Wednesday, 15 July 2015

RUSI’s surveillance report

Following the recent publication of reports into surveillance by Parliament’s Intelligence & Security Committee and by David Anderson, the Independent Reviewer of Terrorism, RUSI have now delivered their verdict on the current situation. RUSI’s 20 recommendations broadly support those made in the previous reports, and they complement many of the recommendations made by the Joint Parliamentary Committee on the draft Communications Data Bill, back in 2012.

Little new material has been unearthed – which is not surprising, as all three bodies basically took evidence from the same group of witnesses. The witnesses included Caspar Bowden, who sadly died last week.

Few people are likely to take the opportunity to read this particular report – after all, it’s not calling for a change in surveillance outcomes, but more of a tweak to the procedures that deliver these outcomes. Law enforcement investigators are likely to continue to be able to get what they currently get, although they may be required to go through a different legal and supervisory regime to get it.

For those of us with really short attention spans, here are a few of the highlights that caught my eye as I read the report:
  • Privacy policies can be really wordy, especially when compared to the works of Shakespeare. Hamlet has 30,066 words, Macbeth 18,110. Long privacy policies have been published by PayPal (36,275), Apple iTunes (19,972), Windows Live (14,714), Apple iOS 5 (13,366), Facebook (11,195), Google All-inclusive (10,640), Apple iCloud (10,742), Twitter (4,445). [2.42]
  • In the past, neither the government nor the overseers had felt it necessary to provide information about how the law regarding interception was actually being applied in practice. As a result, these processes were not well understood by politicians or the wider public, which made the media’s allegations of wrongdoing (i.e. the Snowden allegations) all the more powerful. [3.5]
  • The current Home Secretary Theresa May has said that warrantry decisions occupy ‘more of my time ... than anything else’. [3.40]
  • Rather than provoking a fundamental shift in CSP and target behaviour, the disclosures by Edward Snowden have accelerated existing trends. For example, as targets are more security-aware, it has become much harder to intercept communications and to counter encryption. Of real concern is that co-operation from CSPs has reduced – a key issue for the police and the National Crime Agency as well. [3.47]
  • During the Panel’s visit to the NCA, officers appeared satisfied with the current limit of twelve months for data retention. Any longer becomes unnecessary, as there are diminishing returns on data retained beyond this period; any shorter, however, would be problematic. Details from Operation Notarise – a substantial operation targeting people allegedly accessing child abuse images online – were used by the NCA to illustrate this. After 4,000 requests for communications data to trace who these individuals were, 92 per cent of suspects were identified, ultimately leading to 660 arrests. However, if the data retention period limit had been less than the current twelve-month period, the outcome would have been very different:

    • Only 13 per cent of suspects would have been identified had the data-retention period been three months
    • Thirty-nine per cent would have been identified had the data-retention period been six months
    • Sixty-six per cent would have been identified had the data-retention period been nine months. [3.63]
  • RUSI is particularly concerned that levels of technical understanding among policy-makers and legislators are seriously deficient and the best use is not being made of the technical expertise already available. Support and advisory bodies, such as the Technical Advisory Board and Communications Data Steering Group, are not being exploited to their full potential. Government officials must have sufficient understanding of relevant technical issues to both assess the needs of the agencies and provide credible oversight of their activities. [5.47]
  • The [oversight] commissioners do not have a significant public profile. Despite providing substantial oversight of warrants and the activities of the agencies, the work of the commissioners does not currently translate into greater levels of public understanding. Their annual reports place a great deal of information in the public domain on the work of the agencies and their compliance with legal regulations, but these are not widely read or publicly debated. [5.64]
  • The offices of some of the commissioners are very proficient (especially IOCCO). It is important to ensure that all commissioners are supported by sufficient resources to ensure the breadth and depth of investigations. These resources should comprise a breadth of expertise (to be able to consider broad, thematic issues), a depth of knowledge in certain areas (including technical knowledge of coding and algorithms to inspect methods of data collection and analysis, for example) and individuals from a variety of backgrounds (including those with technical, legal, investigative and NGO experience).

Let’s see what legislative changes the Home Office now proposes, given the publication of these three reports.