Thursday, July 09, 2015

RIP Caspar

It's hard to believe but privacy activist, Caspar Bowden, has died following a short battle with cancer.

My first encounter with Caspar was on a listserv when he was director (and co-founder) of the Foundation for Information Policy Research. I believe it was the late 1990s but he was telling me off for spelling his name wrong. I apologised and we subsequently became friends. The substance of what we were discussing is lost to my memory but I suspect it was something around key eschrow and the original crypto wars at the time. It's shocking that Caspar should be lost to the security and privacy community just as that ugly battle is rearing its head again, with politicians and securocrats both sides of the Atlantic demanding back door access to encryption.

Combative and prickly, Caspar was also unfailingly kind and generous.

Whilst at FIPR Caspar worked tirelessly to inform parliamentarians and the public of the personal data pollution dangers of the burgeoning information age and ill designed regulations like the Regulation of Investigatory Powers Act (RIPA). He won the Winston award in 2000 for his work on RIPA and he carried that activism into his role as Chief Privacy Officer of Microsoft (initially for Europe, the Middle East and Africa, then for 40 countries worldwide) between 2002 and 2011. 

Long before the Snowden revelations, Caspar was warning of the nature of a huge range of privacy invading behaviour, commercial and governmental, and the facilitating evolving regulations round the world; not least the US Foreign Intelligence Surveillance Act 1978 (FISA) and the FISA Amendments Act 2008, in particular s1881, subsequently implemented as s702 FISA, Procedures for targeting certain persons outside the United States other than United States persons. His report, "The US surveillance programmes and their impact on EU citizens' fundamental rights", for the Civil Liberties, Justice and Home Affairs (LIBE) committee of the EU parliament is the definitive document on the subject.

It was Caspar's insistence on publicly spreading the word about this s702 'guilty of being a foreigner' provision of FISA that he recently explained led to his parting of the ways with Microsoft. 

Caspar was a big believer in a Rawlsian model of justice, a stickler when it came to the universality of human rights and was unstinting in his criticism of corporate or government entities or agents who sought to undermine those rights and principles; and even of US civil rights organisations who he felt passively endorsed the notion of better rights for US citizens.

He was a member of the board of directors of the Tor project. In recent times had become convinced of the potential of Qubes to form at least part of the technical architecture of a counter-insurgency against the seemingly all powerful, unstoppable erosion of personal privacy, by corporate and government agencies and others. 

Caspar was a rare polymath, an expert practitioner in the computer science, the laws of multiple jurisdictions, the technology more generally, identity management and information ethics. And he was prepared to wrestle with the user unfriendly inconveniences of privacy enhancing technologies, as the almost meltdown of his laptop, 4 minutes into his 'Reflections on Mistrusting Trust' talk at QCon last summer, demonstrated. 

For some time he had been contemplating and working on the establishment of a pan-European privacy rights organisation. It would be an appropriate legacy if an effective sustainable such institution could be brought into being.

There were few, if any, more deeply informed, active, passionate and energetic advocates for the privacy cause. Caspar you will be sadly missed. My thoughts and condolences go to your wife Sandi and family.

Update: a truly lovely personal tribute to Caspar by Malavika Jayaram, So long and thanks for all the fish, Caspar Bowden. Other really nice pieces from Natasha Lomas, Chris Soghoian, Robin Wilton, John Leonard, Ben Goldacre, Danny O'Brien, Martin Hoskins, Wendy Grossman, Simon Davies, Joanna Rutkowska, the Open Rights Group,, Sarah Clarke, Phil Booth, EDRi, the Tor Project, here, here, here, here, here, here, here, here, here, here, here, here, here, herehere and here.

Update 2: Guardian Obituary by Ross Anderson and tribute from John Naughton.

Thursday, June 11, 2015

A question of trust: notes on the terror watchdog report

The Terror Watchdog’s Report

The UK government has finally got round to releasing the report of the investigatory powers review by the independent reviewer of terrorism legislation, David Anderson QC and his team. Mr Anderson submitted the report to the Prime Minister on 6 May, just prior to the general election.

As Mr Anderson predicted, the report “won’t please everybody (indeed it may not please anybody)” but it is a substantive piece of work and deserves careful reading and consideration in full. In the press release accompanying the 379 page report he says:

“Modern communications networks can be used by the unscrupulous for purposes ranging from cyber-attack, terrorism and espionage to fraud, kidnap and child sexual exploitation.  A successful response to these threats depends on entrusting public bodies with the powers they need to identify and follow suspects in a borderless online world.

  But trust requires verification.  Each intrusive power must be shown to be necessary, clearly spelled out in law, limited in accordance with international human rights standards and subject to demanding and visible safeguards.

 The current law is fragmented, obscure, under constant challenge and variable in the protections that it affords the innocent.  It is time for a clean slate.  This Report aims to help Parliament achieve a world-class framework for the regulation of these strong and vital powers.”

So far so good. 

The report itself summarises the importance of privacy, threats to the UK, technologies implicated, laws, powers, safeguards and practices and the views from a disparate variety of actors from law enforcement and the intelligence services to service providers and civil society. It closes with a set of 5 governing principles and 124 specific recommendations. It was not limited to counter-terrorism considerations but also included counter-espionage, missing persons investigations, internet enabled crime (fraud, cyber-attacks, child sexual exploitation) and crime in general. 

The purpose of the report is:

a. to inform the public and political debate on these matters, which at its worst can be polarised, intemperate and characterised by technical misunderstandings; and
b. to set out proposals for reform, in the form of five governing principles and 124 specific recommendations. 

I think it’s fair to say it succeeds with both, even if I can’t agree with some of the recommendations.  Mr Anderson has had unrestricted access, at the highest level of security clearance, to the responsible government departments whilst conducting his review.

Key issues arising from the report seem to be:

               The need to start from scratch on a comprehensive and comprehensible, fit-for-purpose legislative framework for investigatory powers – including the retirement of the “incomprehensible to all but a tiny band of initiates” Regulation of Investigatory Powers Act (RIPA) 2000
               Continuation of communications data retention under the Data Retention and Investigatory Powers Act (DRIPA) 2014
               There should be judicial rather than Secretary of State authorisation of communications data warrants – the report itself describes this recommendation as “radical” departure
               The approval of bulk collection of communications data.
               Lack of acceptance of government’s glossy claims for the magic, unimpeachable value of government access to bulk communications data and recommendations for improved oversight of same
               Approval of extraterritorial reach of DRIP Act, for now, until improved international framework for data sharing is in place
               Abolition of existing oversight commissioners and replacement with Independent Intelligence and Surveillance commission
               The power, in Theresa May’s beloved snoopers’ charter, for the retention of internet searches should only apply where “a detailed operational case can be made out and a rigorous assessment has been conducted of the lawfulness, likely effectiveness, intrusiveness and cost”.
               An emphatic rejection of David Cameron & Theresa May’s notion of blanket encryption backdoors for government


Why Theresa and Dave are Glum

Though there is a lot in there, it’s becoming clear why the government delayed publication and both Theresa May and the Prime Minister’s spokeswoman seem to be already distancing themselves from the report.

You can understand why Theresa and Dave might be a bit miffed that Mr Anderson disapproves of blanket encryption backdoors (pointing out the agencies don’t want it and it would undermine security for everyone), has the nerve to suggest judicial rather than Executive oversight of interception warrants might be appropriate, kneecaps the snoopers’ charter and notes some of the claims about the value of communications data in the investigation of nefarious actors might be somewhat overblown.

You would expect them, however, to be positively dancing in the aisles as a result of his apparent support for the continuation of the bulk collection and retention of communications data and the continuation of the extra territorial reach of DRIPA beyond its sunset at the end of 2016.

I have to admit I share Privacy International’s disappointment that Mr Anderson didn't condemn bulk interception. However, whatever cheer the government’s senior Cabinet members derive from the nominal support for bulk collection will be tempered by Mr Anderson’s qualification of this approval by saying   "Though I seek to place the debate in a legal context, it is not part of my role to offer a legal opinion (for example, as to whether the bulk collection of data as practiced by GCHQ is proportionate). A number of such questions are currently before the courts..." [1.12].  

This continual emphasis in the report that he and the government should respect the courts as the requisite arbiters in determining the proportionality of indiscriminate bulk collection, within the framework of the European Convention on Human Rights (ECHR), is interesting. Even as he approves, also, of blanket data retention under DRIPA, he insists that retention would have to comply with the ECHR and the European Court of Justice decision in Digital Rights Ireland case in 2014, which banned indiscriminate data retention.

On the approval of the extra territorial DRIPA powers Mr Anderson is again careful to note:

"I understand those who argue that extraterritorial application sets a bad example to other countries, and who question whether it will ever or could ever be successfully enforced. It is certainly an unsatisfactory substitute for a multilateral arrangement under which partner countries would agree to honour each others’ properly warranted requests, which must surely be the long-term goal.”

So Mr Anderson’s report has turned out to be nothing like the useful excuse for pushing through the snoopers’ charter that the Home Secretary must have hoped it would be.


Why the report might not please anybody

It’s a real pity that, even within the constraints within which he was working, and the reasonable set of 5 principles outlined for underpinning investigatory powers, laid out in Part IV of the report, Mr Anderson did not condemn bulk collection of communications data. I accept it is not part of his role to offer a legal opinion on whether bulk collection is proportionate. 

Yet I find the justification for supporting bulk collection is rather weak and not commensurate with the deeper consideration of the rest of the report. It is linked to a principle of minimising no go areas for law enforcement as far as possible, whether in the physical or the digital world and justified on the grounds of 6 sample cases briefly outlined in Annex 9 of the report. None of these 6 cases provide the detail to demonstrate that bulk collection was the primary source leading to the identification of these criminals in the first instance.  

It is not in dispute that if law enforcement or the intelligence services have just cause to suspect some person/group of involvement in criminal activity, the availability of bulk data which includes the data of the suspect/s, will enable data mining that may be useful in an investigation. Bulk collection facilitates the significant discovery of multiple details about anyone once they become a suspect or a person of interest. Authorities simply do not have the resources to engage deep data mining the lives of everyone even if they have that data available.

Since the turn of the century, time and again from the 9/11 attacks to the murders of Fusilier Rigby and people at the Charlie Hebdo offices in Paris,  information overload caused by bulk data collection has been a primary factor in the failure to prevent terrorist attacks by known dangerous individuals. It is simply not proportionate to engage in bulk data collection in the hope that it will be useful when the authorities decides to look into someone they disapprove of. It actually actively impedes already over stretched investigatory authorities, who would be better served by putting the resources apparently available for such bulk collection, into recruiting more and better trained investigators and analysts.

Mrs May and Mr Cameron would do well to note that the opportunity costs of engaging in the security theatre that is bulk data collection and data retention, undermines security for everyone by making the jobs of those tasked with protecting us more difficult, whilst simultaneously denying them the resources to be more effective.

Update: the airline worker example from Annex 9, according to Joshua Rozenberg is Rajib Karim, who was convicted in 2011 and jailed for 30 years.

Tuesday, May 26, 2015

Open letter to MPs on surveillance

I'm a signatory of an open letter, coordinated by Andrew Murray at the London School of Economics and Paul Bernal at the University of East Anglia, calling for MPs to ensure further expansions of surveillance powers are fully and transparently vetted by Parliament, and open to consultation from the public and all relevant stakeholders.

Those who have happened across this blog in the past will be aware of my serious concerns at the expansion of our surveillance society and surveillance state over the past 15 years. Signatories of this open letter, however, have a wide spectrum of opinions on these issues, from those who believe that increased powers are a reasonable response to an emerging threat to those who think them an unjustified extension of state interference. What we are all agreed on is the requirement for full, evidence based and transparent Parliamentary scrutiny of proposed further expansions of surveillance powers.

These powers are far too important to continue to allow the Executive to get away with the abuse of parliamentary process, for example, that accompanied the unconscionable fast tracking of the Data Retention and Investigatory Powers Act in the summer of 2014.

Copy of the open letter below.

An open letter to all members of the House of Commons,

Dear Parliamentarian,

Ensuring the Rule of Law and the democratic process is respected as UK surveillance law is revised

Actions Taken Under the Previous Government

During the past two years, the United Kingdom’s surveillance laws and policies have come under scrutiny as the increasingly expansive and intrusive powers of the state have been revealed and questioned in the media. Such introspection is healthy for any democracy. However, despite a need for transparency in all areas of lawmaking, and in particular in areas of controversy, the previous Government repeatedly resisted calls for an open and transparent assessment and critique of UK surveillance powers. Instead, in response to legal challenges, it extended the powers of the state in the guise of draft Codes of Practice and “clarifying amendments.” As we welcome a new Government we expect another round of revisions to UK surveillance laws, with the likelihood that the Queen’s Speech will signal a revival of the Communications Data Bill. At this time we call on the new Government, and the members of the House, to ensure that any changes in the law, and especially any expansions of power, are fully and transparently vetted by Parliament, and open to consultation from the public and all relevant stakeholders.

Last year, in response to the introduction of the Data Retention and Investigatory Powers Bill (“DRIP”), a number of leading academics in the field – including many of the signatories to this letter – called for full and proper parliamentary scrutiny of the Bill to ensure Parliamentarians were not misled as to what powers it truly contained. Our concern emanated from the Home Secretary’s attempt to characterize the Bill, which substantially expanded investigatory powers, as merely a re-affirmation of the pre-existing data retention regime.[i]

Since that letter was written, it has become apparent that the introduction of the DRIP Bill was not the only time an expansion of surveillance powers was presented in a way seemingly designed to stifle robust democratic consideration. In February 2015, the Home Office published the draft Equipment Interference Code of Practice.[ii] The draft Code was the first time the intelligence services openly sought specific authorisation to hack computers both within and outside the UK. Hacking is a much more intrusive form of surveillance than any previously authorised by Parliament. It also threatens the security of all internet services as the tools intelligence services use to hack can create or maintain security vulnerabilities that may be used by criminals to commit criminal acts and other governments to invade our privacy. The Government, though, sought to authorise its hacking, not through primary legislation and full Parliamentary consideration, but via a Code of Practice.

The previous Government also introduced an amendment via the Serious Crimes Act 2015, described in the explanatory notes to the Bill as a ‘clarifying amendment’.[iii] The amendment effectively exempts the police and intelligence services from criminal liability for hacking. This has had an immediate impact on the ongoing litigation of several organisations who are suing the Government based in part on the law amended, the Computer Misuse Act 1990.[iv]

The Way Ahead

The new Conservative Government has announced its intention to propose new surveillance powers through a resurrection of the Communications Data Bill. This will require internet and mobile phone companies to keep records of customers’ browsing activity, social media use, emails, voice calls, online gaming and text messages for a year, and to make that information available to the government and security services. We also anticipate this Parliament will see a review of the Regulation of Investigatory Powers Act 2000, which currently regulates much of the Government’s surveillance powers. The Independent Reviewer of Terrorism Legislation, David Anderson QC, has conducted an independent review of the operation and regulation of investigatory powers, with specific reference to the interception of communications and communications data. The report of that review has been submitted to the Prime Minister, but has yet to be made public: when it is made public, parliamentary scrutiny of the report and any recommendations made following it will be essential.

As the law requires that surveillance powers must be employed proportionate to any harm to privacy caused (as required by Article 8 of the European Convention on Human Rights and Article 12 of the Universal Declaration of Human Rights) we believe that any expansion or change to the UK’s surveillance powers should be proposed in primary legislation and clearly and accurately described in the explanatory notes of any Bill. The Bill and its consequences must then be fully and frankly debated in Parliament. When reaching an assessment of the proportionality, of any measure that restricts rights, both our domestic courts and the European Court of Human Rights place great stock on the degree and quality of Parliamentary involvement prior to any measure being adopted. If the matter ever came to before the courts one issue examined would be the nature of any “exacting review” undertaken by MPs into the necessity of extending these powers. The Government should not be permitted to surreptitiously change the law whenever it so desires, especially where such changes put our privacy and security at risk.

This letter has been prepared and signed by 35 academic researchers. We are comprised of people from both sides of this issue - those who believe that increased powers are a reasonable response to an emerging threat, and those who think them an unjustified extension of state interference. Our common goal is to see the Rule of Law applied and Parliamentary oversight reasserted. We are calling on all members of the House of Commons, new and returning, and of all political persuasions to support us in this by ensuring Parliamentary scrutiny is applied to all developments in UK surveillance laws and powers as proposed by the current Government.  


Andrew Murray (contact signatory)
Paul Bernal (contact signatory)
Professor of Law
London School of Economics
Lecturer in Information Technology, Intellectual Property and Media Law University of East Anglia

Subhajit Basu
Associate Professor
University of Leeds

Sally Broughton Micova
Deputy Director LSE Media Policy Project, Department of Media and Communications
London School of Economics and Political Science

Abbe E.L. Brown
Senior Lecturer
School of Law
University of Aberdeen

Ian Brown
Professor of Information Security and Privacy
Oxford Internet Institute
Ray Corrigan
Senior Lecturer in Maths, Computing and Technology
Open University

Angela Daly
Postdoctoral Research Fellow
Swinburne Institute for Social Research
Swinburne University of Technology
Richard Danbury
Postdoctoral Research Fellow
Faculty of Law
University of Cambridge

Catherine Easton
Lancaster University School of Law

Lilian Edwards
Professor of E-Governance
Strathclyde University
Andres Guadamuz
Senior Lecturer in Intellectual Property Law
University of Sussex

Edina Harbinja
Lecturer in Law
University of Hertfordshire

Julia H├Ârnle
Professor in Internet Law
Queen Mary University of London
Theodore Konstadinides
Senior Lecturer in Law
University of Surrey

Douwe Korff
Professor of International Law
London Metropolitan University

Mark Leiser
Postgraduate Researcher
Strathclyde University

Orla Lynskey
Assistant Professor of Law
London School of Economics

David Mead
Professor of UK Human Rights Law
UEA Law School
University of East Anglia

Robin Mansell
Professor, Department of Media and Communication
London School of Economics

Chris Marsden
Professor of Law
University of Sussex

Steve Peers
Professor of Law
University of Essex

Gavin Phillipson
Professor, Law School
University of Durham
Julia Powels
Faculty of Law
University of Cambridge

Andrew Puddephatt
Executive Director
Global Partners Digital
Judith Rauhofer
Lecturer in IT Law
University of Edinburgh

Chris Reed
Professor of Electronic Commerce Law
Queen Mary University of London

Burkhard Schafer
Professor of Computational Legal Theory
University of Edinburgh

Joseph Savirimuthu
Senior Lecturer in Law
University of Liverpool

Andrew Scott
Associate Professor of Law
London School of Economics

Peter Sommer
Visiting Professor
Cyber Security Centre, De Montfort University

Gavin Sutter
Senior Lecturer in Media Law
Queen Mary University of London

Judith Townend
Director of the Centre for Law and Information Policy
Institute of Advanced Legal Studies
University of London

Asma Vranaki
Post-Doctoral Researcher in Cloud Computing
Queen Mary University of London

Lorna Woods
Professor of Law
University of Essex