On Cameron’s Candor and Public-Private Cooperation for Monitoring Digital Communications

Hugo Rosemont
Friday, February 13, 2015, 10:00 AM
Susan Landau has published a thought-provoking critique on Lawfare of the UK Prime Minister’s recent remarks covering the powers he believes the State should be afforded to access the electronic communications of terrorist suspects. Crucially, she highlights and explores the link between the need for effective cyber security and how she believes this contradicts the current crux of many governments’ efforts to maintain their ability to monitor suspicious or harmful online terrorist activity.

Published by The Lawfare Institute
in Cooperation With

Susan Landau has published a thought-provoking critique on Lawfare of the UK Prime Minister’s recent remarks covering the powers he believes the State should be afforded to access the electronic communications of terrorist suspects. Crucially, she highlights and explores the link between the need for effective cyber security and how she believes this contradicts the current crux of many governments’ efforts to maintain their ability to monitor suspicious or harmful online terrorist activity. The importance of the connection between these two issues has been underappreciated, and clearly deserves to be addressed in particular by all those who believe that, in certain circumstances, authorities should be able to access such data for security purposes. Landau has not been alone in criticizing the Prime Minister’s approach to this matter in recent weeks. Lawfare Contributing Editor Bruce Schneier has also raised objections to the approach being pursued; he suggested it is as "equally stupid" as the remarks made last year by the FBI Director and also highlighted a separate piece which details the alleged incoherence of the Prime Minister’s preferred approach. In a separate development, a high profile recent ruling by the UK Investigatory Powers Tribunal found that, prior to December 2014, the UK Government had acted unlawfully by not being sufficiently transparent about the practice of data sharing with the U.S., thereby attracting further criticism of the Government’s handling of this issue (various reactions to the judgment are listed here). That being said, the suggestion that David Cameron "doesn’t get" certain things on the basis of his approach and priorities in this area is overly harsh. After all, with his recent remarks, Cameron has indicated that the UK Government now recognizes the need to be more transparent with the public about its activities and proposed future direction in the sector. Whatever one makes of his argument---his preference appears to be to develop a revised legal framework that would give certain agencies of the State the ability to intercept a wide variety of different online communications---his openness about his view on the best way forward should be widely welcomed. Five additional observations about the UK Government’s approach to national security (and the context for it) suggest that the criticism leveled against the PM on this matter has been overdone. First, the coalition Government headed by Mr. Cameron has since 2010---like many other Governments internationally---placed a much greater emphasis on developing an effective cyber security strategy for the country, devoting significant new resources and establishing new structures towards that end. Even after having cast doubt on the strength of the Prime Minister’s approach to "strategy" in Parliament last week, one former Security Minister, Baroness Neville-Jones, then proceeded to cite the UK’s approach to cyber security as an example of where policy had been "implemented with considerable determination across Government." Second, Landau and other critics suggest that the Prime Minister is overreacting and seeks to effectively ban private communications; this type of argument is potentially misleading and leaves an exaggerated impression about his motivations. In fact, Mr. Cameron’s preference seems to be to allow the intelligence services to be able to access data under certain, legally-mandated circumstances. While there is no doubt about the strength of his and other senior Conservative Ministers’ conviction around the need to introduce potentially very intrusive new powers (and the possible dangers associated with them), it would wrong to imply that the overwhelming majority of British citizens’ communications would in practice no longer be private under his proposal; the presentation of such an argument underplays the different processes and accountability mechanisms in place. It does not engage with the distinction the PM and others are making about the difference between accessing communications data and the contents of those digital communications. It thus might leave the impression that the UK Government wishes to conduct "mass surveillance" on everyone. As Professor Sir David Omand recently argued in an analysis of digital intelligence from a UK perspective, "no such mass surveillance takes place by GCHQ; it would be unlawful if it did." Third, a further criticism of Mr. Cameron’s proposed approach is that, given the rapidly-developing and widespread and cross-border development of encryption and other technologies today, it would not in any event be possible for the intelligence agencies of any democratic country to have access to communications data being transmitted across every network, or all mediums. While there is little doubt that any such aspiration would be difficult to achieve at the technical level, a countervailing view also exists that this should not be taken as an excuse for inaction. It is important to recognize in this context---as Omand has previously noted---that the UK’s counter-terrorism strategy known as CONTEST has never sought to completely eradicate the terrorist threat facing the UK; its focus has been to manage the risk. Following this logic, UK security policymakers are pragmatic and appear to hope to ensure that the intelligence agencies have the ability to potentially access as many online communications platforms as possible, should ever such a thing be deemed necessary and authorized. Critics may see the pursuit of this aim as a futile, counter-productive, or highly damaging exercise. But the legitimacy of Mr. Cameron’s aim in principle to ensure potential access to as many communications platforms as possible under the existing legal authorities is hardly ignoble or based on ignorance. It stems from the Government’s desire to fulfill its responsibility for security. Fourth, it should be acknowledged that the campaign to secure the keys to Downing Street is now well underway; the UK will hold a General Election on May 7. Perhaps it is an undesirable reality, but this means that the politics of UK security are currently in overdrive. While national security is unlikely to become the decisive election issue (at least not in the absence of major incidents occurring on UK soil or affecting UK interests overseas), the flexing of the respective political parties’ positions in this area is an inevitable and arguably very important part of any such election. In this political context, it is perhaps reassuring that the most serious decisions on this matter are likely to be taken after the election, and that several independent reviews and government consultations (see here, here and, most recently, here) are currently working to assess the most appropriate ways for Government to be able to access digital communications. Whoever is elected would be well advised to take full account of the findings of this important work. Finally, the impact of the clarity now afforded to the public on the circumstances surrounding the high profile, brutal killing of Fusilier Lee Rigby on the streets of London in May 2013 should not be underestimated. According to a report of the UK Parliamentary Intelligence and Security Committee (ISC) published in November 2014, one of the perpetrators of the attack had expressed in a December 2012 communication exchange on a social media platform his intention to murder a soldier; the report also noted that this information had not been passed to the authorities until after the attack. Following this revelation and the controversy which followed, one poll found that 60 percent of the British public would favor internet companies such as Facebook (later reported to be the platform on which the exchange took place) monitoring private communications taking place on their networks for keywords relating to terrorism. While such figures were generated at a certain point in time and should not necessarily drive policy, that UK public opinion now seems so strongly in favor of companies "doing more" to prevent or disrupt terrorists’ use of the internet perhaps makes it inevitable that politicians would respond by developing and promoting the need for stronger new policies. This last statistic relates to Professor Landau’s article in another interesting way. While the above paragraphs have questioned critics’ reading of Mr. Cameron’s motives on this matter, the emphasis she places on recognizing that many parts of the U.S. and the UK economies are in the private sector is a very important observation, and one which deserves to continue to raise profound questions. The poll above seems to suggest that most people think that at least some private companies now have clear responsibilities for counterterrorism. This might be considered necessary but, even if it were possible (one prominent analyst has highlighted the limitations of using algorithms for this purpose), would society really approve of tasking companies with responsibility for online monitoring in such a sensitive area of national security? Furthermore, what does it say about the ongoing validity of the Government's oft-repeated slogan that national security is the State's (i.e. not companies') primary duty? The UK Government certainly appears to be providing its answer that insofar as sensitive privacy intrusions may need to be conducted for national security purposes, this should continue to be a matter for Government---albeit with the cooperation of companies, under the appropriate authorities. The debate following Mr. Cameron’s proposal should therefore not simply focus on technological matters, and any understandings or limitations arising from them. A wider issue of governance also needs to be addressed. This is not to deny the importance of addressing technical issues in this area, or to suggest that technological considerations have not themselves helped to set the context for the PM’s preferences in this arena. This does in fact seem to be the case, as BBC security correspondent Gordon Corera summarized convincingly in a recent documentary series on cybersecurity: "States are struggling to impose their concepts of national security on a technology industry which is now globalized." But this is not to say that our Governments shouldn’t try. And alongside any attempts to resolve the technological challenges, the matter of how (or how not) to structure public-private cooperation in this complex field---a field characterized by considerable private sector ownership, as Landau recognizes---appears to be becoming increasingly recognized as a central issue. The importance of the role companies will play in this space applies as strongly in the United States as in the UK.  In response to a question I posed recently to the General Counsel of the Office of the Director of National Intelligence on how public-private cooperation might be developed in this area (see the video of the event at The Brookings Institution here from 1.23.30), Robert Litt recognized this, adding:
I think we just have to find ways to engage with them [companies]. I think there has to be a recognition of where do we have common interests, and how can we move those forward. And I think . . . we have to try to be transparent about it to the extent we can.
Mr. Litt’s acknowledgement of the importance of the matter is certainly welcome, and it was striking how forcefully he argued last week that "[o]ne of the many ways in which Snowden’s leaks have damaged our national security is by driving a wedge between the government and providers and technology companies." However, the lack of detail provided in response to such questions---both by him and other policymakers on both sides of the Atlantic---suggests that we still urgently need a debate on the scope and operation of the private sector's involvement in this aspect counter-terrorism strategy. We have not achieved any kind of consensus on the best way forward, and calling out senior politicians on any lack of technical knowledge they may have is unlikely to provide the solution. Instead, the apparent polarization of positions in this complex area places a new demand for greater discussion. Hugo Rosemont is Teaching Fellow and Assistant Director of the Centre for Defence Studies within the Department of War Studies at King’s College, London.

Subscribe to Lawfare