10 February 2015

The UK, the Cyber Revolution, and the Need for Cyber Intelligence

February 6, 2015

Understanding digital intelligence from a British perspective

The Snowden revelations revealed much that was never intended to be public. But to understand them they must be seen in their context, of a dynamic interaction over the last few years between the demand for intelligence on the threats to society and the potential supply of relevant intelligence from digital sources. All intelligence communities, large and small, and including those hostile to our interests, have been facing this set of challenges and opportunities.

First, the challenge of meeting insistent demands for secret intelligence. For the UK this is, for example, to counter cyber security threats and provide actionable intelligence about the identities, associations, location, movements, financing and intentions of terrorists, especially after 9/11, as well as dictators, , insurgents, and cyber-, narco- and other criminal gangs. The threats such people represent are real and – in many respects – getting worse and spreading.

These demands for intelligence have coincided with a digital revolution in the way we communicate and store information. The internet is a transformative technology, but is only viable because our personal information can be harvested by the private sector, monetized and used for marketing. So the digital age is able to supply intelligence about people, for example by accessing digital communications, social media and digital databases of personal information. And for intelligence communities, new methods of supply call forth new demands from the police and security authorities that could not have been met before the digital age. And their insistent demands for intelligence to keep us safe call forth ever more ingenious ways of extracting intelligence from digital sources.

For the democracies (but not for others such as the Russians and Chinese), there is an essential third force in operation: applying the safeguards needed to ensure ethical behaviour in accordance with modern views of human rights, including respect for personal privacy. For the UK, the legal framework for GCHQ is given in: 

The Intelligence Services Act 1994 (Article 3 confers on GCHQ the functions of intelligence-gathering and information assurance with the sole purposes of national security, prevention and detection of serious crime and safeguarding the economic well-being of the UK from actions of persons overseas; Article 4 relates to obtaining and disclosing information). 

The Regulation of Investigative Powers Act 2000 (Article 1 outlines the terms of unlawful interception; Article 5 outlines the powers of the Secretary of State to issue a warrant to make interception legal); Article 8 describes domestic and external warrants; Articles 15 and 16 provide safeguards and controls on storage, handling and retention of data). 

The Human Rights Act 1998 including incorporating a ‘necessity and proportionality’ test to everything GCHQ does. 

Like some elementary experiment in mechanics the resultant of these three forces – of demand, of supply and of legal constraints and public attitudes – will determine the future path of our intelligence communities.

Into that force-field blundered the idealistic Edward Snowden, the Wikileaks-supporting information campaigners Poitras and Greenwald, plus a posse of respectable journalists.

Some are tempted to see Snowden as a whistleblower. But he certainly did not meet the three essential conditions for a legitimate whistleblower as far as the UK is concerned. He did not expose UK wrongdoing, he did not exhaust his remedies before going public, and he did not act proportionately by stealing and leaking so many secrets (including 58,000 British intelligence top-secret documents) to make his main case against the US National Security Agency’s collection of metadata on the communications of US citizens.

Close examination has shown that there is no scandal over illegal interception, or other unlawful intelligence activity, by GCHQ. The three elements of the ‘triple lock’ on GCHQ’s activities – the Foreign Secretary’s authorisations, the oversight by the Parliamentary Intelligence and Security Committee (ISC), and the legal compliance by the independent UK Interception Commissioner and the independent Investigative Powers Tribunal – have each separately concluded everything GCHQ does is properly authorized, and legally properly justified including under Article 8 of the European Human Rights convention regarding personal privacy.

The documents from these different oversight bodies are well worth reading for the unparalleled detail they provide into how interception by the UK authorities is authorized, carried out and audited so as to be always within the law: 
The ISC Report
The Home Secretary has also described her role in authorizing legal interception of UK communications, including by GCHQ, here. 

The inescapable conclusion from these documents is that GCHQ operates entirely within the law, including the 1998 Human Rights Act and therefore the European Charter of Human Rights in respect of freedom of expression and personal privacy.

What the documents do reveal is bulk access to the internet (authorized under Section 8(4) of RIPA 2000) in order to be able to reconstruct communications whose packets have been sent on different routes and to discover new communications of targets (who, to avoid surveillance, will adopt different identities). Targeted surveillance is what is conducted by the UK intelligence agencies. They will continue to need to try to collect intelligence on authorized targets for which the necessary legal authority exists, for example jihadist extremists from the UK who are fighting in Syria and Iraq and who may return to the UK as hardened and dangerous terrorists.

What Snowden and his supporters have failed to do therefore is to distinguish bulk access by computers to the internet – which the US and UK, France, Germany, Sweden and many other nations certainly do have – and so-called ‘mass surveillance’. Mass surveillance implies observers – human beings – who are monitoring the population or a large part of it. As the ISC, the UK Interception Commissioner and the IPT confirm, no such mass surveillance takes place by GCHQ; it would be unlawful if it did.

A similar misconception has arisen over the use of so-called metadata. The media have not explained that the UK uses a strict legal definition of ‘communications data’ (laid down in RIPA 2000) which covers the traditional ‘who called whom, for how long, when and where?’ of old-fashioned telephone billing, not the much looser concept of ‘meta-data’ obtained from internet and social media use. Thus accessing browsing history or other detailed digital metadata, whether from US or UK sources, is for British analysts equivalent to accessing ‘content’ which requires the relevant UK warrant signed by a Secretary of State. For domestic communications (both ends in the UK) that is the Home Secretary and for communications with one or both ends overseas by the Foreign Secretary.

Given the packet-switched nature of global internet communications it is possible that a domestic communication will be picked up in the course of overseas interception – but RIPA 2000 makes explicit provision to allow for this possibility, and provides safeguards (Sections 15 and 16) to ensure the same level of authorization is obtained.

So the issue is not the powerful tools themselves; they are necessary for public and national security. Nor is it the legality of how these tools are used today. The issue is how we the public can be sure that under any future government these tools cannot be misused.

We would be well advised not to have blind trust in the benevolence of any government. ‘Trust but verify’ should be the motto. With increasingly robust executive, Parliamentary and judicial oversight and publication of the results of their work we can and must ensure those tools will only be used in lawful ways that do not infringe beyond reasonable necessity our right to privacy for personal and family life or impose unconscionable moral hazard.

Professor Sir David Omand GCB is a visiting Professor in the Department of War Studies at King’s College London. He was the first UK Security and Intelligence Coordinator, responsible to the Prime Minister for the professional health of the intelligence community, national counter-terrorism strategy and “homeland security”. For seven years he served on the Joint Intelligence Committee. He was Permanent Secretary of the Home Office from 1997 to 2000, and before that Director of GCHQ. During the Falklands conflict he was Principal Private Secretary to the Defence Secretary, and he served for three years in NATO Brussels as the UK Defence Counsellor.

No comments: