April 29, 2013

Chapter Four

Peter Sommer is currently a Visiting Professor at De Montfort University and a Visiting Reader at the Open University. Before that he was at the London School of Economics for 17 years, ending up as a Visiting Professor. His research interests and publications include cyber security, cyberwarfare and the reliability of digital evidence. His main income comes from acting as an expert witness, for both prosecution and defence interests in criminal cases and in civil proceedings. 

It is easy enough to get agreement on the general aims of surveillance law: intrusion should pass tests of necessity and proportionality and there must be a robust framework of oversight.

But laws require words of precise meaning and easy interpretation. Precision is needed by those who wish to undertake surveillance and those who authorise their requests. Third parties such as communications services providers, public authorities and financial services companies who are asked to co-operate, those who turn out to be innocent but have been subject to excess and seek redress, and the courts who may have to arbitrate, all have to be clear about what is permitted and what records should exist of decisions made. The legal words need to reflect the reality of how the technology works.

A number of factors conspire to inhibit sensible and balanced discussion of surveillance laws, some practical in terms of the knowledge needed, some from politics. And there are a few elements that present real challenges about the efficacy of laws passed to regulate surveillance.

One excuse for political inaction, some MPs say, is that surveillance is not a doorstep or constituency surgery issue like jobs, the economy or the closure of a local hospital. But even if the public are not interested in the twists and turns of surveillance legislation, they can have strong feelings in the face of abuse, as shown by concern about the use of Regulation of Investigatory Powers Act (RIPA) powers against fly-tipping and dog fouling, the deployment of undercover police officers who had long-term sexual relationships with environmental activists, and the use of “dead children” identities.

Surveillance policy in general

Surveillance is part of more general security policy. Some politicians will have you believe that there is only one aim: to keep people, institutions and the community safe. But there are two others: to protect the essential values of society (freedom of speech, open and fair judicial processes, right to dissent, privacy such that the state only intrudes when provably necessary), and to deliver value for money.

Surveillance law is about balancing competing objectives, not absolutes. But for lazy politicians it seems simpler to use the scare language of paedophilia, terrorism and “lives lost” than to make the nuanced arguments of managing risks. Easier, too, for opposition politicians to say an incumbent is weak and not doing “enough”.

Changes in the Landscape

But there are particular problems in getting to grips with how far surveillance capabilities and technologies have changed – and the implications.

First we need to look at the changes, some of them a function of our increasing personal use of digital devices but others the result of the deployment of official and commercial information-gathering and storage facilities.

Over 80% of the UK population has access to the Internet from home and each UK household on average owns three Internet-enabled devices. RIPA currently allows the collection of a user’s activities in terms of the “top level” of a website and data is retained for a year.

Costs of hard disk storage fall by 50% every 18 months – a 1000GB (1 TB) hard disk now costs about £55 – so that in a typical warrant execution on domestic premises the police can expect to find several PCs of various vintages, plus external data storage devices such as disks and USB memory sticks.

There are 130 mobile phone contracts per 100 of the population and 52% of mobile phone users have a smartphone, which is in effect a powerful ultra-portable computer. Nearly all these devices contain substantive files, copies of emails sent and received and histories of such Internet activity as websites visited or research carried out by the owner. Police can obtain this information under PACE powers.

All mobile phones will contain some records of calls made and received and copies of SMSs made and received – Ofcom says 200 SMSs are sent per person per month. While the phone is switched on, it constantly re-registers its presence with the nearest mast; this archive of an individual’s detailed movements is retained for 12 months. Cell site analysis is now one of the most powerful and widely used of investigative techniques and is available under RIPA and the EU Data Retention Directive.

At the same time the availability of Closed Circuit Television (CCTV), both publicly and privately owned, has expanded greatly, in terms of the quantity of cameras and their locations, as has the quality of images. The UK’s National Policing Improvement Agency (NPIA) operates a national DNA database, which is one of the world’s largest, with profiles on an estimated 5,570,284 individuals as of 31 March 2012. The NPIA also operates a national automatic number plate recognition system (ANPR), which by March 2011 was receiving 15 million sightings daily, with over 11 billion vehicle sightings stored. A national fingerprint database contained 8.3m individuals’ prints in April 2010. Another newer method for tracking the movements, at least of people in London, is via the Oyster card.

At the same time, commercial companies have built up their databanks – through customer relationship software and credit data. Some companies – Google, Facebook, Twitter – base almost their entire business on acquiring and then monetising personal data.

What characterises many of these changes is “rapid incrementalism” – change that occurs bit-by-bit, just too slowly to easily register in the public imagination but which nevertheless has profound impact – rather as personal computing power and mobile telephony have become wholly embedded in many people’s lives.

There have also been significant improvements in specific surveillance technologies, covered elsewhere in this publication.

Data Amalgamation or Link Analysis

Some technologies are introduced on one agenda and then deployed against others: ANPR finds stolen, unlicensed and uninsured cars but also tracks all vehicular movements on major roads. Data is collected for one purpose and retained forever on a “you never know it may be useful” basis – DNA, fingerprints and, once legally obtained from Communications Service Providers (CSPs), cell site and web log data. (The 12-month period is the time the CSP holds data pending a request from law enforcement.) “Convenient” and “efficient” means by which CSPs pass information to law enforcement – the semi-automated provision of mobile phone call data records, for example – can have the effect of by-passing the application of the “necessity” and “proportionality” tests.

Yet other aspects only become obvious on very close scrutiny. Data amalgamation, sometimes called “link analysis”, consists of linking different streams of evidence into chronologies of events, and assessing who knew who, and is a fundamental feature of investigations. But once all data is digital, software can combine and produce visualisations; the more data there is, the greater the granularity of the resulting analysis – and the greater the intrusion, far more than was ever envisaged when necessity and proportionality tests were applied to the original streams of evidence.

Many of the technological changes have had a drastic effect on the economics of surveillance. Traditional physical surveillance of a single important target may involve the cost of at least six operatives, more if the coverage is 24-hour. Live mobile phone movement coverage, aided perhaps by ANPR data and CCTV, can be handled by one operative sitting in an office. Seldom argued is the possible conclusion that the agencies may need less in the way of manpower.

Internationalism

Perhaps the greatest challenge both to policy makers and legislators is that globalisation and technology are taking matters far out of their control. The Internet is global and attempted restrictions on it inhibit innovation, trade and the exchange of ideas. Global information facilities companies like Google, Amazon and Microsoft offer search, communications, storage and processing services of immense social and economic value. Such companies are multi-jurisdictional as are the technical resources they offer, which are located in many different places; at any one time it may be unclear where a specific item of data is being held. Many of these companies have collected vast amounts of personal data about their customers, much of it of great potential value to police and spook investigators.

Most of the services are encrypted – mainly to protect customers from criminals but with the effect of denying surveillance agencies easy access. Ultimately there are often legal routes to access, but these are far slower than the speed at which criminals and terrorists move. It is a highly awkward realisation for nation states and their legislatures to understand that their powers and capabilities have weakened, and that they need to form new types of co-operative relationship with these global Internet entities.

Practical problems

The practical problems are, alas, extensive.

  • It is much easier to make incremental legal patches than fundamental changes: bigger bills require scarce larger legislative “slots” for time on the floor of Parliament and in committee. It is also easier for promoters to claim that a proposed change is almost negligible – “maintaining capability”.
  • Legislators need knowledge of existing law. But surveillance law is spread over many statutes and often depends on frequently changing codes of practice. Authorisers of intrusion are variously judges, senior law enforcement officers and a Secretary of State. There is at least one substantial oddity: interception of data in transmission is currently inadmissible, though all other forms of data acquisition are not.
  • Legislators need knowledge of how investigations take place, the techniques and resources used and where the costs occur. Most will probably not know unless they worked in law enforcement or as criminal lawyers.
  • Legislators need knowledge of the technical capabilities of surveillance technologies. That has to include technologies currently deployed under existing law, as well as what the near future is likely to deliver. Law enforcers will say they are reluctant to provide detail in public for fear of alerting their targets. 
  • A similar need for secrecy is invoked when there are public demands for detailed breakdowns of costs, including claiming commercial confidentiality for vendors. When looking at estimates it is useful to consider other areas of related government expenditure: the annual cost of running the Serious Organised Crime Agency is £460m, and for the new Tier One UK Threat, CyberSecurity, the real new money being spent is £650m over 4 years, of which £65m covers Home Office activities, with £28m allocated specifically to law enforcement. Apparently the Government has already spent £405m on the Communications Capability Development Programme even before its related enabling Bill has passed through Parliament.
  • Legislators need to understand the nature and extent of the threats surveillance laws are meant to mitigate. In the last 12 months there has been an overall drop of 8% in recorded crime in England and Wales; only personal and retail thefts show an increase. ONS says there has been a 41% drop in recorded crime between 2002 and 2011, and a 26% drop using the British Crime Survey methodology. If we take the last time anyone died from terrorism, 2005, when “7/7” occurred with 52 victims, in that particular year you were over 61 times more likely to die in a road crash and 72 times more likely to incur a fatality in the home than to be killed in a terrorist atrocity. There has been approximately one serious terrorist attempt per year since then, all so far caught in time because once a plan moves towards action, the processes of sourcing material, establishing a bomb factory and recruiting personnel all create risks of detection for the actors.

Police and Security Service Pressures

Finally, there’s the position of the major actors. Law enforcement and security agencies are expected to deliver public safety and successful prosecutions against budgets for resources and powers, which they will regard as inadequate. If politicians use the language of absolutes as opposed to managing risk, police and the security services do likewise. In any event, it is only reasonable that they should argue for “operational convenience” and lower levels of “bureaucracy”. Police and the security services follow the same course as all lobbyists: exaggerate and demand more than they need. And there is a particular advantage in doing so. In the wake of a large disaster that they have been unable to prevent, they are able to point to an audit trail of requests for powers and resources denied. And politicians know this.
