Let’s talk about surveillance, and in particular the new Investigatory Powers Bill promoted by the Home Secretary, and which seems destined to become law in due course.
Time was snooping was a very different process. Homes were bugged, phones were bugged easily in the days when BT was nationalised and copper wire meant the telecoms industry would do whatever the spooks wanted. Anyone wanting to discuss anything confidential did so in a very open space so nobody could be listening in, but anyone who remembers Coppola‘s fine film The Conversation will tell you the buggers could trap you even there with triangulated telescopic microphones.
But then came mobile phones and the Internet, and rules changed – and so did the powers to enable snooping. It has been a running battle ever since as the technology moved on and our intelligence community and police force struggled to keep up with it. Ever wonder why we now have itemised phone bills, where at one time all were lumped in together?
Equally, the defence against intrusions to our private lives have been strong, since the instinct of British citizens is to prevent “Big Brother” from listening in and recording our every activity and proclivity on the grounds that it is none of their business – unless and until we have done something wrong. The thought that we may be snooped upon without our knowledge, as secret services kept a file on each and every one of us is the stuff of dystopian nightmares, with Orwell‘s Nineteen Eighty Four our vision of the bottom of the slippery slope.
The whole point about intelligence is to gather information to prevent, for example, terrorist attacks, but in the course of doing so some groups of people can be exposed and put in danger. Investigatory journalists and whistleblowers must protect their sources, and if they can’t there are appalling truths that may never surface. The point about secret services are that they are secret, so the public interest is defined in a very different way from those who would expose wrongdoing in the public domain.
Remember Ed Snowden? By leaking many documents he exposed many illegal activities conducted by GCHQ, an organisation supposedly subject to parliamentary scrutiny. A common security database was voted down in Parliament, yet Snowden told us it happened anyway. Who do you trust the most?=
In that context, Theresa May‘s bill makes legal many of the practices Snowden pointed out were previously being conducted illegally, and gives a whole host of new powers to police and intelligence communities. It’s not merely a case that they will be able to access more sources of information in new ways, but once the bill is passed they will have the power to interfere with equipment and secretly compel assistance in ways that once you would have thought the stuff of science fiction – and that includes the ability to demand the breaking of end-to-end encryption, which you will recall was the subject of a heated debate between Apple and the FBI.
Maybe the powers will be used wisely, but there are some viable circumstances that few will realise are possible. Here are a few scenarios to consider:
- From the 1980s GCHQ had call detail records, and from the 90s mobile data, including location, call data and SMS traffic. The new bill allows them to demand “snowball searches” which take in far more than an individual caller. For example, all people calling or texting or using other messenger services at location A and B, who sent Gmail to whom, and when.
- Not just “show me the websites visited by these two bad people,” but “show me everybody else who visited them.”
- Targeted surveillance is better than bulk surveillance – even Snowden agrees on that – but legalised hacking will potentially include the ability to force the download of malware to enable devices to be bugged. In the US, John Gotti’s car microphone – and even his granddaughter’s Barbie doll – were hacked; the new bill means the rights to do hack will include all these and more.
- Designated people can ask companies for anything. If the Chief Constable of Liverpool believes there is too much gun crime in his city, he could hypothetically request Google to download malware to all Android phones in the city.
- The use of “secret technical capability notice” means no UK company could be trusted in future. How do you know any company has not handed the government a golden key and been forced to keep quiet about it?
- Will the same rights be extended to individuals? Could the state compel me to damage my neighbour’s things or trespass on his property?
- Could a company request surveillance of an individual employee who might become a whistleblower by claiming they are a security threat?
- Our rights under the Data Protection Act and as protected by the Information Commissioner are subservient to the Investigatory Powers Act, if it becomes law – which means our rights can be waived if there is deemed to be a valid justification, or even not if we are captured within a wider search and happen to be caught in the net.
- Worst of all, the stuff of fiction: how can we know whether the ownership of these rights is not in the power of a dark and malevolent force? How do we know who might be harmed by our data?
- You wonder if the next stage will be a Kafkaesque justice system in which evidence gathered in these ways is held in camera so the data sources or those responsible are not revealed.
This is not a debate to be taken lightly, though whether it is the “snooper’s charter” we fear remains to be seen. The bill comfortably passed its first reading, but Shadow Home Secretary Andy Burnham raised six areas of concern:
- “Presumption of privacy” – in spite of Mrs May’s insistence that privacy is “hard wired into the bill.”
- Specific powers to view Internet Connection Records (ICRs) – and a closer definition of “national security” to justify the pursuit of the records of an individual.
- Closer definition of ICRs, which the bill perhaps deliberately kept vague to allow for changes in technology.
- Bulk powers – “it is for the government to convince the public that these powers are needed.”
- Judicial oversight: further improvements to ensure the requests merit data retrieval.
- Misuse of powers and the need for a specific criminal offences to protect against misuse.
As has been widely reported, some sections of the bill attract particular concern. Section 71 demands web and phone companies to store records of websites visited by every citizen for 12 months for access by the police, security services and other public bodies; in other words, your domain browsing history, thought not necessarily the specific actions you took on each site – and which would override the “private browsing” option. In the new world, your actions would be there for scrutiny, and you would have no way of knowing whether or not they were being scrutinised and for what reason.
Where do the powers outweigh the risk posed, and what would be the response of those whose livelihoods depend on not being exposed? Journalists will probably return to the methods of yore, meeting sources in public places and retaining no data on phones or computers. Worse still, Apple says stripping back encryption will aid criminals who can exploit poor security. Is that a price worth paying?
The cliche often applied in these circumstances is that we are “sleepwalking into a police state,” though we have clearly moved well beyond the other cliche – “if I’ve done nothing wrong, I’ve got nothing to fear.” Can you be sure of that? If this is a fine balancing act, will privacy die with it? You could argue that if we lose our privacy and freedoms, the terrorists have won.
I’m reminded of a former CIA director, Richard Helms, who famously said, “we are honourable men, you simply have to trust us.”