What are the hard costs and benefits of online surveillance?
It is annoying to read, once again, reports that the coalition government, or at least certain civil servants, wants to reintroduce Labour’s shelved Interception Modernisation Programme (IMP), now in its new guise as the Communications Capabilities Development Programme (CCDP.
Curiously, the story broke in the same week that Canada introduced a “Crime Bill” to permit surveillance, allegedly to give children the same online protection that others countries give, but which looks a lot like the IMP.
Basically the law enforcement people want to be able to tap phones they way used to, but the change in technology to packet switching means this is hard to impossible.
The initial cost of IMP was put at £12bn. This was mainly for the centralised GCHQ database, to be run by US outsource outfit EDS. This was to house all the emails, social network chit-chat, telephone calls, and especially voice over IP calls, that originate in or transit the UK. GCHQ then apparently opted for a £2bn pilot study. No-one outside the security establishment knows whether it worked, or to what extent it failed.
The UK, and to be fair, most other countries, have been deluged with draconian surveillance legislation ever since the 9/11 terrorist attacks. In Britain, the Information Commissioner’s Office even produced a report that asked whether we were sleep-walking into a “surveillance state,” and answered its own question with a “yes”.
Communications service providers like BT, Virgin Media, TalkTalk, Sky etc, are required under data retention laws to keep header information about the messages that transit their networks for a year. This information is essentially the same as one might find on a postal letter: name and address of sender and receiver, and the time of sending. NOT the contents. Or at least, not yet.
The data retention laws are supported by the Regulation of Investigatory Powers Act 2000 (RIPA). Under RIPA warrants to intercept messages (i.e. the entire communication) must be signed by a secretary of state of a Scottish minister. “The authorisation can only be given in the interests of national security, for the purpose of preventing or detecting serious crime or for the purpose of safeguarding the economic well-being of the United Kingdom,” the Interception of Communications Commissioner (ICC) says in his 2010 annual report.
In 2010 the Home Secretary signed 1,682 warrants, and there were 1,048 still in force at the end of the year, a 10% rise over 2009. Scottish ministers approved 183 warrants, down from 204 in 2008, leaving 46 still in force at the end of the year a 5% rise from 2008. The ICC does not report how many requests were refused.
RIPA also allows hundreds of thousands of civil servants to request communications data (i.e. the “envelope information”). And they do. Those allowed include the intelligence agencies, police forces, the United Kingdom Border Agency (UKBA), the Serious Organised Crime Agency (SOCA) and other public authorities such as the Gambling Commission, Financial Services Authority (FSA) and local authorities.
The ICC’s annual report for 2010 says there were 552,550 requests for communications data for that year. This was up from 525,130 and 504,173 in the two preceding years respectively. Some 65% were to find out who owns a mobile phone. In the light of investigations into police corruption allied to mobile phone hacking, that may cause some concern.
There is without doubt a terrorist threat: the 7/7 London bombs show that. But with the death of Osama bin Laden and the apparently destruction of of Al-Queda, what threats remain?
One would not like to think that the entire panoply of anti-terrorist measures are to be used to fight RnB music pirates, as SOCA did this week.
The fact remains that this entire area is virtually evidence-free, certainly with regard to costs and benefits. One imagines that MI6 could buy an awful lot of human intelligence with £12bn, without affecting the law-abiding majority of the population.
These are the questions I would like to see answered and debated in public.
What evidence must the authorities produce for minister to grant a warrant to permit surveillance?
How can ministers test it before they grant the warrant?
How many warrants does the government expect to issue a year?
Under what circumstances will the evidence gathered from surveillance be permitted in court?
How do the investigators account for IP spoofing, for temporary IP address assignments, for TOR’ed messages and for encrypted messages?
Who bears the cost of collecting, storing and accessing communications data?
What is the budget for the collection, storage, retrieval and subsequent processing of this data?
What protections and sources of restitution are there for people falsely identified and investigated?
What estimates are there of the number of residents who buy or sell pornographic images of children?
How many convictions have been secured in the past five years in which evidence gathered using surveillance laws, particularly intercept and communications data, proved conclusive to the prosecution?
What is the split between convictions related to terrorism and to economic crime (including smuggling)?