Security and privacy in the internet age
This was published under the 2010 to 2015 Conservative and Liberal Democrat coalition government
The Deputy Prime Minister, Nick Clegg, gave a speech at the Royal United Services Institute on security and privacy in the internet age.
The internet is of course an awe-inspiring achievement.
Look at what it does - it allows people to access vast amounts of information and to connect across the globe in ever more complex ways. It is a fantastic tool for innovation and creativity, with digital startups and clusters in every corner of the UK, creating jobs and driving growth, and it has been instrumental in supporting the push for greater freedom, civil liberties and democracy around the world.
The security services are similarly awe-inspiring. Look at what they do: GCHQ has an illustrious history, from the code-breakers who defeated the Enigma machine and shortened the Second World War by at least 2 years, through to the contemporary fight against terrorism. As Deputy Prime Minister I have of course visited all 3 intelligence agencies and met the public servants who work there, and I have huge admiration for their talent and for their dedication.
International terrorism continues to present major challenges. Since 9/11 we have seen serious attempts at major acts of terrorism in Britain typically once or twice a year. Most of these plots have been thwarted and around 330 people have been convicted of terrorism-related offences. New threats arise all the time from new sources – we face a new source now from people travelling to Syria, becoming radicalised and then returning to the UK. But it is not just terrorism. The threats we are facing are many and varied. They include the dangers posed by rogue and failing states, nuclear proliferation, transnational serious and organised crime, and cybercrime.
In an increasingly interconnected world, where the threats to our safety are also globalised, we rely more and more on intelligence-led security interventions to protect our people from harm. That means agencies who understand the internet, who understand how those who would do us harm use it, and who have the capability to identify and pursue them.
There will always be a question about how we balance the competing principles of freedom and security, and how – in a democracy – we achieve widespread political consent for the way in which we strike that balance.
This has been true in every age. But it is a particular question for now, as the potential and opportunities of the internet stretch out before us, as new technologies connect us ever closer together, and as terrorists, criminals and the authorities who try to track them down become ever more sophisticated in their operations and techniques.
Unfortunately, this debate has become caricatured in a way I believe is neither helpful, nor allows us to make progress on some of the vital questions of principle that are at stake.
This is not a binary debate between good and evil, between the forces of freedom, democracy and civil liberty on the one hand; and on the other a surveillance state, concerned only with mass collection of information on its citizens for the purposes of social control.
It is, rather, a debate about the strength of our democracy and its interaction with parts of the state that are, by their nature, secret.
It is this set of questions:
- are the capabilities of the state proportionate to the risks we face?
- do we have the right legal frameworks to protect our citizens’ human rights, freedom of communication and privacy, even as technology develops?
- do we have the right oversight regime so that the agencies and those who work in them are held to account for their activities within those frameworks?
- are we completely unstinting in the pursuit of transparency so that we are always confident that secrecy – where it is used – is a necessity, rather than simply a habit?
As President Obama has done in America, it is time to bring these questions into the mainstream of political debate.
This is a set of questions that I have been involved in for a long time, and one that requires constant discussion and challenge.
The public debate that has surrounded the Snowden leaks came on the back of a long running public and parliamentary debate about communications data.
Again, this was a debate that some caricatured in very black and white terms. But again, viewing this debate only from its 2 poles misses the point.
My challenge to the Home Office’s comms data proposals was not an argument with law enforcement about the need for investigations to keep pace with new modes of communication on the internet. But in a world where internet freedoms are so highly fought for and highly prized, had we found the right, proportionate response to this capability challenge? Had we struck the right balance? My answer to this was no, and so I said that the proposed Comms Data Bill could not proceed.
There is another reason that I think we should be talking about this now. Over the past several years we have seen many of the pillars of our society deeply weakened through crises that eroded public trust. Parliament through the expenses scandal, the press through phone hacking, our banks, the BBC, the police. In each case we are having to work hard to rebuild public confidence. From these examples we have also learned that unless we act quickly to strengthen public support for these institutions, these failures can quickly become corrosive for the future. I do not want the agencies to suffer the same fate.
It is vital for the future safety and security of our country – as well as the rights and freedoms of our citizens – that we work tirelessly to sustain and support public trust in the security services, and secure widespread political consent for their activities and reach. And we should not be afraid if this means greater openness, and reform.
Privacy is integral to a free, fair and open society. A society in which views can be freely expressed in public and in private, whether it’s criticism of the government or an idea for a new business. A society in which people can move around freely and associate with whomever they please. A society in which people can reach their full potential, where no-one is enslaved by ignorance or conformity.
None of these is possible if we are constantly worrying about who might be reading our words, watching our movements, or monitoring the company we keep.
This idea – the notion that privacy is fundamental to democracy – is enshrined in article 8 of the European Convention on Human Rights, the right to private and family life. Crucially, it is not what is termed an absolute right. Your private affairs are protected, but only up to a point: if you’re intent on breaking the law and harming others, the state can invade your privacy.
This is a balancing test – the public interest in preventing crime has to justify the level of intrusion that the state wishes to impose.
Or as John Stuart Mill put it:
“…the only purpose for which power can be rightfully exercised over any member of a civilized community, against his will, is to prevent harm to others.”
Our intelligence agencies work within this legal and ethical framework in the defence of a liberal, open society. They have a duty to uphold the privacy of law-abiding citizens as well as the responsibility for investigating and disrupting threats to our national security.
The question is not whether the agencies uphold these values or comply with the framework. I don’t doubt that. The question we need to ask ourselves is whether the frameworks we have set for them are fit for the internet age.
The agencies’ practices, of course, have evolved along with the communications they seek to intercept: first telegrams, then telephones, fax, email. When the internet went mainstream in the late 1990s, a new information medium was born and with it new modes of communication: discussion forums, web-based email, instant messaging, voice and video streaming over IP, social networks, blogs, and micro-blogs.
The online world engulfed and digitised established technologies like video, music and print. Encryption flourished as individuals and businesses became increasingly concerned about cybercrime. And the web of course went mobile, extending its reach via smart phones and tablets into every corner of our lives.
This new medium has brought unprecedented opportunity, innovation, and the spread of new ideas. But it has also opened up new possibilities for criminals, terrorists and hostile states to plot, recruit and carry out attacks, while concealing their identities.
So the agencies have, rightly, harnessed the power of new technologies to ensure that our ‘signals intelligence’ (or SIGINT) capability keeps pace with the technologies that people are using.
Meanwhile, the sheer amount of data we are generating has just gone through the roof. 22 billion letters are delivered by Royal Mail each year. That sounds like a lot, but roughly 2.4 trillion emails are sent every year in the UK. That’s more emails sent in 4 days than letters delivered in a whole year.
Then there’s the 1 billion tweets, 23 billion Google searches, 70 billion Facebook views, 145 billion text messages, and 160 billion instant messages sent in the UK each year. Our online data and communications dwarf our real-life, real-world communications; and this trend is set to continue.
As the data mountain has grown, so has the capacity to store it, analyse it, and extract value from it. That is in many ways good news: for example, it means companies can offer us free services and applications driven solely by advertising revenues.
On the other hand, few of us are really aware of the size and nature of our electronic footprint. Smart phones, for instance, keep track of so much more about us than could ever have been possible in the past - including recording our location on a regular basis. But we understand little about who retains such data, and what it might reveal.
All this puts a lot of stress on the notion of privacy. We had a foretaste of this with the ID cards scheme, where people started to understand the potential for abuse if government was able to link together disparate databases (banking, immigration, health, benefits, criminal justice).
The coalition government acted quickly to respond to public concerns about ID cards, decommissioning the scheme and destroying the national identity register that sat behind it.
But that was a public scheme, debated in parliament and in living rooms up and down the country; the recent leaks have triggered a global debate about what governments can do with this data in secret.
The issue I want to focus on today is what happens when personal internet data is collected in bulk by our intelligence agencies.
As President Obama has said in his speech on 17th January, responding to the report of his Review Group on Intelligence and Communications Technologies:
“[The] combination of increased digital information and powerful supercomputers offers intelligence agencies the possibility of sifting through massive amounts of bulk data to identify patterns or pursue leads that may thwart impending threats. But the government collection and storage of such bulk data also creates a potential for abuse.”
President Obama is referring there to the vast quantity of information that is generated by us all, every day, in our communications over the internet. This includes so-called metadata, the contextual information which describes the ‘who’, ‘when’, ‘where’, and ‘how’ of our communications, alongside the ‘what’ – the content itself. When this is collected on a large scale, it is referred to as bulk data.
GCHQ is legally able to collect bulk data as part of its work in countering threats from abroad. The national security justification for doing so is straightforward. If we are talking about an international terrorist network that we want to disrupt, then we want them to be able to find out who is talking to whom.
That network may be operating across several jurisdictions and in parts of the world where we could not access industry-held data even if we wanted to. And so bulk data allows our analysts to trace those interactions, those networks, while leaving the overwhelming majority of the data untouched. In other words, this is the way we collect the haystack in order to find the needles.
On the other hand, the civil liberty concern about holding bulk data is also clear. Some critics argue that the very act of collecting untargeted data on law-abiding citizens is an invasion of privacy, regardless of whether it is ever looked at.
Others argue that it is acceptable to do so abroad, but that data collection in the UK should be strictly limited to information on named individual suspects. All would agree that once governments hold bulk data, there is of course a risk that it could be misused, for example to monitor legitimate political protest.
Again, I don’t think the answer to the dilemma sits at either pole. The idea that the security services should be able to track communications in order to pursue or disrupt serious criminals and terrorists is not controversial. If, in order to do that effectively, the judgement is that there is no practical alternative to bulk data collection, then to some degree we should allow it.
But the questions are then those of necessity and proportionality, the same principles which govern established data protection law, and start from the principle that the government should intrude as little as possible into private affairs:
- how long is the data stored, by whom, and how much of it?
- how can the collection of extraneous data on law-abiding citizens be minimised?
- who should authorise access to the data that is collected? Should permission be granted internally within the agencies, or should it be signed off by a minister, an external body, or by a judge?
- should metadata be treated as less sensitive than content, despite the fact that it can tell a great deal about an individual’s private life?
- what kind of analysis can the data be subject to?
- oversight – is the way we supervise all this sufficiently robust?
Currently, the ability of the agencies to gather the content of a communication – what is actually said and its associated metadata – is governed by a legal framework, the Regulation of Investigatory Powers Act (RIPA), which has a strict system of warrants that need to be signed off by democratically accountable ministers (the Foreign or Home Secretaries) before content can be accessed. In my experience, the agencies pride themselves, rightly, on their strict adherence to this framework.
But those laws were written 14 years ago, before the internet revolution had really taken hold.
Some privacy experts understood what might happen with the advent of the internet, and did raise concerns at the time of the Regulation of Investigatory Powers Bill. But these were not widely understood, and government proceeded regardless. The result is that some aspects of RIPA already feel outdated.
For example, in the internet age, is the distinction that RIPA strikes between external and internal communications valid, and what does it mean in practice? The mission of GCHQ is first and foremost about countering threats from abroad. But when it comes to internet communications, the distinction between ‘domestic’ and ‘foreign’ is all but redundant.
The email that I send to my friend who lives a few streets away from me is likely to be routed via the United States; the video that I watch on YouTube may be retrieved from a server in Finland, Chile or Singapore. Transactions that feel intuitively like they take place within the UK now qualify as external communications, and traces of them may end up in GCHQ’s servers.
In other words in the course of carrying out its core function, monitoring the ‘external’ communications of those who threaten our national security, both the content and the ‘metadata’ of our domestic communications may as a consequence be collected and stored.
Whether that data is ever interrogated is a separate question, but that simple fact about collection jars with the perception that most people have of GCHQ as a predominantly foreign intelligence agency.
These facts pose intricate and difficult questions. The challenge, then, is for careful analysis and practical solutions, and to determine where the right balance can be struck.
How, therefore, should we proceed?
I have and will continue to have the highest respect for the professionalism of our agencies. They conduct their work in good faith and the scope of their activities is constrained by laws, including the Human Rights Act, which require them to operate in the public interest. That being said, I am concerned about 2 things which risk undermining their reputation and, by extension, their long-term effectiveness.
First, our current framework assumes that the collection of bulk data is uncontroversial as long as arrangements for accessing it are suitably stringent. I don’t accept that.
I agree, of course, that strong access controls are vital to prevent employees from going on ‘fishing expeditions’ once a store of data exists. But the case for collection itself has to be made, not assumed, and it must be shown to be proportionate. This is particularly true in a world where – as we have seen in recent weeks in the context of NHS data – people are starting to question the uses to which their data are put and to demand that government does more to obtain their informed consent.
Second, the public interest cannot be democratically determined behind closed doors. Decisions exercised in obscurity cannot be relied on to command public confidence when they come to light.
It is not enough for the agencies to claim that they accurately interpret the correct balance between privacy and national security: they must be seen to do so, and that means strong, exacting, third-party oversight.
The first of these observations is a cultural problem. The second is a systemic problem flowing from secrecy. Both point to the need for better scrutiny, oversight and challenge.
These issues will need to be revisited in the next Parliament. I believe that thinking and analysis needs to start now, so that we are in a position to take early decisions after the next election.
I would like the next government to be able to draw on an independent assessment of the issues at stake. The ISC is conducting a review into privacy and security which I expect will provide a valuable contribution to a wider discussion. But there is an important role for independent think tanks and NGOs too, and that’s why I’m delighted to be able to announce today that the Royal United Services Institute (RUSI) has agreed to establish an expert panel to review the use of internet data for surveillance purposes.
The panel will consist of a group of experts, drawn from the worlds of intelligence, technology, civil liberties, and law, and chaired by Professor Michael Clarke, RUSI’s Director General. They will look at the principles that ought to govern our use of surveillance, examine current practice, and make recommendations for reform and, where necessary, new legislation. They will look at the specific challenges I have set out today, including the proportionate use of bulk data, but also the question of access to communications data held by private companies too.
This is not an approach that I have been able to agree within government with my coalition partners. For now, Liberal Democrats are leading the way, and we will be the first political party to debate these issues at our Spring Conference later this week.
I hope that as it progresses, the review that RUSI will lead will be able to garner support from across the political spectrum.
I will now turn to the concrete changes that I would have liked to see enacted by this government, and which don’t in my view require the kind of detailed reflection that we need on data, and which could be done promptly.
To start with, we should introduce more transparency and openness where we can do so without jeopardising operations. Secrecy is essential for the agencies to conduct their operations, but if blanket secrecy becomes an unthinking default response then public trust will suffer.
The assumption should always be for openness where possible, secrecy where necessary.
We would set up a new single web portal - we could call it “surveillance.gov.uk” - to act as a single source of information about the work of the agencies. New reports, legal rulings and statistics would be posted here to give them due prominence.
More significantly, we would follow the example of the private sector and publish annual transparency reports with a breakdown of the requests made under RIPA for access to comms data held by internet service providers and telecoms firms.
For the first time people will be able to see which agencies request access to data, on how many individuals and for what purposes.
Next, oversight. The oversight mechanisms are complicated and – in my view – unnecessarily difficult for a layperson to understand. This means that the very mechanisms that are supposed to reassure the public are, in fact, inaccessible and unconvincing.
The public face of agency accountability, the parliamentary Intelligence and Security Committee, has been criticised for being overly-deferential, and I think anyone who saw the recent public hearing with the 3 agency heads would agree that the pre-cooked questioning, whilst welcome as a new innovation, was no match for the kind of raw grilling that the US agencies receive in front of their congressional oversight committees. We have recently given the committee more powers and resources, but questions remain about its effectiveness and I consider the ISC to be on probation in its present form. The ISC has to persuade the public that they are really capable of holding the agencies’ feet to the fire.
The danger, whether in perception or reality, is that we have a closed shop, especially when the Chair of the Committee previously served as one of the sponsor ministers for the agencies in Whitehall. If the public believe that there is no grit in the machine – no real push to challenge the agencies in a tough and exacting way where needed – that in my judgement is a serious political liability for organisations that can only operate with a high degree of public trust. I am clear that we need to simplify and open up the systems and institutions that oversee agency activities, to ensure they behave in a sufficiently challenging way, and to increase engagement with the public.
That is why today I am calling for the following reforms.
First, the ISC should be further strengthened as the parliamentary body that provides scrutiny and challenge. The membership of the committee should be expanded from 9 to 11, to match the standard size of select committees. The holder of the chair should in future be an opposition party member, to avoid accusations that the committee is too cosy with the government of the day. Hearings should be held wherever possible in public. And budgets should be set in public for 5 years ahead, to allow it the stability to plan a long term work programme.
Secondly, changes should be made to the Investigatory Powers Tribunal (IPT), which considers complaints against the use of intrusive powers by the intelligence agencies and others. At the moment there is no right of appeal – if the IPT rules against an individual, his or her only recourse is to the European Court of Human Rights. We should enable appeals to be heard in this country. We should also introduce greater transparency to the work of the IPT, with the reasons for rulings published.
Thirdly, we should create an Inspector General for the UK intelligence services, with reinforced powers, remit and resources.
This role would replace 2 existing offices, the Interception of Communications Commissioner, and the Intelligence Services Commissioner. The requirement for those individuals to have held high judicial office should be removed to allow recruitment of the new Inspector General from a wider pool. My hope would be that over time, this post would have a greater public impact, increasing the general understanding of the agencies’ work and how they are held to account.
So, in conclusion, what kind of internet do we want? An internet which is open, vibrant, a force for change, a place where private conversation can take place without fear? Or, at the other extreme, an internet that becomes a tool of social and political control rather than liberation? In some parts of the world, that dystopian version of the future is already becoming a dangerous reality.
In others, where people are only just becoming connected and the infrastructure for the internet is at its early stages, other governments are looking to this debate to guide them as to how the relationship between the state, the citizen, and the internet should be governed. We have a duty to ensure the UK stands proudly for the free and open internet.
Yet it is in all our interests to ensure that we can enforce the law in the online world in the same way we enforce the law in the offline world, targeting terrorist and criminal networks and preventing attacks from taking place, precisely to safeguard the free and open society that we want.
The challenge is to preserve their ability to keep us safe without altering the fundamentally open nature of the web.
I strongly believe that if we are going to establish an enduring basis of trust between the public and the intelligence agencies in the internet age, then the ideas I have set out today constitute the bare minimum that is needed. We cannot foresee what the internet will look like in 10 years, let alone 50 or 100 years. But we can confidently predict that the exponential growth of personal data and our ability to analyse it will continue unabated.
The way in which governments make use of that data should be of fundamental concern to anyone who cares about liberal democracy.