Friday, March 18, 2016

Circles of suspicion and the Investigatory Powers Bill

I attended an absolutely terrific conference in Cambridge, Oversight or Theatre? Surveillance and Democratic Accountability, in early February which I've meaning to write up here but simply haven't found the time. It was organised by John Naughton and Nora Ní Loideáin from the Technology and Democracy CRASSH project at Cambridge University and Ross Anderson live blogged it.

The recordings of all the panels and the subsequent well-informed question and answer sessions with the audience are now available at the CRASSH website. I particularly recommend the contributions of Conor Gearty, who opened proceedings, David Anderson, Richard Clayton, Lorna Woods, Ross Anderson and Nora Ní Loideáin.

The whole day constituted the most informed public debate on the Investigatory Powers Bill I've witnessed to date. Significantly higher quality than most the discussion on the 2nd reading of the Bill in the House of Commons earlier this week.

A copy of my slides from the second panel on the day -
I talked about internet connection records (ICRs) and recommended they be removed from the Bill but set up the discussion by considering the very persuasive case Professor David Omand makes for the bulk powers in the Bill.

Prof Omand, quite reasonably, suggests the guilty forfeit their right to privacy in connection with nefarious activities and the authorities are entitled, also, to collect and peruse the data of the suspicious. Those in the suspicious category may be innocent but if law enforcement and the security services have a justifiable cause to harbour suspicion, they have a duty to investigate such persons. The data of the innocent gets tangled up in all this but that's not a problem, the good professor suggests, since law enforcement and the security services are not interested in the innocent.

I figured it would be interesting to get a picture of the relative proportions of guilty v suspicious v innocent by throwing some hypothetical numbers at the problem. Since successive government spokespersons for the past 16 years have talked in terms of thousands of dangerous individuals here, I started with the hypothesis that there might be 6,000 dangerous people and 600,000 suspicious types resident in the UK, in a population of a little over 60 million. If that is anywhere close to the real numbers the relative areas of our guilty, suspicious and innocents' circles look like this -

So the collection of everyone's data in bulk for investigatory purposes begins to look somewhat disproportionate. If the numbers of guilty rise to 600,000 and the suspicious to 6 million the picture changes again -

By playing around with the relative numbers we can get a picture of how big we think the guilty and suspicious circles have to get, before we consider it proportionate to justify the bulk powers in the Investigatory Powers Bill.

Even with that latter diagram assuming 600,000 guilty and 6 million suspicious, it doesn't look reasonable to me that the remaining 54 million or so innocents get dragged into the digital net of suspicion.

The bottom line is that we only start to get a real picture of what the Investigatory Powers Bill bulk powers mean when we get into the detail of how they will operate or are expected to operate in practice. As far as ICRs go, the government should not be collecting, indiscriminately, for perusal and analysis, primarily electronic or otherwise - the excuse being the data will only be "seen" by computers - the reading, viewing and listening lists and other online activities of the entire population. Especially not those of tens of millions of innocents.

No comments: