Widespread encryption and stopping bulk collection of communications data will cripple intelligence agencies, says a former top UK spy.
“Everything can’t be private or we’ll end up regretting it,” said Sir David Omand, director of the UK’s signals intelligence agency GCHQ from 1996-97, speaking at University College London January 15.
“Very serious damage” will be done to the ability to carry out foreign espionage and police domestically if “you have the right to have your private iChat and nobody has the right to intercept it,” Omand, now a visiting professor of war studies at King’s College London, added.
If civil libertarians get their way and bulk Internet communications data collection comes to an end, he said, they will “have taken human rights a step way, way beyond the UN Declaration or the European Convention on Human Rights, which are both explicit that privacy is not an absolute right – it’s a qualified right.”
“No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence… Everyone has the right to the protection of the law against such interference.”
“Everyone has the right to respect for his private and family life, his home and his correspondence… There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic wellbeing of the country.”
Both Article 12 of the UN Declaration of Human Rights and Article 8 of the European Convention on Human Rights enshrine the right to privacy.
At the moment public debate confuses bulk communications data collected under the NSA’s PRISM and GCHQ’s Tempora programs with mass surveillance, Omand said. “You need bulk data access in order to search through and find the communication of a particular IP address of, say, a particular terrorist in Syria,” he said. “If you don’t have the bulk access,” he continued, “you can’t put the packets together – which are all whizzing around the global networks.” Packets of data are exchanged via TC/IP Protocol to connect individual computers to a search engine and can be routed through different server hubs to get there.
When authorities dip into the pool of packet data they collect, it is targeted Omand said. “You go into that haystack,” he said, “with a particular magnet that will only pick out the material that you’ve got a warrant to pick out and is legally authorized.”
However, numerous examples demonstrate that these “particular magnets” have often been used without a warrant and represent a powerful temptation for misuse. This week the Guardian examined untapped documents from the Snowden trove that show internal emails from the BBC, Reuters, the Guardian, the New York Times, Le Monde, the Sun, NBC and the Washington Post were scooped up in a test of GCHQ’s tools.
Since September the Press Gazette, a UK media industry newspaper, has run the Save our Sources campaign, backed by editors across the political spectrum, after London’s Met police force acquired the phone records of journalists using the surveillance tools without a warrant under the Regulation of Investigatory Powers Act (RIPA).
Sir David Omand Credit: Chatham House/Flickr
Last November it was revealed at an Investigatory Powers Tribunal that surveillance tools have also been used by MI5, MI6 and GCHQ to break lawyer-client privilege. And in 2013 it was revealed the NSA broke privacy rules on nearly 3,000 occasions over a one-year period and that its employees tracked and gathered intelligence on former lovers.
“It’s a very powerful set of tools,” said Omand. “In the wrong hands, with the wrong government,” he adds, “you could turn that into mass surveillance…but I wouldn’t take the tools away.”
Right now Omand is part of a committee organized by the UK’s deputy Prime Minister Nick Clegg at London’s Royal United Services Institute for Defence and Security Studies (RUSI). It is tasked with drafting recommendations to improve intelligence agencies after the May 2015 UK election. “My focus has been on the oversight and being sure that even if we were mad enough to elect certain kinds of government they couldn’t misuse the system,” said Omand. The first layer of protection is within the culture of the agencies themselves, he said, adding that the agencies need more staff and government needs more technically competent advisors.
Despite sparking a worldwide social debate, Omand is steadfast Edwards Snowden’s revelation of the scope and specifics of the NSA and GCHQ programs that dip into the data, warrant in hand or not, has done great damage to national and international security. As a result of his leaks “the bad guys have been able to adapt quite quickly,” he said, switching up the choice of app they use to communicate because “they can see which are the ones that the authorities are more able to get at.”
There are, however, many who disagree. “Not long ago we were told that the WikiLeaks revelations were harmful in the same language they used with Edward Snowden,” Guardian editor-in-chief Alan Rusbridger said January 19 speaking at RUSI. “A British official I met recently,” he continued, “waved his hands rather dismissively at the mention of WikiLeaks saying they were not that serious, which absolutely wasn’t what governments were saying at the time. The national interest cannot only be defined by the state.”
Rusbridger pointed out that at Chelsea Manning’s trial the U.S. prosecution provided little evidence of harm from her leaks. He also cited a senior Obama administration official who told him Snowden’s leaks “have had zero effect on national security.”
Others within the American government question whether bulk data collection is really necessary for intelligence agencies to do their jobs. One of the architects of the Patriot Act which authorized bulk Internet data collection in the U.S., Representative James Sensenbrenner, told the New Yorker this past week that he still hasn’t “seen any evidence that the dragnet surveillance of Americans’ personal information has done a single thing to improve U.S. national security.”
The same article quotes Patrick Skinner, a former C.I.A. case officer, now with security and intelligence consultants The Soufan Group. Bulk surveillance, he said, “gives a false sense of security. It sounds great when you say you’re monitoring every phone call in the United States. You can put that in a PowerPoint. But, actually, you have no idea what’s going on.”
Germany, France, and Sweden, however, all deal in bulk communications collection, Omand stressed. “That’s how you do modern intelligence,” he said. Cyber criminals, pedophiles, terrorists, and foreign military forces – all of them are using the same mobile devices, the same IP protocol, that each of us uses when we check our email, use Skype, store files in the cloud, or search online. The Internet then “doesn’t just consist of innocent communications, it also has everything else that might be of interest,” Omand said.
What is dangerous, he added, is that “the companies who – in the past – were cooperative and helping law enforcement, thanks to Edward Snowden, are all shutting down their cooperation to the bare minimum of the basic warrant.”
A bill known at the Snooper’s Charter, or Counter-Terrorism and Security Act, up for debate Monday, January 26, in Britain’s House of Lords seeks to change that by requiring Internet Service Providers to store their users online traffic and pass it to government without a warrant.
One problem with the bill is that bulk access also scoops up the communications of parliamentarians, journalists, doctors, lawyers, and anyone else who has a privileged client relationship, said Rusbridger. The Home Office “has decided that in future the state will not feel bound by these conventions or promises,” he said, adding the police will be “free to authorize themselves the access to the emails of journalists or priests, or lawyers and even MPs.” What is clear to many, he said, is "that the old system of oversight needs to be adapted to the 21st century.”
Leaving these tools available without a warrant, or with a warrant signed solely by a member of the executive appointed within the ruling government, or the law enforcement agencies themselves, without stringent oversight, creates the conditions and opportunity for abuse.
“Legislators need to promote privacy and data protection in their norms,” according to a recent European Union Agency for Network and Information Security study that recommends tight security should be baked into all software.
“Privacy and data protection,” the report said, “constitute core values of individuals and of democratic societies.”