call +44 20 7096 1079
April 29, 2013

Chapter One

Duncan Campbell is a British freelance investigative journalist, author and television producer. Since 1975 he has specialised in the subjects of intelligence and security services, defence, policing, civil liberties and, latterly, computer forensics. 

The range and reach of surveillance legislation proposed or in place in the United Kingdom is far from novel in its roots or in its impact on the balance of power and rights between the subject and the state. The proposals in the Communications Data Bill (CDB), and the manner in which the new Bill has been introduced and managed, fall full square within long British historical precedents that position privacy rights as an irritant to be managed by a combination of concealment, secrecy, information management, and misinformation.

A possible signal difference in 2013, if history now turns out not to go the way the Home Office and its allies desire, is that the proponents of effectively unrestrained surveillance have become sufficiently arrogant and indifferent toward necessary partnerships as to have brought a rain of criticism on their head, including the condemnation from the normally mild Intelligence and Security Committee that “more thought” and “coherent communications” are essentials before any Bill is reintroduced.

The government’s pitch to Parliament in the summer of 2012 to support CDB began with the spectacularly ignorant claim from posted-in ex SIS officer Charles Farr that “Communications Service Providers (CSPs) no longer retain for their own business purposes communications data as we know it”. They do, even if they don’t log everything new that he and his team want harvested.

Farr later elaborated on his misunderstanding, saying “30 years ago, BT may have kept data because they needed it in order to bill people correctly”. This claim was inaccurate and historically impossible, as the electromechanical exchanges of the early 1980s could not and did not generate call data records – “communications data”. What is now called “itemised billing” did not generally get created in UK exchanges until the 1990s, and was only required to be available to police and intelligence agencies after the passage of RIPA in 2000.

But despite the rise of well-informed and technically knowledgeable civil society advocacy groups and NGOs, society’s understanding of the importance of protecting privacy rights seems to have fallen as quickly in the past quarter century as Moore’s Law has driven up the power and threat of digital processing to place society under unchecked surveillance.

Who now can see any place for or value in the 500 year old (if now politically inept) saying “An Englishman’s home is his castle”? Or the corresponding dictum in the landmark US writings of Justice Brandeis, 1890, that privacy is the “the right to be let alone.”

The presumption that the British state, acting clandestinely and using unwritten prerogative powers, was free to open mail, and in due course tap telephone calls and intercept and read e-mail, has been a constant from the time of the first Elizabethans up to the 1980s, when for the first time the conventions on human rights born from the defeat of Nazism started to impact UK state surveillance, through interventions by the European Court of Human Rights. It seems not entirely a historical accident that that Court is now under sustained attack.

Looking across Europe after more than 60 years, it seems apparent that the fundamental understanding of the importance of enforcing checks and balances, and of imposing regulation and supervision on state surveillance activity is better appreciated and respected in territories where Fascism was born or impacted the harshest than in the country which de facto brought the European Convention on Human Rights into being.

Thus, the German Grundrechte creates a stronger foundation now to enforce the values for which Britain and its allies fought, and which still drive some European resistance against ever increasing surveillance of the citizen, using digital technologies.

The same values are detectable in the language of the 1789 US Bill of Rights, and in particular the Fourth Amendment concerning unreasonable search and seizure. As recently as the 1970s, the Fourth Amendment seemed robust even as modern communications expanded, as when Congressional committees condemned US National Security Agency (NSA) surveillance of citizens’ communications by the use of “watch list” mechanisms.

No such troubling debates affected the United Kingdom in 1975, the year the Church Committee reported to the US Congress. In the same year, in Britain, GCHQ and its costs and operations and surveillance power was entirely unknown to the public and parliament, even though then as now it was the largest and most intrusive of the intelligence agencies, attempting to intercept and sift all communications entering, leaving or passing through the UK, as well as from international sources.

In the same year, in Britain unlike many other democratic states, telephone tapping and mail opening were outwith the law, conducted secretly (for tapping) by teams entering exchanges at dead of night and wiring up targets out of sight of normal staff.

In the same year, a national security ethos hardened by the cold war provided an easy tool for the state to discourage or suppress public information and discussion.

In the same year, unregulated police “local intelligence” collection on citizens, underpinned by secret recommendations to recruit an informer (“observer”) on every street, outwith any direct needs for crime prevention and detection, were by then in form a century old.

The irony of secretly endorsing and creating structures akin to those used by historical and modern dictatorships seemed, then as now, to be undetectable in the vision of senior civil servants.

The first dawning perception in Britain that computer and digital technologies would impact and then determine relationships between the citizens and the state and other centres of power began in the late 1960s, but took no form until 1972, when the Royal Commission on Privacy set out 10 principles of data protection that later underpinned data protection statutes in Europe and the UK.

The Commission found that protecting individual privacy “was the social issue rated most important throughout the population.” They also discovered that, among a wide range of potential threats to privacy outlined in surveys, none attracted more public concern, fear or hostility than the putative creation of a national databank.

Intriguingly, 40 years later, the same important but dated phobia has informed the drafting of and debates on the CDB, and of debates on identity card legislation, largely because of the form in which Liberal Democrat policies and historical Conservative party opposition to New Labour’s Identity Card proposals formed part of their 2009 election manifestos.

Because of this, absurd language has had to be used to explain that the output to the notorious “filter” at the centre of the CDB is anything but a national communications data database. Similar absurdities now compel the government to announce that each new attempt to introduce national ID numbers under another guise are not in fact, um, er, national ID numbers.

When in 1978 the Lindop Committee on Data Protection carried out an investigation of government computer databanks and surveillance systems then in place, they found, according to chair Sir Norman Lindop, that “the greatest threat, if threat there be, does not come from … the entrepreneurial sector, it comes from the public sector.”

They did not “fear that Orwell’s 1984 was just around the comer …But [they] did feel that some pretty frightening developments could come about quite quickly and without most people being aware of was happening”.

His Committee’s report highlighted a new computer system then recently installed by the former Special Branch of the Metropolitan Police, which was to deploy indexing and free text retrieval (FTR) of intelligence reports as raising “new dimensions of unease” because of FTR software’s ability to associate people and any sort of information on them.

The world has turned upside down. Whereas in the 1980s there was real public and political concern that the minor agency collecting TV licence fees had aggregated databases on households and addresses so as to target non-licence holders with implied accusations of evasion and criminality, by the noughties the claim to use central national databases as a threat was central to their advertising. The same tactic of encouraging fear of central national databases was then followed by HM Revenue and Customs.

The national debate and understanding of surveillance now is undermined not only by the arrogance and disengagement from civil society concerns by surveillance advocates, but also by long term and mainly clandestine programs by interested parties to subvert public policy in advance of discussion and regulation, so as to prevent effective technical controls being introduced.

The most significant group doing this internationally is the so-called “Five Eyes” alliance of signals intelligence agencies of the main English speaking countries, including Britain’s GCHQ and the US NSA. Their most important but not exclusive channels of intervention have been telecommunications standards bodies such as the ITU and the European Telecommunications Standards Institute (ETSI). ETSI, although nominally an independent, non-profit, standards organization for the telecommunications industry, has also been a vehicle for rewriting the technical specifications of new telecommunications systems as they come along, so as to make them “interception friendly”.

In the darker and wholly secretive days of the 1970s and earlier, GCHQ and its allies built systems like the “ECHELON” Dictionary Network, intercepting and sifting all international satellite communication and using free text search software years before Lindop sounded his warning. Using secrecy, they were ahead of the curve of public awareness and opinion – and still are – by intention and by design.

Thanks to the infiltration of surveillance agency interests into the ITU, ETSI and similar programmes, new mobile radio systems like GPRS, G3 and G4, and whatever may follow have come with surveillance systems built-in in advance, automatically available to be exploited by national governments and security agencies of every stripe. For parliamentarians and regulators here as elsewhere, the debate is often over before it begins. Caspar Bowden has highlighted how new US FISAAA legislation brought in 5 years ago requires cloud service providers to expose the private and commercial data they hold amounts to the latest and possibly most audacious step in this continuing campaign for access to private data.

In several senses, this is why the Communications Data Bill shows up an interesting new challenge in the UK, compared to the 1970s. No longer are telecommunications agencies single natural monopolies, either owned by or under the thumb of governments. While posing their own serious challenges to privacy, organisations like Skype, Google and Twitter, and the host of other enterprises using the power of the global common carrier that is the Internet, have no natural allegiance to the wide-ranging surveillance interests of the secret agencies.

That is why the interchanges of the committees on the CDB in which these data multinationals set out their experiences with the Home Office have been so interesting. The companies say they will and do in general comply with due legal process, disclosing private data when asked for cause and with authority, compliant with applicable law, and perhaps checking for proportionality and necessity. But they also told the committees that they refuse to open their customers up to all-purpose unchecked trawling, and that they require requests comply with their own local and international law.

The Home Office response is the CDB – a long-laid plan to compel national CSPs to install Deep Packet Inspection extraction and aggregation centres to defeat the adherence of the data corporation to due process, and to create a national communications data and interception database, in all but name.

Well-established legal restraints on unreasonable search and seizure, reframed as tests of proportionality and necessity, are historically rather new to the British state’s attitude to surveillance. They are at the heart of the current debate on the CDB. The approach now taken will determine the form of the latest chapter in the history of British state surveillance.

Read more