Sunday, June 08, 2014

Don't spy on us!

Very inspiring today to see over 500 people turn up for the Don't Spy On Us coalition's day of action, on the first anniversary of Edward Snowden's leaks. There were some great speeches - amongst others from Bruce Schneier, Jimmy Wales, Duncan Campbell and Shami Chakrabarti. 

Here are my notes for my own panel remarks:

Maintaining privacy online is an ongoing struggle. We need changes in both technology and law.

Encrypting everything is a good starting point, and will raise the cost of mass surveillance. But it is not a panacea - it is not nearly easy enough yet for the majority of users, and anyway many organisations hold user data without sufficient organisational and technical controls to adequately protect it. 

NSA’s TURBINE programme is designed to allow control of millions of compromised systems. Even at much lower levels of sophistication, we see millions of machines in botnets. Where the Five Eyes states lead, other nations and then criminals will follow. We need much better tools for producing and verifying trustworthy systems.

Technologists can also help by developing useable open source security tools for non-geeks (GPGTools is a good example). But it's also important to work on standards (at bodies like the IETF) and find other ways to get mainstream providers to beef up security (like Google’s TLS monitoring).

One important benefit of the Snowden disclosures has been to force legal discussion of foreign intelligence collection into the open. This was previously an almost undiscussed area of international law. It's important to push stronger standards (like the Necessary & Proportionate principles) and even more importantly, to enforce them - through courts, the UN, international political processes like EU-US treaty negotiations - and every other available forum (such as the Council of Europe, WTO, TTIP…).

This can be a boring unglamorous slog, and eats up campaign groups’ already scarce resources. But the anti-privacy voices in those venues have to be consistently countered. 

The most important way to protect online privacy is political. It takes thousands of loud voices to persuade politicians over the soothing noises of the security agencies (and the tabloid newspapers that think you can never have enough surveillance). We need many more Julian Hupperts, Claude Moraes and David Davises, in national and European parliaments, to get the long-term legal reforms required. So I hope everyone in this room is already a member of at least one campaign group like ORG or Liberty - and will get more involved in activism on these issues in future. 

Tuesday, March 04, 2014

Finally, some high-level UK debate on Internet surveillance

You wait nine months for some UK political debate on the mass Internet surveillance by the National Security Agency and GCHQ revealed by Edward Snowden, then two speeches come along at once...

This morning I went to listen to Nick Clegg, the Liberal Democrat leader and deputy prime minister, give his first major speech on the issue (there is a summary in the Guardian). It was thoughtful, and went into much more depth than is typical for top-level political debate on these matters.

Having given up waiting for their coalition partners, the Lib Dems are proposing some immediate changes: reform of the Intelligence and Security Committee, which should be chaired by an opposition Member of Parliament and hold its meetings in public whenever possible; allowing appeals from the Investigatory Powers Tribunal to the English courts; and publishing an annual government transparency report that gives much greater detail about state access to Internet communications and "metadata".

The deputy prime minister talked at length about the controversial "bulk access" to large amounts of Internet traffic that GCHQ has under the Regulation of Investigatory Powers Act. Unlike most other politicians, and certainly unlike former GCHQ directors I have heard speak on the subject, he argued that such large-scale access is not automatically acceptable so long as there are strict rules within NSA/GCHQ on access to the "collected" data.

Collection itself is intrusive (as the European Court of Human Rights has long recognised, in cases such as Leander v Sweden and Amann v Switzerland), and should only happen when necessary and proportionate. Indeed, as President Obama's review panel said:

"Although we might be safer if the government had ready access to a massive storehouse of information about every detail of our lives, the impact of such a program on the quality of life and on individual freedom would simply be too great. And this is especially true in light of the alternative measures available to the government... We recommend that the US Government should examine the feasibility of creating software that would allow the National Security Agency and other intelligence agencies more easily to conduct targeted information acquisition rather than bulk-data collection."

Meanwhile yesterday, shadow Home Secretary Yvette Cooper gave a shorter speech to Demos. She acknowledged the deficiencies of the existing legal regime, and said that the Intelligence and Security Committee should be chaired by an opposition MP, to give it more credible independence from the government, and be given permanent technological expertise. She also said that the Communications Data Bill previously proposed by the government was "far too widely drawn, giving the Home Secretary unprecedented future powers, and with too few checks and balances, and has rightly been stopped."

There seems to be a developing consensus between the two parties. Yvette Cooper has called for much more public debate about Internet surveillance, echoing Nick Clegg's concern about a loss of public confidence in the intelligence agencies. Both want stronger oversight by converting the existing interception and intelligence commissioners - retired judges whose work is largely unknown to the public - into a higher-profile Inspector General. And both recognise that the Regulation of Investigatory Powers Act now needs changing, in areas such as stronger safeguards for "metadata", and looking again at the broad powers given for GCHQ surveillance of "external" communications that start and/or end outside the British Isles (i.e. most Internet communications).

The deputy PM has asked the MoD's external think-tank, the Royal United Services Institute, to convene an Obama-style review panel to report back on these issues after the next election. By then, as Clegg said, there will be irresistible pressure for Parliament to update the UK legal framework to better reflect the realities of today's Internet - and perhaps a Labour-Lib Dem coalition that would make this happen. Hopefully those Conservative MPs such as David Davis, who have played a strong role in the public debate so far, will also be able to persuade their colleagues in government of the necessity of reform.

Wednesday, January 09, 2013

Could a cyber-attack "fatally compromise" the UK military?

The House of Commons Defence Committee has published a report on Defence and Cyber-Security, which concludes:

"The evidence we received leaves us concerned that with the Armed Forces now so dependent on information and communications technology, should such systems suffer a sustained cyber attack, their ability to operate could be fatally compromised... The cyber threat is, like some other emerging threats, one which has the capacity to evolve with almost unimaginable speed and with serious consequences for the nation's security. The Government needs to put in place - as it has not yet done - mechanisms, people, education, skills, thinking and policies which take into account both the opportunities and the vulnerabilities which cyber presents. It is time the Government approached this subject with vigour."

I think this conclusion may be overstated. In a time of serious budgetary cutbacks, the government has committed serious new money — £650m — to cybersecurity activities (although this may have been concentrated too heavily at GCHQ). A small amount of that is going towards Academic Centres of Excellence in Cybersecurity Research, one of which is at Oxford. The report fails to draw an adequate distinction between risks to defence systems and broader national security. And while information security is not developing nearly quickly enough in critical national infrastructure, we are not yet at the point at which likely adversaries would have the motivation and capability to cause serious damage to property or loss of life via these vulnerabilities.

The conclusions Peter Sommer and I reached last year for the OECD in our report on global systemic cybersecurity risk still hold: this is a long-term planning concern for government, not a short-term panic. I've made these points in interviews this afternoon for the World Service and BBC Scotland.

Thursday, September 20, 2012

Confusion reigns over UK Internet freedom

The UK's Director of Public Prosecutions this morning published an extremely sensible statement after deciding not to prosecute Daniel Thomas, the author of a homophobic tweet about Olympic divers Tom Daley and Peter Waterfield:

"This was, in essence, a one-off offensive Twitter message, intended for family and friends, which made its way into the public domain. It was not intended to reach Mr Daley or Mr Waterfield, it was not part of a campaign, it was not intended to incite others and Mr Thomas removed it reasonably swiftly and has expressed remorse. Against that background, the Chief Crown Prosecutor for Wales, Jim Brisbane, has concluded that on a full analysis of the context and circumstances in which this single message was sent, it was not so grossly offensive that criminal charges need to be brought."

This was a positive application of the Human Rights Act and European human rights jurisprudence to a tweet that qualified for the Communications Act 2003 offence of a "grossly offensive" communication sent using a public electronic network. This offence clearly needs reviewing, as the DPP suggests:

"Social media is a new and emerging phenomenon raising difficult issues of principle, which have to be confronted not only by prosecutors but also by others including the police, the courts and service providers. The fact that offensive remarks may not warrant a full criminal prosecution does not necessarily mean that no action should be taken. In my view, the time has come for an informed debate about the boundaries of free speech in an age of social media."

Douwe Korff and I suggested a possible approach in a report for the Council of Europe's Commissioner for Human Rights last year.

The message does not seem to have reached the Greater Manchester police, who have this afternoon arrested a man over a Facebook page praising the alleged murderer of two officers. While repellent, is this really their highest priority right now? There are concerns that the police press conference (as well as a statement by the prime minister) may already have prejudiced the forthcoming murder trial.

Tuesday, January 24, 2012

Can the world agree on free speech principles?

Prof. Timothy Garton Ash and his team at St Antony's College have just launched their fascinating new free speech project, FreeSpeechDebate:

Ten draft principles for global free speech are laid out, together with explanations and case studies – all for debate. Prominent figures from diverse cultures, faiths and political tendencies are interviewed and asked to comment, through video, audio and text. We have Indian novelist Arundhati Roy on the media and national security in India; Iranian cleric Mohsen Kadivar on Islam and the criminalisation of insults to religion; Chinese academic Yan Xuetong on universal values; former head of the Formula One association Max Mosley on privacy with more to come… The entire editorial content is carefully translated into 13 languages, covering more than 80% of the world's internet users, by native-speakers of those languages (mainly graduate students at Oxford University). Anyone can then contribute to the online discussion in these or any other widely used languages, and there is a facility to give a rough translation of every user-generated comment into most languages using machine translation.

I have greatly enjoyed being an adviser to the project. Here is the two-part interview I recently did with Prof. Ash:

Tuesday, November 29, 2011

Giving evidence to Privacy and Injunctions Committee

Yesterday I gave evidence to Parliament's Joint Committee on Privacy and Injunctions. I tried to explain the difficulties in stopping a specific piece of information appearing anywhere on the Internet, particularly in user-generated content and on social media platforms:

Saturday, November 12, 2011

Internet freedom: EU v US

A couple of weeks back, I was honoured to give the second seminar in George Washington Law School's distinguished speaker series on Internet Freedom and Human Rights. I discussed Europe's approach to this topic, on which there has been virtual silence in comparison to the debate stimulated by the US State Department.

GW has now posted a video of my talk. Thanks again to Professors Nunziato and Carillo for organising such an enjoyable visit.