Some of the most disturbing revelations to emerge from Edward Snowden's leaks are that the UK's GCHQ is involved in spying on all the Internet traffic as it enters and leaves this country, and that it is jointly responsible for undermining basic cryptographic methods that keep communications private - and which make e-commerce possible. All of this without any kind of legal justification, just Jesuitical casuistry that largely turns on contorted interpretations of laws and stretched definitions of key concepts.
Against that background, we might have hoped that a changeover at the top of GCHQ would be a perfect moment to start afresh, with more transparency (obviously without compromising GCHQ's day-to-day operations), more honesty about what is going on, and perhaps a certain contrition for what has happened so far. Instead, evidently believing that attack is the best form of defence, the new head of GCHQ, Robert Hannigan, has penned a cynical, misleading and deeply-worrying assault on the Internet and its leading companies.
Hannigan starts off - of course - with terrorism, specifically the Islamic State of Iraq and the Levant (ISIS). That's rather ironic, of course, since the completely unexpected rise of ISIS is the perfect demonstration that GCHQ's blanket surveillance of the Internet, and routine destruction of people's privacy, doesn't even work. No business would be allowed to use their past incompetence as an argument to be given even more shareholders money in the future, but that's precisely what the head of GCHQ is asking for here. John Naughton recently raised an important point in this context:
there’s the question that is never discussed. Is this bulk surveillance actually effective? Is there credible evidence – as distinct from bland assurances by officials – that it actually works? Why, despite all the snooping, for example, did our intelligence services not pick up the Islamic State threat? And how cost-effective is it? The US currently spends over $100bn a year on counter-terrorism. God alone knows how much the UK spends. Are we getting real value for all this taxpayers’ money? I’d like to know. Wouldn’t you?
On the flawed assumption that he has established the need for them, Hannigan then starts to lay out his demands. First among them is the following:
today mobile technology and smartphones have increased the options available exponentially. Techniques for encrypting messages or making them anonymous which were once the preserve of the most sophisticated criminals or nation states now come as standard. These are supplemented by freely available programs and apps adding extra layers of security, many of them proudly advertising that they are “Snowden approved”. There is no doubt that young foreign fighters have learnt and benefited from the leaks of the past two years.
I've been expecting this attack on encryption for a while. After all, as Snowden himself remarked, "encryption works" in terms of protecting our privacy, which is why GCHQ hates it so much. The attack is clearly part of a coordinated action: the FBI's Director has also started claiming that encryption is dangerous and a threat to society - with the clear intention of softening us up for the idea that it should be banned or weakened even more. But as The Intercept points out:
To make his case, [FBI Director James Comey cited four real-life examples — examples that would be laughable if they weren’t so tragic.
In the three cases The Intercept was able to examine, cell-phone evidence had nothing to do with the identification or capture of the culprits, and encryption would not remotely have been a factor.
Not only that, but Hannigan's snide comment about Snowden and how "young foreign fighters have learnt and benefited from the leaks" is simply not backed up by the evidence.
But he isn't done yet. After insinuating that crypto must go if we are to sleep safely in our beds at night, Hannigan then moves on to attacking the big Internet companies:
They aspire to be neutral conduits of data and to sit outside or above politics. But increasingly their services not only host the material of violent extremism or child exploitation, but are the routes for the facilitation of crime and terrorism. However much they may dislike it, they have become the command-and-control networks of choice for terrorists and criminals, who find their services as transformational as the rest of us.
Yes, the tired old invocation of "violent extremism or child exploitation", because we all know that anyone who dares to suggest that GCHQ and NSA shouldn't be spying on us all the time is an out-and-out supporter of both. As for calling these services "routes for the facilitation of crime and terrorism": what, like, say, roads, or telephones, or the postal service? Those are all clearly "routes for the facilitation of crime and terrorism", but nobody suggests searching every car, recording every call, or opening every letter. Instead, we search a few cars, record a few calls, and open a few letters. Hannigan's attack on the Internet companies is not because these are especially evil, simply that they especially vulnerable: it is much easier to spy on every IP packet than it is to spy on every car or letter. Because Hannigan *can* spy on everything, he believes he has the right to.
Actually, talking of rights, this is rather rich:
We need to show how we are accountable for the data we use to protect people, just as the private sector is increasingly under pressure to show how it filters and sells its customers’ data. GCHQ is happy to be part of a mature debate on privacy in the digital age. But privacy has never been an absolute right and the debate about this should not become a reason for postponing urgent and difficult decisions.
In the light of the activities of the NSA and GCHQ it's not a question of whether privacy is an "absolute right": under the onslaught of their desire to "collect it all", we have lost virtually *all* our online privacy.
As readers of this column well know, collecting metadata about our online activities is much worse than collecting the content. The former can be effortlessly aggregated by computers, because metadata is already expressed as digital information. Content, by contrast, is much harder to parse, and requires human intervention in order to extract its full sense. Humans don't scale very well, unlike computers, which, thanks to Moore's Law, become more powerful by the day.
That not only makes "collect it all" possible, it also means that all our metadata can be - and is - routinely "read" by machines to see if there's anything of interest, looking for the "needle" in the "haystack", to borrow the metaphor that snooping agencies love to adopt in an attempt to justify their egregious activities. It is that act of scanning and analysis that constitutes the loss of privacy, despite what the NSA and GCHQ try to claim. It doesn't matter if the scanning is done by machines, because it means that everything we do online is recorded and analysed: we are therefore under surveillance, and can never act online without that knowledge hanging over us like a sword of Damocles.
Hannigan concludes by invoking the standard bogeymen once again, just to make sure that we are scared enough to suspend our rational faculties during his peroration:
[ordinary Internet users] do not want the media platforms they use with their friends and families to facilitate murder or child abuse.
Those platforms no more "facilitate" those things than roads or telephones or the postal system do, and trying to blame Internet companies for the appalling actions of others is a shabby trick. He concludes:
As we celebrate the 25th anniversary of the spectacular creation that is the world wide web, we need a new deal between democratic governments and the technology companies in the area of protecting our citizens. It should be a deal rooted in the democratic values we share. That means addressing some uncomfortable truths. Better to do it now than in the aftermath of greater violence.
Well, leaving aside the implicit threat in the closing sentence - you'd better do as I say, or your family might die - he's right about needing a "new deal" between democratic governments and tech companies. But it's not the one he probably has in mind, because it's abundantly clear he *doesn't* share the democratic values of privacy and liberty that most of us hold dear.
As part of that new deal we need spy agencies to start obeying the law, rather than circumventing it by doing each other's dirty work; we need a debate about how serious the threats to society really are - something never discussed - and what a *proportionate*, rational and effective response to them would be; but above all, we need intelligence services that respect our privacy online and offline, and that do not seek to undermine our fundamental freedoms yet further by bullying Internet companies into becoming their digital quislings.