Thursday, February 11, 2016

Scenes of Reason: The Haystack

A group of  young journalists have taken on the admirable task of trying to explain issues relating to government surveillance of digital communications and the Investigatory Powers Bill to a young audience. They are making a crowd funded documentary on the subject.

Trailer:



Why? From their website:
"We’re young journalists, and our audience is young and digitally led. We therefore have a responsibility to report exactly what this proposed Bill means for us as avid technology users and break down the associated technical jargon. Do we have anything to worry about? Is this really just about catching terrorists?

So the Scenes of Reason team, four young women in their twenties working both in front of and behind the camera would like to introduce you to the THE HAYSTACK. With exclusive access to some of the most high-profile players in the surveillance space, we have and will continue to investigate the workings of intelligence agencies in the wake of the Snowden revelations, and in the midst of debate on the groundbreaking Investigatory Powers Bill.

Read more at:https://www.byline.com/project/42"
What a terrific initiative.

Best of luck to the Scenes of Reason team and thanks to their political editor, Bobbie Mills, for alerting me to the project.

Wednesday, February 03, 2016

Response from Nicola Blackwood on Investigatory Powers Bill

I sent Nicola Blackwood MP, Chair of the Commons Science and Technology Committee, a copy of my submission to the Draft Investigatory Powers Bill Joint Committee.

I received her response this morning -
"Dear Ray,

Thank you for contacting me about the Investigatory Powers Bill and for attaching your submission to the Joint Committee. Please accept my apologies for the delay in my response, which is due to the high volume of correspondence I’ve received in recent weeks.

You raise some interesting points which will most certainly be considered by the Joint Committee. I look forward to hearing their response in due course. I have consistently said that it is absolutely essential that powers to monitor communications are confined to what is entirely necessary and proportionate to protect our national security. Accountability is a key factor in this respect.

As you mention, the Science and Technology Committee has been conducting an inquiry into the technology aspects of the Draft Investigatory Powers Bill. It is clear that new tools are needed to fight terrorism and crime in the twenty-first century, but the potential impact that the draft Bill will have on our communication sector must be carefully scrutinised. Our inquiry, exploring the technological implications of the new powers proposed by the Home Secretary, and their consequences for privacy and data security, is vital to ensure we have robust mechanisms and safeguards in place. We will be publishing our report in the coming weeks.

More broadly, there have been three independent reviews of investigatory powers: by David Anderson, the Intelligence and Security Committee of Parliament, and the Royal United Services Institute (RUSI). All have agreed that agencies should have the power to acquire and use data in bulk. The Home Secretary has also emphasised that the Investigatory Powers Bill will not mean that security services have full access to look through an individual’s browsing content, but rather would be able to access the domains that have been visited i.e. bbc.co.uk but not the page itself. The broad range of evidence the Committee has received from differing areas of industry has highlighted the issues we face with this Bill, including definitions of ‘communications data’ (which you mention) and Internet Connection Records (ICRs), which could be seen to make it difficult to assess which data could fall into these categories. It is of course vital that we analyse this and assess whether access requirements and safeguards are appropriate.

I have received assurances from ministers that access to the data itself will be tightly controlled. The Home Secretary has announced that there will be a ‘double-lock’ authorisation process, meaning that warrants for the most intrusive powers available to the agencies (such as the interpretation of communications) will be subject to approval by a judge as well as by the Secretary of State. My Committee is due to publish our report shortly. You can see the evidence we have received to date, and the report will be published online, via our website.

Thank you again for taking the time to contact me and I hope my response has been useful. I would encourage you to read our report when it is published, and I will also be following the Joint Committee’s progress very closely. Please don’t hesitate to get in touch if you have any further questions.

Kindest regards,
Nicola

Nicola Blackwood MP
Member of Parliament for Oxford West and Abingdon"
The Science & Technology Committee has, in recent days, published its report, Investigatory Powers Bill: technology issues. The report raises concerns about broad and vague definitions in the Bill and the potential impact on industry. From the conclusions and recommendations -
"1.While we are encouraged to learn of the Government’s ongoing engagement with the internet industry, there seems still to be confusion about the extent to which ‘internet connection records’ will have to be collected. This in turn is causing concerns about what the new measures will mean for business plans, costs and competitiveness...
2.The Government, in seeking to future-proof the proposed legislation, has produced definitions of internet connection records and other terms which have led to significant confusion on the part of communications service providers and others. Terms such as “telecommunications service”, “relevant communications data”, “communications content”, “equipment interference”, “technical feasibility” and “reasonably practicable” need to be clarified as a matter of urgency. The Government should review the draft Bill to ensure that the obligations it is creating on industry are both clear and proportionate. Furthermore, the proposed draft Codes of Practice should include the helpful, detailed examples that the Home Office have provided to us. (Paragraph 31)...
6.As ever, the fight against serious crime should be appropriately balanced with the requirement to protect and promote the UK’scommercial competitiveness. We believe the industry case regarding public fear about ‘equipment interference’ is well founded. The Investigatory Powers Commissioner should carefully monitor public reaction to this power and the Government should stand ready to refine its approach to ‘equipment interference’ if these fears are realised. Taking into account security considerations, the Investigatory Powers Commissioner should report to the public on the extent to which such measures are used. (Paragraph 51) ...
7.Given the speed with which this legislation must be in force, the Government must work with industry to improve estimates of all of thecompliance costs associated with the measures in the draft Bill, for meeting ICR-related and other obligations, as a matter of urgency. Should the measures in the draft Bill come into force, it will be important for Parliament to have access to information on actual costs incurred in order to assess the proportionality and economic impact of the investigatory powers regime and its effectiveness. (Paragraph 65)
8.Larger CSPs may be able to take some assurance from the Government’s commitment to meet their “reasonable” costs and avoid putting any affected businesses “at commercial disadvantage”. However, smaller CSPs may not be certain that they will be served with a notice tocollect ICRs and, if they do have to, whether their costs will in fact meet the Government’s ‘reasonable costs’ criteria for reimbursement. The Government should reconsider its reluctance for including in the Bill an explicit commitment that Government will pay the full costs incurred by compliance. (Paragraph 66)"

Tuesday, January 19, 2016

Thoughts on Eric King interview with Bill Binney & SIA bureaucracies

Eric King, Director of Don't Spy on Us and Deputy Director of Privacy International, recently interviewed former Technical Director at the NSA, Bill Binney, following the latter's testimony before the Joint Committee on the Draft Investigatory Powers Bill.

The interview is available in 3 parts on YouTube and embedded below.







Binney is very clear in his belief that mass surveillance costs lives. He is also clear on the need for targeted, judicially supervised, necessary and proportionate surveillance.

The thing that strikes you about Binney and other life long intelligence careerists turned whistleblowers like Thomas Drake, is the absolute commitment they had to their craft, preserving, protecting and defending the US Constitution. Binney spent over 30 years with the NSA. Drake had a long career in military intelligence, the CIA, private contractor intelligence and finally the NSA.

Now there are discussions to be had about the activities, efficacy and adherence to constitutional, ethical and/or other nominal constraints of their respective employers during their careers. Both men, however, believed themselves to be working for institutions concerned fundamentally with operating within and protecting the Constitution.

We know that large organisations are subject to regime change. Regime change can and repeatedly does put even the core structural principles and values of any institution in jeopardy. Institutional memory fades and anything can be sacrificed to the agenda of the realpolitik of the new crew at top table.

Binney and Drake will have seen many internal organisational regime changes during their lives. They absorbed the associated slings and arrows and, it seems, for most of that period maintained the capacity to do their jobs to their own satisfaction. Around the turn of the century, though and after the 9/11 attacks, that changed. Both consider the power brokers within the NSA and other agencies took advantage of the times to throw off any and all historic constitutional leashes and committed their agencies wholesale to mass surveillance.

Admiral Poindexter, as the Director of the Defense Advanced Research Projects Agency (DARPA) Information Awareness Office (IAO), brought his Total Information Awareness programme to Congress where even the congress-critters eventually rejected it. Yet the intelligence agencies went ahead and essentially built and operated the infrastructure of mass surveillance in secret anyway.

When the NSA, both considered, ditched the Constitution and engaged in waste, fraud and crime on an industrial scale, to a degree neither could stomach any longer, Binney retired in 2001 and Drake resigned in 2008. Drake went on record in 2011 to suggest the agencies' activities had outstripped the criminality of former president Richard Nixon.  Both were subsequently pursued by federal authorities with criminal investigations relating to their whistleblowing. Binney wasn't charged but Drake faced a long stretch in prison before all the serious charges against him were finally dropped in 2011.

When asked why the agencies and the UK's GCHQ insist that bulk collection of communications data is so essential to their operations, Binney has a simple answer - power, control and money. Eric King puts to him that the military industrial complex is perhaps not so well established in the UK as the US, so it seems reasonable to ask why GCHQ would be so insistent about the importance of their continuance of bulk communications data collection and retention for target development.

Without bulk collection, the argument goes, they can't find new threats. Binney insists this is "absolutely false." They never start with an empty slate. If they take a targeted approach instead, they can define rules of association round social networks and associated zones of suspicion.

General Alexander of the NSA said we want to "collect it all". So he commits the agencies to gathering more and more data every year and therefore the government to the non-audited and unlimited ongoing funding of same. It means an ever increasing budget for any agency involved in such activities, including for GCHQ. So that, asserts Binney, is their motive for mass surveillance.

It's hard to believe any ethical institution would behave in a way - e.g. using mass instead of targeted surveillance - that jeopardises its core functions - e.g. preventing terrorist attacks - and instead devote its energies to protecting and growing the institution.

Yet you don't need to be an expert in management or organisational behaviour, in the writings of Geoffrey Vickers, Russell Ackoff or other systems experts, to know that this is exactly how both public and private sector bureaucracies do behave.

The driving forces in the DNA of every bureaucracy are the twin desires for survival and growth.

When you divide complex, deeply interconnected and interdependent public service systems up into competing quasi-autonomous silos - some bigger and more glamorous than others - and then instruct the leaders of those silos they will be evaluated on the basis of single figure simplistic targets or metrics - e.g. A&E waiting times or police response times - you cannot be surprised when the silos focus on those metrics at the expense of everything else; including the effective operation of the individual silo.

Some bureaucracies are prepared to shrink temporarily if that's what it takes to survive. An IT department, under scrutiny, can cut a third of its employees, thereby cutting nominal costs. But if simultaneously cuts 90% of the services it used to provide to the institution and declines to deal with complex problems because they undermine their "success rate", then the rest of the institution suffers. The IT department might "fix" most of the 10% of simple problems they are prepared to deal with, apparently faster and cheaper than ever before, but the real costs are absorbed by everyone else.

The intelligence agencies are a special kind of bureaucracy, not subject to the same level of scrutiny as other government agencies; and sometimes with a shared interest, with political overseers, in expanding the perceived level of threat. Home Secretaries don't get headlines by claiming all is calm, all is bright. And intelligence agencies don't get money for SIGINT, HUMINT and other activities, effective or not, by reporting we live in the safest era in the history of the west.

There is a lot of political kudos and media exposure to be gained from spreading fear and declaring toughness in the face of it. There is a lot of political kudos in being seen to be "doing something" involving spending a lot of money on security services. It would be naive to think that senior career bureaucrats in the security and intelligence agencies would not be inclined to take advantage of that psychology.

Time and again in the wake of terrorist attacks since and including 9/11, Madrid, 7/7, the murder of Lee Rigby and attacks in Paris last year, we learn of intelligence failures relating to known suspects getting lost in the morass of data and limited front line resources of the agencies. Time and again the "answer" is more extensive powers and more expansive investment in more mass communications surveillance. As Binney says, the agencies have been engaged in mass surveillance since 9/11 and it doesn't work.

In the case of GCHQ, I'm not sure I entirely accept his critique of their motivation being all about power, control and money. But I can see how they would be caught in the perennial affliction of bureaucracies through the ages, relating to survival and growth.

The current Home Secretary is absolutely determined to get the Investigatory Powers Bill on the statute books, thereby codifying most of the SIAs' ongoing communications surveillance activities into law. It would, therefore, be uncharacteristically remiss of the suits in the agencies not to take advantage of the prevailing political winds, to maximise their current and future survival and growth capital. Whether the Investigatory Powers Act, as it will become, will enhance their capability to counter threats to national security is another question entirely, one Mr Binney would presumably answer in the negative.

It does beg the further question, though, what is a 20, 30 or more years career veteran of a hugely valued public service institution to do, when said institution rejects and ejects the fundamental values and principles which underpinned its operations from inception?

Binney and Drake resigned and went public, at significant personal cost. Martin Luther King Jr might have approved, as he noted -
"Our lives begin to end the day we become silent about things that matter"
So, whether you stay and fight for what's important, lay low until you can tap the next regime change for a re-establishment of the foundational values (though when bad institutional behaviour becomes normalised it is notoriously difficult to change) or accept the institution is irrevocably damaged and depart for more productive shores, don't be silent.

Friday, January 08, 2016

Scrambling for Safety 2016 remembering Caspar

Scrambling for Safety 2016 was organised at short shrift by Ross Anderson and Julian Huppert in response to the government's publication of the draft Investigatory Powers Bill. The conference took place yesterday and a livestream is available. Embedded copy below.


There were some lovely tributes to the wonderful Caspar Bowden.


I just hope this deeply principled, tenacious, generous, determined, passionate, inspirational, brilliant, warm-hearted, thoroughly decent, kind and knowledgeable gentleman - a real force of nature - had some inkling of how widely respected and appreciated he was by people from all corners of his universe, allies, combatants and observers alike.

Evidence to Joint Committee on Investigatory Powers Bill

The Joint Committee on the Investigatory Powers Bill yesterday published all of the written evidence it received. Over 120 submissions were received, in spite of the incredibly tight timetable. My evidence is available on the website and, as promised, I include a copy below. Apologies for the occasional typographical errors.

Strangely, my opening note about working for The Open University but submitting the evidence in a personal capacity got truncated from the version the committee published.
To the members of the Draft Investigatory Powers Bill Joint Committee,

Thank you for the opportunity to make a submission to your inquiry the Draft Investigatory Powers Bill.

My name is Ray Corrigan. I’m a Senior Lecturer in the Maths, Computing & Technology Faculty of The Open University, though I write to you in a personal capacity.

Summary

The Joint Committee is being required to analyse the long and complex Draft Investigatory Powers Bill in an unreasonably short timescale.

This submission to your inquiry is divided into 6 sections covering:

·         Bulk collection & retention of personal data by computers
·         Privacy
·         Legality of bulk collection and retention
·         ICRs and relevant communications data
·         The base rate fallacy and the lack of efficacy of bulk data collection
·         Complex system security and equipment interference

The first section challenges a fundamental misunderstanding – the idea that collecting and retaining bulk personal data is acceptable as long as most of the data is only “seen” by computers and not human beings. This is a line that has been promoted by successive governments for some years and seems to be widely accepted. Yet it is seriously flawed.

Next I suggest a simplified version of US scholar Daniel Solove’s model of privacy, to help provide a framework for thinking about information and data processing, in the context of communications surveillance.

Then the April 2014 European Court of Justice Digital Rights Ireland decision, invalidating the Data Retention Directive, is reviewed. Viewed carefully, the decision could be considered an aid to framing surveillance legislation. The draft Investigatory Powers Bill in its current form would be unlikely to meet the tests, laid down in the case, regarding compatibility with privacy and data protection rights, guaranteed by articles 7 and 8 of the EU Charter of Fundamental Rights.

The fourth section examines the tangled web of “internet connection records” and “relevant communications data”. Technology law expert, Graham Smith, has identified and mapped 14 different interlinked definitions in the Bill that are connected to “relevant communications data”. It is difficult to see how the bulk retention of data under the broad and dynamic scope of “relevant communications data” or “internet connection records” could meet the tests of necessity or proportionality laid down in the Digital Rights Ireland case.

The penultimate section looks at the base rate fallacy, a statistical concept that policy makers must familiarise themselves with if intending to approve the indiscriminate bulk collection, retention and processing of personal data. Finding a terrorist is a needle in a haystack problem. You don’t make it easier to find him/her by throwing industrial scale levels of the personal data, of mostly innocent people, on your data haystack. Section 150 of the Bill, Bulk personal datasets: interpretation, states “the majority of the individuals are not, and are unlikely to become, of interest to the intelligence service in the exercise of its functions”. Explicit recognition innocent people would be subject to indiscriminate surveillance under proposed powers.

The final section discusses security in general and the inadvisability of giving government agencies the powers to engage in bulk hacking of the internet. It is advocated that targeted surveillance practices are more effective than mass surveillance approaches and recommended that Part 6, Chapter 3 of the draft Bill be removed in its entirety.

I conclude with an appeal to frame surveillance laws within the rule of law, rather than attempting to shape the law to accommodate expansive, costly, ineffective and damaging population-wide surveillance practices. 
Bulk collection & retention of personal data by computers

1.       To begin I would just like to note that it is a mammoth task to expect parliamentarians to analyse this long and complex Bill in the short timescale you have been given.

2.        I would also like to tackle a fundamental misunderstanding at large in Westminster – the idea that collecting and retaining bulk personal data is acceptable as long as most of the data is only “seen” by computers and not human beings; and it will only be looked at by persons with the requisite authority if it is considered necessary.  This is a line that has been promoted by successive governments for some years and seems to be widely accepted. Yet it is seriously flawed.

3.       The logical extension of such an argument is that we should place multiple sophisticated electronic audio, video and data acquisition recording devices in every corner of every inhabited or potentially inhabited space; thereby assembling data mountains capable of being mined to extract detailed digital dossiers on the intimate personal lives of the entire population. They won’t be viewed by real people unless it becomes considered necessary.

4.       Indeed with computers and tablets in many rooms in many homes, consumer health and fitness monitoring devices, interactive Barbie dolls, fridges, cars and the internet of things lining up every conceivable physical object or service to be tagged with internet connectivity, we may not be too far away from such a world already.[1]

5.       The Home Office, on 16 December 2015, rejected a freedom of information request[2] asking for the “metadata of all emails sent to and from the Home Secretary for the period 1st January 2015 - 31st January 2015 inclusive.” They rejected the request on the grounds that the request “is vexatious because it places an unreasonable burden on the department, because it has adopted a scattergun approach and seems solely designed for the purpose of ‘fishing’ for information without any idea of what might be revealed.”

6.       Yet the same Home Office considers it acceptable to have powers, in the Investigatory Powers Bill, to engage in bulk data collection, retention and equipment interference, to assemble information about every member of the population, in the hope of conducting contemporaneous and/or post hoc ‘fishing’ activities to look for evidence of misbehaviour.

7.       I would contend that this approach is unnecessary, disproportionate and incompatible with the rule of law. It is additionally very costly and technically, mathematically and operationally ineffective. If all that was not bad enough, it risks undermining the security of our already frail and insecure communications infrastructure.


Privacy

8.       Individual and collective privacy underpins a healthy society but privacy is hard to define. We understand the conceptual protection of a person’s home being their castle and what is behind closed doors being private. But privacy was the default state in the pre-internet world and we didn’t think too hard about its subtleties.  With mass personal data processing, however, we need a better understanding of privacy. US scholar Daniel Solove has helpfully characterised privacy as a collection of problems.[3] Privacy harm, Solove argues, is triggered by –

·         Information collection
·         Information processing
·         Information dissemination/sharing
·         Privacy invasion and erosion

9.       We now teach a simplified model of Solove’s taxonomy to our 3rd level information systems students at The Open University a visual depiction of which I include below.


10.    One of the key issues clarified by Solove’s model is that the initial privacy harm originates at the point of collection of personal data, whether that collection is done by a computer, other device or a person. In the context of investigatory powers it can be helpful to ask whether the specifics under consideration relate to information collection (& retention), information processing, information dissemination or privacy invasion. Whichever of these processes are at issue their collective effect is the stripping bear of the digital persona of anyone who comes into contact with devices connected to the internet.

11.    Information collection is the surveillance done by commerce, governments and other agents, such as criminal gangs. Solove suggests it also covers the interrogation of the information collected.

12.    Commerce, governments and others are involved in information processing – the storage, use (or misuse), analysis and aggregation of lots of data, secondary use of data, the exclusion of the data subject from knowledge of how information about them is being used and exclusion from being able to correct errors. Solove expresses particularly concern about bureaucracy. Surveillance bureaucracy makes life-changing decisions based on secret information, while denying the subject/s of the data the ability to inform, see or challenge the information used. The privacy problem here is all about information. The privacy harms are bureaucratic – powerlessness for the subject, indifference to them, error, lack of transparency and accountability.

13.    On that front, when giant data mountains are conveniently sitting around, there is not a safeguard in existence that will prevent (possibly even well-intentioned) future incarnations of a bureaucracy from tapping that data for secondary uses not originally envisaged by those behind the IP Bill. A related case in point is the expansive interpretation of s7(4) of the Intelligence Services Act 1994 and the Equipment Interference Code of Practice 2015 to justify the equipment interference activities currently undertaken by the security and intelligence services (SIS). Provisions for equipment interference and bulk equipment interference included in part 5 and 6 of the IP Bill present serious economic wellbeing and security risks.

14.    Information dissemination – Data viewed out of context can paint a distorted picture. The novelist researching criminal behaviour might be flagged for buying too many of the wrong kinds of books from an online bookshop. In the UK collection of information ‘of a kind likely to be useful to a person committing or preparing an act of terrorism’ is a criminal offence, under Section 58 of the Terrorism Act 2000. We might expect an analyst to recognise a known novelist but processing purely by algorithm may lead to distortion and faulty inference. We also get dissemination through leaking and misappropriation through stealing of personal information, which can lead to exposure to identity theft, fraud, blackmail, and further distortion.

15.    Privacy invasion is about the information activities and their aggregation mentioned above but also amounts to intrusion into the personal sphere. Overt surveillance, direct interrogation, junk mail, unsolicited phone calls are all disruptive intrusions and cause harm. But there can be a decision making element to this intrusion too. For example someone may be reluctant to consult a doctor if current plans on the sharing of health data through the ill-considered care.data scheme progress further. Innocents may be inhibited from using the internet if they feel under constant surveillance.

16.    Whether or not mass indiscriminate personal data collection and retention is only “seen” by computers it remains mass indiscriminate personal data collection and retention, repeatedly found unlawful by the Court of Justice of the European Union [Digital Rights Ireland, 2014; Schrems 2015], the European Court of Human Rights [Zakharov, 2015] and multiple high courts including Romania (2009), Germany (2010), Bulgaria (2010), the Czech Republic (2011) and Cyprus (2011). Mass indiscriminate personal data collection and retention has been variously described by these courts as unconstitutional and/or a disproportionate unjustified interference with the fundamental right to privacy, free speech and confidentiality of communications.

Legality of bulk collection and retention

17.    On 8 April2014 the Grand Chamber of the European Court of Justice, (ECJ) in joined cases C-293/12 and C-594/12, issued a landmark decision declaring the 2006 data retention directive invalid. The Grand Chamber of the Court effectively condemned pre-emptive, suspicionless, bulk collection and retention of personal data and consequent "interference with the fundamental rights of practically the entire European population". The Paragraph 37 of the judgment noted the interference with articles 7 (data protection) and 8 (privacy) of the EU Charter of Fundamental Rights caused by mass data retention “must be considered to be particularly serious.”

18.    Paragraph 58 of the decision criticises the mass surveillance of innocent people not remotely connected to serious crime. Then in recognition of the need for targeted rather than mass surveillance the Court states:

"59.  Moreover, whilst seeking to contribute to the fight against serious crime, Directive 2006/24 does not require any relationship between the data whose retention is provided for and a threat to public security and, in particular, it is not restricted to a retention in relation (i) to data pertaining to a particular time period and/or a particular geographical zone and/or to a circle of particular persons likely to be involved, in one way or another, in a serious crime, or (ii) to persons who could, for other reasons, contribute, by the retention of their data, to the prevention, detection or prosecution of serious offences."

So the Court considers it unnecessary and disproportionate to engage in bulk collection of innocent communications in order to find serious criminals.

19.    Finding a terrorist or serious criminal is a needle in a haystack problem – you can’t find the needle by throwing infinitely more needle-less electronic hay on the stack.  Law enforcement, intelligence and security services need to use modern digital technologies intelligently in their work and through targeted data preservation regimes – not the mass indiscriminate data collection, retention and equipment interference proposed in the Investigatory Powers Bill – engage in technological surveillance of individuals about whom they have reasonable cause to harbour suspicion. That is not, however, the same as building an infrastructure of mass surveillance or facilitating the same through the legal architecture proposed in the Bill.

20.    The ECJ follows up this mass surveillance critique with a clear declaration in paragraph 60 that the data retention directive had no limits on access to and use of retained data to the purpose of fighting serious crime and no criteria for determining such limits. Paragraphs 60 to 68 could be read as a lesson on how to write a data retention law in a way that might be acceptable to the Court. The data retention directive declared invalid by the Court did not –

·         include procedures on determining access to data or its use or even limiting these to crime fighting
·         limit the number of people with access to the retained data to those strictly necessary
·         subject access to the data to the prior review or oversight of a court, in order to limit access to that which is strictly necessary
·         oblige member states to set down such procedures.
·         make any distinction between categories of data
·         attempt to justify the arbitrary period of retention chosen of between 6 months and 2 years
·         lay down clear and precise rules governing the extent of the interference with the fundamental rights to privacy and data protection
·         provide for sufficient safeguards to ensure effective protection of the data retained against the risk of abuse
·         provide for sufficient safeguards to ensure against any unlawful access and use of that data
·         specify a high enough data security threshold
·         require the irreversible destruction of data at the end of the retention period
·         require data to be retained within the borders of the EU
·         ensure control of data protection and access to the retained data by independent authority

21.    Big and complex as the Investigatory Powers Bill is, it too falls at many of these hurdles in relation to the bulk data collection and retention powers proposed. IT fundamentally fails to take into account data protection principles, in particular data minimisation.[4] Not only does the IP Bill eschew data protection principles, it promises to offer its own version of data processing rules to deal with bulk data which will appear as a code of practice. A guide to what this code of practice will look like is included in Schedule 6, section 3 of the Bill.

22.    The Court concluded:
"69. Having regard to all the foregoing considerations, it must be held that, by adopting Directive 2006/24, the EU legislature has exceeded the limits imposed by compliance with the principle of proportionality in the light of Articles 7, 8 and 52(1) of the Charter.
70. In those circumstances, there is no need to examine the validity of Directive 2006/24 in the light of Article 11 of the Charter.
71.  Consequently... Directive 2006/24 is invalid."
23.    In short, the data retention directive presented a disproportionate interference with the fundamental rights to respect for private and family life and the protection of personal data. Consequently the directive was invalid, null and void. And because it was invalid on privacy grounds the Court didn't see the need to pursue the question of whether it also might be invalid on the grounds of Article 11 of the Charter of Fundamental Rights relating to freedom of expression.

Internet connection records and relevant communications data
24.    The Home Office appear to have briefed the Joint Committee that the retention of “internet connection records” is the only new power in the Bill.  As far as I can tell the phrase “internet connection records” is mentioned only in section 47 of the Bill (“Addition restriction on grant of authorisations”) which does not deal with data retention.  Section 71 (Powers to require retention of certain data) deals with data retention and uses the term “relevant communications data” rather than internet connection records.

25.    “Relevant communications data” has a six part definition in s71(9)(a)-(e) relating to the purposes of section 71. “Internet connection record” has a two part definition in s49(6)(a)-(b) relating to that section. The components of the “relevant communications data” definition them acquire different meanings or definitions depending on what part of the Bill they appear in.

26.    Graham Smith has done a remarkable job of tracking these down. In a blogpost on Sunday, 29 November 2015, Never mind Internet Connection Records, what about Relevant Communications Data[5], he identified and mapped 14 different interlinked definitions in the Bill that are connected to “relevant communications data”.

27.    It is hardly surprising therefore that industry representatives, such as BT’s Mark Hughes, have testified to the joint committee that the definitions in the Bill are unclear.

28.    Relating “relevant communications data” back to the Solove model (at the beginning of my submission) implicates it variously in data collection, retention, processing and dissemination. Unfortunately even that doesn’t help identify exactly what “relevant communications data” is going to mean in practice.

29.    Government representatives have told the joint committee that definitions of ICRs and relevant communications data are “clear” and industry have insisted they are unclear in the Bill. It appears that what they really mean in practice will be worked out in private discussions through the “very good relationship” the government maintains with industry.

30.    Does the joint committee get to oversee these discussions? So who gets the final say on who gets to program the computers for surveillances and what are the specific 'selectors'/filters? Who decides what the selectors should be? Who decides who decides what the selectors should be? With the best will in the world most parliamentarians are not technical experts, so how can the committee effectively or Home Secretary or judicial commissioners scrutinise the technical aspects of this work? How do you measure the efficacy of these filters given it is widely known in the tech community how ineffective electronic filters can be? How, when someone is tagged as suspicious via these secret algorithms applied to bulk datasets, does the information on that individual then get further processed? What happens when someone is wrongly tagged and how do they retrieve their innocence and clean bill of electronic health?

31.    It is difficult to see how the bulk retention of data under the broad and dynamic scope of “relevant communications data”, or “internet connection records” if that is to be the common phrase to be alluded to regardless of its definition in the Bill, could meet the tests of necessity or proportionality laid down by the Court of Justice of the European Union in the Digital Rights Ireland case in 2014. Given that the final text of the EU’s new General Data Protection Regulations (GDPR) just been agreed, it will further complicate the committee’s efforts in trying to understand the implications of the proposed IP Bill.

32.    One last note on this section on the differences of opinion over the clarity or otherwise of the Bill. The drafters of the Bill have gone to some length to try to distinguish communications data (or meta data) from content. Paul Bernal and others have explained to the joint committee why there is no simple way to distinguish the two, given the complex overlapping nature of both e.g. does an email address mentioned in the main text of a document constitute content or communications data. Could I, on this point, just commend to you the presentation of your special adviser, Peter Sommer, from the 2012 Scrambling for Safety conference, Can we separate “comms data” and “content”– and what will it cost?[6]

Base rate fallacy
33.    The whole Investigatory Powers Bill approach to signals intelligence – giant magic computerised terrorist catching machine that watches everyone and identifies the bad guys – is flawed from a mathematical as well as operational perspective.
34.    Time and again from the dreadful attacks on the US on the 11th September 2001 through to the recent attacks in Paris the perpetrators were previously known to the security services but they lost track of them in the ocean of data noise they were then[7] and are now[8] drowning in.
35.    Even if an IP Bill mandated magic terrorist catching machine, watching the entire population of the world, was 99% reliable, it would flag too many innocents for the security services to investigate and swamp the services in unproductive activity.
36.    But it is not even as simple as that mathematically. Is your machine 99% reliable at identifying a terrorist, given they are a terrorist? Or is it 99% reliable at identifying an innocent, supposing they are truly innocent? In general your machine will have two failure rates

·         A false positive where it identifies an innocent as a terrorist
·         A false negative where it identifies a terrorist as an innocent

37.    The reliability of your identification further depends on the actual number of terrorists in the population as a whole – the base rate. The problem is particularly acute when the base rate is low. Let’s stick with the 99% reliability for both failure rates (though they will rarely be the same – if you adjust your machine to catch more terrorists, it will falsely accuse more innocents; and if you adjust it to catch less innocents it will let more terrorists go). So assume both a false positive and false negative rate of 1%. Suppose also there are 100 terrorists in every collection of 1 million people.[9] Your terrorist catching machine, watching these 1 million, will flag 99 of the 100 terrorists, giving one a free pass; but it also flags 1% of the remaining 999,900 innocents i.e. 9,999 innocent people get tagged as terrorists. So the 99% reliable machine flags 99 + 9999 = 10,098 people for suspicion. Only 99 of these 10,098 are real terrorists, giving your magic machine a hit rate of 99/10098 = 0.0098 approximately. Your 99% reliable machine is not 99% reliable but less than 1% effective at identifying terrorists.

38.    The numbers underlying this base rate fallacy[10] – the tendency to ignore known base rate statistical data (e.g. the low probability someone is a terrorist in a large population) in favour of an interpretation of specific data (my magic machine is 99% accurate) that seems as though it might be right – are slightly counter intuitive but need to be understood if you purport to deploy techniques involving the surveillance of entire populations.

39.    Denmark, following 7 years of ineffective bulk collection of data equivalent to the IP Bills internet connection records, in 2014 repealed the law requiring the collection and retention of these records.[11] Because of the base rate fallacy and the fact that terrorists are relatively few in number compared to the population as a whole, mass data collection, retention and mining systems, such as those proposed in the IP Bill, always lead to the swamping of investigators with false positives, when dealing with a large population. Law enforcement authorities end up investigating and alienating large numbers of innocent people. That’s no good for the innocents, for the investigators or for society. In Denmark, over half a million records per citizen were retained in 2013 but the system proved an ineffective tool for law enforcement and security and intelligence services.

40.    If the government has £175 million over ten years (about equivalent to Wayne Rooney’s wages and as industry and others have pointed out to the joint committee, this will not come close to paying for what the IP Bill requires) to invest in terrorism prevention, then it would be better spent on more security services people not magic terrorist catching computer systems. You need more human intelligence and better targeted and managed signals intelligence.

Complex system security and equipment interference
41.    Our communications infrastructure is complex, fragile and insecure.  Large and complex systems like the internet are extremely difficult if not impossible to secure.  Security is hard and complexity kills it. When you make any changes to complex systems, they produce unintended emergent effects. But it is a really bad idea to undermine the security of an already fragile and insecure communications infrastructure deliberately, by giving government the power to undermine that security directly, through the equipment interference measures in the IP Bill.

42.    There may be a case [though it has not been made] for carefully targeted and judicially supervised and controlled, necessary and proportionate equipment interference, to pursue known suspects, about whom the intelligence or law enforcement services have reasonable cause to harbour suspicion. That applies generally to the bulk data collection and retention and equipment interference regime of the IP Bill. The requisite authorities need to use modern digital technologies intelligently in their work and through targeted data preservation regimes – not the mass surveillance regime they are currently operating and the government is proposing to expand under the draft IP Bill – engage in technological surveillance of individuals about whom they have reasonable cause to harbour suspicion.

43.    Targeted equipment interference does however, compromise digital forensic evidence that may be used in law enforcement cases.

44.    Although equipment interference better known as hacking was avowed by the government with the publication of the draft Equipment Interference Code of Practice early in 2015, government legal representatives at the recent Privacy International Investigatory Powers Tribunal hearing denied that the government had yet admitted engaging in bulk equipment interference.

45.    The justification for bulk equipment interference appears to be based on stretching interpretations of the Anderson and Intelligence & Security Committee reports, and the Intelligence Services Act 1994 and the Police Act 1997, beyond breaking point. Anderson, in what I consider one of the few weak/evidence-light parts of his otherwise thorough and impressive report,[12] approved of bulk collection and retention of communications data.  In no part of the Anderson report is there expressed or implicit approval for bulk equipment interference.

46.    Government are claiming bulk equipment interference (mass hacking of the internet) is their attempt to "build on recommendations made by David Anderson QC and the ISC".  Generally speaking giving the government the power to hack the internet is really bad security hygiene, undermining communications infrastructure for everyone. Professor Mark Ryan of Birmingham University informed the Joint Committee that equipment interference is “a huge power” which would result in innocent people being targeted. Professor Ryan also described it is an "extremely dangerous game".

47.    Numerous other computer scientists and security experts, including Jon Crowcroft at Cambridge University, have described the Bill as a hacker charter, a description recognisable in part 5 and part 6, chapter 3 of the Bill. The 2015 Equipment Interference Code of Practice appears to have stretched the meaning of s7(4)(a) of the 1994 Intelligence Services Act's "acts of a description specified in the authorisation" to mean it covers bulk hacking. Section 7.11 of the Code of Practice claims s7(4)(a) "may relate to a broad class of operations" i.e. anything? Part 6 Chapter 3 would appear to be aimed at codifying this in the new law.

48.    There is no case for the open ended bulk equipment interference powers outlined in part 6, chapter 3 of the Bill. These powers seem to be aimed at facilitating the hacking of overseas communications data and equipment. But wherever bulk hacking is aimed it has no place in the toolbox of government authorities. Following an investigation into the Edward Snowden leaks in 2013, President Obama’s Review Group on Intelligence and Communications Technologies recommended that intelligence agencies should focus on defending rather that engaging in attacks on network and computer security.[13]

49.    Part 6 Chapter 3 should be removed in its entirety from the Bill. Part 5 needs significant amendment if it is to remain.

50.    Securing systems of the magnitude of those used by security agencies and industry, and effectively proposed in the IP Bill, from external hackers or the multitude of insiders who have access to these databases (850,000 including Edward Snowden in the case of the NSA), is incredibly difficult. The joint committee will be familiar with the recent TalkTalk hack compromising the personal data of 157,000 customers.[14] You may be familiar with the even more serious and potentially life threatening compromise of the systems of US government’s Office of Personnel Management.[15] The complete dossiers of tens of millions of US federal employees, their families and others who had applied for government jobs were stolen.

51.    When you create large and valuable databases they attract attackers. Whereas, in addition to respecting data protection principles, minimising the collection and processing of personal data to that required for the specified purpose, is also good security practice.

52.    Security experts like Ross Anderson, Bruce Schneier, Peter Neumann and others have written extensively about this.  And to understand the problem of securing these systems you need to think about how such systems can fail - how they fail naturally, through technical problems and errors (a universal problem with computers), and how they can be made to fail by attackers (insiders and outsiders) with malign intentions. And sometimes, like the case of Edward Snowden, one of 850,000 security cleared people with access to NSA secrets, those insiders or outsiders may have, what they believe to be, benign intent. Snowden’s stated intention was to disclose unconstitutional and/or illegal government agency practices. Whatever an attacker’s intent, no information to which nearly a million people have access, as a routine part of their job, is secure.

53.    The mood amongst western governments has been leaning towards deliberate mandates to undermine communications infrastructure security, providing security vulnerabilities for law enforcement and intelligence services to exploit. Anderson, Schneier, Neumann and other world renowned security experts recently published Keys Under Doormats: Mandating insecurity by requiring government access to all data and communications.[16] The paper explains, in commendably accessible detail, why this is a bad idea.

54.    From their conclusion: “Even as citizens need law enforcement to protect themselves in the digital world, all policy-makers, companies, researchers, individuals, and law enforcement have an obligation to work to make our global information infrastructure more secure, trustworthy, and resilient. This report’s analysis of law enforcement demands for exceptional access to private communications and data shows that such access will open doors through which criminals and malicious nation-states can attack the very individuals law enforcement seeks to defend. The costs would be substantial, the damage to innovation severe, and the consequences to economic growth difficult to predict. The costs to developed countries’ soft power and to our moral authority would also be considerable. Policy-makers need to be clear-eyed in evaluating the likely costs and benefits.”


Conclusion

55.    The government has the right to intercept, retain and analyse personal information, when someone is suspected of a serious crime. However, current operations and the powers and processes proposed in the draft IP Bill involve collection of personal data indiscrimately, in bulk and without suspicion, in addition to network security decimating equipment interference. This is, in effect, mass surveillance.

56.    Due process requires that surveillance of a real suspected criminal be based on much more than general, loose, and vague allegations, or on suspicion, surmise, or vague guesses. To operate the mass data collection and analysis systems proposed in the IP Bill, thereby giving the entire population less protection than a hitherto genuine suspected criminal, based on a standard of reasonable suspicion, is indefensible.

57.    250 years ago, Lord Chief Justice Camden decided that government agents are not allowed to break your door down and ransack your house and papers in an effort to find some evidence to incriminate you (the case of Entick v Carrington (1765) 19 Howell’s State Trials 1029, 2 Wils 275, 95 ER 807, Court of Common Pleas).
58.    The good judge also declared personal papers to be one’s “dearest property”. It is not unreasonable to suspect he might view personal data likewise in the internet age. I understand Lord Camden's reasoning in Entick became the inspiration behind the 4th Amendment to the US Constitution which offers protection from unreasonable searches and seizures. The 4th Amendment itself underpins the 46 recommendations of the Report of President Obama’s Review Group on Intelligence and Communications Technologies. For a quarter of a millennium, fishing expeditions, of the type that are proposed in the IP Bill but at a scale and scope which Lord Chief Justice Camden could barely have imagined, have been considered to fundamentally undermine the rule of law. It's time Parliament brought these modern costly, ineffective and damaging surveillance practices into line with that rule of law rather than, as with the IP Bill, attempting to shape the law to facilitate and expand them in scale and scope.











[1] Executive Office of the President President’s Council of Advisors on Science and Technology Report to the President, [May, 2014], Big Data and Privacy: A Technological Perspective
[2] https://www.whatdotheyknow.com/request/300685/response/745953/attach/html/3/FOI%2037410%20Response.pdf.html
[3] Solove, DJ, [2006], A Taxonomy of Privacy, University of Pennsylvania Law Review, Vol.154 No.3
[4] https://ico.org.uk/for-organisations/guide-to-data-protection/principle-3-adequacy/
[5] http://cyberleagle.blogspot.co.uk/2015/11/never-mind-internet-connection-records.html
[6] http://www.pmsommer.com/sf2012_sommer_commsdata_content.pdf
[7] The NSA’s Call Record Program, a 9/11 Hijacker, and the Failure of Bulk Collection https://www.eff.org/deeplinks/2015/04/nsas-call-record-program-911-hijacker-and-failure-bulk-collection
[8] Intelligence and Security Committee Report on the intelligence relating to the murder of Fusilier Lee Rigby http://isc.independent.gov.uk/committee-reports/special-reports
[9] Various spokespersons of successive UK governments have referred to 6000 dangerous people at large in the UK, so I’ve chosen 100 per million as equivalent to 6000 in 60 million.
[10] For a fuller description of the base rate fallacy see  Richards J. Heuer, Jr., Psychology of Intelligence Analysis,
Chapter 12 Biases in Estimating Probabilities, available at https://www.cia.gov/library/center-for-the-study-of-intelligence/csi-publications/books-and-monographs/psychology-of-intelligence-analysis/art15.html
[11] Details available from http://itpol.dk/consultations/written-evicence-ipbill-scitech-committee IP-Pol submission to the Science and Technology Committee inquiry into the Investigatory Powers Bill.
[12] A Question of Trust: Report of the Investigatory Powers Review by David Anderson Q.C., June 2015
[13] Richard A. Clarke, Michael J. Morell, Geoffrey R. Stone, Cass R. Sunstein, Peter Swire [13 December 2013] Liberty and Security in a Changing World: Report and Recommendations of The President’s Review Group on Intelligence and Communications Technologies
[14] http://www.bbc.co.uk/news/business-34743185
[15] https://www.opm.gov/cybersecurity/cybersecurity-incidents/
[16] https://dspace.mit.edu/bitstream/handle/1721.1/97690/MIT-CSAIL-TR-2015-026.pdf