Sergey Nivens - Fotolia

Mixed reaction to Anderson review of bulk surveillance powers

While the Anderson review’s recommendation of a technical advisory panel has been welcomed, human rights groups say the opportunity to move to more targeted surveillance has been missed

This article can also be found in the Premium Editorial Download: Computer Weekly: Dell Technologies aims for an intelligent, connected future:

There has been a mixed reaction to the review by David Anderson QC of the controversial bulk powers outlined in the Investigatory Powers Bill currently before parliament.

The report was commissioned by prime minister Theresa May while still home secretary to evaluate the operational case for the powers of bulk interception of communications, acquisition of communications data, equipment interference and personal datasets for use by MI5, MI6 and GCHQ.

According to the review report, Anderson’s team considered around 60 detailed case studies provided by MI5, MI6 and GCHQ, together with associated intelligence reports, internal documents from each of the agencies discussing the powers, and interviews with 85 intelligence officials.

The report concludes that there is a proven operational case for three of the bulk powers, and that there is a distinct (though not yet proven) operational case for bulk equipment interference.

“The bulk powers play an important part in identifying, understanding and averting threats in Great Britain, Northern Ireland and further afield. Where alternative methods exist, they are often less effective, more dangerous, more resource-intensive, more intrusive or slower,” the report said.

The government immediately welcomed the review’s findings, saying the report makes “absolutely clear the critical importance of bulk powers”.

The prime minister, who introduced and championed the bill as home secretary, said the powers often provide the only means by which our agencies are able to protect the British public from the most serious threats.

“It is vital that we retain them, while ensuring their use is subject to robust safeguards and world-leading oversight which are enshrined in the Investigatory Powers Bill,” she said.

Technology association TechUK said it welcomed the review’s single recommendation that the Investigatory Powers Commission appoint a technical advisory panel of independent academics and industry experts to advise on the impact of changing technology, and on how MI5, MI6 and GCHQ could reduce the privacy footprint of their activities.

The report said although the bulk powers have a clear operational purpose, the review team accepts that technological changes will provoke new questions and believes that the appointment of a technical advisory panel will enable such questions to be asked and answered on a properly informed basis.

Read more about the Investigatory Powers Bill

Antony Walker, deputy CEO of TechUK, said as technology evolves it is essential that those overseeing and authorising bulk powers are informed by independent industry experts.

“This will ensure that their decisions do not undermine the security of the devices and networks that we all depend on in our daily lives,” he said.

Walker said Anderson is “absolutely right” to highlight the need to keep these powers under review to assess the implications of rapidly changing technology.

However, he said that the report does not address questions of necessity and proportionality of bulk powers.

“Nor does the report address whether the safeguards on bulk powers will satisfy the European Convention on Human Rights or European Union law. As the EU-US Privacy Shield agreement shows, question of compatibility with EU law remains relevant whether the UK is in or outside the European Union,” said Walker.

Review is one-sided, says Open Rights Group

According to the Open Rights Group, the review presents only the utility of the bulk powers for the state.

“This is only one side of the story,” said Javier Ruiz, policy director of the Open Rights Group. “We need an honest discussion about surveillance that looks at the effects on society, and the balance of power between citizens and the government,” he said.

The review will inform parliament’s scrutiny of the bill, which is set to continue when parliament resumes after the summer recess on 5 September 2016. However, Ruiz called on parliament not to simply rubber-stamp current practices.

“Some of Anderson’s claims, such as that alternatives to bulk may exist but would be more cumbersome, should open the door to a deeper discussion about the ethics of bulk collection,” said Ruiz. 

Parliament cannot pass the buck any longer and will have to decide whether it is right to collect and analyse the phone calls and internet use of whole populations, turning everyone into a potential suspect.”

Janine Regan, associate at law firm Charles Russell Speechlys, said the main issue with bulk data collection is where the line will be drawn.

“Will people eventually become desensitised to government having access to information about every single aspect of their lives? How long until the content of our emails, texts and social media message are also collected in-bulk?” she said.

“While no one can dispute the importance of national security, it is essential that it is not used to justify ill-considered attempts to erode the legal right to privacy.”

Mass surveillance ‘not an acceptable solution’

Jonathan Parker-Bray, founder and CEO of mobile encryption firm Pryvate, also welcomed the recommendation of setting up an advisory panel, but said the greatest issue with mass surveillance from a privacy perspective is that it affects innocent people more than it affects people with something to hide.

“The government has repeatedly demonstrated that they would welcome a weakening of encryption – further reducing the protections available to the general population and disregarding people’s right to have secure private communications online,” he said.

“It has ignored the position of the UK cyber security industry, which has repeatedly said any moves in this direction will affect its ability to do business on a global stage.

“[The industry] has also repeatedly asked for reassurance that the government will not demand the impossible of them – a weakening of encryption while maintaining the highest standards of protection. Yet a weakening of encryption would be necessary for the level of bulk collection the intelligence services are requesting,” he said.

Parker-Bray said a balance needs to be struck. “The government does need tools to fight cyber crime and criminals who use mobile devices to communicate in the digital age, but normal citizens and businesses have the right to private communications.

“With the majority of communications happening over phones and connected devices, some steps must be taken to gain information on these interactions.

“There are viable alternatives to bulk data collection. For example, access to metadata, when coupled with a phone ownership registry, could provide the majority of the information police and intelligence agencies seek to access, and crucially shed light on who is talking to who, without invading people’s privacy.

“This data, however, must be protected and subject to oversight, courts must be engaged to issue a warrant to request the logs of people’s calls and who they speak to, and leads must be generated before seeking more information. Mass surveillance – which puts so many people’s privacy at risk – cannot be an acceptable solution,” he said.

Liberty says review is a ‘wasted chance’

Human rights group Liberty criticised the Anderson review, saying it falls far short of the impartial, probing and well-evidenced investigation into the necessity of “bulk” powers so urgently required.

The group had cautiously welcomed the review when it was announced, and set out the basic framework and requirements needed to make that review effective and gain the confidence of both public and politicians.

However, Liberty said the review failed to meet these requirements and that Anderson’s report had failed to add any further substance to government’s claims.

The group said the review panel was not institutionally independent of the security and law enforcement agencies because Anderson’s advisers included Robert Nowill, GCHQ’s former director of technology and engineering, and Gordon Meldrum, former director of intelligence for the National Crime Agency (NCA).

“The review panel consisted of former agency staff effectively asked to mark their own homework and a reviewer who has previously advocated in favour of bulk powers,” said Bella Sankey, policy director for Liberty.

“The report provides no further information to justify the agencies’ vague and hypothetical claims and instead invites the public to ‘trust us’. Post-Chilcot, this won’t wash – hard evidence is required instead.

“This was an opportunity to properly consider the range of targeted methods that could be used as effective alternatives to indiscriminate and potentially unlawful powers. That chance has been wasted,” she said.

Effectiveness of targeted surveillance

According to Liberty, the Anderson review fails to answer the central question of whether information gathered by bulk powers was the critical factor in preventing or detecting serious crime, and whether that information could have been obtained from smart, targeted surveillance instead.

The report focuses only on claimed successes of bulk power use, Liberty said, based on “anecdotal assertions” from the intelligence agencies, but fails to inspect evidence of their failures, or to provide clear, evidence-based methodology to explain its conclusions.

Liberty notes that in 2013, the US government commissioned an independent expert panel to consider the necessity of just one bulk power – the US domestic bulk phone records programme.

It took six months to report, said Liberty, and concluded that the programme did not contribute to a single counter-terrorism investigation in any way that targeted methods could not have done.

Liberty said the organisation has long been concerned at the lack of any independent evidence that mass surveillance keeps the public safe, and is campaigning for a genuinely effective, targeted system of surveillance that protects the human rights to security and respect for private life.

“Liberty believes that the security and law enforcement agencies aims are, or could be, met by targeted methods – collecting and storing data on known suspects and their social networks, visitors to websites hosting illegal content, and conflict zones.

“By defining zones of suspicion and gathering intelligence from inside them, agencies can create rich, relevant, manageable data that leads to the rapid discovery of targets and threats,” the group said.

CW+

Features

Enjoy the benefits of CW+ membership, learn more and join.

Read more on Privacy and data protection

Join the conversation

1 comment

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

It's an interesting report - well at least the bits that I skimmed. I wasn't clear that the technical review was adequate as the method description was too weak. 

The bulk collection of data (from foreign traffic) was, to my mind, upheld as targeted approaches that require the cooperation of foreign service providers would be slow and inaccurate. I was much less convinced about bulk interceptions, EI or aggregating personal data, tho'. 

The descriptions implied that encryption is broken by GCHQ now, possibly by subversion of the CA mechanisms that underpin TLS. But the description and language used was too imprecise to be sure. Clearly, if this is the case, then there is cause for concern for any on-line service.

Since the SIAs admit that they've not been very good at enforcing previous internal guidelines, it's not a big step to guessing that the powers will be misused. And they provide a great resource for serious oppressions should the mood take a future state actor.
Cancel

-ADS BY GOOGLE

SearchCIO

SearchSecurity

SearchNetworking

SearchDataCenter

SearchDataManagement

Close