Servants of the people with our website history

BCS has never been against digital surveillance - even on a population-scale - as a matter of principle. This is an area that often puts us at odds with the tech zeitgeist, which tends to be a bit more on the liberal side of the spectrum.

That’s a huge, sweeping, generalisation, but the reality is that a lot of tech rights campaigners I know personally (and like, and respect) wouldn’t be comfortable with what the home secretary has introduced as a bill almost in any form. Yet it is clear that the general public are more sanguine. Difficult.

Looking back on ‘intercept modernisation’, of which the draft investigatory powers bill is the latest incarnation, our main critiques have focused on three areas: public debate, proportionality, and governance / oversight. On each area the government have made major steps forward since the last go-around.

While some might characterise it as a PR campaign for the bill, there has been an undeniable increase in the openness and debate from the government and their agencies on this issue. Our primary criticism in previous iterations - a lack of public debate - has been, as far as I can see, fully satisfied. That does not mean there is no further discussion needed - quite the reverse - it means the discussion is much more constructive. That said, it remains disconcerting that an apparent disparity exists between the home secretary’s statement at the despatch box and what is written in the bill about the ‘double lock’ - more on that later.

Proportionality of mass data collection is a very difficult issue on which to find the balance. There are legitimate views that it is unnecessary and intrusive, or the opposite. For BCS, we can only look at this in the broadest terms and comment when the technical elements are out of kilter with the stated aims - it’s not our job to answer what is fundamentally a political question. If you think it is proportionate or disproportionate then that’s ok.

Nevertheless, the data collected and scope has been reduced, so it is fair to say that proportionality has been improved - although there is more to say about how it is put into practice. The argument that insiders put is that they can be trusted with broad powers because they won’t use them unless necessary. That’s an understandable position if you’re in an insider, just as a certain scepticism amongst those outside is also understandable; it’s not as though Snowden’s material gives rise to confidence. Irrespective, culture around use of these powers is incredibly important.

That brings us neatly to oversight. At first glance the home secretary’s statement  seems a major step forward; political and judicial authorisation (with a time-sensitive protocol) and an integrated oversight of interception. This sounds good. However when it comes to the headline-grabbing ‘double lock’, there is already debate about what the home secretary said in her statement and what is written in the bill. The Rt. Hon. David Davis highlighted that the bill states that judicial commissioners have to make decisions based on judicial review principles, not on the basis of the evidence. That’s a big deal, and we would like the government to clarify the situation; a judicial process-check having little value when compared to more usual warrant-issuing processes.

Authorisation can be blanket or specific, and public trust in pragmatic accountability is shaky. Enlightened self-interest on the part of security and law enforcement agencies would suggest that unless they want a much more aggressive oversight like in the USA they need to keep within the boundaries. We’re back to culture again.

I remember some years ago debating with an official my view that mass government surveillance would lead to mass encryption, and I was rather sneered at - ‘it hasn’t happened so far’. I think a bit of humility and thoughtfulness outside the immediate context of counter-terrorism goes a long way. For those working on protecting us, they will use to the fullest extent any means they have at their disposal to achieve their (righteous!) aim. That is why we don’t let them set the powers - their perspective is too close to the threat. I’m hoping that the public debate is a result of a realisation that trust and consent of the public is important and can be won.

This brings us on to an important point of realpolitik. There is an element of normalisation in this bill; it is about ‘regularising’ what is already done. We have tasked the security and law enforcement agencies and they are doing what ‘we’ have asked of them; this bill gives them air cover just as it gives all of us some reassurances. It will only work if all parties stick to that covenant. Many will suggest that trusting what happens out of our sight is impossible, but it is necessary. If we trust those with access to these powers to obey the spirit of the law and do no more than necessary, then no range of powers is too much. If we do not trust them to honour the law, then any powers set out in law are irrelevant.

The last topic is about the implementation and operations. It will be an extremely bad move if we give individuals the ability to abuse the system, as that will more or less guarantee abuse. The way the bill is put into practice has to assume fallible humanity - this is ‘infosec for dummies’. The offence around misuse is welcome, but a law only has impact if those breaching it fear enforcement. We can also use technology to make abuse difficult.

There are lots of simple and even more clever ways of enhancing privacy while achieving the outcome. A simple example; there is no reason that staff at the communications service providers need access to unencrypted data. They could simply pass over what’s lawfully been requested in encrypted form. There is no reason that any individual - or team - need have the ability to decide on their own what to look at and get it without reference elsewhere. What I mean is that you can design the tech solution to reflect proper governance and make it a practical impossibility for people to routinely abuse the data. If we accept the assumption that well-encrypted personal data is not dangerous, then we can minimise the circumstances where the data is in the clear to the point of creation and the point of lawful use.

If it is implemented in a less competent manner, then we have created the largest and most dangerous honey pot of personal data we realistically could. Primary legislation is not a good place to enshrine technical detail, but there is one important twist here. Designing a system that created a massive risk that known techniques would prevent is reckless - and recklessness will become a criminal offence.

So perhaps we should seek to define on an ongoing basis the practices we expect a sensible design would involve, to help those building and maintaining this system avoid prison if they do it wrong.

This bill is also a waypoint - there remain many unanswered questions. We still haven’t got much of a collective grip on what we think about encryption. A number I have spoken to think it is vital that end-to-end encryption under the sole control of the user is protected, and they see this bill as the start of a massive and detrimental unravelling. I see the point, but at this stage I’m not sure that’s what the bill demands.

At a point where terrorism in the West is very much at the forefront of our minds, the public are unlikely to be too worried by esoteric-sounding issues of encryption. They want to be protected. As an organisation here for the public, we need to think hard about how much we accept that or whether we need to try and lead public opinion on an issue of rights. For now, examining the bill and its implications is a massive piece of work that we’ve barely started, but I find myself coming to the conclusion that the government have made progress on each of our tests at BCS , which is encouraging. Still some way to go though.

What do you think, BCS members? Have we got that right? All to play for at the moment…

About the author

Thoughts on membership, the profession, and the occasional pseudo-random topic from the BCS Policy and Community Director.

See all posts by David Evans
October 2017

Search this blog