Friday, August 24, 2012

Submission to consultation on Communications Data Bill

I've sent a response to the consultation of the Joint Committee on the draft Communications Data Bill. Having been buried in meetings and battles with bureaucracy it was done at the last minute so may read as something of a tired stream of consciousness. Nevertheless I reproduce it below in the hope that if I've made any errors in the analysis my sharp-eyed reader will put me straight. I incorporated the Open Rights Group's draft letter to parliament on the subject as part of the submission, so that bit at least should be fine!


I would like to register my objection to the Draft Communications Bill.

My key concerns include:

The Home Office is vague about the justification for the Bill, and the Bill does not solve the complex problems it is posited as addressing

In multiple media engagements the Home Secretary and other supporters of the Bill mention "protecting the public" from all four horsemen of the infocalypse - terrorists, drug dealers, child abusers and organised crime - and more, on several occasions quoting the Met police chief as insisting passing this legislation is a "matter of life and death".

Building multiple massive databases of intimate personal communications data makes the public more vulnerable to the four horsemen, not less so. That such mass surveillance will not work can be demonstrated mathematically.

Floyd Rudmin, Professor of Social & Community Psychology at the University of Tromsø in Norway, analysed President Bush's authorisation of the National Security Agency's (NSA) secret monitoring of the email messages and phone calls of all Americans ("The Politics of Paranoia and Intimidation: Why does the NSA engage in mass surveillance of Americans when it's statistically impossible for such spying to detect terrorists?", Floyd Rudmin, May 24, 2006):

“The US Census shows that there are about 300 million people living in the USA.
Suppose that there are 1,000 terrorists there as well, which is probably a high
estimate. The base-rate would be 1 terrorist per 300,000 people. In percentages,
that is .00033%, which is way less than 1%. Suppose that NSA surveillance has an
accuracy rate of .40, which means that 40% of real terrorists in the USA will be
identified by NSA's monitoring of everyone's email and phone calls. This is
probably a high estimate, considering that terrorists are doing their best to avoid
detection. There is no evidence thus far that NSA has been so successful at finding
terrorists. And suppose NSA's misidentification rate is .0001, which means that .01% 
of innocent people will be misidentified as terrorists, at least until they are
investigated, detained and interrogated. Note that .01% of the US population is
30,000 people. With these suppositions, then the probability that people are terrorists
given that NSA's system of surveillance identifies them as terrorists is only
p=0.0132, which is near zero, very far from one. Ergo, NSA's surveillance system
is useless for finding terrorists.”

Rudmin takes one basic statistic – 300 million people in the US – and takes a conservative guess at some others, e.g. the proportion of terrorists in the population. He then does a wonderfully simple analysis to prove mass surveillance is useless for finding terrorists. Put in head-counts: the system catches 400 of the 1,000 terrorists but also flags 30,000 innocent people, so roughly 99 of every 100 people it accuses are innocent. The kind of conditional probability calculation done here by Rudmin is based on Bayes' Theorem, which is taught in most introductory college statistics classes and is mathematically very sound.

Mathematically the four horsemen are not problems that lend themselves to data mining. Even highly accurate data mining systems will swamp investigators with false positives when dealing with a large population, because the rare thing being searched for is vastly outnumbered by the innocent population against which even a tiny error rate is applied. Law enforcement authorities end up investigating and alienating large numbers of innocent people. Finding the horsemen is a needle in a haystack problem and you can't find the needle by throwing infinitely more hay on your stack and/or creating multiple giant and exponentially growing data haystacks.
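The arithmetic behind Rudmin's paragraph, as an added worked example (this is not Rudmin's code and was not part of the original submission): it reproduces his p ≈ 0.0132 from the figures quoted above and then asks how small the misidentification rate would have to be before a flag was more likely right than wrong. The population, terrorist count, 40% detection rate and 0.01% misidentification rate are Rudmin's figures; the function names and the candidate rates in the sweep are assumptions made for this illustration.

```python
"""Base-rate arithmetic behind Rudmin's argument, via Bayes' theorem.

Added illustration, not Rudmin's own code. The population, number of
terrorists, detection rate and misidentification rate are the figures
quoted in the text; everything else is assumed for the example.
"""

# Figures quoted from Rudmin (2006) in the text above.
US_POPULATION = 300_000_000
TERRORISTS = 1_000            # Rudmin's "probably high" estimate
SENSITIVITY = 0.40            # share of real terrorists the system flags
FALSE_POSITIVE_RATE = 0.0001  # share of innocents wrongly flagged (.01%)


def posterior(prior, sensitivity, false_positive_rate):
    """P(terrorist | flagged) by Bayes' theorem.

    P(T|F) = P(F|T) P(T) / [P(F|T) P(T) + P(F|not T) P(not T)]
    """
    evidence = sensitivity * prior + false_positive_rate * (1.0 - prior)
    return sensitivity * prior / evidence


def screening_outcomes(population, suspects, sensitivity, false_positive_rate):
    """Expected head-counts when the whole population is screened once."""
    innocents = population - suspects
    true_positives = suspects * sensitivity
    false_positives = innocents * false_positive_rate
    flagged = true_positives + false_positives
    return {
        "caught": true_positives,
        "missed": suspects - true_positives,
        "innocents_flagged": false_positives,
        "flagged": flagged,
        # Positive predictive value: what fraction of the people handed
        # to investigators are actually guilty.
        "ppv": true_positives / flagged if flagged else 0.0,
    }


def required_false_positive_rate(prior, sensitivity, target_ppv):
    """Largest false-positive rate f that still achieves target_ppv.

    Solves PPV = s*p / (s*p + f*(1-p)) for f.
    """
    return sensitivity * prior * (1.0 - target_ppv) / (target_ppv * (1.0 - prior))


def ppv_sweep(prior, sensitivity, false_positive_rates):
    """PPV for each candidate false-positive rate (assumed values, for a table)."""
    return [(f, posterior(prior, sensitivity, f)) for f in false_positive_rates]


if __name__ == "__main__":
    prior = TERRORISTS / US_POPULATION
    out = screening_outcomes(US_POPULATION, TERRORISTS, SENSITIVITY, FALSE_POSITIVE_RATE)
    print(f"base rate: 1 in {US_POPULATION // TERRORISTS:,}")
    print(f"terrorists caught: {out['caught']:,.0f}, missed: {out['missed']:,.0f}")
    print(f"innocents flagged: {out['innocents_flagged']:,.0f}")
    print(f"P(terrorist | flagged) = {out['ppv']:.4f}")   # Rudmin's 0.0132

    # The base rate dominates: the false-positive rate has to fall to about
    # one in a million, a hundred times better than Rudmin assumes, before a
    # flag is more likely right than wrong.
    print("\nfalse-positive rate -> PPV at 40% sensitivity")
    for f, p in ppv_sweep(prior, SENSITIVITY, [1e-4, 1e-5, 1e-6, 1e-7]):
        print(f"  {f:.0e} -> {p:.3f}")

    # What misidentification rate would make a flag a coin-flip (PPV 0.5)?
    f_needed = required_false_positive_rate(prior, SENSITIVITY, 0.5)
    print(f"\nfor PPV 0.5 the false-positive rate must be <= {f_needed:.2e} "
          f"(about {f_needed * US_POPULATION:,.0f} innocents flagged)")
```

The practitioner's takeaway is the last line: to make an accusation from this system even a coin-flip, the misidentification rate must be held to roughly one innocent in a million, i.e. about 400 innocents flagged alongside the 400 terrorists caught. No real classifier run over an entire population's communications data comes close to that, and the error rate is multiplied by the whole population regardless of how the data is stored.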

That such mass databases are useless for finding terrorists is clear. That they also make the public less safe follows from the impossibility of securing mass silos of valuable personal data. Computer scientists simply do not know how to keep databases of the magnitude of those envisaged in the Bill secure from external hackers or from the multitude of insiders who have access to these databases as a routine part of their jobs. Security experts like Ross Anderson, Peter Sommer, Bruce Schneier and Richard Clayton have written extensively about this. To understand this you have to think about how such systems can fail - how they fail naturally, through technical problems and errors (a universal problem with computers), and how they can be made to fail by attackers (insiders and outsiders) with malign intentions, e.g. the four horsemen. When the inevitable hacks, leaks and data contaminations happen, what then?

Part 1 of the draft bill is indefensible

Part 1 of the draft bill gives the Secretary of State unlimited powers to mould data access regulations in perpetuity without the need to consult parliament in any meaningful way:

"(1) The Secretary of State may by order—
(a) ensure that communications data is available to be obtained from telecommunications operators by relevant public authorities in accordance with Part 2, or
(b) otherwise facilitate the availability of communications data to be so obtained from telecommunications operators.
(2) An order under this section may, in particular—
[...]
(b) impose requirements or restrictions on telecommunications operators or other persons or provide for the imposition of such requirements or restrictions by notice of the Secretary of State"

There is no mechanism for amending such Henry VIII orders and they usually get rubber-stamped by Parliament without material scrutiny. The Secretary of State and her successors get to order anyone to do anything that can be related to facilitating access to communications data.

If you combine this, as barrister Francis Davey points out (see 'The Communications Data Bill (first look)', Sunday, 17 June 2012 at http://www.francisdavey.co.uk/2012/06/communications-data-bill-first-look.html), with the broad definitions given in clause 28 of the bill, e.g.

"“person” includes an organisation and any association or combination of persons
[..]
“telecommunications operator” means a person who—
(a) controls or provides a telecommunication system, or
(b) provides a telecommunications service,
“telecommunication system” means a system (including the apparatus comprised in it) that exists (whether wholly or partly in the United Kingdom or elsewhere) for the purpose of facilitating the transmission of communications by any means involving the use of electrical or electro-magnetic energy,
“telecommunications service” means a service that consists in the provision of access to, and of facilities for making use of, a telecommunication system (whether or not one provided by the person providing the service)"

- this Bill, as currently drafted, could in theory oblige us to keep "who, what, when and where" records of family and friends' social gatherings which involve listening to music, TV watching, internet or mobile phone use, electronic gaming or just chatting. Unlikely though that might currently seem, and far though it may be from the current government's intentions, the wording of the bill must be viewed in the light of the inevitable progressive function creep (discussed below) and through the lens of a less benevolent future government.

Inversion of innocent until proven guilty principle

The notion that the day to day activity of every citizen should be recorded in the expectation that those records can, in future, be mined for nefarious activity is anathema to a healthy functioning liberal democracy.

Control of my data

I have no control over my data once it is collected by third parties on behalf of the government. The government is placing me at risk without my consent. The risks include:
1. That police have access to a record of my political beliefs and social habits
2. That these records could be shared with private investigators or journalists
3. That these records could be unlawfully accessed by foreign governments or criminal gangs, and aid further identity fraud, blackmail or account hacking

This runs counter to everything governments including ours are trying to do through promotion of good privacy practice and data protection policies.

Suspicion should be the test for surveillance

The government of course has the right to intercept and record information when someone is suspected of a serious crime. But these proposals mean collection of data without suspicion, which is in effect mass surveillance. Due process requires that surveillance of a genuinely suspected criminal be based on much more than general, loose and vague allegations, or on suspicion, surmise or vague guesses. To institute the new set of legal norms envisaged in the Communications Data Bill, which would give the entire population less protection than a genuine suspect currently enjoys under the standard of reasonable suspicion, is indefensible. The gathering of mass data to facilitate future unspecified fishing expeditions is unlawful.

Accessing big data sets opens up new police surveillance powers

Being able to compare location data, contact histories, websites visited and so on will give the police the generalized ability to track any group, from sports fans to political protesters. This will create extreme risks for whistleblowers, journalists’ sources and legitimate but inconvenient forms of protest.

This is not “preservation” of capacity but a huge extension of policing powers, which deserves proper democratic debate, starting with a full public consultation.

Undermining of Fundamental Rights

The proposals fundamentally undermine the right to privacy guaranteed in the Human Rights Act and article 8 of the European Convention on Human Rights. The Bill also undermines fundamental rights relating to freedom of assembly, speech, religion and association.

Comms data and traffic data cannot be separated simply in the way that the Bill assumes


Function Creep

I can only echo the concerns on function creep expressed by Paul Bernal in his submission to the consultation:

"when a system is built for one purpose, that purpose will shift and grow, beyond the original intention of the designers and commissioners of the system. It is a familiar pattern, particularly in relation to legislation and technology intended to deal with serious crime, terrorism and so forth. CCTV cameras that are built to prevent crime are then used to deal with dog fouling or to check whether children live in the catchment area for a particular school. Legislation designed to counter terrorism has been used to deal with people such as anti-arms trade protestors – and even to stop train-spotters photographing trains.

In relation to the Communications Data Bill this is a very significant risk – if a universal surveillance infrastructure is put into place, the ways that it could be inappropriately used are vast and multi-faceted. What is built to deal with terrorism, child pornography and organised crime might creep towards less serious crimes, then anti-social behaviour, then the organisation of protests and so forth. Further to that, there are many commercial lobbies that might push for access to this surveillance data – those attempting to combat breaches of copyright, for example, would like to monitor for suspected examples of ‘piracy’. In each individual case, the use might seem reasonable – but the function of the original surveillance, and the justification for its initial imposition, can be lost."

The temptation for public and commercial services to use the data gathered for purposes not originally intended will be overwhelming. If it can be done it will be done regardless of original good intentions.

RIPA needs to be fixed first

Data retention is already excessive and creating risks. The access policies for police are too wide and lack judicial supervision. There is no notification policy for people who have been placed under surveillance.

These problems should be fixed before the government suggests new surveillance powers.

We are in a recession

Spending billions of pounds surveilling innocent people while cutting back on policing seems wrongheaded. I would rather the money were spent on front line intelligence, policing, detection and emergency response work.

Bad examples to foreign governments

There are no democratic governments that force companies to aid surveillance through collection and creation of new data sets. How can the UK seriously stand up for human rights while abusing the privacy of millions of innocent citizens?

Conclusion

The government has failed to make the case for the need for the new powers proposed in the draft Bill. There is a significant danger in measures like the CDB of stumbling by default into a police state, just because the technology of mass surveillance is now more readily available and nominally more sophisticated. We need to avoid deploying these technologies blindly in response to some perceived threat. Without sufficient reasoned analysis of the purpose and detailed requirements of the technical systems we propose to build to counter these threats, we could find ourselves building technological monsters. Building an infrastructure of surveillance makes our citizens and our state more vulnerable, not less, to attacks by criminal elements such as the four horsemen of the infocalypse and by rogue states with malevolent intent.