Wednesday, March 25, 2015

Polling booths unfit for purpose

I wrote to the electoral services administration at the local council last week about the equipment, in particular the polling booths, used at my local polling station.
"Dear Sir/Madam,

I’ve been meaning to contact you about a problem with the polling booths in the ********** polling station in ******** for some years. With the general election looming, I feel obliged to do so now. Basically the polling booths are tiny triangular counters which are often arranged facing out into the polling station room. They offer no privacy for casting a vote and are fundamentally unfit for purpose, compared to the rectangular curtained booths that were available when I first moved to ******** ** years ago. The secret ballot introduced to the UK in 1872 is the cornerstone of the electoral process. There has been no meaningful capacity to cast a secret ballot with confidence in the ********** polling station, ever since this completely unsuitable equipment was introduced some years ago.
I would therefore appreciate your confirmation that suitably appropriate and reasonable polling booths will be made available for use in the ********* polling station for the coming general election and indeed future local, general and European elections.

Could you also send me a copy, under your freedom of information procedures, of your most recent review of the ******************* community centre polling place, conducted under section 16 of the Electoral Administration Act 2006 (which amended section 18 of the Representation of the People Act 1983).

Thank you.

Ray Corrigan"
Not only are these counters unfit for purpose, the election ballot paper is often bigger than the surface available to lean it on to record a vote, in pretty much full visibility of anyone in the polling station.

Credit where it is due, however, the electoral services team leader responded within two working days, promising that they are upgrading the equipment.
"Dear Mr Corrigan
Thank you for your email.  I can confirm that we have ordered new polling screens for these elections.

Electoral Services Team Leader"
Hopefully it means that by the time of the general election, my local polling station will, for the first time in years, have "reasonable facilities for voting", as guaranteed under section 16 of the Electoral Administration Act 2006 (amending section 18 of the Representation of the People Act 1983).

Wednesday, March 04, 2015

The coalition and computers

The Institute for Advanced Legal Studies recently launched their Centre for Law and Information Policy.

The ever entertaining and informative Daithí MacSíthigh opened proceedings, with a look at the UK coalition government's record over the past 5 years.

They have mostly had a domestic legislation focus. There is a perception that they engaged with technology issues but 5 years on they are looking pretty old and grey. Of the 130 Acts of Parliament adopted since 2010 there are only a few in the tech policy arena.

Daithí suggested three ways to think of this limited degree of regulation - rollback, re-balancing and re-regulation.


ID cards were repealed with the Identity Documents Act 2010.

The Protection of Freedoms Act 2012 had something to say about CCTV, DNA retention and RIPA amongst other things. Daithí didn't mention it but this Act has a little known provision, s26(5), which I highly recommend every child in the country, based at schools unconscionably collecting biometric data, exploit to its absolute maximum effect:
26 Requirement to notify and obtain consent before processing biometric information
(5) But if, at any time, the child—

(a) refuses to participate in, or continue to participate in, anything that involves the processing of the child’s biometric information, or

(b) otherwise objects to the processing of that information,

the relevant authority must ensure that the information is not processed, irrespective of any consent given by a parent of the child under subsection (3).
So calling all teens - how would you like to annoy your teachers and possibly even parents and simultaneously strike a major blow against the sickening normalisation of the unethical mass collection of kids' biometrics in schools? Roll out section 26(5), get your mates together and opt out of your school fingerprint (or other biometric) collection systems. Tell your headteachers you are not numbers to be processed and you refuse to participate, any longer, in school schemes that are undermining the fundamental rights of yours and future generations.

The Enterprise and Regulatory Reform Act 2013 was a bit of a mongrel covering a range of disparate issues and apparently included some amendments to the Wireless Telegraphy Act.

In the rollback box there is also some interesting unfinished business relating to the promised repeal of sections 17 and 18 of the Digital Economy Act 2010.


The Defamation Act 2013 introduced a series of revisions considered pro-defendant including a single publication rule, restrictions on jurisdiction shopping and a fourth type of intermediary protection. That made the tech and media industries happy.

On the intellectual property front, in the summer and autumn of 2014 a series of changes, including recognition of exceptions for parody, format shifting and quotation, were made by statutory instrument to implement parts of the Hargreaves Report. The entertainment industry were not best pleased with the changes and have engaged an expensive collection of m'learned friends in an attempt to quash the private copying changes under a judicial review. Oh yes. Judicial review is still available to those wealthy few who can afford it.

In the recently passed Counter Terrorism and Security Act 2015 there is a provision to set up a Privacy and Civil Liberties Board (not to mention the appalling McCarthyite section 26 "prevent" duty).


In terms of re-regulation the abomination that is the Data Retention and Investigatory Powers Act 2014 was rushed through Parliament in the week before MPs went off for their summer holidays.

Having sung lalala with their fingers in their ears for months, following the abolition of the data retention directive by the Court of Justice of the European Union, DRIPA was the government's panicked "something must be done" response and its reach was extended to MAC addresses in section 21 of the Counter Terrorism and Security Act, 2015.

Elsewhere on what Daithí was labelling re-regulation, powers of censorship and online gambling provisions have been extended. And one of the coalition's final provisions is the revenge porn measures in the Criminal Justice and Courts Act. Sections 33-35 are not exactly exemplars of legislative clarity and were passed with no evidence and no scrutiny.

The digital goods add on to the Consumer Rights Bill is still working its way through Parliament.

Big Projects

The final string to the coalition's tech bow was outwith the legislative bandwagon. They don't want to use legislation too readily after all, since it could be seen as at odds with their aim to reduce bureaucracy.

Their big big project is, of course, big data, wherever they can get it.

The Health and Social Care Act 2012 is enabling them to wreak all kinds of ignorant havoc with medical confidentiality, for example. Ross Anderson, only last week, described the Hospital Episode Statistics data warehouse and the horrendous programme as residing in the 7th circle of hell, as far as lack of respect for medical confidentiality and privacy is concerned.

Whilst I'm mentioning Ross, could I also highly recommend the Nuffield Council on Bioethics report of which he is a joint author, The collection, linking and use of data in biomedical research and health care: ethical issues. Ross neatly sums up:
As the information we gave to our doctors in private to help them treat us is now collected and treated as an industrial raw material, there has been scandal after scandal. From failures of anonymisation through unethical sales to the catastrophe, things just seem to get worse. Where is it all going, and what must a medical data user do to behave ethically?
We put forward four principles. First, respect persons; do not treat their confidential data like it were coal or bauxite. Second, respect established human-rights and data-protection law, rather than trying to find ways round it. Third, consult people who’ll be affected or who have morally relevant interests. And fourth, tell them what you’ve done – including errors and security breaches.
The coalition's other big project was tax relief for the video games industry. Needless to say, the industry approved. So popular was it that the government decided to extend a similar provision to theatres.

Finally, hugely unwelcome all around parliament, Leveson landed upon the government and the effects are still unclear.


Daithí's conclusions on all this brought us back to where he started. The coalition began with some promising promises on technology and civil liberties but it proved all too easy for them to talk in libertarian soundbites on the outside, then quickly succumb to the temptations of power. He was more generous than I would have been in describing the coalition as looking merely old and grey.

Their consolidation and expansion of the mass surveillance agenda and practices (Daithí didn't mention the Snowden affair but I'm sure would have done if time had allowed) and the government's entrenched view of UK residents as industrial raw material, as Ross Anderson so eloquently puts it, to be mined for the response to whatever stick the rabid 24 hour news media are currently beating the government over the head with, will do untold damage to fundamental rights for generations to come.

Update: I expect Daithí would also have included a treatise on the Justice and Security Act 2013 (including reinforcement of secret courts and secret "evidence") and the decimation of legal aid, if he'd had the chance.

Tuesday, February 24, 2015

What were you doing when they were building the surveillance society?

At the behest of my friend and colleague at the Open University, Mike Richards, I penned a piece towards the end of last year in connection with our introduction to cyber security MOOC. I realise it is now up on OpenLearn. Copy below.
In the 1600s the founders of New England meticulously laid out their towns so that the relationship of buildings to each other and the town square allowed the Puritan inhabitants to keep a close eye on each other. For practising Puritans, at that time, allowing friends, family and the rest of the community to pry into their private lives was routine. Good behaviour in private was considered to be essential for societal wellbeing. However, that good behaviour would only be forthcoming if people watched each other closely.
This practice was brought into the internet age by a company called NetAccountability in 2002. They enabled people to sign up to have a morally upstanding friend or family member monitor their web surfing habits. The monitor then received regular comprehensive reports of the websites that person visited. There are a multitude of such services today.
In 1791, English philosopher Jeremy Bentham came up with the idea of an “ideal prison” built with a central tower from which watchers could see into every cell but the cell-bound could not see into the tower. Prisoners could never know exactly when they were being watched, would have to assume they were under constant surveillance and moderate their behaviour to avoid severe punishment. Bentham called his design a panopticon.
After the Berlin wall came down, the Stasi were found to have more than 6 million files on East German citizens, more than a third of the population. The German Democratic Republic panopticon, could not, however, when it comes to surveillance, hold a candle to modern practices of the governments of the US and the UK.
The internet, lauded in the 1990s as the force that would free humanity, has been turned into the world’s panopticon, an apparatus of mass surveillance the like of which the world has never known. Thanks to NSA whistleblower, Edward Snowden, we know that the UK and US governments sweep up communications data on an unimaginable scale, not on just a third of their citizens, but their whole populations – and the rest of the connected world.
Now I don’t know about you but I find the thought of permanently being watched oppressive, intrusive and disturbing. 1600s New England, Bentham’s panopticon, the GDR or communities that require me to sign up to constant close monitoring to protect my soul are not places that appeal to me in the slightest. However, as a result of the evolution of technologies and the war on terrorism, the Internet has become a world of incomprehensible surveillance.
Snowden has disclosed that the US National Security Agency (NSA) specifically targets the communications of everyone, ingesting, collecting, filtering, measuring and storing everything by default. The NSA’s counterpart in the UK, the Government Communications Headquarters (GCHQ) has developed a programme called Tempora; a hard wired intercept of the international communications cables entering and leaving the UK. Tempora is capable of collecting all communications content and “metadata” that pass across the UK. The metadata is the details of who is in contact with whom, what devices they are using, when and from where they are communicating, for how long, what websites are visited, searched, clicked etc.
Documents leaked by Snowden indicate that several years ago GCHQ had the capability to collect 21 petabytes of data every 24 hours. That is equivalent to about 200 times the contents of the entire British Library, every single day. The technology (better) and economics (cheaper) of digital storage mean that their capacity is undoubtedly far greater today.
Yet the thing about the internet is we don’t notice we’re being watched. Sure we know about things called “cookies” tracking us – because of those irritating EU-mandated warnings that pop up on websites – even if we don’t know exactly what cookies are; and to a degree we know our browsing habits allow advertisers to specifically identify each and every one of us for targeted advertising.
But we don’t think about it too much… and when we do we console ourselves with thoughts such as “the government are only interested in terrorists and drug dealers and child abusers and organised criminal gangs – the four horsemen of the infocalypse – not us… and they know what they are doing… and they are the good guys… and most of us most of the time are not conscious of any intrusion… and we’ve got nothing to hide anyway….”
The trouble with the seductive “the innocent have nothing to hide” meme, wielded so freely by politicians and the press so intent on stripping away our privacy, is that it is dangerous and wrong.
It is underpinned by two hidden and completely false assumptions.
1. Privacy is only about bad people hiding bad things, so only bad people want privacy.
Wrong. The need for privacy is a fundamental part of the human condition.
2. Sacrificing privacy will solve complex problems like terrorism.
But here’s a news flash from a former senior executive of the NSA, decorated US Air Force and Navy veteran, and whistleblower, Thomas Drake: mass surveillance doesn’t work.
We know it doesn’t work because in 13 years of mass surveillance following the 9/11 attacks neither the US nor the UK governments have been able to produce a single example of where it has worked that can withstand robust independent scrutiny. The US has claimed 54 attacks have been thwarted. All these have been rebutted by experts. The UK claims at least two major terrorist attacks every year since 9/11 have been stopped by mass surveillance. No specifics - we just have to trust them on that. Any plots that have come to light in the media have, when examined, been uncovered through conventional targeted intelligence and policing.
You see, finding the four horsemen is a needle in a haystack problem. There may (or indeed may not) be a crime-related communication in today’s 21 petabytes of data, but it is in amongst a colossal amount of completely innocent information. It doesn’t become easier to find the needle by throwing infinitely more needle-free hay on your stack and/or creating multiple giant and exponentially growing data haystacks.
Mass data collectors can dig deeply into the digital persona of anyone but don’t have the resources to do so with everyone. The resultant pursuit of false positive leads means the real bad guys often get lost in the noise, as happened with the perpetrators of the 9/11 attacks who were known to US authorities but not considered sufficiently important to intercept. Even then, in a time of significantly more limited and targeted surveillance, the intelligence and security services were so inundated with data that the attackers evaded their grasp.
Despite all of this the Snowden revelations have raised little more than a collective “meh”, in the parlance of my teenagers, amongst the majority of people in the UK. Even when it was revealed that GCHQ were running a system called Optic Nerve, secretly collecting private images from nearly 2 million Yahoo! webcam accounts, including those of children, general public apathy prevailed.
Security and privacy professionals used to joke about the government wanting to put a camera in everyone’s bedroom – it couldn’t possibly happen – now they’ve done it and we apparently don’t care.
Why is that?
Well I suspect part of the answer is related to Stanley Cohen’s theory that when we as individuals, groups, communities, societies, governments, learn about monumentally appalling things, we go into a state of denial about it. It is too complex/difficult/terrible to comprehend or cope with, so we put it to one side and don’t think about it. In that state we can readily take on board assurances of the powerful to trust them and they will protect us.
And we have the additional bonus that the internet and our gadgets connecting us to it are so attractive, gratifying, responsive, entertaining, accessible, convenient, and educational even – our very own Huxleian soma, the drug that makes us feel better.

More importantly why should we care?
We should care because invasion of privacy is an ecological problem. When I give up a little bit of my privacy I’m polluting the lives of everyone I’m connected to and everyone they are connected to. The NSA deputy director testified to Congress that they look at anyone ‘3 hops’ removed from their targets.  You don’t have to have done anything wrong, just be connected to someone connected to someone connected to someone that falls under suspicion. Then, according to Snowden, the NSA or GCHQ uses their giant personal data haystacks to time travel through a comprehensive record of your digital history and scrutinize everything with a view to deriving suspicion from an innocent life.

And in a way it is not even that which concerns me the most.
A lot of this mass surveillance activity is done by good people with the best of intentions but when you build the infrastructure of a surveillance state you cannot guarantee that it is – given the revelations of Edward Snowden and Thomas Drake – or will permanently remain under the control of the good guys. Nor can you guarantee it won’t be exploited by the very horsemen of the infocalypse it was nominally constructed to counteract. Mass valuable personal data databases are irresistible targets for the horsemen. Security backdoors built into standard computer architecture for intelligence purposes quickly become available to nefarious actors too.
The thing that worries me the most, though, is the legacy we are leaving for future generations and the question my kids and possibly their kids will be asking me in 20 years.
“Dad/granddad, what the hell did you think you were doing when they were building the surveillance society?”
Mass surveillance is incredibly socially destructive and yet we don't seem to care enough to do anything about it.

Tuesday, February 10, 2015

Liberty, PI, Amnesty v Foreign Secretary at IPT

I had a quick go yesterday at explaining the Investigatory Powers Tribunal (IPT) ruling, in Liberty & Ors v The Secretary of State for Foreign and Commonwealth Affairs & Others (Case No: IPT/13/77/H).

When government, for an indeterminate number of years prior to 5th December 2014 has said,
“All of the work of the intelligence and security services is carried out in accordance with a strict legal and policy framework, which ensures that our activities are authorised, necessary and proportionate ...”
they were being economical with the truth. They were, during that period, in fact flagrantly undermining the rights to privacy and freedom of expression under articles 8 and 10 respectively of the European Convention on Human Rights (ECHR).

The government can, according to the IPT however, make that claim now because we are told there is a legal and policy framework. We are just not entrusted with the privilege of knowing what those legal and policy framework rules are.
Secret laws and policies.

For secret government mass surveillance activities.

Approved by a secretive tribunal historically predisposed towards approving of government secrecy, with the sole limited exception being this Liberty & Ors case.
The most recent IPT ruling takes great pains, from the start, to emphasise that they ruled, in December 2014, that the UK security services' intelligence sharing with the NSA, in connection with Prism and Upstream, is lawful.
"Save in one possible (and to date hypothetical) respect"
The limited and hypothetical exception is laid out in paragraph 53 of their 5 December judgement.
"53. The one matter of concern is this. Although it is the case that any request for, or receipt of, intercept or communications data pursuant to Prism and/or Upstream is ordinarily subject to the same safeguards as in a case where intercept or communication data are obtained directly by the Respondents, if there were a 1(b) request, albeit that such request must go to the Secretary of State, and that any material so obtained must be dealt with pursuant to RIPA, there is the possibility that the s.16 protection might not apply. As already indicated, no 1(b) request has in fact ever occurred, and there has thus been no problem hitherto. We are however satisfied that there ought to be introduced a procedure whereby any such request, if it be made, when referred to the Secretary of State, must address the issue of s.16(3)"
But the exception was hypothetical, had not happened and they were therefore "satisfied as to the lawfulness" of the intelligence services' activities relating to Prism and Upstream. From the 6 February decision:
"10. By our Order of 5 December 2014 we made declarations that the Prism and/or Upstream arrangements (subject to the exception referred to in paragraphs 7 and 8 above) did not contravene Articles 8 or 10 ECHR, and further that the RIPA regime in respect of ss. 8(4), 15 and 16 of RIPA similarly did not contravene Articles 8 or 10 ECHR.
By paragraph 4 of the Order, we directed that the parties serve written submissions according to an agreed timetable, and with a view to the two outstanding issues being resolved by the Tribunal, by agreement of the parties, without a further hearing:

“4. i) Whether by virtue of the fact that any of the matters now disclosed in the judgment of 5 December 2014 were not previously disclosed, there had prior thereto been a contravention of Articles 8 or 10 ECHR. (“The First Issue”).
ii) Whether by virtue of the facts and matters set out in paragraph 53 of the judgment of 5 December 2014, there is a contravention of Articles 8 or 10 ECHR.” (“The Second Issue”). "
We'll get to the IPT's specific answers to these questions presently but (spoiler alert) they basically conclude i) keeping the existence of the rules secret was illegal but isn't anymore since we now know the rules exist (it's slightly more subtle than that, in that there is the question of "adequate signposting" to the rules) and ii) don't worry about it, the government promise to behave.

Perhaps surprisingly, (though I expect the legal representatives advised of the serious possibility of a limited win on the secret rules grounds and decided to focus exclusively on that), Liberty and co chose not to challenge the RIPA regime at this particular stage. So the IPT take the open goal opportunity to pat GCHQ and co on the back,
"12. ... As requested by the Respondents, therefore, the Tribunal can make it clear, for the avoidance of doubt, that the declaration it made on 5 December 2014 in relation to the RIPA regime was that it is in accordance with the law/prescribed by law and was so prior to the Tribunal’s Judgment of 5 December 2014."
They next tackle the question of whether the absence of government acknowledgment of secret rules governing mass surveillance was illegal.
"15. We set out the requirements of Article 8 in paragraph 37 of the December Judgment:
“37. The relevant principles appear to us to be that in order for interference with Article 8 to be in accordance with the law:
(i) there must not be an unfettered discretion for executive action. There must be controls on the arbitrariness of that action.
(ii) the nature of the rules must be clear and the ambit of them must be in the public domain so far as possible, an “adequate indication” given (Malone v UK [1985] 7 EHRR 14 at paragraph 67), so that the existence of interference with privacy may in general terms be foreseeable."
So there must be rules reining in "unfettered... executive action" i.e. theoretically the government is subject to some controls. The rules don't have to be public but the public must know enough to be able to deduce that our privacy may be undermined.
"16. We continued:
“41. We consider that what is required is a sufficient signposting of the rules or arrangements insofar as they are not disclosed. . . It is in our judgment sufficient that:
(i) Appropriate rules or arrangements exist and are publicly known and confirmed to exist, with their content sufficiently signposted, such as to give an adequate indication of it (as per Malone: see paragraph 37(ii) above).
(ii) They are subject to proper oversight.”
I'll leave you to decide on the difference, if any, between "the nature of the rules must be clear..." etc and "what is required is a sufficient signposting of the rules or arrangements insofar as they are not disclosed" etc.

Bottom line?

Secret rules governing mass surveillance are ok as long as the public know there are rules, even if they are not allowed to know what the rules are and as long as the rules "are subject to proper oversight".

The IPT did get a confidential look at the "arrangement below the waterline" i.e. secret rules, in secret and:
"17. We set out our conclusions, so far as relevant to this question, in paragraph 55:
“55. After careful consideration, the Tribunal reaches the following conclusions:
(i) Having considered the arrangements below the waterline, as described in this judgment, we are satisfied that there are adequate arrangements in place for the purpose of ensuring compliance with the statutory framework and with Articles 8 and 10 of the Convention, so far as the receipt of intercept from Prism and/or Upstream is concerned.
(ii)This is of course of itself not sufficient, because the arrangements must be sufficiently accessible to the public. We are satisfied that they are sufficiently signposted by virtue of the statutory framework to which we have referred and the Statements of the ISC and the [Interception of Communications] Commissioner quoted above, and as now, after the two closed hearings that we have held, publicly disclosed by the Respondents and recorded in this judgment.”
In other words - trust us, there is "adequate" secret oversight of mass surveillance ensuring it complies with human rights.

But don't worry, we've got your back. Not only can we confirm the existence of adequate secret controls but we realise the fact of the existence of these secret rules must be in the public domain. And hey presto! By way of our wondrous work in getting this information disclosed to the public - i.e. that secret rules exist - the public know that secret rules exist. High fives and self congratulatory kudos all round.

But wait.

Liberty's QC, Matthew Ryder, pointed out that it was only because this case was pursued that the government were forced into releasing the information that secret rules existed that, in turn, satisfied the IPT that the public now know that secret rules exist.

The IPT response?
"19. ... We agree."
Not much to add to that.

Paragraph 20. of the judgement is fun but really for the lawyers. Rough translation:
The government say: leave us alone, there was enough information to deduce that rules existed.

Privacy International barristers, Dan Squires and Ben Jaffey say: maybe but there was not enough information about the nature and ambit of the rules (in the language of the Padfield decision noted in para 15) or sufficient signposting to the content of the rules to give an adequate indication (Padfield & IPT from para 15 & 16) of the ballpark they might reside in.
I won't quote the IPT in paragraph 20 agreeing with Privacy International but the IPT agreed with Privacy International.

We finally reach the heart of the decision so loudly proclaimed as historic by Liberty, Privacy International, Amnesty and The Guardian.
"21. ... We are however satisfied ... that, without the disclosures made, there would not have been adequate signposting, as we have found was required and has now, as a result of our Judgment, been given.
22. Although the first requirement of Article 8, set out in paragraph 37(i) of the December Judgment and in paragraph 15 above, is satisfied, the second requirement, as set out in paragraph 37(ii) of the December Judgment, was only satisfied by the Disclosures being made public in our Judgment.
23. We would accordingly make a declaration that prior to the disclosures made and referred to in the Tribunal’s Judgment of 5 December 2014, the regime governing the soliciting, receiving, storing and transmitting by UK authorities of private communications of individuals located in the UK, which have been obtained by US authorities pursuant to Prism and/or (on the Claimants’ case) Upstream, contravened Articles 8 or 10 ECHR, but now complies."
There are secret rules controlling government action in this area.

There would not have been "adequate signposting" to the secret rules governing Prism & Upstream intelligence sharing, without the disclosures the government made in this case.

Prior to these disclosures the government were in breach of Articles 8 or 10 of the European Convention on Human Rights (ECHR), protecting privacy and freedom of expression; as there was inadequate signposting to the secret rules.

The Prism & Upstream intelligence sharing regime, by virtue of government disclosures, as a result of this case, of adequate signposting to the secret rules, now complies with Articles 8 or 10 of the ECHR.
Having shot the government metaphorically in the foot then bandaged the wound so it was no longer noticeable, the IPT move thence to the "hypothetical" Regulation of Investigatory Powers Act (RIPA) loophole. "Hypothetical" because they are assured by the government that the issue has never arisen.

The RIPA issue in the case is more complicated than the question of the existence of secret rules, so in deference to the patience and stamina of readers who have got this far, I'm going to take a relatively short run at it. It is addressed in paragraphs 24 to 31 of the decision. Let's skip the hypotheticals on the 1(b) request and the dancing in and out of sections 5, 8, 15 and 16 of RIPA and get to the government promise outlined in paragraph 30.
"30. The Respondents have now given the further Disclosure, as contained in paragraphs 19 and 20 of their submissions:
“19. For the avoidance of doubt, the concern identified by the Tribunal would not arise in the first place if a request were made pursuant to paragraph 1(b) of the Disclosure for material to, from or about specific selectors (relating therefore to a specific individual or individuals). In such a situation, the request would be a “targeted” one and the Secretary of State would therefore have approved it for the specific individual(s) in question. In that case, the proper parallel would be with a warrant under s.8(1) of RIPA, not s.8(4). Thus, the safeguards under s.16 of RIPA would not be at issue even by analogy because s.16 of RIPA only applies to the examination stage following interception under s.8(4) warrants (i.e. “untargeted” interception).
20. In those circumstances, the remaining concern is in relation to such untargeted interception. The Respondents can confirm that, in the event that a request falling within paragraph 1(b) of the Disclosure were to be made and approved by the Secretary of State other than in relation to specific selectors (i.e. “untargeted”), the Intelligence Services would not examine any communications so obtained according to any factors as are mentioned in section 16(2)(a) and (b) of RIPA unless the Secretary of State personally considered and approved the examination of those communications by reference to such factors.” "
This requires careful and repeated reading but purports to be an assurance from the government to close this one lacuna, in a veritable colander of RIPA loopholes. The assurance attempts to give the impression that the Secretary of State must sign off on surveillance targeted at specific individuals.

In other words the government promise to behave... honestly... on this specific RIPA pathway.

Secretary of State approval is now supposed to apply both:
• to targeted interception of communications
• and to targeted data mining of the giant data silos collected through untargeted interception.
I'm not sure I derive a great deal of comfort from that.

On the latter, just to repeat;
"The Respondents can confirm that, in the event that a request falling within paragraph 1(b) of the Disclosure were to be made and approved by the Secretary of State other than in relation to specific selectors (i.e. “untargeted”), the Intelligence Services would not examine any communications so obtained according to any factors as are mentioned in section 16(2)(a) and (b) of RIPA unless the Secretary of State personally considered and approved the examination of those communications by reference to such factors.”
Privacy International and Amnesty accepted the government assurances explicitly. Liberty were silent on the matter. The IPT takes the declaration as a resolution.
"31. Privacy in their reply submissions, with which Amnesty agrees, accept that “that safeguard is now in place, but was not in place before December 2014”. Liberty does not expressly so accept, but made no submissions to the contrary in their reply. In any event we agree, and the disclosure which resolves the lacuna is now made public in this judgment."
Given the importance of the government RIPA promise and the IPT's acceptance that it closes a loophole, they conclude the case at paragraph 32:
"32. In our judgment the appropriate course is to alter the declaration we were otherwise minded to make as set out in paragraph 23 above in respect of the First Issue, so that the declaration we propose to make would recite that “prior to the disclosures made and referred to in the Tribunal’s Judgment of 5 December 2014 and this judgment” the Prism and/or Upstream arrangements contravened Articles 8 or 10 ECHR, but now comply."
So, prior to -
• the disclosure of adequate signposting to secret rules governing Prism and Upstream intelligence sharing
• the government's promise not to exploit one of many RIPA loopholes
- the UK government, for many years, contravened articles 8 and 10 of the European Convention on Human Rights. Now, thanks to the disclosures and promises extracted as a result of this case, they are no longer undermining the right to privacy and freedom of expression. At least as far as the IPT is concerned, within the narrow confines of the issues it examined in this case.

Update: I meant but neglected to include Caspar Bowden's wonderful description of the decision -

"IPT "illegality" finding a Pyrrhic victory, harpoon hurled at heart of "margin of appreciation". ECtHR reviews "safeguards" not spy methods"

Also Privacy International's note about the secret rules: 
"What was publicly disclosed, therefore, is little more than a Tribunal’s summary of secret policies disclosed in a secret hearing, which policies describe only the broadest of restrictions on the receipt of intelligence material by the UK, and remain buried in a 77-page long decision from the IPT, not enshrined in any accessible law or statute. 
We think that falls far short of what is called for by the “in accordance with law” requirement, and in the coming weeks will be appealing to the European Court of Human Rights to argue our case there, demanding an end to unlawful mass intelligence sharing, and ensuring privacy protections for all. "

Monday, February 09, 2015

IPT on mass surveillance - it's alright now, move along...

On Friday last, the Investigatory Powers Tribunal (IPT) ruled, in Liberty & Ors v The Secretary of State for Foreign and Commonwealth Affairs & Others (Case No: IPT/13/77/H), that the UK government had been breaking the law, for an indeterminate number of years, in the context of intelligence sharing operations between the NSA and GCHQ.

Basically the tribunal said mass surveillance was illegal when we didn't know about it. But now we do, as a result of some documents the government were obliged to release during this case, it's entirely fine and hunky-dory. It's perfectly grand, as an old friend of mine used to say. The documents don't tell us about the mass surveillance but they provide "a sufficient signposting of the rules or arrangements insofar as they are not disclosed".


There is... er... might be... mass surveillance er in theory.

If there... er... were mass surveillance, it is under control because there are rules.

We're not telling you the rules.

They are secret.

But trust us, there are rules, aka "adequate arrangements in place for the purpose of ensuring" respect for privacy and freedom of expression under articles 8 and 10 respectively of the European Convention on Human Rights (ECHR).

And we have "a sufficient signposting of the rules or arrangements insofar as they are not disclosed".

Don't worry your fluffy little head about it citizen friend. The good guys are in charge.

So, because the government have finally agreed to tell us there are rules governing mass surveillance, something the IPT ordered them to do following submissions from Liberty & others last summer, the IPT is satisfied everything is ok, even though it may not have been, er... technically, before they er... agreed to tell us there were rules.

And oh, they were only guilty of not telling us there were rules but now they are not guilty of anything because they have told us there are rules.

We're not, however, allowed to know what the rules are...

The government and intelligence services never comment on matters of national security (except to spread fear and hang on wasn't that the terrorists' intent), other than with the standard boilerplate,
“All of the work of the brave men and women in the intelligence and security services is carried out in accordance with a strict legal and policy framework, which ensures that our activities are authorised, necessary and proportionate ...”
So move along... nothing to see...

From the IPT order on Friday:
"(i) THAT prior to the disclosures made and referred to in the First Judgment and the Second Judgment, the regime governing the soliciting, receiving, storing and transmitting by UK authorities of private communications of individuals located in the UK, which have been obtained by US authorities pursuant to Prism and/or (on the Claimants’ case) Upstream, contravened Articles 8 or 10 ECHR, but
(ii) THAT it now complies with the said Articles."
It's the first time since it was established in 2000 that the secretive tribunal has formally ruled that the intelligence services acted outside the law. Liberty, Privacy International and Amnesty, who had funded the legal challenge, were keen to note the decision as a historic victory but nevertheless only a small step on the road to reining in mass surveillance. They plan now to pursue the case to the European Court of Human Rights.

The IPT had previously ruled, in December 2014, that the intelligence sharing had not contravened Articles 8 or 10 of the European Convention on Human Rights.

Friday's decision was more of a technical than a substantive victory for the civil rights groups. Indeed GCHQ expressed their pleasure at the decision in a statement,
"The judgment reaffirms the IPT’s main December ruling which found strongly in favour of the Government. The Court ruled that the legal frameworks governing both the bulk interception regime (found in section 8(4) of the Regulation of Investigatory Powers Act or RIPA), and the intelligence-sharing regime, were fully compatible with human rights, in particular the right to privacy.
The judgment focuses primarily on a discrete and purely historical issue – whether those legal frameworks were also fully compatible at a point before these legal proceedings began.
It confirms the UK’s bulk interception regime was fully compliant with the right to privacy at all times, both before and at the time of the legal proceedings.
A GCHQ spokesperson said: "We are pleased that the Court has once again ruled that the UK’s bulk interception regime is fully lawful. It follows the Court’s clear rejection of accusations of ‘mass surveillance’ in their December judgment."
They went on to dismiss the loss as a technical blip,
"The IPT has, however, found against the Government in one small respect in relation to the historic intelligence-sharing legal regime. The Court has ruled that the public disclosure of two paragraphs of additional detail, voluntarily disclosed by the Government during the litigation, were essential to make the public regime sufficiently foreseeable and therefore fully compatible with the European Convention of Human Rights. They found that to the extent that these two paragraphs were not previously in the public domain, the intelligence-sharing regime prior to that point was in contravention of human rights law.
But the judgment does not in any way suggest that important safeguards protecting privacy were not in place at all relevant times. It does not require GCHQ to change what it does to protect national security in any way."
So who's got the real bragging rights - Liberty & co or GCHQ? Well in a sense they both do. Liberty & co get to say it's historic since the IPT have never ruled against the government before. The Guardian as a bonus get to take out some justifiable angst on their UK mainstream media fellow travellers, who have been undermining their reporting on mass surveillance at every turn. GCHQ and the government get to say don't worry about it, minor blip, all fixed, nothing to see here anymore, move along.

So everyone wins, right?


As long as the mass surveillance that has become normalised in the past 15 years continues, everyone loses.

Update: some links on the case shared on Twitter on Friday last.

FA Respect code more honoured in the breach?

What is it about kids football that brings out the worst in people?

Several weeks ago my son's under 16 team, St Edmunds, comfortably beat Barton Rovers 4-1 in the quarter final of the Berks & Bucks FA cup, in a game played in a generally good spirit. There was not even a remote hint of what was to come. The Barton manager was generally complimentary about St Eds' performance and the home linesman on the day had been one of the fairest we had come across this season.

Preparing for a semi final against Ascot a few weeks ago, St Eds discovered the game had been postponed. Barton Rovers had lodged a formal complaint about player ID cards. St Eds' management team had to attend an FA hearing to discuss paperwork and ID cards under Berks & Bucks FA county cup rules 8(e) and 11(e)(ii). Barton Rovers declined to attend the hearing and sent a statement instead.

As I understand it, there was no question of any St Eds player being ineligible and any doubts to that effect could be easily settled, only that ID cards for all players were not produced on the day of the game.

The outcome of the hearing was that the FA ordered a replay of the quarter final.

This took place at Barton Rovers on Sunday, 8th February.

The atmosphere was tense from the start and didn't get any better as a blood and thunder cup tie played out with emotions running high on and off the pitch. The referee had a tough afternoon, producing a multitude of yellow cards and awarding four penalties, in a game that finished 4-3 to the home side. It's a testament to his impartiality that some players and supporters on both sides were consistently vocalising their displeasure, as the game ebbed and flowed.

Unfortunately, two of the ref's most heavily disputed decisions came in the closing five minutes or so, when he awarded the penalty from which Barton equalised and then the winning goal. When the whistle went for the penalty I assumed he was blowing for a free kick for two successive, really dangerous, two footed challenges on the St Eds' centre half. On the winning goal, he dismissed the linesman's flag and also missed a pretty blatant push in the back. Nevertheless, referees are human too, in spite of rumors to the contrary, and have to give the calls as they see them.

A hard fought cup tie had been shaded by Barton and St Eds would have to chalk it down to experience, pick themselves up, dust themselves off and get on with their efforts to win the league. Injustice is rampant in this world and if they have to experience it in the confined context of youth cup football, it's tough but not life changing. I have to admit it's easier for me to say that now than it would have been when I was 15/16, though, as football was more important than life or death to that teenager.

It is a testament to the players and St Eds' management team that, in spite of the context of the replay and prevailing atmosphere, when they focused on playing football, they played really well.

However, after the final whistle and as the St Eds lads left the ground, there was little evidence on show from the Barton Rovers crew of adherence to the FA's respect agenda, noted so conspicuously on signs around the place. The taunting and cheering was, on the contrary, pretty shameful. The FA’s Respect Code of Conduct for coaches, managers and officials states:
We all bear a collective responsibility to set a good example and help provide a positive environment in which children can learn and enjoy the game. Play your part and observe The FA’s Respect Code of Conduct at all times.
On and off the field, I will:
• Use my position to set a positive example for the people I am responsible for
• Show respect to others involved in the game including match officials, opposition players, coaches, managers, officials and spectators
• Adhere to the laws and spirit of the game
• Promote Fair Play and high standards of behaviour
• Respect the match official’s decision
• Never enter the field of play without the referee’s
• Never engage in, or tolerate, offensive, insulting or abusive language or behaviour
• Be aware of the potential impact of bad language on other participants, facility users or neighbours
• Be gracious in victory and defeat
For spectators and parents it says:
We all bear a collective responsibility to set a good example and help provide a positive environment in which children can learn and enjoy the game. Play your part and observe The FA’s Respect Code of Conduct for spectators at all times
• Remember that children play for FUN.
• Applaud effort and good play as well as success.
• Respect the Referee’s decisions even when you don’t agree with them
• Appreciate good play from whatever team it comes from
• Remain behind the touchline and within the Designated Spectators’ Area (where provided)
• Let the coaches do their job and not confuse the players by telling them what to do
• Encourage the players to respect the opposition, referee and match officials
• Support positively. When players make a mistake offer them encouragement not criticism
• Never engage in, or tolerate, offensive, insulting, or abusive language or behaviour
For players:
When playing football, I will:
• Always play to the best of my ability and for the benefit of my team
• Play fairly – I won’t cheat, dive, complain or waste time
• Respect my team-mates, the other team, the referee or my coach/manager.
• Play by the rules, as directed by the referee
• Be gracious in victory and defeat – I will shake hands with the other team and referee before or at the end of the game
• Listen and respond to what my coach/team manager tells me
• Understand that a coach has to do what is best for the team and not one individual player
• Talk to someone I trust or the club welfare officer if I’m unhappy about anything at my club.
Whether the referee and the observer from the Berks & Bucks FA choose to record the less than respectful post game behaviour, or anything else that may have drawn their attention, formally in their reports is entirely a matter for them. Irrespective of whether they do so or not, it was distinctly unpalatable. Despite being apparently gracious in defeat, at least immediately following the original match, whatever might be thought about the subsequent formal complaint about ID cards, there was no graciousness or respect on show following the controversial last minute victory snatched on Sunday afternoon.

I'll say it again. What is it about kids football that brings out the worst in people?

Thursday, January 29, 2015

Lords King, Blair, Carlile & West go to Westminster

My irreverent parliamentary sketch take on the attempt to sneak the snoopers' charter into law is now available at The Conversation.

A copy of the slightly more serious original draft is below.
If you’re a fan of The Simpsons, you might recall an episode entitled "Mr. Spritz Goes to Washington". Krusty the Clown gets elected to Congress and the family receive an education in the activities required to get things done in Washington DC. Against the ever decent Lisa’s better judgement, they surreptitiously attach an air traffic control bill to a bill giving US flags to orphans. The provisions get passed, thereby curing the Simpsons’ recent air traffic noise pollution problem created by Mayor Quimby.
This side of the pond we’ve had our very own version of the Simpsons’ 2003 scenario playing out in recent days in the House of Lords. Lords King of Bridgwater, Blair of Boughton, Carlile of Berriew & West of Spithead attached 18 pages of amendments to the Counter Terrorism and Security Bill the UK government are currently fast tracking (is there any other way with supposed anti-terror proposals?) through parliament. These amendments effectively amounted to an attempt to sneak the snoopers' charter aka the Communications Data Bill (CDB) into law by the back door. Basically the same snoopers' charter that was emphatically rejected by Parliament's Joint Committee on the Draft Communications Data Bill.
The Joint Committee said the draft Bill paid “insufficient attention to the duty to respect the right to privacy”, was a “disproportionate” attack on fundamental human rights and the Home Office’s justifications for it were “fanciful and misleading.” Additionally they found the Home Office estimate of £1.8 billion in relation to the implementation of the Bill likely to be exceeded “by a considerable margin.”
Whilst watching laws or sausages in the making was not a pastime recommended by Otto von Bismarck, what passes for debate in Westminster really should be compulsory viewing (beginning here at 16:32) on occasion.
Led by Lord King, the gist of the excuses for clipping the thoroughly discredited snoopers’ charter to the already hugely problematic Counter Terrorism & Security Bill was, as I understood it:
· The Lords don’t understand new technology but terrorists DO!
· 95% of the criticisms of the parliamentary joint committee investigating the snoopers’ charter have been accepted by the Home Office (so why try to pass the original?)
· the principle has been established of data collection
· Jack Straw likes it
· We need targeted rather than mass surveillance (er… how does that marry up with passing a mass surveillance measure?)
· Baddies are bad. Be afraid
· Action is needed urgently otherwise parliament will be blamed for not acting
· Needs of security services and police must be met
· The police desperately need the snoopers’ charter for ordinary crime fighting
· We are now losing the technology race against the terrorists - there is a "horrendous gap that gets bigger each day" that prevents the security services doing their job
· Comms data in Paris established connection between the murderers (not the fact they were brothers and one of the murderers claiming on camera they were connected...?)
· The 4 lords calling for the snoopers charter amendments are experts so we should trust they know what they are doing
· The government are not looking at content only the “outside of the envelope” and we should worry about private companies not government
· We don't need studies - our nation's security is too important, so we must act now
· Opponents are peddling emotive claptrap when we need the snoopers charter to protect children
· It is an affront to the police and security services to call the CDB the snoopers charter, thereby attributing exclusively malign motives to these brave men and women
· If the French security services had known the wives of the Kouachi brothers had called each other’s mobiles 50 times, they would have prevented the terrible murders in Paris
· There’s a sunset clause so we don’t need to worry about the snoopers charter being in place for very long
Lord Blencathra, the chairman of the joint committee that had so roundly rejected the Draft CDB, was one of a number of members of the House who spoke against the amendments.
In summary their position was:
· The police already have excellent data handling and processing systems and have said all they wanted was the who, where and when not the “sweeping powers” the snoopers’ charter represents
· Clause 1 of the snoopers charter is so obscure and so broad that it effectively has no limits
· Parliament should not pass general and obscure laws that give security apparatchiks carte blanche to do anything with no checks and balances
· It would be an affront to parliamentary democracy to bounce these kinds of powers into law by attaching them in undiluted form to a fast-tracked Bill
· a distinction has to be made between powers to tackle terrorism and serious crime on the one hand - big money, big bucks, drugs - and the rest of crime on the other; it tarnishes the reputation of the big guns, like MI5, if local councils are using anti-terror regulations to pursue fly tippers
· Parliament will be severely criticised if they rubber stamp the passing of such fatally flawed measures, particularly if they originate in the unelected House of Lords
· The growing “horrendous gap” in the technological arms race with the terrorists is an exaggerated myth not supported by any credible evidence – members of the CDB joint committee were “angered” by the misleading claims
· We need to engage with communities not create alienation and resentment by passing laws perceived to be disproportionately targeted at minority communities
· You can only get good intelligence by cultivating good relations with communities - most plots are foiled because of intelligence from communities not high tech interceptions
· Forcing mass corporate collection of personal data for subsequent security services access will lead to mission creep
· Abuse of the Regulation of Investigatory Powers Act 2000 to track down journalists’ sources should be a stark warning of this
· Regardless of any supposed sunset clause no future government would be prepared to remove the snoopers charter from the statute books for fear of being accused of being soft on terrorism
· The use of the Tempora system means the security services are already acting beyond any extra powers this Bill will give them and parliaments should not grant these kinds of powers on the precautionary principle
· These snoopers’ charter amendments are a “gratuitous affront to parliamentary democracy” that must be “consigned to the dustbin of history.”
Lord Bates, Parliamentary Under-Secretary of State for Criminal Information at the Home Office, then confirmed, as various members had claimed, the government have CDB 2.0 waiting in the wings. This masterpiece of parliamentary drafting could not be made available yet but some people have seen it, including Lord Blencathra, who confirmed it apparently addresses 95% of the criticisms his committee levelled at the original CDB.
There were several requests for the government to make CDB 2.0 available to attach to the Bill. Lord Bates declined, however. The government were concerned that both the tabled snoopers’ charter amendments and any version thereof, regardless of how pristine it now might be, would put the safe passage of the 53 page Counter Terrorism & Security Bill through the House of Commons at risk.
Lord King, accepting those concerns, though believing the powers therein to be more important than those in the rest of the Bill, then withdrew the snoopers’ charter amendment. In the course of doing so he made a really important point:
“what I do know is that the moment you get a terrorist outrage is when all the wrong things are decided. The pressure comes on that something has to be done, and it is much better to have decided in advance what you are going to do, in a measured way.”
The attempt to tag the snoopers’ charter to the already controversial Counter Terrorism & Security Bill, being fast tracked in response to the Paris terror attacks, displays little evidence, however, of a measured approach.
Closing note to Mr Cameron and potential successors: the security and intelligence and police services don’t need more laws, powers, personal data or money thrown at computer systems. They need more people i.e. experienced, well trained and effectively deployed human intelligence. 
It is important to note that the snoopers' charter has not gone away with Lord King's withdrawal of the amendment in the House of Lords on Monday, however. Our very own securocrat version of the Simpsons crew have made clear their intention to re-introduce it at the report stage of the Bill next week if they don't get some movement from the government in their direction on this. It seems the snoopers' charter is more important to them even than the section 21 provision of the Counter Terrorism & Security Bill requiring educators and other public servants to become the counter terrorism thought police. So it is to be recommended that a close eye be kept on proceedings.