attacks, and in both these cases and in situations where plots have been foiled, it seems that no-one has explained whether and how far bulk data collection played a part in identifying the individuals concerned.
Nor do we know how many dead ends transpire, relative to successful leads. Reports from the US do not inspire confidence – the sheer volume of metadata generated through blanket surveillance could actually jeopardise counter-terror efforts by overloading analysts, which a former technical director at the NSA confirms is a notorious issue, and which was reported some years ago as hampering post-9/11 investigations.
Making the haystack bigger won’t necessarily make it easier to find the needle, and expanding existing powers seems rather futile if our security, intelligence and law enforcement agencies struggle to meet the surveillance responsibilities they already have.
Perhaps most unsettling is the potential harm caused by intruding on the lives of innocent people. Whatever the rationale, mass surveillance practices imperil our rights to privacy and freedom of expression. The UK’s Independent Reviewer of Terrorism Legislation himself warned that taking missteps could sow divisions in society and incubate the problem of ‘home-grown’ terrorists.
Why? Because extremists thrive on exploiting disenfranchisement and grievance. We are told so by former members of Islamist extremist groups. Taking blanket surveillance even further than it already goes is a calculated risk at best, and right now, the sums aren’t adding up.
Effective and secure surveillance of electronic communications relies on the ability of tech companies to successfully comply with the duties foisted upon them. Some of the sector’s major players have condemned the danger the bill poses to encrypted communications, as the interception and ‘equipment interference’ activities permissible with a warrant demand that this robust layer of protection – the protection preventing our credit card details falling into the hands of criminals – is penetrated.
The problem with proposing encryption ‘back doors’ as a means to retrieve this information is that encryption, by its very nature, is either accessible to none or accessible to all. It can even obscure the metadata the government wants collected and retained en masse, significantly weakening the ‘effectiveness’ case for such measures. It is easy to imagine bungled attempts to obtain encrypted data compromising us all to one degree or another.
Are we truly confident that this system can be selectively dismantled without falling apart altogether?
Only the experts can answer that. A joint written submission from Microsoft, Google, Yahoo!, Facebook and Twitter advises the bill’s review committee that encryption is a ‘fundamental security tool’.
Apple makes no bones about the matter, saying, ‘[t]he creation of backdoors and intercept capabilities would weaken the protections built into Apple products and endanger all our customers’.
The Dutch government this month dealt a blow to the necessity argument by rejecting the idea of forcing technology firms to bypass encryption. Service providers have further challenged the government over the ‘massive’ cost of meeting data retention requirements.
BT fears consuming most of the proposed industry-wide budget for its efforts alone. If this call goes unheeded, pressure to comply with the law could drive firms to hike consumers’ fees – or even cut corners.
Claiming that the Draft Investigatory Powers Bill is needed, and will work, to defeat terrorism is a statement in need of substantial qualification. The bill pits our safety against our human rights, when in reality they are on the same side.
The evidence is not sufficient, on ethical, legal or practical grounds, to demonstrate that bulk data collection is an effective anti-terror tool, or that it is necessary enough to warrant infringing the rights of innocent people. The measures are far too serious to wave through on the basis of misplaced optimism, political subterfuge or failure to find an alternative.
Laura Westwood is a campaign volunteer with the Labour Campaign for Human Rights