Yesterday, the Intelligence and Security Committee (ISC) issued its report into the murder of Fusilier Lee Rigby in Woolwich. Despite cataloguing a number of failures, the report claims that the security services couldn’t have prevented Lee Rigby’s killing, while appearing to claim that Facebook could have.
The report showed that Rigby’s killers Michael Adebolajo and Michael Adebowale had appeared in seven different investigations by the security services and there were “errors in these operations, where processes were not followed, decisions not recorded, or delays encountered”.
Despite this finding, the ISC reserved its strongest criticism not for the intelligence services, but for overseas communications service providers. The committee referred to an online exchange between Adebowale and an extremist overseas, (discovered after the killing) in which Adebowale expressed his intent to murder a soldier. The committee concluded:
“What is clear is that the one party which could have made a difference was the company on whose system the exchange took place. However, this company does not regard themselves as under any obligation to ensure that they identify such threats, or to report them to the authorities. We find this unacceptable: however unintentionally, they are providing a safe haven for terrorists.”
It is shocking and unreasonable to suggest that the company (un-named in the report but now named as Facebook) is responsible for any failure to prevent the murder. The suggestion appears to be that the company should have been trawling through the content of the communications of all of its users on a blanket basis on the off chance that one of them may be sending messages about terrorism. The ISC laments the fact that “none of the major US companies we approached proactively monitor and review suspicious content on their systems”.
There are two suggestions: one is blanket trawling that would represent a hugely disproportionate interference with the right to privacy of all of the company’s users. It would have a chilling effect on freedom of speech online if individuals are unable to trust service providers not to snoop on their communications. It may also be contrary to the companies’ terms of service.
ISC member Hazel Blears said yesterday that companies already proactively search and report illegal child abuse images and therefore by extension should be able to expand this to ‘terrorist content’. But it is not so straightforward. The former involves using hashes to tag illegal images, the latter would involve searching for keywords (killing? beheading?) and then making a decision about whether they have been written by someone who is a credible terrorist threat.
Facebook is right to regard itself as not being under any obligation to pro-actively identify this type of communication and report them to GCHQ. To place communications providers under such obligation would be to render them an arm of a surveillance state.
A more reasonable approach could be to identify individuals that may be of interest to the security agencies - for example people who have drawn themselves to the attention of Facebook because they have posted extremist content, which has led to their accounts being suspended.
There are also clear legal mechanisms in place by which the security services can access the content of communications held by overseas companies. The first is by using a targeted warrant signed by the secretary of state under section 8(1) Regulation of Investigatory Powers Act (RIPA). The ISC appears to have accepted at face value the government’s claims that this method is ineffective because overseas service providers do not comply. In fact, just because overseas service providers may say they do not regard themselves as bound by UK does not mean they do not cooperate with UK requests. Their transparency reports suggest otherwise. For example, between January and June 2014 Facebook supplied data for 71.68% of requests from the UK government. The ISC’s statement that if MI5 had sought information under a warrant the company might not have responded is highly speculative.
If the government is unable to access communications using a warrant, the appropriate mechanism to use is the established Mutual Legal Assistance Treaty (MLAT) between the UK and the US. The ISC suggests that the government believes using MLAT to be ineffective as it is too slow, does not apply to intelligence investigations and involves scrutiny of sensitive information by a US court. These are not insurmountable objections. Reform of the MLAT procedure should be a priority.
Instead, the government is trying to pressure service providers to comply with its demands outside of any transparent legal process. Unregulated cooperation damages the rule of law. And importantly, if US companies have to comply with ad hoc requests from the British government surely they should also agree to demands for access to customer communications from the Russian and Chinese governments.
It is also notable that GCHQ’s vast TEMPORA programme, which allows the mass collection of external communications passing along fibre-optic cables between the UK and the US, does not appear to have helped them identify the communication. ORG is disputing the legality of the programme before the ECtHR. This is evidence that mass surveillance (as opposed to targeted surveillance) is ineffective as well as breaching our fundamental human rights.
The findings of the committee accord conveniently with the recent rhetoric of Theresa May and GCHQ’s Robert Hannigan, who want to increase surveillance powers and bully Internet companies into agreeing to their demands. The committee appears to have accepted this narrative unquestioningly. In addition, the decision to publish the the Counter-Terrorism Bill the day after the ISC report has been criticised by ISC members themselves.
It’s going to be very unlikely that people who are plotting terrorist attacks will be discussing them on Facebook, particularly now that we have had a public debate about this. Even so, this horrific murder should not be used as a political tool to pressure Internet companies to do what GCHQ wants.
This article was originally published in The Drum.