Tag: Mass Surveillance

Just say no (to blanket data retention)

It’s been a hectic couple of weeks since I last blogged, mostly due to a combination of returning to work and picking up a rotten cold (sadly, I think the two may be connected). Despite this, I’m pleased to say I’ve still managed to keep most of my campaigning commitments with Bournville Labour and even make time to take part in a planning session for Open Rights Group organisers at BOM on Saturday.

Just say no (to blanket retention of personal data)

Despite everything going on, I came away from the ORG campaign day with a renewed sense of purpose to keep on campaigning for digital rights in the year ahead. This boost probably explains why I’ve just spent some time this evening responding to a somewhat soul-destroying Home Office consultation on a code of practice governing the Investigatory Powers Act, the creepily dystopian surveillance and hacking law which shuffled onto the statute books in late 2016.  I’ve posted below the contents of my email below at the bottom of this post, in case anyone is interested in the issues I’ve raised.

Essentially, the consultation is in response to last year’s judgement by the European Court of Justice, which stated that blanket retention of everyone’s personal data was illegal. The court judgement set out restrictions on retaining and accessing personal data, with the aim of making it a targeted system focused on serious crime, and requiring independent authorisation (usually a judge) before authorities can access personal data. Disappointingly but not surprisingly, the Home Office is choosing to interpret the judgement selectively, leaving in place the blanket data retention whilst (grudgingly) conceding the need for independent authorisation.

Stand up for yourself and show solidarity with at-risk groups

Given the well-documented history of surveillance powers being (mis)used against politicians, journalists, activists, whistleblowers and other groups, I encourage you to take part in the consultation and demand that the Home Office honours the court’s judgement and respects our human rights. You’ve got until 11.45pm tomorrow (18 January) to submit your response. click on the link below to speak up.

Rein in the Investigatory Powers Act

Dear Home Office,

This is a response to the consultation on Communications Data code of practice under the Investigatory Powers Act 2016, closing 18 January 2018.

As a UK citizen who believes in the rule of law, I am deeply concerned that you are using this public consultation in order to delay having to implement changes as a result of last year’s ruling of the Court of Justice of the European Union declaring the Investigatory Powers Act’s indiscriminate retention of data illegal.

As well as being concerned about the delay caused by the public consultation, I am also very concerned that you are taking a ‘pick and choose’ approach to the Court of Justice’s ruling. For me, the most important element of the judgement was that it established that indiscriminate retention of personal data illegal. Despite this, you are still proposing to allow blanket retention of everyone’s personal data. By taking this approach I believe you are flying in the face of the court’s judgement and appear to have little or no regard for the rule of law and citizens’ fundamental rights. I urge you to comply with the court’s judgement and end blanket retention.

I am also alarmed that you do not plan to notify people that their personal data has been accessed, even after an investigation has concluded. Given the history of surveillance and anti-terrorism powers being inappropriately used against politicians, journalists, activists, whistleblowers and other groups, I believe introducing a credible notification system is important for rebuilding trust in the system and reducing the likelihood of future abuses. Furthermore, I believe the fact that we as citizens are unlikely to ever know if our personal data has been accessed creates a ‘chilling effect’, whereby just the understanding that authorities could access our personal data with little meaningful oversight discourages citizens from freely expressing themselves.

I read with dismay that you will also not be protecting our personal data by keeping it within the EU. I am particularly concerned that this means you will continue to allow my personal data, along with that of my fellow citizens in the UK, to be transferred to the United States, whose laws afford zero protection to non-citizens’ data. I urge you to reconsider your position and keep personal data within the EU.

Lastly, ask that you adopt a reasonable definition of serious crime so as to ensure authorities adopt a reasonable and proportionate approach to accessing personal data, and which takes proper account of the impact retaining and accessing such data has on our fundamental rights. With this in mind, I ask that you adopt the House of Lords’ definition of serious crime, namely crimes capable of sentences of at least one year, rather than your current, lower, definition of a six month sentence.

I hope that your honour the court judgement and implement it in full rather than the selective approach your current proposals would suggest.

Thank you for your time.

Sincerely,
Francis Clarke

Dismantling the Government’s Arguments in favour of the Investigatory Powers Bill

In my last post, I argued that if campaigners (including myself) are going to take on the Government over its plans for online surveillance and win, we need to dismantle the claims they are making about these powers being necessary for security and crime fighting.

Since then, I’ve done some further online research and had some interesting conversations on Twitter and at last night’s well-attended Open Rights Group Birmingham meetup. This has helped me to develop my thinking on how to frame the argument in a way that convinces politicians and the general public to sit-up and take notice of what’s at stake with the Investigatory Powers Bill.

Winning the argument over the Investigatory Powers Bill – key lines

Security risks created by the Investigatory Powers Bill

  • The new requirement for tech firms to provide  unencrypted communications to the police or security services if requested through a warrant has been widely interpreted as an attempt to weaken encryption.
  • Tim Cook, Apple’s Chief Executive, noted in a recent interview with The Telegraph : “If you halt or weaken encryption, the people that you hurt are not the folks that want to do bad things. It’s the good people. The other people know where to go.
  • As Tim Cook explains, “Any backdoor is a backdoor for everyone. Everybody wants to crack down on terrorists. Everybody wants to be secure. The question is how. Opening a backdoor can have very dire consequences.”
  • Criminals and other bad people will still be able to access widely available open source encryption tools, while regular people who are less technically sophisticated will be left more vulnerable to data thefts and identity crime, notes security researcher. Paul Bernal, Internet privacy law researcher at the University of East Anglia, notes: “Savvy criminals already use encryption and software like Tor to hide their online activities, so storing web records won’t help combat this.
  • In addition to the weakening of encryption, the bill will create more opportunities for cybercrime. Requiring ISPs to store everyone’s Internet connection records for 12 months will create huge amounts of personal data, which will be highly attractive to criminals. How much more personal data could criminals could have stolen from TalkTalk, had the new collection system been in place? Timothy Brown, Executive Director of Security with Dell Software Group noted: “this only creates larger and more attractive targets for hackers and leaks.
  • The bill proposes granting the security services broad powers to hack computer systems. Doing so will leave critical infrastructure at risk, as the same vulnerabilities used by security services will be exploited by criminals. As Tim Cook  noted: “Any backdoor is a backdoor for everyone.”

Questionable security gains from expansion of surveillance powers

Damage to the UK economy

Expense

  • Internet service providers (ISP) have called into question the cost of implementing a key element of the Investigatory Powers Bill, the mandatory collection and retention of every citizen’s Internet Connection Records.
  • The Home Office has budgeted for £175 million but this is only intended to cover the initial up-front equipments costs, not the ongoing cost of running the system.
  • Matthew Hare, Chief Executive of ISP GigaClear said “the indiscriminate collection of mass data is going to have a massive cost
  • Asked about the feasibility of implementing a system of mass data collection, James Blessing, the chair of the Internet Service Providers’ Association (ISPA),  said ISPs would find it “very feasible – with an infinite budget”.

Human rights and international reputation

Sources

Amnesty International UK, Mass Surveillance by another name, 6 November 2015 (accessed 12 November 2015)

Ars Technica UK, Snooper’s Charter: UK gov’t can demand backdoors, give prison sentences for disclosing them, 6 November 2015 (accessed 12 November 2015)

BoingBoing, UK law will allow secret backdoor orders for software, imprison you for disclosing them, 10 November 2015 (accessed 12 November 2015)

Committee on Legal Affairs and Human Rights of the Parliamentary Assembly of the Council of Europe (PACE), Mass Surveillance Report, 26 January 2015 (accessed 12 November 2015)

EDRi, European Court overturns EU mass surveillance law, 8 April 2014 (accessed 12 November 2015)

IT Pro, Snooper’s Charter puts data at risk even with encryption, 4 November 2015 (accessed 13 November 2015)

Liberty, Investigatory Powers Bill: Spoiler Alert – this is terrifying, 4 November 2015 (accessed 12 November 2015

New Scientist, UK spying rules may drive criminals to use stronger encryption, 11 November 2015 (accessed 13 November 2015)

Schneier on Security, Data Mining for Terrorists, 9 March 2006 (accessed 12 November 2015)

The Guardian, Obama must finally end NSA phone record collection, says privacy board, 29 January 2015 (accessed 12 November 2015)

The Guardian, Broadband bills will have to increase to pay for snooper’s charter, MPs are warned, 11 November 2015 (accessed 12 November 2015)

The Telegraph, Apple’s Tim Cook declares the end of the PC and hints at new medical product, 10 November 2015 (accessed 12 Nov 2015)

To stop the Investigatory Powers Bill, campaigners will need to make a strong case for targeted, not mass surveillance

On Wednesday, after months of speculation and a flurry of off-the-record ministerial briefings and some pretty cringeworthy attempts at PR by GCHQ, the UK Government finally published its surveillance bill, which has been given the more innocuous title of the Investigatory Powers Bill.

The Guardian has produced a clear summary of the main points here. You can also check out BBC News for a less opinionated assessment.

Here’s a round-up (pun intended) of reaction to the Investigatory Powers Bill and how campaigners can  build a coalition to oppose the bill, but only if they take on the Government directly on the claims it makes on security and crime prevention.

An extended itemised phone bill or another step towards mass surveillance?

Not surprisingly, the Government’s assessment of the Investigatory Powers Bil was markedly different to that of privacy activists and human rights campaigners.

While Theresa May wants us  to  “try to think of the new powers [the requirement for all companies to keep a record of every citizen’s internet history for a year] as just an extended itemised phone bill”, Amnesty International UK were warning that the bill “would effectively legalise mass surveillance, which by definition inherently fails the test of proportionality required by international human rights laws that the UK government must adhere to.”

Liberty also performed strongly, promoting its 8 point Safe and Sound plan for targeted surveillance, which they say would keep us safe while respecting our privacy.

At Open Rights Group we punched above our weight, with Executive Director Jim Killock featured television and radio news programmes, including Radio 4’s World at One (jump to 15 min, 35 secs).

Where was Labour?

More surprisingly (and particularly disappointingly for me as a Labour member), there hasn’t been much evidence of the much talked-about ‘a new kind of politics’ from the Labour Party under Jeremy Corbyn. I cringed as I read Andy Burnham’s response to May’s proposals, wishing Labour had at least chosen to express caution and reserve judgement:

“From what the Home Secretary has said today, it is clear to me that she and the Government have listened carefully to the concerns that were expressed about the draft Bill that was presented in the last Parliament … It would help the future conduct of this important public debate if the House sent out the unified message today that this is neither a snooper’s charter, nor a plan for mass surveillance.”

After Burnham’s initial comments on the bill in the House of Commons, Labour has seemingly made no effort to communicate to the public its position on the Government’s plans for new surveillance powers. In echoes of Nineteen  Eight-Four, there is no comment whatsoever on Labour’s Twitter account of the Investigatory Powers Bill. Given the serious nature of the comments  by Amnesty and Liberty, it’s disappointing Labour doesn’t feel the need to engage on the issue, at least not in public view.

Presenting a detailed operational case for targeted, not mass surveillance

As a member and activist with the Open Rights Group, you’d expect me to be suspicious of the Government’s plans for surveillance and to be instinctively sympathetic to the arguments Amnesty and Liberty have made about the risks the Investigatory Powers Bill poses to our individual rights and civil society. But I am not so naive as to believe that a majority of the public share my outlook. I voted for Ed Miliband to become Labour leader, after all.

From talking  to friends, family  and strangers about the work of the Open Rights Group, I know how easily arguments about the need for security, mixed in with frightening examples of horrible criminal activities, more often than not crush appeals to protect privacy and other human rights. If campaigners such as myself are to convince others to oppose the Government’s plans, we need to go beyond principled appeals to protect human rights.

In particular, campaigners need to show that a ‘collect it all’ approach, which puts all of us under surveillance, is not just legally and morally unacceptable, it does not actually keep us any safer.

So far the only person I’ve seen take on this argument is Peter Ludlow, former Professor of Philosophy at Northwestern University in the United States. Here’s a clip of him refuting the effectiveness of the NSA’s bulk data collection / mass surveillance approach. While Ludlow is talking about the United States, surely it is possible to do something similar here in the UK?

This clip comes from the excellent documentary, Killswitch: The Battle to Control the Internet, which I highly recommend you support.

While Ludlow is a passionate speaker, it’s a shame he doesn’t back up his point of view with hard evidence, at least not on the documentary itself.

Fortunately, campaigners do have evidence which they can draw on to help them make the case for targeted and not blanket surveillance. Back in  2013, for example, The Guardian reported on a Senate hearing in the United States which suggested the NSA had been systematically overstating the effectiveness of bulk collection of metadata.

More recently, in January 2014, the United States Privacy and Civil Liberties Oversight Board (PCLOB – great acronym, by the way) ruled that that the bulk phone records collection had not stopped terrorist attacks and had “limited value” in combatting terrorism more broadly. The board also ruled the programme as illegal but, as an unnamed ministerial source said to The Sun last week, “It would be totally irresponsible of government to allow the legal system to dictate to us on matters as important as terrorism. (link goes to The Register, not The Sun)”.

While David Anderson, in his review of the UK’s existing investigatory powers, accepted the case for continued bulk data collection, he did at least say the Government would need to set out a ” detailed operational case” before any new surveillance powers could be introduced.

Given the lack of strong political opposition to the Government’s plans, coupled with the public’s valid concerns over security, it would be foolish to think at least a plausible will not be presented. If campaigners here in the UK are to successfully oppose the bill, they must take a similar approach and try, as far as possible, to present a detailed case for the kind of system Liberty presents in its Safe and Sound plan.

3 Reasons why you should be worried about the Investigatory Powers Bill

Last Wednesday I arranged for Jim Killock, Executive Director of the Open Rights Group, to give a talk to Open Rights Group Birmingham about the threat mass surveillance poses to our human rights and democratic society.

I was spurred on to organise the talk because of the UK government’s plans to introduce new surveillance legislation this autumn, known as the Investigatory Powers Bill, which will (amongst other things) give the government legal power to collect, analyse and retain in a gigantic database for 12 months everyone’s electronic communications interactions (phone, email, web history, text and WhatsApp messages, etc) regardless of whether you are suspected of committing a crime.

The surveillance debate – even boring by  C-SPAN standards?

Photo of old mattress left out on the street. Photo by colleen_elizabeth
Bulk data collection or bulk waste collection. Remind me what’s the difference again? Photo by colleen_elizabeth

Cleverly, the government has managed to couch the surveillance debate in language that is, to quote Jon Oliver, “even boring by C-Spann standards”. Talk of bulk data collection is more likely to evoke a service your local council might offer to help you get rid of an old mattress than a scene from The Lives of Others. And even if you can get your head around the opaque language being used, most of the attention in the debate focuses on the (rightly) emotive issues of terrorism and serious crime, leaving little time to consider the effect mass surveillance has on innocent citizens and the health of our democratic society.

In the interests of balancing out the surveillance debate ,  I’d like to borrow liberally from Jim’s talk to share with you 3 reasons why you should be worried about the government’s plans, especially if you think the Investigatory Powers Bill won’t affect you.

1. Mass surveillance undermines democratic accountability

An aerial image of the Government Communications Headquarters (GCHQ) in Cheltenham, Gloucestershire. Photographer: GCHQ/Crown Copyright
Aerial photograph of the Government Communications Headquarters (GCHQ) in Cheltenham, Gloucestershire. Are MPs in a position to hold GCHQ to account if they didn’t even know their communications were being eavesdropped? Photographer: GCHQ/Crown Copyright

Up until last week, MPs and members of the House of Lords believed their communications were protected by the so-called ‘Wilson Doctrine’ and so were not subject to the same eavesdropping as the rest of the general population.

Last week, the Investigatory Powers Tribunal announced these assurances had been:

“a political statement in a political context, encompassing the ambiguity that is sometimes to be found in political statements”

Furthermore, even if the statements of protection had been given in good faith, it is not technically possible to offer these assurances in an era of bulk data collection of the entire population’s electronic communications.

The tribunal’s ruling has, predictably, led to much soul searching by politicians of all stripes, with Labour’s Chris Bryant even managing to secure an emergency debate on the issue on Monday.

For me, the confusion caused by the ruling reveals the extent to which the surveillance agenda has managed to circumvent conventional democratic accountability.

Essentially, all of us, including the vast majority of elected politicians, are told to trust the authorities who tell us mass surveillance is necessary to protect national security and not to ask too many questions.

In this culture of secrecy, asking questions is deemed to be undermining the effectiveness of the authorities’ work and giving tacit cover or support for terrorists. Consequently, it becomes impossible to have an open, democratic debate about how we best go about balancing the security needs of our country with respect for our human rights.

We should be extremely wary of allowing the Investigatory Powers Bill to pass without having an open and democratic debate about the kind of country we want to live in and where the balance lies between the powers of the state and the rights of individual citizens.

2. The Investigatory Powers Bill will undermine the free press and civil society

3 police officers guarding Downing Street. Photo: Egghead06
3 police officers guarding Downing Street. Should the police have used surveillance legislation intended for anti-terrorism work to investigate the Plebgate scandal? Photo: Egghead06

While you may feel you don’t have much to worry about in terms of the authorities accessing your records, there are and will always be people who do need privacy protection.

Journalists need privacy protection. Imagine, for example, you are a journalist and you have received a tip off about Police wrongdoing. Would you be brave enough to investigate the allegation if you thought your communications could be accessed by the very same organisation?

This is precisely what happened in the case of the Plebgate scandal.The Metropolitan Police were able to use existing surveillance legislation known as Ripa, which was intended to be used in terrorism cases, to access the mobile phone records of The Sun’s political editor without first getting a warrant. By doing so, they were able to discover which officers inside the police had been talking to the journalist and take disciplinary action against them.

Whatever you think of The Sun and Rupert Murdoch’s News International operations, I hope you’ll agree that it’s not right that the UK’s surveillance legislation can be used to hamper the media. If that is what is possible under today’s legislation, we should think carefully before expanding the amount of data authorities can gather on all of us.

Even if you think that journalists by virtue of the job they do are fair game for the authorities, their sources still need to be protected. The Investigatory Powers Bill, by expanding data collection and giving the police and other authorities more rights of access, will make normal, everyday people more reluctant to come forward and report wrongdoing.

3. Mass surveillance is a golden opportunity for criminals

Illustration of a thief running away with a bag containing 0s and 1s of data. Photo: Perspecsys Photos
Will increased personal data collection and weakened encryption create more opportunities for criminals? Photo: Perspecsys Photos

Even if you are personally comfortable with the idea of the government passing more surveillance legislation without proper democratic debate and don’t care all that much about the rights of journalists and whistleblowers, chances are you wouldn’t be too keen about criminals getting hold of your personal information.

By obliging Internet Service Providers and other communications companies to collect greater amounts of personal data and store it for longer periods of time, the government risks creating more tempting opportunities for criminals to steal our data and use it to facilitate a range of crimes.

As well as increasing the total amount of personal information for criminals to target, government efforts to weaken encryption will make it easier for criminals to break into that data. While the government may wish to believe it can demand a special key or ‘backdoor’ to unlock encrypted that only it can use, the reality is criminals will discover this vulnerability and, in so doing, undermine the encryption that not only protects our privacy but is essential for online banking and secure e-commerce payments.