Some day when you find yourself with a couple of hours free,
sit down in front of your computer and watch a debate in parliament on
something you know a little about. I couldn’t spare a couple of hours but
nevertheless couldn’t resist the Science
and Technology Select Committee’s hearings
on the draft Investigatory
Powers Bill published by the government last week.
My very own MP, Nicola Blackwood, the recently installed
Chair of the committee, opened proceedings with a briefing from the Home
Office. She assured us that the Home Office had assured her that there were no
plans for new powers to ban encryption deployed by overseas companies. I assume
that was rushed to Ms Blackwood in advance of the briefing, following Apple
chief Tim
Cook’s dim view of the Bill headlining the front page of the Telegraph that
morning. The only new power in the bill, Nicola assured us, was the
facilitation of access to internet connection records. Given the amount of
public relations there has been in the run up to the publication of the bill, I
was assured that Nicola was assured and that MPs had been assured that all was
ok and they need not worry too much about what that bill actually says.
One problem with watching parliamentary proceedings on the
Internet, however, is that no, not that the spies/police might be watching when
the IP Bill passes, but that the Parliamentlive streaming service can be
decidedly flaky. I spent a fair and irritating chunk of my couple of hours
watching a buffering circle on my screen.
First up in the witness chairs were Matthew Hare, Chief
Executive Officer, Gigaclear, John Shaw, Vice President, Product Management,
Sophos, and James Blessing, Chair, Internet Services Providers' Association.
All three tried valiantly to enlighten but separating an MP in thrall to a
party briefing from a clear view of the world is a bit like trying to separate
a toddler from a beloved comfort blanket.
Witnesses:
- High speed internet connections could result in an annual storage requirement of 15 terrabytes of data, just relating to a single home
- The amount of data the IP bill requires service providers to collect, indiscriminately, is huge and costly and will not meet the aims of the bill
- Serious criminals are already using strong encryption the IP Bill won’t address
- Keeping massive stores of data safe and secure is really difficult... cough… TalkTalk cough…
- Definitions in the bill are ridiculously broad – not even clear what a service or a service provider is
- The Bill disadvantages UK companies which appear obliged to hand over data overseas companies do not
- Internet protocol data networks are not run the same way as telephony networks and assuming they do is a fundamental error
- Engaging in a population wide data dragnet in order to engage in a historical data fishing expedition at some point in the future is inappropriate
- What is being proposed in the IP Bill is what has already been done in China
- With port mirroring everything delivered to a customer can be delivered to 3rd party (MPs eyes glazing over)
- It’s going to cost taxpayers a lot of money
- Targeted rather than mass surveillance is a more effective, efficient and practical approach to the aims of the bill. If service providers get a request to intercept traffic to a particular IP address they can and do do that today.
- The removal of electronic protection aka nobble encryption clause is a baaaaad idea
- The Bill talks about 3 layers of data – communications data, content and one or the other. Unfortunately, once you capture comms data it becomes content, when you analyse it, it becomes information. (MPs glazing over again)
- The IP Bill, as it stands, potentially makes it a criminal offense for service providers to share information about security vulnerabilities
MPs:
- But, but, but…
- We’re already paying to be spied on – that’s how we fund the secret services
- It’s ok to have a dragnet for the internet because we have a dragnet for phones and it’s just the same
- Stella Creasy enthusiastically jumped in to share her knowledge of IPv6 which would fix everything by allowing the “spearfishing” of the baddies’ data from giant data stores and thereby making everything ok with bulk personal data collection. Unfortunately, as the techies heroically tried to explain, IPv6 generates vastly more data and makes everything more not less complicated technically
- But, but, but…
- It’s ok because we don’t intend to do all those things you’re complaining about
Just as the ever excellent Professor Ross Anderson of
Cambridge opened for the second collection of witnesses of the day, my dreaded
buffering circle kicked in again… The second group also included Professor Mike
Jackson, Birmingham City Business School, Dr Joss Wright, Oxford Internet
Institute, and Professor Sir David Omand, King's College London.
My feed came back online just in time to hear Nicola
Blackwood emphatically declaring that there was no place for ethics in the
hearing. The committee was here to be educated purely on the technology
issues. Prof Omand open by profoundly
disagreeing with everything Prof Anderson had just said.
Ah shucks. What did I miss?
As far as Prof Omand was concerned the
questions underpinning the bill were not ethical in nature but empirical.
Unfortunate though the revelations of former NSA contractor, Edward Snowden, were, they demonstrated, empirically and without question, that the intelligence
authorities were very good at handling large quantities of data.
Prof Omand went on to explain that in his opinion the main
“fuzziness” in the bill was in the distinction between communications data and
content. It was, however, a fuzziness with minimal practical relevance. The
bill was as close as you can get to clear on the distinction between the two. The word "clear" did draw some sharp intakes of breath in the room but he ploughed on. The
real significance was in the authorisation process for intercepting or
accessing the data; and since that could be worked out by the insiders with the
appropriate expertise, there was nothing to be concerned about.
Joss Wight respectfully disagreed with the good Prof about
there being a clear practical line between metadata and content. His main
opening concern was with mass retention or “bulk” retention which the
government likes to call it. Dr Wight would want to see some respect for
proportionality. Prof Omand was a little irritated with this and noted that the
mistake the Home Office made in last 5 years was to not update interception and
surveillance codes of practice. If the public had known there were secret codes
of practice governing everything, all would have been ok and then the Snowden
wouldn't have been such a shock.
Prof Anderson was invited back into proceedings again and
decided it was time to ground all this abstract stuff in something the MPs might
understand – their Google calendars – Google calendar data relating to who they
were meeting with, where and when would be within the scope of what the Bill
would consider content. Prof Omand jumped in insisting that this was not
intended and accusing critics of the bill of using “worst
case” examples to undermine it. Theoretically, the Infinite Power (sic) Bill
could be abused but trust us, it won’t be.
Dr Wight noted a fundamental misunderstanding underpinning
the bill being the assumption that metadata (or communications data) is less
sensitive than content. Prof Omand was, metaphorically at least, on his feet
again – the authors of the bill (by this stage observers must have been
wondering if he was one) were not disagreeing that communications data might be
sensitive but "most of the time" it is not.
Dr Wight insisted that comparing web communications data to
telephony data is ridiculous. A better analogy is to real life - what shop,
home, workplace, place of leisure you visit are all captured. That provides a much
more intrusive picture of life than telephone billing records. Content data is
not more sensitive than
communications data. It is merely differently sensitive.
An MP ventured a really good question (that was not of the variety ‘can
you confirm how clever I am’) – how do we frame this kind of surveillance legislation so it is practical
now and future proof?
Prof Anderson bluntly explained you can't. The technology is changing too
quickly and parliament will have to continually revisit access to personal data issues for the
foreseeable future. Technology and policy are inextricably interlinked and guess what? The
internet of things is about to hit us. Also whether we like it or not, the
networks are international in nature and Prof Anderson strongly encouraged international
cooperation in their regulation.
Dr Wight then pointed out that from an investigatory
perspective a targeted approach to surveillance was more effective and more
practical. Though he understood the seductive attractions of creating a time
machine with which to explore, at some future point, the intimate details of
anyone’s past life, it was somewhat unethical.
Prof Anderson agreed. There may be information gold in them there communications
data hills but that didn’t make it ethical to build them.
Prof Jackson
confirmed that even as you continue to construct these data mountains you’ll find
only a tiny amount of the data is useful. This is mass surveillance.
Nicola Blackwood was now getting tired of reminding these
techies that the panel was here to discuss technology not ethics.
And Prof Omand was having none of it from his fellow
witnesses. The British government simply does not and would not indulge in mass
surveillance. It’s not the done thing. Mass surveillance is the persistent
surveillance of all or large part of population. And since it is only computers
that are engaged in the persistent recording, storage and analysis of the
intimate details of everyone's lives, that’s
perfectly fine. Human beings only look at a small amount of the data you see. [By which measure, incidentally, you could make an argument for installing the most sophisticated modern video cameras, filming 24/7 in every corner of every room and space in the country - it will be ok if nobody looks at it].
Prof Jackson pointed out that when mass databases exist
that opens the personal data to the post hoc (rather than real time) equivalent
of mass surveillance. Dr Wight agreed – proponets of the IPbill might be
claiming there is no mass surveillance going on because human beings only see a
small proportion of the data but computers can do a phenomenal amount with mass
data before humans ever get involved in the loop. We also need to be cognisant
of the clear and empirically measured chilling effects of a population’s
awareness of constant surveillance.
Ms Blackwood: No ethics please, we’re here to discuss
technological issues!
Profs Anderson, Jackson & and Dr Wight: The elephant in
the room here is the destruction of privacy and you cannot deal with this bill
without discussing it.
Prof Anderson tried again to bring the discussion back to
something the MPs would understand. There are, he noted, significant
sensitivities around medical records for example. Likewise bank records – did
the MPs want police or other public services trawling through people’s bank
records?
Prof Omand was in no doubt that of course we do – it was
perfectly reasonable. It was perfectly unreasonable for Prof Anderson to be
attempting to scare people witless about abuse of these powers with worst case
scenarios. It won’t happen because we will now have stronger oversight
including the involvement of judicial oversight. We listened to our US cousins
on that one.
Dr Wight, at this point, disputed the notion that the IP
Bill was not expanding existing powers. It would additionally lead to a
reluctance on the part of commerce to do business in the UK and people seeking
to subvert what the bill is trying to do would simply use services overseas.
Prof Anderson again noted that if we’re to get a handle on the
regulation of these technologies we have to have international cooperation.
Something along the lines of an international cyber evidence convention is called for.
Prof Omand: The security of the internet is the number one
priority. The policy in the bill is extremely clear. You simply cannot remove
the right of the authorities to deal with pedophiles and the IP bill might give
the police and security services a chance to catch them. We do note, however,
that the judicial commissioners involved in the oversight processes will need a
lot of technical expertise.
Prof Anderson: Yes and the problem with the proposed set up
is that the experts on the advisory board will have representatives from police,
security services and service providers. No one from civil society or academia is entitled to even a look in –
no representatives, in short, for Jo Public. Given big data is manna from heaven for government
and commerce, that appears somewhat unbalanced.
Nicola Blackwood watching the clock, with relief, summed up: We’re out of time.
We need to give the security services what they need. We need to insure
proportionality in the deployment of these powers. She also thanked the witnesses for
their heated advice. [Actually it was all reasonably civilised even though there was a split in opinions on the panel]
So, in summary where did we actually get to?
Profs Anderson, Jackson and Dr Wight: The government are
collecting digital dossiers on the intimate details of the personal lives of
the entire population. Whatever you
choose to call it that is mass surveillance
MPs: But, but, but…
Prof Omand: No it isn’t and it is irritating that people
keep saying so
MPs: Ah that’s a relief... and they vacated the room, party briefing comfort blankets still tightly clenched.
Update: The Science and Technology Committee has invited written submissions on the Investigatory Powers Bill by Friday 27 November. As Nicola Blackwood repeatedly reminded her witnesses, they are looking for submissions that focus on technology issues, including:- The technical feasibility and costs of meeting the obligations imposed by the Bill
- The impact on communications service providers and related businesses
- The likely consequences for citizen/consumer use of ICT services
You can submit your thoughts via the UK Parliament website.
Update 2: A full official transcript of the hearings is now available.
Update 2: A full official transcript of the hearings is now available.
1 comment:
Thanks for posting this extended summary.
I see they've somehow managed to make the Parliament Live web site worse, which I would not have thought possible. Previously it relied upon Silverlight, a proprietary Microsoft technology, but at least it worked reasonably reliably. They now seem to have "upgraded" the site, and now it imperiously tells me that my browser is not on a short list of "officially supported" browsers. Someone needs to introduce them to the concept of Open Standards. *sigh*
http://www.anybrowser.org/campaign/
Cheers,
Andrew
Post a Comment