Home Secretary's Defence and Security Lecture
This was published under the 2010 to 2015 Conservative and Liberal Democrat coalition government
Theresa May on privacy, security and the threats we face
Thank you, Lord Mayor. I am delighted to have been invited to speak at this prestigious event and to such a distinguished audience. I am particularly pleased to be here at the Mansion House, given the history of policing in the City and the work you do with the Government and others in the fight against terrorism and organised crime.
Tonight I want to talk about the balance between privacy and security but in the full context of the threats we face – because too often, these important issues are discussed in a strange vacuum as if the debate was entirely academic.
The threats we face are considerable: the collapse of Syria; the emergence of the Islamic State of Iraq and the Levant; Boko Harm in Nigeria; al Qaida in the Arabian Peninsula in Yemen; like minded groups in Libya; al Shabaab in East Africa; terrorist planning in Pakistan and Afghanistan; industrial, military and state espionage practised by states and businesses alike; organised crime that crosses national boundaries; the expanding scope of cyber. All these threats and many more should remind us of an obvious old truth. The world is a dangerous place and the United Kingdom needs the capabilities to defend its interests and protect its citizens.
This task is, of course, becoming more complicated. The evolution of the internet and modern forms of communication provide those who would do us harm with new options; they provide those who would protect us – the police, the security and intelligence agencies, the National Crime Agency and others – with new challenges. And they have kicked off new debates about the balance between privacy and security.
The role of the Home Secretary in approving surveillance
I want to start by telling you about a part of my job that nobody really knows about. It is a responsibility that is rarely discussed but it perhaps occupies more of my time as Home Secretary than anything else.
It is my statutory responsibility to give careful consideration to applications for warrants from the police, the National Crime Agency, the intelligence agencies and other law enforcement bodies to undertake the most sensitive forms of surveillance – surveillance that includes the interception of electronic communications and monitoring private conversations.
If the Security Service wants to place a device in the property of a terrorist suspect, or the National Crime Agency wants to listen to the telephone calls of a drugs trafficker, they need my agreement first. On the basis of a detailed warrant application and advice from officials in my department I must be satisfied that the benefits justify the means and that the proposed action is necessary and proportionate.
The warrant application gives me the intelligence background, the means by which the surveillance will take place, and the degree of intrusion upon the citizen. Neither the Security Service nor other intelligence agencies, nor the police, nor other law enforcement agencies, can undertake sensitive surveillance without providing these details and gaining my approval. Ministerial oversight – which I share with the Foreign Secretary and the Secretary of State for Northern Ireland – is a crucial safeguard to make sure that the most intrusive powers are used only when they are necessary and proportionate.
In a typical week, I consider warrant applications against organised criminals involved in drugs, guns and money laundering. I consider warrant applications against people suspected of terrorism. Those applications include intelligence relating to modern slavery, gang violence, kidnapping, intimidation and corruption.
They inform me about terrorist plots that could kill innocent civilians and damage our economy. Many applications now relate to events in Syria and the plans young British people have to travel there to fight. Some applications concern attempts to proliferate chemical biological and sometimes even nuclear technology. Threats in cyber space – from organised criminals and hostile foreign states – are increasingly common.
I do not take my responsibilities lightly. I approve warrants only on the basis of detailed intelligence and a reasoned explanation of their likely benefit. Sometimes I demand more information before taking a decision or I make my approval conditional. On some occasions I refuse the application. But the lessons from this daily inflow of detailed intelligence work are clear.
Our country has faced these threats before and the intelligence agencies, the police and other law enforcement agencies have worked brilliantly to contain them. They have done so not through inspired guesswork but by using sensitive capabilities and skills developed over many years.
This government has preserved individual freedom while defending national security
So I make decisions about the specific use of capabilities every day. But I am also responsible for broader government policy that dictates what powers should be available to the authorities and what safeguards should be in place. And since the formation of this government in 2010 we have made a series of changes because we concluded that some powers were unnecessary and unduly intrusive.
We reduced the upper limit on pre-charge detention for terror suspects by half – from 28 days to 14 days. We replaced control orders – which had been defeated consistently and watered down in the courts – with new measures which better balance the need to control with the overriding priority to prosecute. We cut the time an individual can be examined at our ports and borders under counter-terrorism laws.
We have ended the indiscriminate use of no-suspicion stop-and-search powers granted by the Terrorism Act 2000. And one of the first things I did as Home Secretary was scrap ID cards and destroy the identity database.
Where we believe the authorities need sensitive and intrusive powers we have increased oversight of their use. We have given greater authority to the Intelligence and Security Committee of Parliament to scrutinise in far more detail the operational activity of all the security and intelligence agencies – MI5, MI6 and GCHQ – and to publish their reports. We are making changes to the rules that govern undercover policing. We have new controls on the use of biometric material. We have stopped local authorities using electronic communications data and other surveillance techniques to deal with a raft of relatively trivial problems.
If we take this opportunity to take stock, it is fair to conclude that this government has performed well in preserving individual freedom while defending our national security. But you might not believe that if you listen to some of the things that are said in the debate about privacy and security.
It is alleged that there is a programme of mass surveillance on people in this country; that our intelligence agencies are acting illegally; that there is no effective oversight or control of their activities. It is said that our powers are not only disproportionate but ineffective, that they do not stop terrorist attacks or other serious crimes.
And while we are accused of overstating the threats we face, it is said that the theft and disclosure of sensitive material about the capabilities we have has caused no damage to our national security.
The public is at risk of being misled. It is important that people hear the truth about each of these allegations, because we cannot afford a loss of faith in the vital work of the security and intelligence agencies, and because we need public support and public trust if we are to win the argument about capability.
There is no programme of mass surveillance
Let me start by saying this: there is no programme of mass surveillance and there is no surveillance state. Surveillance of this nature would be illegal, and I only ever sign warrants for limited and specific proposals. If anybody ever attempted any form of mass surveillance, internal controls and external oversight would detect it and stop it and the perpetrators would be prosecuted.
We should be clear about what this accusation actually means. Mass surveillance would require the pervasive and thorough observation of huge numbers of people living in this country.
The very idea that we could or would want to monitor everyone and all their communications, trawling at will through their private lives, is absurd.
Signals intelligence relies on automated and remote access to data on the internet and other communications systems. Computers search for only the communications relating to a small number of suspects under investigation. Once the content of these communications has been identified, and only then, is it is examined by a trained analysts. And every step of the way it is governed by strict rules, checked against Human Rights Act requirements.
That is not mass surveillance.
You do not have to take my word for it. We have an Interception Commissioner whose job it is to monitor the use of powers of interception and collect communications data by all the agencies, including GCHQ. The Commissioner is a man of unimpeachable independent standing. He is the former Court of Appeal judge, Sir Anthony May.
His last annual report, which was published in April, explains that interception requires a warrant from a Secretary of State and must be for a purpose specified in law. There are three such purposes: national security, serious crime and economic well-being when it is related directly to state security. As Sir Anthony says, it would be unlawful to issue a warrant for any other purpose.
In fact, he concludes that “any member of the public who does not associate with potential terrorists or serious criminals or individuals who are potentially involved in action which could raise national security issues for the UK can be assured that none of the interception agencies which I inspect has the slightest interest in examining their emails, their phone or postal communications or their use of the internet, and they do not do so to any extent which could reasonably be regarded as significant.”
He could not be any clearer – there is no mass surveillance programme.
The intelligence agencies do not act illegally
Our critics also allege that the intelligence agencies take advantage of the relationship with their counterparts in the United States to seek intelligence which they cannot obtain legally in the UK.
It is certainly true that we benefit hugely from the intelligence relationships we enjoy with the US and other allies. They have often provided the crucial early warning of terrorist plots against us. They are essential to the protection of this country and we could not do without them.
In this country we do not just have laws governing the use of sensitive capabilities – we also have laws governing the acquisition of information from other countries. Our intelligence agencies – MI5, MI6 and, yes, GCHQ – cannot ask their counterparts overseas to undertake activity that would be unlawful if they conducted it themselves.
This matters, especially in the context of electronic communications. It has been alleged that our agencies rely on their counterparts overseas – notably those in the United States – to provide them with intercepted communications unlawfully. This is – quite simply – untrue.
And again, you do not have to take my word for it. The Intelligence and Security Committee reviewed GCHQ’s alleged use of interception material from the US PRISM programme and concluded that “in each case where GCHQ sought information from the US, a warrant for interception, signed by a Minister, was already in place, in accordance with the legal safeguards contained in the Regulation of Investigatory Powers Act 2000.”
Sir Anthony May has also looked at this allegation and he concluded: “British intelligence agencies do not circumvent domestic oversight regimes by receiving from US agencies intercept material about British citizens which could not lawfully be acquired by intercept in the UK.”
I know that some people have alleged that GCHQ is exploiting a technical loophole in legislation that allows them to intercept external communications – that is, communications either sent or received outside the United Kingdom – at will and without authorisation. This is also nonsense. The definition of external communications was set out clearly in the Regulation of Investigatory Powers Act. It is not new, it is not hidden and it is clear that the interception of external communications by GCHQ requires warrants. They are not signed by me but by the Foreign Secretary. And those warrants have to be accompanied by a certificate, also signed by the Foreign Secretary, that sets out what intelligence analysts in GCHQ are permitted to examine. So there is no loophole and no illegal activity.
There is effective oversight of the agencies
Many of the criticisms of the security and intelligence agencies are based on an assumption that there is only very limited – and ineffective – oversight of what they do. It is often implied that oversight is only provided by ministers and the Intelligence and Security Committee of Parliament. This is also wrong.
Safeguards are built into the system at every level. Oversight begins with each and every employee engaged in operational work in the agencies. Their training about legal issues and compliance is detailed and a matter of course. The agencies’ operating systems are designed to control and limit access to intelligence rather than facilitate it. The work that the agencies do is checked, double-checked and checked again.
I have already explained my role and the role of other ministers in approving applications for warrants. I have also mentioned the Interception Commissioner. There are also Commissioners for the Intelligence Services and for Surveillance. Like Sir Anthony May, they are also former members of the senior judiciary, they are entirely independent, and they publish annual reports. There is also the independent reviewer of terrorist legislation – a position established by statute, with a duty to report to the public on the operation of our counter-terrorism legislation. The reviewer is independent of government, but has access to the most sensitive security information. The position was occupied first by Lord Carlile and now by David Anderson, both of whom are as independent as they are expert in the law.
Last year, when we proposed new legislation relating to access to communications data – which is something I have mentioned already and to which I will return later – a Joint Scrutiny Committee of both Houses of Parliament was established to examine the case for the legislation. In doing so, they heard evidence from a wide range of witnesses, including from the security and intelligence agencies and of course the Home Office.
I have already noted how the Intelligence and Security Committee of Parliament has been given an extended remit and more staff to inspect the work of the agencies. They are, for example, due to report on the circumstances surrounding the terrorist murder of Drummer Lee Rigby in May last year. Their investigation has been extraordinarily thorough and extensive, and the agencies have had to submit huge volumes of material. The agencies’ heads and staff have been questioned at great length. And of course the Committee is working on its own report on issues about privacy and security.
There is also an Investigatory Powers Tribunal, which hears complaints about the activities of the agencies. The Panel is about to consider a legal challenge against aspects of the interception and signals intelligence regime, for example. The Government has submitted and agreed to publish fifty pages of evidence.
This is a comprehensive system of checks and balances with a clear role for elected ministers and Parliamentarians to provide democratic accountability – and I do not believe it is surpassed by any other country.
Our powers and capabilities are necessary and effective
The fourth criticism of the security and intelligence agencies is that their sensitive powers and capabilities are not only disproportionate but ineffective, that they do not stop terrorist attacks or other serious crimes.
We have been asked repeatedly to respond to this criticism by laying out in public and in full our secret capabilities and the effects they have had. In particular we are asked where and when and how terrorist attacks have been stopped. We are asked to submit this information for scrutiny not in Parliament but in public; not by our elected representatives but by unelected, unaccountable and self-appointed arbiters of our national security; not with respect for the need for secrecy but with a cavalier and reckless transparency.
We cannot and will not do so. If we did we would only damage the capabilities we have to protect our country. What we have done and what we will continue to do is set out our capabilities and the benefits they bring – and we will set them out to the people who have the legal and constitutional duty to provide oversight of these necessarily secret activities.
Those people are the Interception Commissioner, the Intelligence Services Commissioner and the Intelligence and Security Committee of Parliament. We will give the Committee all the information they need to do their job, and we will do everything we can to allow them to report on these matters in detail.
And the crucial fact here is that in all their recent reports and evidence, the Commissioners and the Intelligence and Security Committee conclude that the capabilities of the security and intelligence agencies are necessary, effective and used in a responsible way.
We can be more open and explicit about the benefits of communications data because some of this data – which is obtained by the police and others from communications service providers – can be used as evidence by the Crown Prosecution Service in our courts. As I have said before, it is estimated that communications data is used in 95 per cent of all serious and organised crime cases handled by the Crown Prosecution Service. And it has been used in every single major terrorist investigation over the last ten years. Access to communications data is vital for combating crime and fighting terrorism. We would not be able to keep our country safe without it.
The threat we face is real and it is deadly
For a long time, we have been criticised for overstating the threats we face. We need to remember some facts. Between September 2001 and the end of 2013, more than 2,500 people were arrested for terrorist offences in this country. Almost 400 people have been convicted for terrorism-related offences. We have disrupted more than one major attack in this country each year since 2005 and many more overseas.
The terrorist threats to this country and our interests are changing faster than at any time since 9/11. We continue to face possible attacks by al Qaida in Pakistan and Afghanistan. But we face further threats from Syria and now from Iraq where al Qaida, ISIL and others have created a safe haven with substantial resources including advanced technology and weapons. They are on the doorstep of Europe, just a few hours flying time from London, and they want to attack us – not just in Syria or Iraq but here in Britain.
Many hundreds of people from our country have travelled to Syria to fight against the Assad regime. They have ended up fighting for terrorist groups, often against other parts of the opposition rather than against the Syrian government. Some of them will present a real danger to us when they return to Britain.
The investigation of these people will require all of our sensitive capabilities and the skills and resources of the agencies and police. It will involve the further use of the powers I have through the Royal Prerogative to remove people’s passports to stop them travelling – and in a smaller number of cases, I am prepared to use my powers to deprive people with dual citizenship of their British nationality.
We need to focus all aspects of our counter-terrorist strategy on the problem – pursuing groups who are plotting against us; preventing people from being drawn into extremism and terrorism; and protecting our borders and infrastructure.
Organised crime is changing as fast as terrorism. Because of the nature of financial and economic crime, those of you who work here in the City are more aware of these developments than many others. Crime is moving online. Cyber techniques enable organised criminals to carry out crimes from remote locations, often in other countries. They operate at a scale and speed and from a distance that has not previously been possible. I have every confidence in the strategy we have developed to deal with organised crime and in the capacity of our new National Crime Agency. But the threats faced by the NCA are formidable.
In front of this audience I do not want to spend more time pointing out the inadequacy of the argument that the threats we face are overstated. But I do want to make this related observation: those who make this claim find it easy to argue that the disclosure of sensitive capabilities used by the police and intelligence agencies has caused no damage. If you don’t believe in the threat then of course you can be frivolous about the capabilities intended to contain it. Indeed, we are sometimes asked to believe that the disclosure of our capabilities has served a public good.
The fact is that since the theft of NSA and GCHQ documents, and since the allegations about their secret capabilities contained in those documents were made public, this country is at greater risk than it was before.
Maintaining capabilities in a digital age
It is right that we have a debate about security and privacy. But that debate must start with a sensible and considered assessment of the threats we and other democratic states face. As events in Syria and Iraq show, we cannot wish those threats away. If we do not base this hugely important debate upon the threats, nothing we do will seem necessary or proportionate.
We then need to be clear about our capabilities and the challenges we face in maintaining them in a digital age. I want to make three points about this.
First, we are living more of our lives online, using an array of new technology – IP telephony such as Skype and Facetime, social networking such as Facebook, Twitter and Instagram, chat rooms, anonymising services, and a myriad of mobile apps. This is hugely liberating and a great opportunity for economic growth, but this technology has become essential not just to the likes of you and me but to organised criminals and terrorists.
Second, the new technology is generally owned and operated not by states but by communications companies. They are global and they exercise considerable power. They collect data from their services about our online activity and they often use it for commercial purposes. It is often bought and sold. These companies affect – I might even say intrude upon – our lives and our privacy every single day. They can drive a car up your road and put an image of your home online for the world to observe. Of course, they do not need a warrant to do so.
Third – and I cannot emphasise this point enough – far from having some fictitious mastery over all this technology we, in democratic states, face the significant risk of being caught out by it. Governments have always reserved the power to monitor communications and to collect data about communications when it is necessary and proportionate to do so.
It is much harder now – there is more data, we do not own it and we can no longer always obtain it. I know some people will say “hurrah for that” – but the result is that we are in danger of making the internet an ungoverned, ungovernable space, a safe haven for terrorism and criminality.
I know some people like the thought that the internet should become a libertarian paradise, but that will entail complete freedom not just for law-abiding people but for terrorists and criminals. I do not believe that is what the public wants. Loss of capability – not mass surveillance nor illegal and unaccountable behaviour – is the great danger we face.
And that danger is already upon us. We no longer have capabilities upon which we have always relied. Let me give one example. Over a six-month period the National Crime Agency alone estimates that it has had to drop at least twenty cases as a result of missing communications data. Thirteen of these were threat-to-life cases in which a child was assessed to be at risk of imminent harm.
The truth about the way the privacy and security debate has been presented is that it creates myths that hide serious and pressing difficulties. The real problem is not that we have built an over-mighty state but that the state is finding it harder to fulfil its most basic duty, which is to protect the public.
That is why I have said before and I will go on saying that we need to make changes to the law to maintain the capabilities we need. Yes, we have to make sure that the capabilities can only be used with the right authorisation and with appropriate oversight. But this is quite simply a question of life and death, a matter of national security. We must keep on making the case until we get the changes we need.