The recent leaks about the surveillance capabilities of our intelligence agencies have undoubtedly harmed national security. Nevertheless, they also provide a long overdue opportunity to update legislation that will help security agencies and protect the rights of individuals.
Recent newspaper revelations on the capabilities of GCHQ and the National Security Agency have far reaching implications, both for national security and policing, and our perceptions of what we regard as private online. Current legislation is outdated, but discussions on alternatives are hampered by secrecy and a lack of technical understanding of the underlying issues.
The key piece of legislation that governs interception of communications and the collection of data related to communications (there is a distinction) is the Regulation of Investigatory Powers Act 2000. RIPA provides authorisations for a variety of powers primarily (though not exclusively in every case) used by the police and intelligence agencies. The act is split into five parts covering interception of data, surveillance and regulation of human sources, encryption and overall oversight.
It is the provisions of RIPA Part I that are coming under most scrutiny largely, as we will discuss below, due to the huge changes in the operating environment since the RIPA became law. RIPA became law in 2000, meaning it was drafted to address problems that had arisen in the second half of the 1990s. Before considering what it means today, it is worth reviewing what communication meant to the average person in 2000.
It Was all So Straightforward Once Upon a Time
In 2000 approximately half of UK adults had a mobile phone, equating to 23 million users. It was the same year that the UK government auctioned off the 3G spectrum for £22.47bn – so at this time there were no 3G services in the UK. Mobile phones were overwhelmingly used only for text messages and calls. 2000 was also the year the first ADSL and cable broadband services were launched. Until that point, home internet use was exclusively through dial up services, and remained relatively uncommon. This means that in the year 2000 almost all of the lawful interception carried out by the intelligence agencies and law enforcement would have been focussed on phone calls (from mobile and land lines) and text messages.
Fast forward 13 years. By 2013 half of UK adults owned a smartphone, 94% of adults have a mobile phone, and there are overall more mobile subscriptions than people. 21 million UK households have broadband. In the 13 years from the year 2000, personal email use has exploded. Facebook, Twitter, LinkedIn and a myriad other social media sites have launched. Online gaming is so prevalent that the latest generation consoles require an internet connection just to work. The ways in which people communicate has gone from letter, text and phone call to an almost uncountable number of online services.
The volumes of data we generate have grown almost unimaginably. In the year 2000 it was estimated global annual internet traffic amounted to 84 Petabytes per month. By the year 2012 this was estimated to be over 32 thousand Petabytes per month. Peta- is a 1000 million million (fifteen zeros). 1 Pb of music stored as an MP3 could play continuously, without repeating, for approximately two thousand years,
In the RIPA world of the early Twenty-first century, interception was relatively straightforward. There were a limited number of providers, all were UK based and all provided broadly the same set of services. There was a limited amount of data to collect. That world is long gone.
Data, Data, Everywhere
RIPA makes a clear distinction between the contents of a communication (Chapter I Part I) and details about the communication itself (Chapter I, Part II), and consequently the authorisation required to access that data. In the world of 2000, this made sense. When you call someone on the phone, the contents of that call are only known to you and the other party. It is reasonable to expect the details of your conversation are private. However, the fact of the call – the numbers involved and the duration are by necessity shared with the telecommunications company providing your service. This is self evident and something we are used to and accept: when we get a phone bill it clearly shows the numbers we called, and how long we spoke.
Also we accept the fact that this information is held for relatively length periods of time by a third party. In the UK, telecommunications companies hold call data records for a minimum of one year, and a maximum of two. The EU Data Retention Directive also requires internet service providers to store certain elements of communications data for a period of six months to two years, however it does not mandate the collection of data that is not otherwise collected by the Internet Service Provider.
However, in the internet world, things are very different. Our relationship with the providers of our communications services has changed as much as the use we make of them. Broadband providers do not bill per download, or Facebook message and so, beyond the requirements of the Data Retention Directive, there is no reason for an ISP to monitor, store and itemise your internet use. Thus you might get broadband from the service provider BT, but will get email from Gmail, anddo most of your communicating using Skype on your mobile phone, and Facebook messaging. In this scenario your communications data is scattered across a variety of service providers.
The volume of data and metadata (the information about a communication) we generate as individuals has increased, and the difference between them has blurred as well. The original ability by law enforcement and the agencies to see who a target had called, while useful, provided a limited snapshot of a person’s life. The combined data from calls, emails, social media use etc., can provide a much more detailed, and hence intrusive view.
There are more complications. Many of the companies we use now for communications are overseas and are subject to different legislation. Encryption complicates this picture further. Most online services now provide encryption to users, rendering any interception of data locally fruitless.
There have been efforts by the government to respond to these new challenges. In 2009 the Home Office published a consultation paper on the ‘Internet Modernisation Programme’ that proposed ISPs take responsibility for storing communications data, with access still governed under RIPA. This proposal was roundly criticised on the grounds of practicality and cost, as well as significant privacy concerns.
The draft Communications Data Bill took this further putting responsibility on ISPs for large scale data acquisition and retention. It was unpopular legislation, and ultimately abandoned. It was an unpopular bill partly because it did not address the fundamental issues described above – the data we generate, in content and volume, and our expectations of privacy have changed radically since the introduction of RIPA.
The requirement for change was also poorly communicated. Part of the reason for this is the challenge understanding the way internet traffic works. A petabyte is a large volume of data, and internet traffic is not one homogenous mass, but a varied and complex hierarchy of protocols and applications. There are very few senior civil servants and fewer politicians who have a background that would give them a broad understanding of these issues. Their lack of knowledge stymies the whole debate as they are incapable of explaining decisions to the public..
Lack of knowledge also has a significant impact on the oversight regime. The Parliamentary Intelligence and Security Committee (ISC) is undoubtedly a robust body, and its inspections and reviews not taken lightly. But without members who properly understand the issues posed by the internet revolution, it seems unlikely they are able to evaluate the information given to them, and more importantly to challenge it when required. An expanded ISC that included subject matter experts would provide a great deal more assurance to the public.
Can we have a Rational Debate?
The intelligence agencies and Security Service have had to respond to a rapidly changing operational environment using the legal framework available. As Andrew Parker commented in his recent speech at RUSI ‘[terrorism] is the one area of crime where the expectation sometimes seems to be that the stats should be zero. Imagine applying the same target to murder in general, or major drugs trafficking. That is the stuff of 'pre-crime' in the Tom Cruise movie Minority Report.’
We need a discussion on data. Does the differences between data as classified by RIPA still make sense, given the overall level of intrusion that metadata can now represent? We need a discussion on what interception means in the internet age. And if the UK populace consent to data retention, how is it managed and by whom?
The Snowdon leaks have undoubtedly caused significant harm to our national capability, and the information revealed is being used to cast the lawful work done by our intelligence and security agencies in a disproportionately negative light. The UK now has an opportunity to change the approach we take to communications interception and data retention, and to bring legislation up to date. The reasons for this need to be articulated clearly, and the debate conducted in rational terms. It seems unlikely that most people would want to live in a country where it is possible for criminals to communicate entirely beyond the reach of law enforcement, but we are also rightfully queasy about perceived large state scale intrusion into our online lives.
Associate Fellow, Cyber