Sergey Nivens - Fotolia

French intelligence ‘could have prevented Paris attacks'

A former US intelligence director turned whistleblower tells MPs and peers that bulk collection of internet and phone data is putting lives at risk

This article can also be found in the Premium Editorial Download: Computer Weekly: Is government surveillance going too far?

The French intelligence services could have prevented the November 2015 Paris terrorist attacks, a former US intelligence chief told MPs and peers, write Fiona O’Cleirigh and Bill Goodwin.

William Binney, a former technical director of the US National Security Agency, told a parliamentary committee that intelligence agencies are missing important data on terrorist attacks because they are overwhelmed with electronic data.

Giving evidence on the draft Investigatory Powers Bill, which gives the police and intelligence services bulk access to the population’s internet, email and telephone records, Binney said that the approach risked overwhelming analysts with information.

The Paris attacks might have been prevented if French intelligence services had targeted their surveillance, he told the committee scrutinising the draft bill on 6 January 2016.

“They could have got all that data up front with a targeted approach, and they could have had the opportunity to stop them before the attack.”

Bulk data collection led to lives being lost

The draft bill introduces data interception powers for UK intelligence agencies and police, including a requirement that internet and phone companies keep records of their customers’ emails, phone calls and web browsing activities for 12 months.

Binney claimed that history shows that the collection of the population’s data on such a massive scale has resulted in people losing their lives, because intelligence analysts are unable to separate the important information from the mass of data collected.

“The result is a dysfunctional analyst, no prediction of intention of capabilities and no stopping of any attacks. People die,” he said.

UK bill fails to make case for mass retention of data

Jesper Lund, chairman of IT-Political Association of Denmark, who testified alongside Binney, told the committee that the mass retention of data failed to help Danish intelligence services.

Although Denmark started collecting internet records 10 years ago, the scheme became redundant after seven years through lack of use.

“The Danish experience, based on similar objectives as this bill, concluded that internet connection records were not useful for law enforcement work,” said Lund.

The UK information commissioner Christopher Graham also gave evidence, saying the government failed to make a clear case for retaining data in the 296-page draft bill.

“The one thing we don’t have in the material put before us is any real evidence, as opposed to the occasional anecdote, for the utility of the information that is sought,” said Graham.

Twelve months is an arbitrary period to collect the population’s internet and email communications, he told MPs.

“There is no particular explanation why twelve months, rather than six months or eighteen months, is desirable,” he said.

The information commissioner warned that there was an increasing danger the UK will become a society where few aspects of people’s daily private lives are beyond the power of the state.

“This poses the real and increasing risk that the relationship between the citizen and the state is changed irreversibly – and for the worse,” said Graham.

He told MPs and peers that a sunset clause should be introduced to allow Parliament to review the effectiveness of the surveillance powers in the draft bill.

“I think it would be sensible and wise for Parliament to review from time to time how it is working in practice,” he said.

Bizarre datasets

Graham told the committee that the inclusion of the electoral register and the telephone directory in the draft bill seemed “bizarre”, as the data is not even closed off to intelligence services.

“That information is already available – legislation is amended to make sure that information is available to the security services.”

He also raised concerns over the additional security risks that would be created as a result of bulk data acquisition.

“Information rights are affected and a risk is created simply by amassing a huge amount of personal information that may or may not be needed for the purpose it was originally collected.”

The information commissioner said he needed greater auditing powers to ensure communication service providers store the public’s internet data securely and delete it after 12 months.

Denmark’s bulk collection programme

Jesper Lund revealed that under the Danish interception scheme, 50% of the population were not subject to data collection, but even those who were covered yielded little useful information. 

“Even in those cases, the police were not able to come up with a realistic case of use of communications records for the investigation,” he said.

This was partly due to the logistics of collection as the internet is less structured than the telephone system, he said.

“Every communication is broken into packages, which are transmitted independently. The internet will be a really large database and there will be a needle in a haystack problem whenever you use this data.”

Lund said that citizens’ perception that all of their activities could be monitored by the state raised questions of proportionality.

“Even if only a small fraction of that data is ever going to be examined, citizens will still have the feeling that whatever they do on the internet is going to be accessed – that was not the case before.”

When asked by the Bishop of Chester why the British government has chosen bulk collection of data rather than a targeted approach, former employee of the US National Security Agency Binney said the UK was following the example of the NSA.           

“They took [the approach] because the NSA took it. The NSA did it because of contractors and the interest of contractors in getting money. There was a lot of money upfront.”

NSA gravy train

Binney criticised former NSA employees who took their skills and contacts from the NSA into the private sector companies working on lucrative NSA contracts.

“People would retire from the NSA and then go to work for the contractors and use their influence to get more contracts.”

He said such practices compromised the decision-making process that should have been protecting ordinary citizens.

“I accused them publicly of trading the security of the people of the US for money – and that is why they did it.”

In a challenge to Binney, Victoria Atkins, conservative MP for Louth and Horncastle, said many serving law enforcement officers and security services witnesses have testified to the committee in favour of increased investigatory powers. 

“Their evidence has been that they need these powers,” she said. “Are you telling this committee that each and every one of those witnesses are wrong and, indeed, possibly misleading the committee?” 

“I guess I am,” said Binney.

Read more about the draft Investigatory Powers Bill

Read more on Privacy and data protection