Smoke and mirrors
By Ian Lloyd
“Imagine a global spying network that can eavesdrop on every single phone call, fax or e-mail, anywhere on the planet. It sounds like science fiction, but it’s true.”
—Andrew Bomford, correspondent, BBC Radio4
Recent weeks have seen a plethora of media postings concerning revelations about the US government’s systems for obtaining access to communications data. The passage quoted above would seem to fit well among these but actually comes from 1999 and relates to the disclosure of a massive surveillance operation, known as project ECHELON, which allegedly allowed the US security agencies (and also those from the UK and a number of other countries) to monitor the content of all email traffic over the Internet (see the report on ECHELON produced by a European Parliamentary Committee).
In the world of espionage and national security, little seems to change. There are always more questions than answers.
In early summer 2013 we learned much about two surveillance programmes apparently operated by the United States’ National Security Agency (NSA) and the Federal Bureau of Investigation (FBI). Under the first, the authorities have apparently been granted a secret court order requiring the major US telecommunications company Verizon (which offers fixed line and mobile telecommunications services as well as broadband Internet access) to transmit on an ongoing basis a wide range of data concerning its users’ communications to the NSA and the FBI. In the UK (and the EU more generally) we are not strangers to the notion that communications providers should be required to retain communications data and, under specified circumstances and procedures, transfer it to law enforcement agencies (and indeed to a range of public authorities). The transfer of communications data is authorised under the Regulation of Investigatory Powers Act 2001 and is supervised by the Interception Commissioner. In his most recent report published in July 2012, he indicated that:
During the reporting year public authorities as a whole, submitted 494,078 requests for communications data. The intelligence agencies, police forces and other law enforcement agencies are still the principal users of communications data. It is important to recognise that public authorities often make many requests for communications data in the course of a single investigation, so the total figure does not indicate the number of individuals or addresses targeted. Those numbers are not readily available, but would be much smaller.
This may seem a substantial figure but, to put it into some perspective, Verizon have nearly 145 million customers, data on all of whom is required to be submitted on an ongoing basis to the NSA and FBI. It is not known whether other United States communications companies (in particular AT&T, which is similar in size to Verizon) have been served with similar court orders, but there are suggestions that these networks have been very willing to cooperate with law enforcement. In theory the requirement to obtain a court order is stricter than the UK procedure, which requires only approval by a senior member of staff within the public authority. The fact that proceedings are secret and the fact that the US Verizon order became known only through a leak does not inspire confidence.
The second element of US practice, which was exposed by the whistleblower Edward Snowden, concerned NSA access to content-related data held by a range of Internet-related companies such as Google, Apple and Facebook. This data is clearly much more sensitive than the communications data discussed above. As with all aspects of the story there is uncertainty over even basic issues. The claim is that the NSA enjoyed direct access to servers. This has been vehemently denied by a number of the companies involved. A Google statement asserted that:
Google cares deeply about the security of our users’ data. We disclose user data to government in accordance with the law, and we review all such requests carefully. From time to time, people allege that we have created a government ‘back door’ into our systems, but Google does not have a back door for the government to access private user data.
Google publishes a ‘Transparency Report’ that provides data on the number of requests it receives from governments around the world for access to data on the browsing history of individuals. This does not, however, give details of how many requests from the US authorities relate to national security concerns. A number of other Internet companies have produced similar statistics although again with very limited data about the proportion of national security requests. At the time of writing, Google and a number of other communications providers are seeking permission from the US authorities to publish more data about the extent of national security related requests for data.
In the United Kingdom, a draft Communications Data Bill (subsequently dropped following objections from the Deputy Prime Minister) was published in 2012. It was subjected to scrutiny by a joint Parliamentary Committee. In giving evidence to the committee the Home Secretary was asked to comment on the uses made of communications data. Her response was:
As I say, I do not make any comment about individuals in relation to the security service, or any of the other security and intelligence agencies. It would not be appropriate for me to do so. Everybody who is working on this Bill is doing so because this Government believes that it is important that the police and the other agencies are able to continue to have the powers that they have today to do as we have discussed earlier, which is to save lives, in a new technological environment. I understand that the police estimate they get 30,000 urgent requests for communications data per year, and they estimate that they save lives in 25% to 40% of those cases. I think that matters to the public.
Very large numbers but ones that sit rather uncomfortably with the statistic that a ‘mere’ 640 murders were committed in the UK during 2012. It does seem hard to credit that between 7,500 and 12,000 lives are saved annually in the United Kingdom because of access to communications data.
There is no doubt that communications data can be a valuable investigative tool for crime detection. In evidence before the Committee the Director General of the Serious and Organised Crime Agency indicated that it was used in ‘around 95%’ of their investigations. It is very common for information about Internet activity to be led in criminal cases. In 2012, the Telegraph newspaper reported on a murder trial in which the female victim had vanished from her home with her body being found several weeks later. At the trial of the accused:
Lyndsey Farmery, an internet use analyst who assisted police with the investigation, took the jury through Tabak’s online activity in the days after killing 25-year-old Miss Yeates.
Web records from work and personal laptops show he researched the Wikipedia page for murder and maximum sentence for manslaughter, she said.
While regularly checking the Avon and Somerset police website and a local news site, the Dutch engineer was also checking body decomposition rates.
Days after killing Miss Yeates at her Clifton flat on December 17, Tabak watched a time-lapse video of a body decomposing, Bristol Crown Court heard.
Tabak — who denies murder but admits manslaughter — also went on Google to look up the definition of sexual assault.
At another level of communication data, a freedom of information request in 2012 disclosed that the Metropolitan Police had made 22,000 requests over a four year period for access to data held by London Transport relating to journeys made using its system of Oyster cards. The data can be used to place a suspect (or a card registered in the suspect’s name) in the vicinity of an offence at the appropriate time. In another example of the use of electronic data, a magistrate was convicted of theft. A woman had lost a Rolex watch in a Tesco supermarket. Two years later the watch was handed in to a jeweller’s for repair. Its serial number was checked against a list of missing watches and this led to the arrest of the magistrate who had handed it in for repair. His defence that he had bought the watch as a present for his wife in a second hand shop (whose location he could not remember) was undermined when data relating to use of his Tesco Clubcard placed him in the supermarket at the time the watch went missing.
As the above examples show, communications and location data can be crucial evidence in criminal investigations. In the Tesco example, there is an issue as to why the loyalty card data was still available in such detail two years after the event. The Data Protection Act requires that data be retained for no longer than is necessary. It is difficult to see what justification there might be for keeping data at this level of detail for two years.
In any matters relating to criminal investigations and even more to issues of national security, there has to be a balance between the legitimate need for secrecy and public accountability. The key issue is perhaps proportionality. We live very large parts of our existence online. OFCOM data indicates:
The average UK consumer now sends 50 texts per week — which has more than doubled in four years — with over 150 billion text messages sent in 2011. Almost another ninety minutes per week is spent accessing social networking sites and e-mail, or using a mobile to access the internet, while for the first time ever fewer phone calls are being made on both fixed and mobile phones.
We have established laws relating to respect for our physical property. Search warrants are required to be issued before law enforcement agencies can enter our houses and it is perhaps time that our virtual houses received similar protection. Another recent tool which has been extremely useful for law enforcement agencies is DNA evidence. There is certainly controversy concerning the circumstances under which DNA is collected and retained but there does not appear to be a strong body of opinion in favour of universal DNA profiling. Effectively, however, that is what appears to be happening with communications data in the United States. UK practice is more restrained but we do need a more evidence-based debate. I gave data relating to the number of requests for access to Oyster card data. There is no data that I have been able to find relating to the number of times it has been used in the course of criminal prosecutions. In the wake of the Prism revelations in the United States, some cases were cited as evidence of the value of communications data in preventing terrorist offences, but other sources have cast doubt on this, suggesting that other and older forms of intelligence gathering deserve the credit.
To finish on a lighter note, but one that does perhaps make the point about proportionality, I recall an intellectual exercise intended to identify the best way to reduce casualties in road accidents. We can all think of suggestions, invariably involving additional or improved safety features in cars. The winning suggestion was rather different. Prohibit seat belts and air bags. Instead make it mandatory to have a sharp spike fitted on the steering wheel pointing directly at the driver’s heart. I’m sure it would cut the number of accidents but …
Ian Lloyd is the author of Information Technology Law, now in its sixth edition. Ian received his PhD from University of Strathclyde. He has previously taught in the Department of Private Law at the University of Aberdeen and served as Professor of Information Technology Law at University of Strathclyde until 2010. He is now Professor of Information Technology and Telecommunications Law at the University of Southampton. He is on the editorial team of the International Journal of Law and Information Technology.
Image credit: Big Brother Orwell “1984” in Donetsk, Ukraine by Борис У. Creative Commons license via Wikimedia Commons.