We are facing crunch time on mass surveillance. For years the Snoopers' Charter agenda has been pushed by politicians of various stripes, first as the Intercept Modernisation programme, then the Communications Data Bill. Now we are facing it again with a proposed Investigatory Powers Bill. However this time it has been set as a key priority by a majority Tory government cocky from an unexpected election victory. We have just months to head off a major defeat under very difficult political conditions.
Even so, all the expert advice on surveillance is pointing in the opposite direction at the moment. Court rulings have found both operation and legislation itself unlawful. Reports commissioned by parliament and the man formerly known as Deputy Prime Minister are calling for a root and branch reform of intercept legislation to properly balance privacy and security.
Perhaps the titles of the reports from David Anderson the Independent Reviewer of Terrorism Legislation, and from the Royal United Services Institute (RUSI) set out the challenge best. “A Question of Trust” and “A Democratic Licence to Operate”. It is trust and democracy that have been so lacking, and are so vital for legitimacy.
They are also clear about what's needed to make surveillance legislation fit for purpose . Ending the current chaos of confusing intercept laws by starting from scratch. Judicial authorisation for surveillance warrants. Strong oversight from a new powerful body that is transparent and public facing. Clear principles and tests for any intercept powers. Prompt avowal of existing and future surveillance capabilities. An Advisory Council for Digital Technology and Engineering so ministers actually know what they are talking about for once.
This isn't liberal bourgeois civil liberties groups or political radicals talking, its lawyers and security experts.
Anderson is pretty forceful about the current situation:
“RIPA... has been patched up so many times as to make it incomprehensible... This state of affairs is undemocratic, unnecessary and – in the long run- intolerable.”
This is not a trivial point. Throughout the Snowden crisis the line from the Security and Intelligence Agencies (SIAs) has been that they operate under a strict legal framework. But in practice there is no such thing. This helps no-one, whether its British citizens, the police or GCHQ.
Similarly on encryption, it's clear that forced backdoors or banning WhatsApp and Apple products are not serious options. Cameron's statement that there should be no “safe space” for terrorists to communicate online was always deliberately ambiguous.
The tech sector has widely ridiculed any notion of 'banning' encryption as unfeasible, economically catastrophic, and not least a security threat. As hosting and datacentre provider Bytemark put it “A UK-specific cryptographic 'back-door' would become a huge target for criminals.” Anderson pointed out the reality: “few now contend for a master key... such tools threaten the integrity of our communications and of the Internet itself”.
RUSI went further: “We do not believe that the police, law-enforcement agencies and SIAs should have blanket access to all encrypted data, by legally requiring the handover of decryption keys, for example...”. How this squares with RIPA powers on keys I don't know, and the report doesn't address that. Which demonstrates again the confusion there is at every level about what the law is and what it permits.
In fact, Cameron, or rather the Home Office, probably have something else entirely in their sights with the “no safe space” doctrine. In February 2015 the government brought out the draft Equipment Interference Code of Practice. This is essentially the first proper acknowledgement that the security services are engaging in computer network exploitation (CNE), or hacking if you will. It had already been reported that by 2015 GCHQ hoped to have cracked codes used by 15 major internet companies and 300 VPNs.
The deal set out will most likely be this- if those of us who object to backdoors in encryption are to have our way, then CNE will have to be accepted along with legal powers to require encryption keys. This may be hard to swallow, particularly for my colleagues who have said “you will prise my crypto keys out of my cold dead hand”. But at this crunch time we may have to face up to some unpalatable political choices. Equally, the powers that be should not underestimate how visceral the desire to defend cryptography has become for a significant group of tech and political influencers.
This is just one of the points of conflict in what Anderson fairly characterises as a “bitterly contested” debate.
The question of the alleged loss of capabilities for the security services is in many ways the most fundamental one. For law enforcement, the concern has been that the shift from phones has lead to a degrading of the ability to monitor communications. The FBI's director James Comey calls this “going dark”. On the other side, privacy advocates point out that there are more opportunities than ever to snoop on us as our devices track our lives in excruciating detail. At the same time the Snowden revelations point to capabilities of unprecedented scope.
In fact, it is possible for both of these points of view on the surveillance debate to be true simultaneously. The question is actually what should and can be done.
On closer examination, in the most recent reports the “going dark” narrative rather breaks down. RUSI sees the capability gap in terms of diversification and technical change making it difficult to keep up, the problem of multiple jurisdictions, and that terrorists are 'early adopters'. None of those points can be simply be solved with new laws. Frankly the answer to diversification and early adopters is step up, do your job, and focus resources properly.
The thrust of the recommendations to government on intercept is not really about dealing with a supposed crisis situation in intelligence gathering. Rather they are about confirming, codifying and overseeing the extensive powers that already exist. After all, at the time of writing Anderson pointed out that 20 bulk warrants were in force. This shows Security Minister John Hayes' comments that “suicidal people, missing children” will be in danger in their thousands because of the High Court ruling against DRIPA are as puzzling as they are cynically manipulative.
I suspect we may spend months arguing about the meanings of “bulk”, “blanket” and “mass” surveillance, and what the legal and technical implications are. But that is precisely why the debate needs to happen in an open way.
Which brings us back to trust and democracy.
Anderson quite rightly points out that the British public at large are not overly concerned about the surveillance issue, particularly compared to other countries. We in the privacy camp need to take this on board as our failure to communicate in a clear and urgent way. But a lack of trust is deeply entrenched in a significant sector of the community, those that work in the tech and communications industries. In other words, the very people who will be at the sharp end of carrying out the Investigatory Powers Bill if it becomes an Act. Let alone the many others who are concerned about the direction this country is headed in.
That's why it's particularly regrettable that the RUSI report missed an opportunity to rebuild some trust. Rather fittingly for a document commissioned by Nick Clegg, it is disappointing and does not achieve what it set out to do.
'A Democratic Licence to Operate' points out the “neither confirm nor deny” position from the government on Snowden has actually made it hard for the SIAs to defend themselves from any allegations as they can't been seen to acknowledge them. Be that as it may, RUSI have also allowed this to scupper their own report as they don't explore adequately what the capabilities alleged by Snowden mean for the principles they set out. What has been at the heart of the lack of trust in the government post PRISM and TEMPORA is the massive disconnect between the alleged “going dark” and constant assurances that GCHQ operates within a strict framework, with the huge scope of these programmes and their apparent lack of oversight.
I don't expect or even need anything that reveals GCHQ operational capacity. What I am interested in is the principles behind intercept capabilities, if we are to make new legislation. What RUSI should have done is proceed from the assumption that none of the Snowden allegations were true, but formed interesting hypothetical cases.
For example let's assume about OPTIC NERVE that in fact GCHQ operatives weren't freaked out “that a surprising number of people use webcam conversations to show intimate parts of their body to the other person”. But theoretically, would the interception of millions of webcam images of users of a popular internet service who were not suspected of any crime, be compatible with RUSI's tests of necessity, proportionality, restraint and effective oversight? Similarly, would it be acceptable to use other capabilities which could potentially entirely short circuit the warrant procedure proposals because of an ability to directly access communications data?
I defy anyone who was the slightest bit concerned about the Snowden story to read the RUSI report and feel any more reassured.
This is because trust has to be earned and democracy operates in a broader context. It will not be enough to draft a logical piece of legislation however well balanced. We need it to be acknowledged how far the breach of trust has gone and that there be consequences where there are breaches.
How was it possible that UK/US bulk communications sharing operated unlawfully for years? In 2013 InSec considered whether an unlawful warrant or authorisation could be successfully issued. That would “require ineptitude or conspiracy on a massive scale” was the conclusion. Then which was it in the case of Amnesty International being illegally spied on? Why was the then coalition government so stubbornly deaf to all appeals that rushing through DRIPA would lead to legal chaos?
There is still the chance to take “a system characterised by confusion, suspicion and incessant legal challenge and transform it into a world-class framework” as Anderson puts it. Not least as there is a broad consensus that the security/privacy pendulum has swung too far away from fundamental rights.
But at the end of the day security and privacy should not be contradictory. Lax oversight of data leaves us vulnerable to attacks of all kinds. A regime characterised by suspicion and draconian laws is a spur to radicalisation. Tech companies and CSPs views' should be respected if we are to have a safe digital environment.
It is now up to the government once and for all to start listening. Ultimately, the surveillance crunch time is for them and the decisions they make in the months ahead.