Effective controls and regulations ensure that the UK’s intelligence agencies use their advanced knowledge of cyberspace for the collective good, argues Sir David Omand.
Our law enforcement and intelligence agencies can answer complex questions about legitimate targets that would previously have been hopelessly intractable. That capability in the hands of authoritarian governments can be used to uncover dissent and exercise dictatorial control.
One of the main challenges for secret intelligence in democracies is to achieve their mission whilst behaving ethically in accordance with modern views of human rights, including respect for personal privacy, in a world where deference to authority and automatic acceptance of the confidentiality of government business no longer holds sway. Those principles are under intense examination in this country
The Intelligence and Security Committee of Parliament is looking at the issues of security and privacy in the light of the Snowden material. A major review into interception is under way by the Royal United Services Institute at the request of the Deputy Prime Minister. The Government has also set-up a statutory review conducted by David Anderson QC, the independent reviewer of terrorism legislation. This will look at the capabilities and powers required by law enforcement and the security intelligence agencies, and the regulatory framework within which those capabilities and powers should be exercised. The results of these reviews may lead to new legislation after the General Election.
If in the UK and Europe we end up being over-zealous in constraining our digital intelligence gathering capability then we will fail our publics, since we will not be able to manage the risks from terrorism, cyber crime and other criminality, nor will we have the intelligence on which sound policy decisions can be made.
If, on the other hand, we fail to be seen to exercise sufficient restraint on the use of the powerful digital tools in the hands of the intelligence agencies then the resulting unease on the part of a vocal section of our own public and elsewhere in the EU will destabilize the intelligence community whose work we need to manage 21st Century risks.
The interaction between demand and supply for digital information must be seen to be regulated by applying safeguards that are recognized will give assurance of ethical behaviour, in accordance with modern views of human rights, including respect for personal privacy in accordance with the Human Rights Act Article 8.
Lord Neuberger, President of our Supreme Court, recently floated the idea that in some contexts we should look on the right to privacy as not a separate right, but an aspect of freedom of expression. If I want to do or say something which I am only prepared to do or say privately, then it is an interference with my freedom of expression if I cannot do it or say it because of the fear others will get to know. And just as freedom of expression is not an absolute right – as Justice Brandeis said all those years ago, we do not have the right to shout fire in a crowded theatre – so we do not have an unqualified right for our acts and communications to be private, if they are likely seriously to harm others. This is where properly authorized law enforcement and intelligence comes in.
Yet it is essential to keep confidence in the security of the internet for financial transactions.
We can see how the Snowden affair has made internet companies feel commercially obliged to minimize their exposure to any co-operation with government, including legitimate demands from law enforcement and intelligence. This has harmed our safety and security
We can see how over-regulation of digital intelligence would hamper cyber security against the most serious threats: only the capabilities possessed by the intelligence agencies can deal with advanced persistent cyber threats and serious cyber criminals. Perhaps the greatest risk is the unwarranted Snowden assumption that bulk access to digital communications to find legitimate targets’ communications is evidence of mass surveillance of the population.
Government should, long ago, have explained what is involved in meeting legitimate demands for digital intelligence for law enforcement and national security. Our communications pass through many computers in the course of their delivery, just as all our financial transactions pass through banks’ audit systems. Computers are not conscious and we should not worry that our intimate financial details are subjected to audit algorithms. Only if a potential security threat is discovered will the material be examined by a human being in the bank –protecting us from fraud.
Should we mind that an intelligence agency computer is also capable of accessing internet data in bulk, when legally authorised, to find legitimate targets’ material and so provide security and uphold the law? Within our legal framework for intelligence, I can see no ethical difference between a legally authorised GCHQ computer scanning a chunk of the internet to find the communications of a suspect, and that material passing through an ISP computer. That ISP would legally have to deliver from its computer the suspect’s communications on production of a warrant.
The vital safeguard against mass surveillance is that the sentient human analyst is only allowed to see what the Foreign Secretary’s certificate allows her or him to see: the needle not the haystack. That certificate must satisfy the necessary and proportionate test.
So we should be glad that GCHQ has bulk access by computer to the internet, allowing carefully targeted, highly discriminating, selection of the communications of those who mean us harm.
Interception Commissioner Sir Anthony May’s recent annual report is a big step forward in transparency of safeguards. But I believe the great majority of the public instinctively understands the need for surveillance activity. An opinion poll earlier this year showed that people want reasonable privacy in everyday life.
But they accept that the internet cannot be allowed to be a safe space for terrorists, child molesters and other criminals to communicate without fear of discovery. They certainly expect intelligence agencies to acquire intelligence on legitimate targets and to support everyday safe internet by using their advanced knowledge of cyberspace.