Friday, April 17, 2015

Another response on surveillance from a prospective MP

I've now had a response from Lib Dem general election candidate, Layla Moran, to my Don't Spy on Us email.
"Dear Ray,


Thank you for emailing me about my and the Liberal Democrat stance on surveillance. 

As you are probably aware, the Liberal Democrats are, and always have been, fierce supporters of civil liberties. For many years we have worked hard to protect the fundamental freedoms of UK citizens from the State.

In this parliament Lib Dem Leader Nick Clegg stopped the Tories from introducing the so-called “Snooper’s Charter”. This would have kept a record of the web browsing history of every man, woman and child in this country. Nick Clegg felt that this was a worrying idea, and I am delighted he blocked these proposals.

We need a mature debate in this country about how to best tackle crime and protect privacy in the internet age. Our security and intelligence services must have the right tools to fight crime and terrorism, but this should never come at the expense of civil liberties. The idea of sacrificing freedom for the sake of security is a false choice.

That’s why Nick Clegg called for a radical revamp of the oversight of the intelligence services last year. Nick argued that there needs to be greater transparency and third party oversight in this area, to make sure that we are striking the right balance between privacy and security. Our intelligence services keep the country safe every day, so it is important that the public has trust in them too.

Liberal Democrats have a great record in government on civil liberties. We have scrapped the previous Labour Government’s disastrous ID card scheme and have legislated for a Privacy and Civil Liberties Board to be established too. The Privacy and Civil Liberties Board would be able to review UK terrorism legislation in the future, and it would look at whether we are properly addressing concerns about liberty.

The Intelligence and Security Committee (ISC) is the body in Parliament that is responsible for looking at how our intelligence and security services are working. In government the Liberal Democrats have made the ISC a Committee of Parliament, given it more powers, and expanded its remit too. These reforms are an important step in the right direction, and we are committed to going further.

The Liberal Democrats want to introduce a “Digital Bill of Rights” after the 2015 election to give people more power over their data too. This will protect us against blanket surveillance without affecting our ability to tackle emerging threats or target criminals. Our online behaviour should be treated with the same respect as our offline behaviour, and that is why I am glad that my party supports a “Digital Bill of Rights”.

The internet has revolutionised the way that we learn things, share new ideas and communicate with people we know. Our intelligence and security services must always keep up with technological change, but we need a reasonable level of oversight to protect the privacy of UK citizens.

Thank you again for contacting me about this important matter.

Best wishes,

Layla"
It reads largely as a cut and paste from a party briefing. My further response is below, including a request that she commit to work to have innocent people's details removed from the domestic extremist database.
"Layla,


Thanks for your prompt response.

Though the Lib Dems did reportedly block the discredited Communications Data Bill (aka snoopers’ charter) your party’s record in government in this area is not exactly pristine. To name but one example, the ill-informed, unscrutinised and hasty rushing through of the Data Retention and Regulatory Powers Act (DRIPA) in the summer of 2014 was fully supported by the Lib Dems. Now I’m not sure whether you have ever read DRIPA – most Lib Dem, Labour and Tory MPs who voted for it did not read it before voting it through, in a rushed almost unprecedented abuse of parliamentary process and there is little evidence to suggest that they have actually done so since – but it’s quite short (only 8 sections) and I would recommend you do. It’s available at http://www.legislation.gov.uk/ukpga/2014/27/contents/enacted. Not only did DRIPA re-introduce and expand the data retention practices that the European Court of Justice had, just months previously in the Digital Rights Ireland and Seitlinger case, declared so heinous that they should never have existed, it extended the territorial reach of UK surveillance law to cover the entire world. Additionally DRIPA essentially declares anyone with any gadget connected to the internet is now fair game for surveillance.

Another legacy of Lib Dem coalition government is the destructive Chapter 1 “prevent” duty of the Counter Terrorism and Security Act 2015, imposing an ill-defined duty on public servants, including educators, to report people in danger of “being drawn into terrorism”, an ill-defined transgression. Further provisions of this nominal counter terrorism regulation – the 7th major anti-terrorism act in the past 14 years – include section 21 “Retention of relevant internet data” obligations on communications service providers, including mobile phone operators, to retain communications data, the definition of which has been expanded to include “internet protocol address, or other identifier, belongs to the sender or recipient of a communication (whether or not a person)”.  This imposes vast expensive operational burdens on the industry just in case the data may be useful to the government in the future. This kind of approach was ruled to be an abuse of the legal process in English law as far back as 1765 in the case of Entick v Carrington. The precise details of what specific data will be retained under the Act, how this will be done, by whom, under what conditions and other operational issues relating to making such data available to government is to be worked out in secret between the government and the service providers.

I’m aware of the change in status of the ISC. Unfortunately the publication of their recent report on privacy and security does little to inspire confidence that they can provide the requisite degree of scrutiny of government surveillance practices. In particular the repeated claim that the UK is not engaged in mass surveillance merely “bulk collection” of communications data defies credibility. It’s only computers that “see” the data, you see, not real people, mostly. So nothing to worry about. On which basis we could justify putting digital cameras running 24/7, networked to government surveillance systems, in every room in every household – it would not matter, you see, because most of the video footage captured would not be seen by real people.

The Privacy and Civil Liberties Board sounds positive in theory but the specifics of the coalition proposals in this area have been widely criticised by civil rights groups and the terrorism watchdog, David Anderson.

Whilst the Lib Dems’ nominal pre-election 2015 support for a Digital Bill of Rights is welcome, the promising promises that your party started with at the beginning of the term of the coalition government proved seriously elusive when it came to implementation. How can we be confident it won’t be the same story again if you find yourself in coalition with the Conservative or Labour parties?

The default deterministic construction and deployment of a regulatory and communications infrastructure of mass surveillance is one of the fundamental issues of the information age. This is not abstract or merely of academic interest. It affects real people, in this constituency, who have found themselves on the government’s domestic extremism database, merely for protesting against the dumping of power station waste into local lakes. So on that note, one final practical question – will you commit to ensuring the people who have been tagged by government as domestic extremists, for the appalling sin of trying to protect local lakes and landscapes, have their details removed from the domestic extremist database?

Regards,

Ray"

Eliciting prospective parliamentary candidates' positions on surveillance

The Don't Spy on Us coalition have put together a prospective parliamentary candidate enlightenment programme on mass surveillance. I used the form to email those touting for election in my area to ask where they stand on surveillance.  It is a marginal seat, usually going to Lib Dems or Tories.

Conservative, Nicola Blackwood, edged it by less than a couple of hundred votes in 2010 and I have a fair idea of her perspective, having semi-routinely corresponded with her on the matter, which is largely one of toeing the Tory party line.

The Don't Spy on Us email is relatively short and simple.
"I am concerned about the current internet surveillance regime in the UK and would like to see my parliamentary candidates support these changes to the existing system:

1. to ensure that surveillance powers are targeted, necessary and proportionate
2. to increase judicial authorisation over surveillance
3. to improve oversight of the intelligence agencies

Please also read this briefing from the Don't Spy On Us coalition for parliamentary candidates.
https://www.dontspyonus.org.uk/assets/site/dontspyonus/files/PPC_DSOU_briefing.pdf

Yours sincerely

Ray Corrigan"
Interestingly, I had a response from the Labour candidate, Sally Copely, within 16 minutes. Unfortunately, it was non-committal and looks to have been partly cut and pasted from party briefings.
"Dear Mr Corrigan


Many thanks for your email.

I am also concerned by this, as security agencies are supposed to have only limited access to communications, with oversight by the courts. I do understand that there is an issue with growing numbers of terrorists communicating via the internet, rather than on the telephone, and that the authorities need to be able to keep up with changing technologies.  But while the police and security agencies need stronger powers, Labour believe these must be backed by stronger safeguards.

That is why we pushed for David Anderson’s independent review of the legal framework surrounding surveillance, which will complete just before the election. So we are committed to giving David Anderson the time and space to look at these issues and report back.  More should be here soon: Independent Reviewer of Terrorism Legislation

I've responded to her further.
"Thanks for the rapid response, Sally.


If you speak to ordinary police and intelligence officers they don’t want stronger powers or more money thrown at supposedly magic terrorist catching computer systems, managed through complex bureaucracies primarily designed to demonstrate management are meeting their targets. They need more appropriately trained and experienced people. The intelligence services currently have the power and capability to data mine the intimate details of the lives of anyone in the entire population. They are completely swamped with gigantic quantities of electronic data. They simply don’t have the personnel to track everyone to that degree; not just ordinary people but known dangerous suspects, as we discovered when the close surveillance of Fusilier Lee Rigby’s killers was lifted shortly before the murder.

Yet the three dominant parties, as I understand it, are committed to continuing to cut the number of police officers. Labour and the Tories are committed to expanding mass surveillance powers e.g. through the implementation of the proposed and discredited Communications Data Bill. All three main parties supported the unscrutinised hasty scrambling of the Data Retention and Investigatory Powers Act (DRIPA) through Parliament just prior to MPs’ summer holidays in 2014. Not only did DRIPA re-introduce and expand the data retention practices that the European Court of Justice had, just months previously, declared so heinous that they should never have existed, it extended the territorial reach of UK surveillance law to cover the entire world. Additionally it essentially declares anyone with any gadget connected to the internet is now fair game for surveillance. DRIPA is quite short (only 8 sections) and actually well worth reading – most MPs still have not done so.

David Anderson’s review will be significant but I think you’ll find Mr Anderson is already on record as noting the importance of surveillance powers that are targeted, necessary and proportionate, improved oversight of the intelligence agencies and judicial authorisation of surveillance. I don’t believe it is unreasonable to ask the same commitment from prospective parliamentary candidates. I’m afraid I’ll need something stronger than the non-committal party line and a request to ‘pick me to avoid them’ treatise to consider voting for Labour. :-)

The default deterministic construction and deployment of a regulatory and communications infrastructure of mass surveillance is one of the fundamental issues of the information age. That all the main parties have sought to ignore it as an election issue is unfortunate but doesn’t make it any less important. I’d encourage you to consult your colleagues, Tom Watson and David Winnick, who are amongst the very few Labour MPs who have done any serious degree of thinking on these matters.

Regards,

Ray"

Wednesday, March 25, 2015

Polling booths unfit for purpose

I wrote to the electoral services administration at the local council last week about the equipment, in particular the polling booths, used at my local polling station.
"Dear Sir/Madam,

I’ve been meaning to contact you about a problem with the polling booths in the ********** polling station in ******** for some years. With the general election looming, I feel obliged to do so now. Basically the polling booths are tiny triangular counters which are often arranged facing out into the polling station room. They offer no privacy for casting a vote and are fundamentally unfit for purpose, compared to the rectangular curtained booths that were available when I first moved to ******** ** years ago. The secret ballot introduced to the UK in 1872 is the cornerstone of the electoral process. There has been no meaningful capacity to cast a secret ballot with confidence in the ********** polling station, ever since this completely unsuitable equipment was introduced some years ago.
I would therefore appreciate your confirmation that suitably appropriate and reasonable polling booths will be made available for use in the ********* polling station for the coming general election and indeed future local, general and European elections.

Could you also send me a copy, under your freedom of information procedures, of your most recent review of the ******************* community centre polling place, conducted under section 16 of the Electoral Administration Act 2006 (which amended section 18 of the Representation of the People Act 1983).

Thank you.

Ray Corrigan"
Not only are these counters unfit for purpose, the election ballot paper is often bigger than the surface available to lean it on to record a vote, in pretty much full visibility of anyone in the polling station.

Credit where it is due, however, the electoral services team leader responded within two working days, promising that they are upgrading the equipment.
"Dear Mr Corrigan
Thank you for your email.  I can confirm that we have ordered new polling screens for these elections.
Regards

Electoral Services Team Leader"
Hopefully it means that by the time of the general election, my local polling station will, for the first time in years, have "reasonable facilities for voting", as guaranteed under section 16 of the Electoral Administration Act 2006 (amending section 18 of the Representation of the People Act 1983).

Wednesday, March 04, 2015

The coalition and computers

The Institute for Advanced Legal Studies recently launched their Centre for Law and Information Policy.

The ever entertaining and informative Daithí MacSíthigh opened proceedings, with a look at the UK coalition government's record over the past 5 years.

They have mostly had a domestic legislation focus. There is a perception that they engaged with technology issues but 5 years on they are looking pretty old and grey. Of the 130 Acts of Parliament adopted since 2010 there are only a few in the tech policy arena.

Daithí suggested three ways to think of this limited degree of regulation - rollback, re-balancing and re-regulation.

Rollback

ID cards were repealed with the Identity Documents Act 2010.

The Protection of Freedoms Act 2012 had something to say about CCTV, DNA retention and RIPA amongst other things. Daithí didn't mention it but this Act has a little-known provision, s26(5), which I highly recommend every child in the country, based at schools unconscionably collecting biometric data, exploit to its absolute maximum effect:
26 Requirement to notify and obtain consent before processing biometric information
[...]
(5) But if, at any time, the child—

(a) refuses to participate in, or continue to participate in, anything that involves the processing of the child’s biometric information, or

(b) otherwise objects to the processing of that information,

the relevant authority must ensure that the information is not processed, irrespective of any consent given by a parent of the child under subsection (3).
So calling all teens - how would you like to annoy your teachers and possibly even parents and simultaneously strike a major blow against the sickening normalisation of the unethical mass collection of kids' biometrics in schools? Roll out section 26(5), get your mates together and opt out of your school fingerprint (or other biometric) collection systems. Tell your headteachers you are not numbers to be processed and you refuse to participate, any longer, in school schemes that are undermining the fundamental rights of yours and future generations.

The Enterprise and Regulatory Reform Act 2013 was a bit of a mongrel covering a range of disparate issues and apparently included some amendments to the Wireless Telegraphy Act.

In the rollback box there is also some interesting unfinished business relating to the promised repeal of sections 17 and 18 of the Digital Economy Act 2010.

Re-balancing

The Defamation Act 2013 introduced a series of revisions considered pro-defendant including a single publication rule, restrictions on jurisdiction shopping and a fourth type of intermediary protection. That made the tech and media industries happy.

On the intellectual property front, in the summer and autumn of 2014 a series of changes, including recognition of exceptions for parody, format shifting and quotation, were made by statutory instrument to implement parts of the Hargreaves Report. The entertainment industry were not best pleased with the changes and have engaged an expensive collection of m'learned friends in an attempt to quash the private copying changes under a judicial review. Oh yes. Judicial review is still available to those wealthy few who can afford it.

In the recently passed Counter Terrorism and Security Act 2015 there is a provision to set up a Privacy and Civil Liberties Board (not to mention the appalling McCarthyite section 26 "prevent" duty).

Re-regulation

In terms of re-regulation the abomination that is the Data Retention and Investigatory Powers Act 2014 was rushed through Parliament in the week before MPs went off for their summer holidays.

Having sung lalala with their fingers in their ears for months, following the abolition of the data retention directive by the Court of Justice of the European Union, DRIPA was the government's panicked "something must be done" response and its reach was extended to MAC addresses in section 21 of the Counter Terrorism and Security Act, 2015.

Elsewhere on what Daithí was labelling re-regulation, powers of censorship  and online gambling provisions have been extended. And one of the coalition's final provisions is the revenge porn measures in the Criminal Justice and Courts Act. Sections 33-35 are not exactly exemplars of legislative clarity and were passed with no evidence and no scrutiny.

The digital goods add on to the Consumer Rights Bill is still working its way through Parliament.

Big Projects

The final string to the coalition's tech bow was outwith the legislative bandwagon. They don't want to use legislation too readily after all, since it could be seen as at odds with their aim to reduce bureaucracy.

Their big big project is, of course, big data, wherever they can get it.

The Health and Social Care Act 2012 is enabling them to wreak all kinds of ignorant havoc with medical confidentiality, for example. Ross Anderson, only last week described the Hospital Episode Statistics data warehouse and the horrendous care.data programme as residing in the 7th circle of hell, as far as lack of respect for medical confidentiality and privacy is concerned.

Whilst I'm mentioning Ross, could I also highly recommend the Nuffield Council on Bioethics report of which he is a joint author, The collection, linking and use of data in biomedical research and health care: ethical issues. Ross neatly sums up:
As the information we gave to our doctors in private to help them treat us is now collected and treated as an industrial raw material, there has been scandal after scandal. From failures of anonymisation through unethical sales to the care.data catastrophe, things just seem to get worse. Where is it all going, and what must a medical data user do to behave ethically?
We put forward four principles. First, respect persons; do not treat their confidential data like it were coal or bauxite. Second, respect established human-rights and data-protection law, rather than trying to find ways round it. Third, consult people who’ll be affected or who have morally relevant interests. And fourth, tell them what you’ve done – including errors and security breaches.
The coalition's other big project was tax relief for the video games industry. Needless to say, the industry approved. So popular was it that the government decided to extend a similar provision to theatres.

Finally, hugely unwelcome all around parliament, Leveson landed upon the government and the effects are still unclear.

Conclusions

Daithí's conclusions on all this brought us back to where he started. The coalition began with some promising promises on technology and civil liberties but it proved all too easy for them to talk in libertarian soundbites on the outside, then quickly succumb to the temptations of power. He was more generous than I would have been in describing the coalition as looking merely old and grey.

Their consolidation and expansion of the mass surveillance agenda and practices (Daithí didn't mention the Snowden affair but I'm sure would have done if time had allowed) and the government's entrenched view of UK residents as industrial raw material, as Ross Anderson so eloquently puts it, to be mined for the response to whatever stick the rabid 24 hour news media are currently beating the government over the head with, will do untold damage to fundamental rights for generations to come.

Update: I expect Daithí would also have included a treatise on the Justice and Security Act 2013 (including reinforcement of secret courts and secret "evidence") and the decimation of legal aid, if he'd had the chance.

Tuesday, February 24, 2015

What were you doing when they were building the surveillance society?

At the behest of my friend and colleague at the Open University, Mike Richards, I penned a piece towards the end of last year in connection with our introduction to cyber security mooc. I realise it is now up on OpenLearn. Copy below.
In the 1600s the founders of New England meticulously laid out their towns so that the relationship of buildings to each other and the town square allowed the Puritan inhabitants to keep a close eye on each other. For practising Puritans, at that time, allowing friends, family and the rest of the community to pry into their private lives was routine. Good behaviour in private was considered to be essential for societal wellbeing. However, that good behaviour would only be forthcoming if people watched each other closely.
This practice was brought into the internet age by a company called NetAccountability in 2002. They enabled people to sign up to have a morally upstanding friend or family member monitor their web surfing habits. The monitor then received regular comprehensive reports of the websites that person visited. There are a multitude of such services today.
In 1791, English philosopher Jeremy Bentham came up with the idea of an “ideal prison” built with a central tower from which watchers could see into every cell but the cell-bound could not see into the tower. Prisoners could never know exactly when they were being watched, would have to assume they were under constant surveillance and moderate their behaviour to avoid severe punishment. Bentham called his design a panopticon.
After the Berlin wall came down, the Stasi were found to have more than 6 million files on East German citizens, more than a third of the population. The German Democratic Republic panopticon, could not, however, when it comes to surveillance, hold a candle to modern practices of the governments of the US and the UK.
The internet, lauded in the 1990s as the force that would free humanity, has been turned into the world’s panopticon, an apparatus of mass surveillance the like of which the world has never known. Thanks to NSA whistleblower, Edward Snowden, we know that the UK and US governments sweep up communications data on an unimaginable scale, not on just a third of their citizens, but their whole populations – and the rest of the connected world.
Now I don’t know about you but I find the thought of permanently being watched oppressive, intrusive and disturbing. 1600s New England, Bentham’s panopticon, the GDR or communities that require me to sign up to constant close monitoring to protect my soul are not places that appeal to me in the slightest. However, as a result of the evolution of technologies and the war on terrorism, the Internet has become a world of incomprehensible surveillance.
Snowden has disclosed that the US National Security Agency (NSA) specifically targets the communications of everyone, ingesting, collecting, filtering, measuring and storing everything by default. The NSA’s counterpart in the UK, the Government Communications Headquarters (GCHQ) has developed a programme called Tempora; a hard wired intercept of the international communications cables entering and leaving the UK. Tempora is capable of collecting all communications content and “metadata” that pass across the UK. The metadata is the details of who is in contact with whom, what devices they are using, when and from where they are communicating, for how long, what websites are visited, searched, clicked etc.
Documents leaked by Snowden indicate that several years ago GCHQ had the capability to collect 21 petabytes of data every 24 hours. That is equivalent to about 200 times the contents of the entire British Library, every single day. The technology (better) and economics (cheaper) of digital storage mean that their capacity is undoubtedly far greater today.
Yet the thing about the internet is we don’t notice we’re being watched. Sure we know about things called “cookies” tracking us – because of those irritating EU-mandated warnings that pop up on websites – even if we don’t know exactly what cookies are; and to a degree we know our browsing habits allow advertisers to specifically identify each and every one of us for targeted advertising.
But we don’t think about it too much… and when we do we console ourselves with thoughts such as “the government are only interested in terrorists and drug dealers and child abusers and organised criminal gangs – the four horsemen of the infocalypse – not us… and they know what they are doing… and they are the good guys… and most of us most of the time are not conscious of any intrusion… and we’ve got nothing to hide anyway….”
The trouble with the seductive “the innocent have nothing to hide” meme, wielded so freely by politicians and the press so intent on stripping away our privacy, is that it is dangerous and wrong.
It is underpinned by two hidden and completely false assumptions.
1. Privacy is only about bad people hiding bad things, so only bad people want privacy.
Wrong. The need for privacy is a fundamental part of the human condition.
2. Sacrificing privacy will solve complex problems like terrorism.
But here’s a news flash from a former senior executive of the NSA, decorated US Air Force and Navy veteran, and whistleblower, Thomas Drake: mass surveillance doesn’t work.
We know it doesn’t work because in 13 years of mass surveillance following the 9/11 attacks neither the US nor the UK governments have been able to produce a single example of where it has worked that can withstand robust independent scrutiny. The US has claimed 54 attacks have been thwarted. All these have been rebutted by experts. The UK claims at least two major terrorist attacks every year since 9/11 have been stopped by mass surveillance. No specifics - we just have to trust them on that. Any plots that have come to light in the media have, when examined, been uncovered through conventional targeted intelligence and policing.
You see, finding the four horsemen is a needle in a haystack problem. There may (or indeed may not) be a crime-related communication in today’s 21 petabytes of data, but it is in amongst a colossal amount of completely innocent information. It doesn’t become easier to find the needle by throwing infinitely more needle-free hay on your stack and/or creating multiple giant and exponentially growing data haystacks.
Mass data collectors can dig deeply into the digital persona of anyone but don’t have the resources to do so with everyone. The resultant pursuit of false positive leads mean the real bad guys often get lost in the noise, as happened with the perpetrators of the 9/11 attacks who were known to US authorities but not considered sufficiently important to intercept. Even then, in a time of significantly more limited and targeted surveillance, the intelligence and security services were so inundated with data that the attackers evaded their grasp.
Despite all of this the Snowden revelations have raised little more than a collective “meh”, in the parlance of my teenagers, amongst the majority of people in the UK. Even when it was revealed that GCHQ were running a system called Optic Nerve, secretly collecting private images from nearly 2 million Yahoo! webcam accounts - including those of children - general public apathy prevailed.
Security and privacy professionals used to joke about the government wanting to put a camera in everyone’s bedroom – it couldn’t possibly happen – now they’ve done it and we apparently don’t care.
Why is that?
Well I suspect part of the answer is related to Stanley Cohen’s theory that when we as individuals, groups, communities, societies, governments, learn about monumentally appalling things, we go into a state of denial about it. It is too complex/difficult/terrible to comprehend or cope with, so we put it to one side and don’t think about it. In that state we can readily take on board assurances of the powerful to trust them and they will protect us.
And we have the additional bonus that the internet and our gadgets connecting us to it are so attractive, gratifying, responsive, entertaining, accessible, convenient, and educational even – our very own Huxleian soma, the drug that makes us feel better.

More importantly why should we care?
We should care because invasion of privacy is an ecological problem. When I give up a little bit of my privacy I’m polluting the lives of everyone I’m connected to and everyone they are connected to. The NSA deputy director testified to Congress that they look at anyone ‘3 hops’ removed from their targets.  You don’t have to have done anything wrong, just be connected to someone connected to someone connected to someone that falls under suspicion. Then, according to Snowden, the NSA or GCHQ uses their giant personal data haystacks to time travel through a comprehensive record of your digital history and scrutinize everything with a view to deriving suspicion from an innocent life.

And in a way it is not even that which concerns me the most.
A lot of this mass surveillance activity is done by good people with the best of intentions, but when you build the infrastructure of a surveillance state you cannot guarantee that it is – given the revelations of Edward Snowden and Thomas Drake – or will permanently remain under the control of the good guys. Nor can you guarantee it won’t be exploited by the very horsemen of the infocalypse it was nominally constructed to counteract. Large databases of valuable personal data are irresistible targets for the horsemen. Security backdoors built into standard computer architecture for intelligence purposes quickly become available to nefarious actors too.
The thing that worries me the most, though, is the legacy we are leaving for future generations and the question my kids and possibly their kids will be asking me in 20 years.
“Dad/granddad, what the hell did you think you were doing when they were building the surveillance society?”
Mass surveillance is incredibly socially destructive and yet we don't seem to care enough to do anything about it.

Tuesday, February 10, 2015

Liberty, PI, Amnesty v Foreign Secretary at IPT

I had a quick go yesterday at explaining the Investigatory Powers Tribunal (IPT) ruling, in Liberty & Ors v The Secretary of State for Foreign and Commonwealth Affairs & Others (Case No: IPT/13/77/H).

When the government, for an indeterminate number of years prior to 5th December 2014, said,
“All of the work of the intelligence and security services is carried out in accordance with a strict legal and policy framework, which ensures that our activities are authorised, necessary and proportionate ...”
they were being economical with the truth. They were, during that period, in fact flagrantly undermining the rights to privacy and freedom of expression under articles 8 and 10 respectively of the European Convention on Human Rights (ECHR).

The government can, according to the IPT however, make that claim now because we are told there is a legal and policy framework. We are just not entrusted with the privilege of knowing what those legal and policy framework rules are.
Secret laws and policies.

For secret government mass surveillance activities.

Approved by a secretive tribunal historically predisposed towards approving of government secrecy, with the sole limited exception being this Liberty & Ors case.
The most recent IPT ruling takes great pains, from the start, to emphasise that they ruled, in December 2014, that the UK security services' intelligence sharing with the NSA, in connection with Prism and Upstream, is lawful.
"Save in one possible (and to date hypothetical) respect"
The limited and hypothetical exception is laid out in paragraph 53 of their 5 December judgement.
"53. The one matter of concern is this. Although it is the case that any request for, or receipt of, intercept or communications data pursuant to Prism and/or Upstream is ordinarily subject to the same safeguards as in a case where intercept or communication data are obtained directly by the Respondents, if there were a 1(b) request, albeit that such request must go to the Secretary of State, and that any material so obtained must be dealt with pursuant to RIPA, there is the possibility that the s.16 protection might not apply. As already indicated, no 1(b) request has in fact ever occurred, and there has thus been no problem hitherto. We are however satisfied that there ought to be introduced a procedure whereby any such request, if it be made, when referred to the Secretary of State, must address the issue of s.16(3)"
But the exception was hypothetical, had not happened and they were therefore "satisfied as to the lawfulness" of the intelligence services' activities relating to Prism and Upstream. From the 6 February decision:
"10. By our Order of 5 December 2014 we made declarations that the Prism and/or Upstream arrangements (subject to the exception referred to in paragraphs 7 and 8 above) did not contravene Articles 8 or 10 ECHR, and further that the RIPA regime in respect of ss. 8(4), 15 and 16 of RIPA similarly did not contravene Articles 8 or 10 ECHR.
By paragraph 4 of the Order, we directed that the parties serve written submissions according to an agreed timetable, and with a view to the two outstanding issues being resolved by the Tribunal, by agreement of the parties, without a further hearing:

“4. i) Whether by virtue of the fact that any of the matters now disclosed in the judgment of 5 December 2014 were not previously disclosed, there had prior thereto been a contravention of Articles 8 or 10 ECHR. (“The First Issue”).
ii) Whether by virtue of the facts and matters set out in paragraph 53 of the judgment of 5 December 2014, there is a contravention of Articles 8 or 10 ECHR.” (“The Second Issue”). "
We'll get to the IPT's specific answers to these questions presently but (spoiler alert) they basically conclude i) keeping the existence of the rules secret was illegal but isn't anymore since we now know the rules exist (it's slightly more subtle than that, in that there is the question of "adequate signposting" to the rules) and ii) don't worry about it, the government promise to behave.

Perhaps surprisingly (though I expect the legal representatives advised of the serious possibility of a limited win on the secret rules grounds and decided to focus exclusively on that), Liberty and co chose not to challenge the RIPA regime at this particular stage. So the IPT take the open goal opportunity to pat GCHQ and co on the back,
"12. ... As requested by the Respondents, therefore, the Tribunal can make it clear, for the avoidance of doubt, that the declaration it made on 5 December 2014 in relation to the RIPA regime was that it is in accordance with the law/prescribed by law and was so prior to the Tribunal’s Judgment of 5 December 2014."
They next tackle the question of whether the absence of government acknowledgment of secret rules governing mass surveillance was illegal.
"15. We set out the requirements of Article 8 in paragraph 37 of the December Judgment:
“37. The relevant principles appear to us to be that in order for interference with Article 8 to be in accordance with the law:
(i) there must not be an unfettered discretion for executive action. There must be controls on the arbitrariness of that action.
(ii) the nature of the rules must be clear and the ambit of them must be in the public domain so far as possible, an “adequate indication” given (Malone v UK [1985] 7 EHRR 14 at paragraph 67), so that the existence of interference with privacy may in general terms be foreseeable."
So there must be rules reining in "unfettered... executive action" i.e. theoretically the government is subject to some controls. The rules don't have to be public but the public must know enough to be able to deduce that our privacy may be undermined.
"16. We continued:
“41. We consider that what is required is a sufficient signposting of the rules or arrangements insofar as they are not disclosed. . . It is in our judgment sufficient that:
(i) Appropriate rules or arrangements exist and are publicly known and confirmed to exist, with their content sufficiently signposted, such as to give an adequate indication of it (as per Malone: see paragraph 37(ii) above).
(ii) They are subject to proper oversight.”
I'll leave you to decide on the difference, if any, between "the nature of the rules must be clear..." etc and "what is required is a sufficient signposting of the rules or arrangements insofar as they are not disclosed" etc.

Bottom line?

Secret rules governing mass surveillance are ok as long as the public know there are rules, even if they are not allowed to know what the rules are and as long as the rules "are subject to proper oversight".

The IPT did get a confidential look at the "arrangement below the waterline" i.e. secret rules, in secret and:
"17. We set out our conclusions, so far as relevant to this question, in paragraph 55:
“55. After careful consideration, the Tribunal reaches the following conclusions:
(i) Having considered the arrangements below the waterline, as described in this judgment, we are satisfied that there are adequate arrangements in place for the purpose of ensuring compliance with the statutory framework and with Articles 8 and 10 of the Convention, so far as the receipt of intercept from Prism and/or Upstream is concerned.
(ii)This is of course of itself not sufficient, because the arrangements must be sufficiently accessible to the public. We are satisfied that they are sufficiently signposted by virtue of the statutory framework to which we have referred and the Statements of the ISC and the [Interception of Communications] Commissioner quoted above, and as now, after the two closed hearings that we have held, publicly disclosed by the Respondents and recorded in this judgment.”
In other words - trust us, there is "adequate" secret oversight of mass surveillance ensuring it complies with human rights.

But don't worry, we've got your back. Not only can we confirm the existence of adequate secret controls but we realise the fact of the existence of these secret rules must be in the public domain. And hey presto! By way of our wondrous work in getting this information disclosed to the public - i.e. that secret rules exist - the public know that secret rules exist. High fives and self congratulatory kudos all round.

But wait.

Liberty's QC, Matthew Ryder, pointed out that it was only because this case was pursued that the government were forced into releasing the information that secret rules existed that, in turn, satisfied the IPT that the public now know that secret rules exist.

The IPT response?
"19. ... We agree."
Not much to add to that.

Paragraph 20 of the judgement is fun but really for the lawyers. Rough translation:
The government say: leave us alone, there was enough information to deduce that rules existed.

Privacy International barristers, Dan Squires and Ben Jaffey say: maybe but there was not enough information about the nature and ambit of the rules (in the language of the Padfield decision noted in para 15) or sufficient signposting to the content of the rules to give an adequate indication (Padfield & IPT from para 15 & 16) of the ballpark they might reside in.
I won't quote the IPT in paragraph 20 agreeing with Privacy International but the IPT agreed with Privacy International.

We finally reach the heart of the decision so loudly proclaimed as historic by Liberty, Privacy International, Amnesty and The Guardian.
"21. ... We are however satisfied ... that, without the disclosures made, there would not have been adequate signposting, as we have found was required and has now, as a result of our Judgment, been given.
22. Although the first requirement of Article 8, set out in paragraph 37(i) of the December Judgment and in paragraph 15 above, is satisfied, the second requirement, as set out in paragraph 37(ii) of the December Judgment, was only satisfied by the Disclosures being made public in our Judgment.
23. We would accordingly make a declaration that prior to the disclosures made and referred to in the Tribunal’s Judgment of 5 December 2014, the regime governing the soliciting, receiving, storing and transmitting by UK authorities of private communications of individuals located in the UK, which have been obtained by US authorities pursuant to Prism and/or (on the Claimants’ case) Upstream, contravened Articles 8 or 10 ECHR, but now complies."
So,
There are secret rules controlling government action in this area.

There would not have been "adequate signposting" to the secret rules governing Prism & Upstream intelligence sharing, without the disclosures the government made in this case.

Prior to these disclosures the government were in breach of Articles 8 or 10 of the European Convention on Human Rights (ECHR), protecting privacy and freedom of expression, as there was inadequate signposting to the secret rules.

The Prism & Upstream intelligence sharing regime, by virtue of government disclosures, as a result of this case, of adequate signposting to the secret rules, now complies with Articles 8 or 10 of the ECHR.
Having shot the government metaphorically in the foot then bandaged the wound so it was no longer noticeable, the IPT move thence to the "hypothetical" Regulation of Investigatory Powers Act (RIPA) loophole. "Hypothetical" because they are assured by the government that the issue has never arisen.

The RIPA issue in the case is more complicated than the question of the existence of secret rules, so in deference to the patience and stamina of readers who have got this far, I'm going to take a relatively short run at it. It is addressed in paragraphs 24 to 31 of the decision. Let's skip the hypotheticals on the 1(b) request and the dancing in and out of sections 5, 8, 15 and 16 of RIPA and get to the government promise outlined in paragraph 30.
"30. The Respondents have now given the further Disclosure, as contained in paragraphs 19 and 20 of their submissions:
“19. For the avoidance of doubt, the concern identified by the Tribunal would not arise in the first place if a request were made pursuant to paragraph 1(b) of the Disclosure for material to, from or about specific selectors (relating therefore to a specific individual or individuals). In such a situation, the request would be a “targeted” one and the Secretary of State would therefore have approved it for the specific individual(s) in question. In that case, the proper parallel would be with a warrant under s.8(1) of RIPA, not s.8(4). Thus, the safeguards under s.16 of RIPA would not be at issue even by analogy because s.16 of RIPA only applies to the examination stage following interception under s.8(4) warrants (i.e. “untargeted” interception).
20. In those circumstances, the remaining concern is in relation to such untargeted interception. The Respondents can confirm that, in the event that a request falling within paragraph 1(b) of the Disclosure were to be made and approved by the Secretary of State other than in relation to specific selectors (i.e. “untargeted”), the Intelligence Services would not examine any communications so obtained according to any factors as are mentioned in section 16(2)(a) and (b) of RIPA unless the Secretary of State personally considered and approved the examination of those communications by reference to such factors.” "
This requires careful and repeated reading but purports to be an assurance from the government to close this one lacuna, in a veritable colander of RIPA loopholes. The assurance attempts to give the impression that the Secretary of State must sign off on surveillance targeted at specific individuals.

In other words the government promise to behave... honestly... on this specific RIPA pathway.

Secretary of State approval is now supposed to apply both:
to targeted interception of communications
and to targeted data mining of the giant data silos collected through untargeted interception.
I'm not sure I derive a great deal of comfort from that.

On the latter, just to repeat:
"The Respondents can confirm that, in the event that a request falling within paragraph 1(b) of the Disclosure were to be made and approved by the Secretary of State other than in relation to specific selectors (i.e. “untargeted”), the Intelligence Services would not examine any communications so obtained according to any factors as are mentioned in section 16(2)(a) and (b) of RIPA unless the Secretary of State personally considered and approved the examination of those communications by reference to such factors.”
Privacy International and Amnesty accepted the government assurances explicitly. Liberty were silent on the matter. The IPT takes the declaration as a resolution.
"31. Privacy in their reply submissions, with which Amnesty agrees, accept that “that safeguard is now in place, but was not in place before December 2014”. Liberty does not expressly so accept, but made no submissions to the contrary in their reply. In any event we agree, and the disclosure which resolves the lacuna is now made public in this judgment."
Given the importance of the government's RIPA promise and the IPT's acceptance that it closes a loophole, they conclude the case at paragraph 32:
"32. In our judgment the appropriate course is to alter the declaration we were otherwise minded to make as set out in paragraph 23 above in respect of the First Issue, so that the declaration we propose to make would recite that “prior to the disclosures made and referred to in the Tribunal’s Judgment of 5 December 2014 and this judgment” the Prism and/or Upstream arrangements contravened Articles 8 or 10 ECHR, but now comply."
So, prior to -
the disclosure of adequate signposting to secret rules governing Prism and Upstream intelligence sharing
And
the government's promise not to exploit one of many RIPA loopholes  
- the UK government, for many years, contravened articles 8 and 10 of the European Convention on Human Rights. Now, thanks to the disclosures and promises extracted as a result of this case, they are no longer undermining the right to privacy and freedom of expression. At least as far as the IPT is concerned, within the narrow confines of the issues it examined in this case.

Update: I meant but neglected to include Caspar Bowden's wonderful description of the decision -

"IPT "illegality" finding a Pyrrhic victory, harpoon hurled at heart of "margin of appreciation". ECtHR reviews "safeguards" not spy methods"

Also Privacy International's note about the secret rules: 
"What was publicly disclosed, therefore, is little more than a Tribunal’s summary of secret policies disclosed in a secret hearing, which policies describe only the broadest of restrictions on the receipt of intelligence material by the UK, and remain buried in a 77-page long decision from the IPT, not enshrined in any accessible law or statute. 
We think that falls far short of what is called for by the “in accordance with law” requirement, and in the coming weeks will be appealing to the European Court of Human Rights to argue our case there, demanding an end to unlawful mass intelligence sharing, and ensuring privacy protections for all. "

Monday, February 09, 2015

IPT on mass surveillance - it's alright now, move along...

On Friday last, the Investigatory Powers Tribunal (IPT) ruled, in Liberty & Ors v The Secretary of State for Foreign and Commonwealth Affairs & Others (Case No: IPT/13/77/H), that the UK government had been breaking the law, for an indeterminate number of years, in the context of intelligence sharing operations between the NSA and GCHQ.

Basically the tribunal said mass surveillance was illegal when we didn't know about it. But now we do, as a result of some documents the government were obliged to release during this case, it's entirely fine and hunky-dory. It's perfectly grand, as an old friend of mine used to say. The documents don't tell us about the mass surveillance but they provide "a sufficient signposting of the rules or arrangements insofar as they are not disclosed".

Geddit?

There is... er... might be... mass surveillance er in theory.

If there... er... were mass surveillance, it is under control because there are rules.

We're not telling you the rules.

They are secret.

But trust us, there are rules, aka "adequate arrangements in place for the purpose of ensuring" respect for privacy and freedom of expression under articles 8 and 10 respectively of the European Convention on Human Rights (ECHR).

And we have "a sufficient signposting of the rules or arrangements insofar as they are not disclosed".

Don't worry your fluffy little head about it citizen friend. The good guys are in charge.

So, because the government have finally agreed to tell us there are rules governing mass surveillance, something the IPT ordered them to do following submissions from Liberty & others last summer, the IPT is satisfied everything is ok, even though it may not have been, er... technically, before they er... agreed to tell us there were rules.

And oh, they were only guilty of not telling us there were rules but now they are not guilty of anything because they have told us there are rules.

We're not, however, allowed to know what the rules are...

The government and intelligence services never comment on matters of national security (except to spread fear - and hang on, wasn't that the terrorists' intent?), other than with the standard boilerplate,
“All of the work of the brave men and women in the intelligence and security services is carried out in accordance with a strict legal and policy framework, which ensures that our activities are authorised, necessary and proportionate ...”
So move along... nothing to see...

From the IPT order on Friday:
"UPON CONSIDERING WRITTEN SUBMISSIONS FROM THE CLAIMANTS AND THE RESPONDENTS
FOR THE REASONS SET OUT IN THE TRIBUNAL’S JUDGMENT OF 5 DECEMBER 2014 (“THE FIRST JUDGMENT”) AND THEIR JUDGMENT OF THIS DATE (“THE SECOND JUDGMENT”)
IT IS DECLARED:
(i) THAT prior to the disclosures made and referred to in the First Judgment and the Second Judgment, the regime governing the soliciting, receiving, storing and transmitting by UK authorities of private communications of individuals located in the UK, which have been obtained by US authorities pursuant to Prism and/or (on the Claimants’ case) Upstream, contravened Articles 8 or 10 ECHR, but
(ii) THAT it now complies with the said Articles."
It's the first time since it was established in 2000 that the secretive tribunal has formally ruled that the intelligence services acted outside the law. Liberty, Privacy International and Amnesty, who had funded the legal challenge, were keen to note the decision as a historic victory but nevertheless only a small step on the road to reining in mass surveillance. They plan now to pursue the case to the European Court of Human Rights.

The IPT had previously ruled, in December 2014, that the intelligence sharing had not contravened Articles 8 or 10 of the European Convention on Human Rights.

Friday's decision was more of a technical than a substantive victory for the civil rights groups. Indeed GCHQ expressed their pleasure at the decision in a statement,
"The judgment reaffirms the IPT’s main December ruling which found strongly in favour of the Government. The Court ruled that the legal frameworks governing both the bulk interception regime (found in section 8(4) of the Regulation of Investigatory Powers Act or RIPA), and the intelligence-sharing regime, were fully compatible with human rights, in particular the right to privacy.
The judgment focuses primarily on a discrete and purely historical issue – whether those legal frameworks were also fully compatible at a point before these legal proceedings began.
It confirms the UK’s bulk interception regime was fully compliant with the right to privacy at all times, both before and at the time of the legal proceedings.
A GCHQ spokesperson said: "We are pleased that the Court has once again ruled that the UK’s bulk interception regime is fully lawful. It follows the Court’s clear rejection of accusations of ‘mass surveillance’ in their December judgment."
They went on to dismiss the loss as a technical blip,
"The IPT has, however, found against the Government in one small respect in relation to the historic intelligence-sharing legal regime. The Court has ruled that the public disclosure of two paragraphs of additional detail, voluntarily disclosed by the Government during the litigation, were essential to make the public regime sufficiently foreseeable and therefore fully compatible with the European Convention of Human Rights. They found that to the extent that these two paragraphs were not previously in the public domain, the intelligence-sharing regime prior to that point was in contravention of human rights law.
But the judgment does not in any way suggest that important safeguards protecting privacy were not in place at all relevant times. It does not require GCHQ to change what it does to protect national security in any way."
So who's got the real bragging rights - Liberty & co or GCHQ? Well, in a sense they both do. Liberty & co get to say it's historic since the IPT have never ruled against the government before. The Guardian as a bonus get to take out some justifiable angst on their UK mainstream media fellow travellers, who have been undermining their reporting on mass surveillance at every turn. GCHQ and the government get to say don't worry about it, minor blip, all fixed, nothing to see here anymore, move along.

So everyone wins, right?

Wrong.

As long as the mass surveillance that has become normalised in the past 15 years continues, everyone loses.

Update: some links on the case shared on Twitter on Friday last.