This morning the first of a season of reports on surveillance and information assurance was published. The House of Commons Home Affairs Select Committee report was released to the Sunday Papers at one minute past midnight. The Commons Press Gallery get their copies at 09.00 Monday morning. Meanwhile the Cabinet Office report and recommendations on Information Assurance have been circulating, unpublished for nearly two months.
Kieran Poynter’s review and recommendations with regard to the lessons from the HMRC disc losses is supposedly due for imminent publication. Sir Edmund Burton’s review and recommendations with regard to the laptop losses from the Ministry of Defence is said to be similarly complete. Meanwhile, the report completed almost a year ago, by the Cabinet Office “independent assessor” on the state of information assurance across Whitehall remains unpublished, save for the summary. In the pipeline is the report by Richard Thomas and Mark Walport. There are more, covering other parts of Government and the private sector.
In talking to the press this morning the chairman of the Select Committee referred to the millions of surveillance cameras in the UK. Most are out-of-order, unmanned and/or fail to produce images of evidential quality. Many are useless after sunset, e.g. those supposedly protecting unlit pub carparks. The recordings from those that are working are rarely held securely. Recordings of “courting couples” and other “amusing incidents” are regularly available for exchange or sale.
The debates over data retention, in case it is required to investigate possible offences, from misleading school selectors as to your main home through consumer protection to anti-terrorism, are as divorced from reality as those over CCTV.
Those calling for records of communications or transactions to be retained to aid consumer protection or the war against terror rarely know what they may need to know and do not appreciate that stored data becomes inaccessible unless actively managed. And active management is not only expensive, it reduces security and removes evidential value.
Calls to simply stop collecting, storing or sharing data are not the answer. More people suffer and die because information is not shared when it should have been than because of abuse. A key part of the EURIM agenda is therefore to bring together information systems and security practitioners to reset the agenda around organising efficient, secure and democratically accountable sharing and surveillance.
The problem is not the hardware or software that so obsesses ICT professionals. It is the probity, morality and competence of the “wetware”, the people who design, build and operate the systems and who enter, retrieve or analyse the information.
The UK currently spends somewhere over £3 billion a year on electronic security and less than £30 million a year on e-policing, including child protection. The Citizens Advice Bureau and Salvation Army may protect their clients’ data, routinely encrypting all laptops – including those that are not supposed to leave the office – while government departments and the Ministry of Defence regularly lose unencrypted systems, including from supposedly secure areas. Discs of data awaiting analysis have even been stolen from supposedly secure forensic facilities.
Society is now critically dependent on on-line systems. The Internet may be resilient in theory but most of us access it over networks that have more bottlenecks than a brewery. It was built for ease of use – with attempts to retrofit security. Today most of the western world is on-line: including most of our criminals.
Shortly after Y2K, EURIM set up a group to look at the issues of E-Crime. The title we chose for our first report was “E-Crime – a new opportunity for partnership”. It has proved to be all too accurate. Criminals have seized the opportunity to create integrated global supply chains, from malware production and data theft, through phishing, botnet recruitment, herding and exploitation to networks of mules to launder the gains. Meanwhile law enforcement is still at first base, obsessing over better intelligence to help justify future budgets.
In parallel, our ability to spy on our on-line neighbours, possible future recruits or business partners, is frightening.
I recently asked a colleague about someone who had sent an e-mail asking to become involved in a sensitive study. I expected to receive a note of their current job title and organisation. It was easier for my colleague to forward me their LinkedIn entry: being a security consultant the person who had sent the e-mail was not on Facebook.
In my essay for the 50th Anniversary of LEO I predicted that we would pass through a nadir when no-one trusted what they found or received on-line. I would like to think that we are close to the bottom of the nadir – and that the current crop of reports and recommendations will mark a turning point.
In the meantime, we may already have a surveillance society – but hardly anyone is watching and we do not know if we can trust those who are.
The plans to update the legislation on the Regulation of Investigatory Powers offer a great opportunity to improve the governance and accountability of those who most (but not all) of us would like to be able to trust to watch over us.