November 09, 2013 | Jim Killock

Talking about personal security is a kind of treachery

Which story will win out? Government and civil liberties advocates are arguing over what the real story is after the Snowden revelations. Is it the Guardian’s irresponsibility and their inability to assess the damage they are allegedly creating; or is it a story about the problems with mass surveillance?

The security services in Parliament claimed that the Guardian’s stories have led directly to discussions among terrorists to improve their information security. Sir Iain Lobban was most explicit, saying:

“we have actually seen chat around specific terrorist groups, including close to home, discussing how to avoid what they now perceive to be vulnerable communications methods or how to select communications which they now perceive not to be exploitable.

“The cumulative effect of the media coverage, the global media coverage, will make the job that we have far, far harder for years to come. There is a complex, there is a fragile mosaic as Andrew has said, of strategic capabilities that allows us to discover, process, investigate and then to take action. That uncovers terrorist cells. It reveals people shipping secrets, expertise or materials to do with chemical, biological and nuclear around the world. It allows us to reveal the identities of those involved in online sexual exploitation of children. Those people are very active users of encryption and of anonymisation tools. That mosaic is in a far, far weaker place than it was five months ago”

Their allies in Parliament, led by MPs Julian Smith and Stephen Phillips, have asked the Guardian to “acknowledge the devastating assessment” made by the intelligence chiefs, while the Home Affairs select committee has called the editor of the Guardian to appear before them in a month to answer these points.

The accusations mostly appear to relate to Operation Bullrun (USA) and Edgehill (UK) – programmes to create weaknesses in encryption tools that can be exploited by the NSA, GCHQ and others who are told or find them.

For Parliamentarians these are complex issues, so I would like to take a moment to spell them out.

  1. The Guardian has not concentrated on specific weakenings of technologies, under Bullrun and Edgehill, but the investment of time and effort.

  2. The Guardian did imply that Skype may be compromised – a tool that many of us use daily; such a weakness could have consequences for all of our personal computer security.

  3. The vulnerabilities are being discussed by private companies worried about the consequences for their own security or security products. Vulnerabilities can be exploited by anyone, not just the NSA or GCHQ.

  4. RSA Security were forced to withdraw a broken encryption method, related to use of random numbers, which had been leaving many commercial VPN products at risk. This has affected major UK companies.

  5. No doubt terrorists will be speculating about their personal security just as everyone else is.

The logic of this debate is that the Guardian sparking a debate about personal computer security—an activity that we and the government invest billions of pounds in—is tantamount to aiding terrorism, as terrorists will improve their security too.

The unspoken position of GCHQ is that they have a right to compel companies to give them ways to break into their software and all the installations and uses of them – not by targeting individual suspects, but in a blanket way.

This places everyone at risk. That is a question which deserves a public debate, but it also allows the security chiefs to make the argument that revelations the Guardian has made are ‘endangering national security’ as people try to identify what GCHQ have done, and fix it. From this perspective, when Google encrypt across UK private cables to stop GCHQ breaking in without permission, this will also be an attack on national security, as secret collection capacity diminishes. When RSA fixed their broken technology they will have made parts of the Internet ‘go dark’ and thus aided terrorism.

The problem of course is not the Guardian, but the decision to compel companies to work in a non-transparent, ubiquitous manner, sacrificing general security for the convenience of the security agencies. That to many people will represent the essence of an agency acting without effective supervision.

Some MPs will accept assertions that terrorists have benefited from the Guardian’s revelations, and fail to challenge the notion of pervasive intelligence gathering. By accepting GCHQ's demand to have access to the ‘whole haystack’ of Internet traffic, MPs agree that anything that reduces pervasiveness must of course endanger national security capability. That makes any discussion of national security methods, or improvements to personal security, a form of treachery.

The way out of this logic is to accept that individuals and companies have a right to data security. Once you remember that, then it is obvious that GCHQ’s methods need to fit back in with our normal, everyday objective of trying to minimise our online risks. That may mean that the secret services’ work may sometimes be harder, but it also means that everyone will be a lot more secure from common criminality.

Comments (6)

  1. Harry:
    Nov 09, 2013 at 12:29 PM

    Great article Jim. The last paragraph really says it all. Do we, or do we not, have a right to secure, private communications? With our banks, and with each other?

  2. Franklin Scrase:
    Nov 09, 2013 at 02:40 PM

    At what point can the whole security debate be turned away from being one about the rights of spies to abuse our data security and privacy and towards a debate about how we can organise our economy and affairs of state such that we are not constantly causing the distress to people that gives rise to the terrorism in the first place?

  3. Peter Strong:
    Nov 09, 2013 at 04:26 PM

    This is nothing short of a well organised and widely run campaign of distraction on the part of the many security services implicated in wrong doings by the Snowden revelations. By even engaging with them we are being distracted from the real question which is who poses the greater threat to liberal democracy – the small number fundamentalists who are prepared to engage in acts of terrorism against our societies, or the legions of extremists who think it is right an legal to deprive us of the fundamental right of privacy that underpins the fabric of liberal democracy.

    These latter organisations have been exposed as having acted outside their own laws as well as the laws of other countries, and yet instead of locking up their heads and disassembling their mechanisms of mass surveillance we are entering into arguments about whether it’s patriotic to object to their actions. I would argue that, as Franklin Scrase postulates, these agencies are themselves a major reason for many of the acts of terrorism visited upon our societies, and moreover it is in their interest to inflame that active minority to commit more acts of terrorism simply to justify their own actions, and of course budgets.

  4. Don:
    Nov 09, 2013 at 06:47 PM

    Thanks for the update Jim
    most of the information the guardian has published (in a RESPONSIBLE manner) is/was freely available from other sources (mainly abroad and from the tech community), the government does nothing about that.
    I feel its the government trying to censor the information the public receives, (for political gain as usual)
    but hey I am only uneducated sub human northern benefit claiming scum that would already be convicted and imprisoned if I had revealed the same information.

  5. Graham Todd:
    Nov 14, 2013 at 07:13 PM

    Very well-written piece.

    Could ORG give advice on what VOiP services to use if Skype HAS been compromised - SIP? If so, which of the SIP providers in the UK are more likely to stand up to requests for information from GCHQ and the government?

  6. Don:
    Nov 14, 2013 at 08:38 PM

    ~Graham Todd
    The problem I find is most voip solutions need a server and if you do not control that security cannot be guarenteed
    I have used mumble for worldwide communication in the development of linux operating systems and to help the general public with linux,
    But the server was owned and located with one of my american colleges.
    How secure it was I do not know (but it was encrypted)
    with any software claiming security you need full disclosure from the software maker, on protocols, cyphers and the full method you or others can audit their security model.
    You have to use a TNO (trust no one) attitude to on-line security,
    sorry I know the answer is not much help, but I hope it points you in the right direction.