Saturday, October 18, 2014

ISC round table

Having written a submission to the Intelligence and Security Committee's inquiry into privacy and security, I was invited to take part in a round table discussion with the Committee that took place earlier this week.

It did actually involve a round table, or three to be precise. The members of the Committee split themselves amongst the tables to explore the written evidence of a collection of people from academia, industry and NGOs.

At my table were Conservative MP Dr Julian Lewis and Lord Butler, along with Caspar Bowden, Eric King of Privacy International and Andrew Watson. Dr Lewis came armed with printouts of our submissions with various parts underlined which he wanted to quiz us about in further detail.

Discussions were interesting and I came away slightly more positive than I had expected. I was impressed in particular at Lord Butler's capacity to grasp some of the key issues and ask insightful questions.

I've sent Dr Lewis and Lord Butler some follow up comments in an effort to clarify some of the points I made at the meeting.

"Dear Dr Lewis and Lord Butler,

Thank you for the opportunity to meet in the context of the ISC's inquiry into privacy and security.

If I may, I'd like to make an effort to further clarify two or three points I don't believe I articulated very clearly at the meeting.

On the question of the impossibility of securing giant databases, another way to look at it is to understand that information systems are socio-technical systems. They are made up not just of the technology but the organisational processes and people used to build, deploy and operate them. It's the giant information system as a whole that is impossible to secure. Generally computer scientists will tell you that these systems can have two of three key features - security, usability and scale - they can be secure and usable OR secure and scalable OR usable and scalable but never all three.

On the difference between information technology and information systems you can think of it as the difference between radar (information technology) and the British air defence system (information system) that was crucial to winning the Battle of Britain during World War II. By 1939 Britain had created an integrated information system to collect the raw data on approaching enemy aircraft, from their chain of radar stations (IT) and (visuals from) the Observer Corps (human IT). This raw data was passed on (via the radio telephone and teleprinter networks) to Fighter Command Headquarters filter room and an integrated set of operations centres, where it was assessed, filtered, analysed and turned into useful information at varying levels. This then facilitated the scrambling of the right fighter squadrons and even more specific instructions to be radioed to the RAF pilots once in the air, to enable them to intercept their enemy at the earliest opportunity.

The Germans had better information technology (radar). The British had the better information system i.e. radar, human intelligence, signals intelligence, and an integrated, purpose-developed system, allowing the situation to be viewed holistically, as well as delivering the right information to the right users, at the right levels, in a useful format and in sufficient time to act on it.

Dr Lewis, you seemed a little offended by my characterisation of the data mining of the mass trawl of personal data collected by government as a "post hoc fishing expedition." I apologise if I offended you - that was never my intention. My point essentially is that government has never had the power now at its disposal to peer into the intimate details of people's lives. The mass collection of data is in itself a fundamental problem in practice and in law. Privacy as a check on government power represents a democratic requirement that limited government must have limited power to access our daily lives. An omniscient government is too powerful for rules, regulations or laws to restrain. There will progressively always be another public official who will be able to make a compelling case for access to the rich trove of information in a valuable giant government database. If the security services find it useful, why shouldn't law enforcement or revenue officials or social security officials and so on? You have to take a look at the 14 year history of the Regulation of Investigatory Powers Act to see this kind of mission creep in this context.

It seems increasingly to be the belief amongst MPs that blanket data collection and retention is acceptable in law and that the only concern should be the subsequent access to that data. Assertions to this effect are simply wrong both in relation to more modern human rights law and also long standing English law.

The April European Court of Justice (ECJ) judgement restated the position clearly that mass indiscriminate data retention "constitutes in itself an interference with the rights guaranteed by Article 7 of the Charter." (Para 34 of the decision). Article 7 of the Charter of Fundamental Rights, as you know, guarantees everyone "the right to respect for his or her private and family life, home and communications". The European Court of Human Rights (ECtHR) laid down the same prohibition of blanket retention in the S. and Marper v UK case in December 2008. And I've already alluded, in my original submission, to the principles laid down in the Entick v Carrington case of 1765 with which this mass personal data collection is incompatible.

Please do not be misled into the erroneous belief that retention is acceptable and access is therefore the only problem. Underpinning any future regulatory framework in this area with such a fundamentally flawed assumption would be a big mistake on many levels. Both retention and access in and of themselves present serious article 7 and article 8 challenges, as the ECJ, the ECtHR and many other national courts have made clear.

On the question of whether ISPs have a moral obligation to cooperate with law enforcement, commerce doesn't do morals, only bottom lines. Directors of business have a fiduciary duty to maximise return to shareholders. The only guaranteed way to get telecommunications companies to cooperate is to make it their legal duty. There is no reason why ISPs should not be required to cooperate, in relation to a court supervised warrant, regarding particular information relating to a specific individual about whom there is reasonable cause to harbour suspicion that they may be or have been involved in criminal activity.

Lord Butler, I very much commend your comment to the effect that the case for targeted rather than mass personal data signals intelligence collection seemed compelling. If that idea alone has come out of the Committee's consultation process then it will have been very worthwhile.

Thank you for taking the time to meet and I hope you found it useful. If you need any further clarification of the above points or I can provide any further assistance please let me know. I wish you all the best with your ongoing deliberations."

Paul Bernal was at one of the other tables, as was Suw Charman, though I was not familiar with other attendees.

The subsequent public session the committee held with the Home Secretary just depressed me again. We have a seriously long way to go in the UK before we start getting a rein on mass surveillance. The ISC is the prevailing key line of defense in Parliament against the worst excesses of this. Mrs May's appearance is yet another indication that they are desperately in need of more resources to perform their duties and in particular permanent and extensive independent technical expertise.

Update: Andrew Watson has asked me to point out that his submission and engagement with the ISC was purely in a personal capacity and the views were his and not those of his employer. My apologies to Andrew for any confusion caused in the original version of this post.
