Government is still a way behind Mark Zuckerberg
Every time society finds new ways of communicating – the letter, the fax, the telephone – there follows a long debate about how, when and why it might be accessed with those tasked with keeping us safe. Today the government is releasing further details of its communications
capabilities development programme (CCDP). The crux of the Bill is to force service providers to collect and store our internet behaviour, which government agencies can then access, to track who is contacting whom, when and where.
The government says: these measures are needed to keep up with modern form of communications, as criminals increasingly use the internet to co-ordinate, arrange, and execute plans. Correct.
The privacy groups say: collecting all this data about us risks overbearing surveillance of the innocent and in many cases will not be useful. Correct.
There is no straightforward solution to this. To discharge their duty, government agencies must be able to keep pace with modern communications, so the Bill is necessary. But the clearest and most stringent lines of authorisation, oversight and retention rules are needed – not just to maintain civil liberties and prevent the overreach tendency of government – but because of the risk that surveillance damages the social and economic benefit of the medium itself.
From what we know, it looks like there will be strong powers for the information commissioner and a panel of senior judges to review unlawful tracking. (Although I worry these will be insufficient, as the Bill appears to still allow internal department sign-off for access, by the police for example). But above all it looks as though the Bill will face considerable scrutiny in Parliament and the intelligence and security committee. That is a very good thing, because all intelligence work is based on the consent of the governed expressed through Parliament, not on arguments between security and privacy advocates. (And credit here does go to the privacy groups that have pushed for this).
But in my opinion, the current Bill doesn't deal with a more fundamental problem, which is how government agencies access the content of our communications. The UK’s Regulation of Investigatory Powers Act (RIPA) 2000, which regulates the state’s power to access personal data, is over a decade old and social media has turned clear distinctions between personal and private spheres into a series of grey shades. And with free, or cheap off-the-shelf software, it is already possible for individuals, local authorities, companies, the police – whoever – to collect enormous amounts of personal information about all of us. Modern social media analytics tools evade the checks that constrain abusive law enforcement practices: limited police resources and community hostility.
Thus, an individual police officer can learn an incredible amount about someone by spending a few minutes online at his or her desk. In the UK, a Superintendent or Inspector is required to authorise directed surveillance in the street. None is required for Googling suspects. And what about a police officer entering a Facebook group covertly – is that the same kind and extent of privacy intrusion as infiltrating an off-line group (and so requires a chief constable sign-off)? Is collecting tweets similar to listening and recording a person shouting in public? What happens if a police officer accidently stumbles upon criminal activity while surfing quasi-private blog sites?
Neither the current RIPA laws or the new Bill attempt to answer these questions. In #Intelligence, a recent report written by myself and Sir David Omand about social media intelligence, we argued that these are the pressing questions in respect of privacy today.
Finding a new settlement to this is even more important than the current proposals, which, by the way, are all rather tame compared to what Google or Facebook know about us already.