November 09, 2013 | Jim Killock

Talking about personal security is a kind of treachery

Which story will win out? Government and civil liberties advocates are arguing over what the real story is after the Snowden revelations. Is it the Guardian’s irresponsibility and their inability to assess the damage they are allegedly creating; or is it a story about the problems with mass surveillance?


The security services in Parliament claimed that the Guardian’s stories have led directly to discussions among terrorists to improve their information security. Sir Iain Lobban was most explicit, saying:

“we have actually seen chat around specific terrorist groups, including close to home, discussing how to avoid what they now perceive to be vulnerable communications methods or how to select communications which they now perceive not to be exploitable.

“The cumulative effect of the media coverage, the global media coverage, will make the job that we have far, far harder for years to come. There is a complex, there is a fragile mosaic as Andrew has said, of strategic capabilities that allows us to discover, process, investigate and then to take action. That uncovers terrorist cells. It reveals people shipping secrets, expertise or materials to do with chemical, biological and nuclear around the world. It allows us to reveal the identities of those involved in online sexual exploitation of children. Those people are very active users of encryption and of anonymisation tools. That mosaic is in a far, far weaker place than it was five months ago”

Their allies in Parliament, led by MPs Julian Smith and Stephen Phillips, have asked the Guardian to “acknowledge the devastating assessment” made by the intelligence chiefs, while the Home Affairs select committee has called the editor of the Guardian to appear before them in a month to answer these points.

The accusations mostly appear to relate to Operation Bullrun (USA) and Edgehill (UK) – programmes to create weaknesses in encryption tools that can be exploited by the NSA, GCHQ and others who are told or find them.

For Parliamentarians these are complex issues, so I would like to take a moment to spell them out.

  1. The Guardian has not concentrated on specific weakenings of technologies, under Bullrun and Edgehill, but the investment of time and effort.

  2. The Guardian did imply that Skype may be compromised – a tool that many of us use daily; such a weakness could have consequences for all of our personal computer security.

  3. The vulnerabilities are being discussed by private companies worried about the consequences for their own security or security products. Vulnerabilities can be exploited by anyone, not just the NSA or GCHQ.

  4. RSA Security were forced to withdraw a broken encryption method, related to use of random numbers, which had been leaving many commercial VPN products at risk. This has affected major UK companies.

  5. No doubt terrorists will be speculating about their personal security just as everyone else is.

The logic of this debate is that the Guardian sparking a debate about personal computer security—an activity that we and the government invest billions of pounds in—is tantamount to aiding terrorism, as terrorists will improve their security too.

The unspoken position of GCHQ is that they have a right to compel companies to give them ways to break into their software and all the installations and uses of them – not by targeting individual suspects, but in a blanket way.

This places everyone at risk. That is a question which deserves a public debate, but it also allows the security chiefs to make the argument that revelations the Guardian has made are ‘endangering national security’ as people try to identify what GCHQ have done, and fix it. From this perspective, when Google encrypt across UK private cables to stop GCHQ breaking in without permission, this will also be an attack on national security, as secret collection capacity diminishes. When RSA fixed their broken technology they will have made parts of the Internet ‘go dark’ and thus aided terrorism.

The problem of course is not the Guardian, but the decision to compel companies to work in a non-transparent, ubiquitous manner, sacrificing general security for the convenience of the security agencies. That to many people will represent the essence of an agency acting without effective supervision.

Some MPs will accept assertions that terrorists have benefited from the Guardian’s revelations, and fail to challenge the notion of pervasive intelligence gathering. By accepting GCHQ's demand to have access to the ‘whole haystack’ of Internet traffic, MPs agree that anything that reduces pervasiveness must of course endanger national security capability. That makes any discussion of national security methods, or improvements to personal security, a form of treachery.

The way out of this logic is to accept that individuals and companies have a right to data security. Once you remember that, then it is obvious that GCHQ’s methods need to fit back in with our normal, everyday objective of trying to minimise our online risks. That may mean that the secret services’ work may sometimes be harder, but it also means that everyone will be a lot more secure from common criminality.