The attacks in Paris yesterday give a terrible topicality to debate over the Investigatory Powers Bill and the issues I raised yesterday. I have already received interesting feedback on some of the questions that need to be clarified for the legislation to achieve its supposed objectives but the news from Paris raises a core question of priority:
Is it more important to retain more data for longer or to give the security services and law enforcement more rapid access to analyses of the data that is already available?
Amazon, BT, CGI, Experian, Fujitsu, Google, HP, IBM, Microsoft, Paypal, Vodafone and others routinely analyse massive volumes of traffic in real time to run their own businesses or on behalf of customers, including to detect potential crime (particularly fraud and impersonation) as it is attempted. At the time of the London Riots the mobile operators offered real time feeds (including of decrypted traffic) to the police in far less time than it would have taken to organise requests under RIPA. The police were unable to handle the volume of information on offer. They lacked both the people and the technology. Even were we not facing a massive shortage of the relevant skills, (subject for another blog), they are unlikely to ever get the necessary budgets to have such facilities on hot standby.
The time has come to take the recommendations in the EURIM-IPPR study on partnership policing rather more seriously – albeit updated for the decade that has passed since.
That study used the story of the FBI US response to the Love Bug to make the case for the large scale programmes of cyber reservists, specialist constables and community support officers and other forms of volunteer support, that we still have not got.
With 48 hours the FBI claimed to have 400 agents working on the Love Bug. In fact there were approximately 40 FBI employees supporting nearly 400 information security staff employed by EDS, IBM and others, working on the issues from company workstations. The latter were now wearing their “hats” as military reservists or part-time law enforcement officers, having been “mobilised” into their wartime/emergency command and control positions: The zig-zag career path of Rear Admiral Grace Hopper helps illustrate the US approach. [I had similar ambitions as cold war reservist working in the computer industry but was persuaded to drop them by my future wife after the sinking of HMS Fittleton. [ICL would not let me take two weeks off immediately before year end and I knew the radio operator who drowned in my place alongside the CRS who taught me morse].
But today we also need processes to call on the cloud computing resources of industry to analyse the data already available, in time to “make an operational difference”.
The core objective of the Investigatory Powers Bill should not be to just retain more data for longer in case it might be useful. it should be to enable industry and academic experts, operating under “appropriate governance” to use Corporate, Commercial and University computing facilities to do that for which law enforcement (and even GCHQ) will never have sufficient budget – to identify threats in time to respond effectively, not just investigate afterwards.
That raises questions of governance, probity and impartiality that are far trickier than the meaning of “judicial oversight” or “communications data”. At this point I ask whether we are serious about finding “answers” or merely playing expensive “displacement activity” games.
I will stop there because I do not know the answer. I know what I think it should be – but my brain begins to hurt when I try to think through the consequences.