Earlier this week I wrote about the Home Secretary's latest extension of surveillance powers, despite there being no evidence they were needed, or that doing so would help achieve any sensible goals. By one of those amazing coincidences, the very next day the Intelligence and Security Committee (ISC) of Parliament released its Report on intelligence matters relating to the murder of Fusilier Lee Rigby [.pdf.] It's a long and fascinating document despite the passages that have been redacted for publication. For the first time, it gives a glimpse of how intelligence operations are carried out in this country.
That's welcome, not least because it shows that the UK government is finally getting the message that we need much more transparency about how surveillance is carried out (without, of course, compromising specific operations or the people involved.) Unfortunately, in just about every other respect, the report is a disaster. If you don't have the time or the energy to wade through all 200 pages of the report itself, there's a useful press release [.pdf] summarising its findings. These essentially fall into two parts. Here's the first:
The two men [who carried out the attack] appeared, between them, in seven different Agency investigations -- for the most part as low-level Subjects of Interest. There were errors in these operations, where processes were not followed, decisions not recorded, or delays encountered. However we do not consider that any of these errors, taken individually, were significant enough to have made a difference.
We have also considered whether, taken together, these errors may have affected the outcome. We have concluded that, given what the Agencies knew at the time, they were not in a position to prevent the murder of Fusilier Rigby.
In other words, according to the ISC, his death was not due to any failure by the intelligence services. The press release and report then go on to point the finger at the usual suspect: the Internet.
The one issue which we have learned of which, in our view, could have been decisive only came to light after the attack. This was an online exchange in December 2012 between Adebowale and an extremist overseas, in which Adebowale expressed his intent to murder a soldier in the most graphic and emotive manner. This was highly significant. Had MI5 had access to this exchange at the time, Adebowale would have become a top priority. There is then a significant possibility that MI5 would have been able to prevent the attack.
We now know that this "online exchange" took place on Facebook, but that's pretty much irrelevant. If it had taken place on Google+ or Twitter, the report's condemnation would doubtless have been the same. Moreover, the timing of its publication shows that whatever its other motivations - for example, genuinely trying to learn from the case in question - it has also become part of the propaganda war in favour of more surveillance. That agenda leads the Home Office into absurd admissions in its evidence, as made clear in section 424 of the main report:
The UK Government has always asserted that RIPA has implicit extra-territorial jurisdiction. The problem is that, whereas UK CSPs [Communications Service Providers] accept that they are legally obliged to provide access to the communications of individuals (through Lawful Intercept), most CSPs based outside the UK do not accept that the UK legislation applies to them. The Home Office has explained the argument the US CSPs have made:
RIPA lacks explicit extraterritorial jurisdiction and cannot be argued to place any obligations onto CSPs based outside of the UK.
The Committee asked whether the Government had any means of forcing overseas CSPs to co-operate under UK legislation. The Home Office told us:
RIPA... contains no lever to compel assistance from overseas CSPs, beyond the power to seek an injunction from a civil court that would require them to do so. Such a power has not yet been tested.
The Home Office explained the particular issue US CSPs have raised, that: “complying with RIPA would leave US companies in breach of US legislation (including the Wiretap Act in relation to lawful interception)”.
That is, the Home Office wants CSPs based outside the UK (Internet companies like Google, Facebook, Twitter etc.) to co-operate with the UK government in the same way as UK-based ones by handing over any requested information. But the Home Office itself admits that any US company doing so would breach the US Wiretap Act. Which means that the Home Office seriously expects US companies and their officers to risk punishment by the US government just because the UK wants easy access to information.
An excellent article in the Guardian by Ross Anderson, Professor in security engineering at the Computer Laboratory, University of Cambridge, explores the foolishness of this approach further. He points out that blaming the Internet here is just part of a larger move to demonise the online world - something I too have written about on Open Enterprise - notably an extraordinary tirade by Robert Hannigan, the new head of GCHQ. Here's what Anderson says about the the idea of demanding US companies ignore US law and meekly obey the UK government:
If [Hannigan] tries to bully US companies into breaking US law, exasperated tech CEOs will just route all requests through the lawyers [instead of generally trying to help, as at present.]
In short, the current mechanisms for delivering lawful access to content at global service firms don’t scale, and are breaking down in the face of selfish and aggressive behaviour by officials like Hannigan and his counterparts in China, Russia, India and elsewhere.
The internet has brought their agencies a cornucopia of new intelligence and evidence. They say they want more. But for that, there will need to be some rules, and rules that other countries can agree to.
What’s really needed is a proper international treaty on mutual legal assistance that sets out transparent global standards for the interception of communications and of traffic data.
Anderson's mention of a "cornucopia of new intelligence and evidence" echoes a point I also made earlier this week: that far from diminishing the capability to monitor terrorists and serious crime, the Internet has provided more information than ever before. The fact that this did not stop two people from murdering Lee Rigby is not an argument for providing more information. On the contrary, had there been less, I suspect the UK's intelligence services would have been able to focus their resources better.
In any case, we shouldn't expect every attack to be stopped, and looking for someone to blame, as in the ISC report, is really misguided. As Anderson writes, what we really need is a mature, global debate about permissible ways to intercept and share Internet data. At the moment, there's absolutely no sign of that happening. Instead, what we are seeing are politicians brazenly trying to exploit an emotive situation for their own agenda. More than anything else, that's the real intelligence failure here.