Monday 16 April 2012

They snoop to conquer

I left it a while before blogging this, and I thought my moment had passed, but today's news that MI5 had failed to renew their security certificate gave my thoughts a new lease of life. A furore greeted the government's publication a few days ago of its plans for an inoffensively named “Communications Capabilities Development Programme” i.e. giving themselves the ability to spy on who you're talking to and when and by what medium in real time without having to ask anybody's permission. There was a rapid pull back when they realised that they couldn't just push it through without anybody noticing. Reaction in the LibDem half of the government was satisfying. I sense some coalition politics going on here – probably the Conservative half seeing how far it could get before the LibDem half noticed or reacted. Hardly an inch, I'm pleased to say.

If you do nothing else today, you should sign the 38 degrees petition about it. Here's why.

Rather than just looking at why we might be against these proposals, I want to look at things we like, as Liberal Democrats, and assess whether the proposals match those.

There are things that Liberals are in favour of - things that work, respect for people as individuals, respect for the power of the state, and a relationship on which citizens control the state, not the other way round.

Generally speaking, liberal democracy being quite a pragmatic philosophy, we are for things that work. So that translates into a question: how workable is this idea?

Secondly, we respect people, and therefore we respect data about them. How does this idea deal with our data?

Thirdly, we respect greatly the power of the state. It's only a tool, but it's a massively powerful one that needs to be kept in check, otherwise it can too easily wreck people's lives. So do these proposals apply enough checks to the power of the state? (Some people might say they fear the state. I don't, it's just a lot of people trying to do their jobs. I'm just very, very careful with it, like I would be with a loaded gun.)

Fourthly, we like a system in which people are in charge of the state rather than vice versa, one in which the state works on behalf of the people, not on behalf of itself. Do these proposals do that?

So first I look at these proposals in the light of things that work. This falls into three categories - intrinsic worth, opportunity cost and effectiveness.

Intrinsic worth weighs the cost of doing it in both time and money. Given the amounts of data that people produce, the storage costs will be phenomenal. The biggest data drive I am aware of holds 120 petabytes(120 million gigabytes). The people on my twitter stream could fill that in a week. Multiply that by everybody on Twitter, on Facebook, on Flickr.... Massive data banks in massive buildings, all taking space, all needing to fuelled, all needing to be maintained - the costs will be astronomical. Then there will be the cost of finding data. To track a single person means getting the data via their home ISP, their mobile ISP, and any Internet cafés they use. The data will have to be trawled out of all the billions of other messages. It can be done by computers but there is still a cost. Estimates have been made of the costs of a google search. If the security services are incurring that kind of cost for every search they make, that cost will also be significant. Is it worth it? Some would say security is worth any cost, but our budget is limited and we need to choose what to spend it on, which brings me to the next question.

Opportunity cost means what else could we do with that money. The cost will mount into billions over the years. No doubt the government will try to avoid paying some of the cost by hiving it off on to the ISPs. There is a limit to how far they can do that, and some hundreds of millions will fall on the taxpayer. That money could arguably be spent much better on other forms of policing. There is a role for data gathering to play but it works best as an adjunct to intelligence led policing. Knowing where to look for data is much more effective than a series of fishing expedition. If the police aren't getting the intelligence they need, then they should put more effort and more budget into it. No guessing where I think that budget should come from.

Then I question the effectiveness of the plan. The services will have at their disposal a great deal of information about people like me, who do not choose to disguise our whereabouts. Those who want to disguise what they're doing need only go to local Internet cafés and create extra gmail addresses. With only marginally more sophistication, they will start to use the dark web, and be completely beyond the purview of a scheme like this. The services will spend a mass of their time investigating the innocent in the touching belief that they will accidentally light on somebody guilty when anyone with a modicum of nous will be able to subvert their surveillance with ease. It will be a massive waste of their time, and of our security.

The “does it work” test alone should see off this proposal. But there are other issues - the integrity of our data for one. Of course the services will assure us that our data is completely safe with them. (MI5, where is your security certificate?) The Leveson enquiry should have disabused us all of that one. Any system is vulnerable to both corruption and hacking. Tabloid papers have been able to corrupt any police officer or DVLA clerk they fancy. They won't turn a hair at suborning data clerks in ISPs or whatever corrupt private organisation the government chooses to give this responsibility to - A4E perhaps (demonstrated to have big problems with corrupt practices - still getting government contracts).

Anonymous and others are daily showing that they can get round even hardened security systems. Even a low level hacker with an axe to grind can unlock data with frightening ease. It wasn't just a charity. According to the Guardian, “Jeffery also admitted to detectives that he had identified "vulnerabilities" on a string of websites of major international organisations including the FBI, CIA, West Midlands police, the Houses of Parliament, the US navy, Arizona police and Spanish police.”

Mentally challenged people can get into the Pentagon, with very little trouble. The existence of so much data on so many of us will be like a honey pot to anyone who wants to do mischief. And they will succeed. Our data will not be comprehensively protected.

And while we're on the subject of Gary McKinnon, I cannot believe that:

a) the government of the USA is so asininely blockheaded that it still wants to prosecute him, rather than flying over here, shaking him by the hand and thanking him for demonstrating so openly and conclusively that they needed to take their own security more seriously, and

b) that Teresa May is so craven that she STILL hasn't told the Yanks where to stuff it. A British citizen who, if he has committed a crime, has committed it on British soil, should be tried in Britain. A vulnerable British citizen even more so. She exercises no sense, no reason and no compassion.  You can tell her what you think at the Home Office contact page.

The fact that our data will not be protected links to the third question about the power of the state. When the state makes mistakes, the results can be little more than annoying but they can also be downright catastrophic. The Guildford four and the Birmingham six will vouch for that. Jean Charles de Menezes will vouch for that. Today we hear about ex police constable Sultan Alam, who will vouch for that.The opportunities for the state to make mistakes will be multiplied many times if they are allowed to go on fishing expeditions without having to account for and justify their interest in any specific person. Even now without this legislation, the services want too much. Trevor Timm says in “The UK government's war on internet freedom”: “According to their most recent Transparency Report, Google refused to comply with 37 per cent of user data requests they received from UK authorities in the first six months of 2011, because they didn't comport with "the spirit or letter of the law", likely indicating overly broad requests or that the authorities provided no reasonable suspicion of a crime occurred.” They're already fishing in more than a third of their requests.

Fourthly, we stand for a particular relationship between the citizen and the state. The state should be at the service of the citizenry, not the other way round. It should be answerable to its citizens (and not just once every five years). Citizens, not the state, are the most valuable thing a country has. Citizens should have accessible and practical means of control and redress. That gives rise to the question: how would this proposal affect that relationship? It will inevitably cause a distancing, particularly when the state finds giving us information about it so distasteful (viz constant attempts by many government organisations to block FOI requests).

This also influences deeply the effectiveness of the proposals. Received wisdom of policing is that it works by consent. If citizens do not consent, policing does not work, because information and support simply does not come the way of the police. That principle is formed out of the principle of intelligence led policing, which is the most effective kind. It requires the assistance and confidence of the public at large in order for intelligence to flow towards the police. As long as they are poking about in our data at their discretion, they are, at least potentially, damaging the confidence in the which they need in order to work most effectively.

There may be some powers the services need – it may be sensible to ensure that the scope of legislation is wide enough to encompass all forms of internet communication when necessary, but never without good reason and never without judicial oversight.

Thus, on four counts these proposals fail. Sign the 38 degrees petition about them – you need to keep your privacy in order for policing to work its best.

No comments: