'Snooper's Charter': Taking liberties?

Britain is set to pass legislation to allow the security services to hack smartphones, trawl vast data sets and scrutinise browsing histories. Will it make the country more secure?


Growing up in Teheran, Mr Fred Ghahramani remembers being told by his mother to be careful with what he said on the telephone because "the secret police is always listening". After several members of his family disappeared, Mr Ghahramani's father, an academic from an ethnic minority, escaped with his family to Canada when the boy was just nine years old.

But Mr Ghahramani's childhood fears of Ayatollah Khomeini's security service remain fresh in his mind. It is why the Vancouver-based tech entrepreneur pledged US$1 million (S$1.4 million) to help campaign groups fight what he sees as a growing encroachment on privacy and civil liberties in his adopted country and in other major democracies.

"You could hear them on the other end of the line - it was quite comical that they might want to listen to a child, but you still had to be careful with what you said. You had to second guess your thoughts," Mr Ghahramani says. "I am not saying we are there yet, but my great worry is that we are sleepwalking into that same kind of environment."


Canada, Australia, France, New Zealand and others have introduced measures to give security services and police far-reaching surveillance powers. No country, however, is going quite as far as Britain in creating laws that give government agencies the ability and the right to gather information. Adding to traditional forms of targeted surveillance, security services will soon have new powers to mine information about individuals via the explosion in data generated by smartphones and tablets.


Britain's investigatory powers Bill - which is due to complete its final stages of parliamentary scrutiny in the autumn - formalises existing powers for security services to hack smartphones and computers, and trawl vast data sets. It also provides new powers to force Internet companies to hand over, without a warrant, details of every website an individual visits and every app he uses, and to hold that information for up to 12 months. The companies must also create systems so that the information can be accessed on demand via a single searchable database.

It will give government agencies powers beyond those in the United States and most other Western democracies. If it becomes law, Britain would be alone with Russia as the only two countries in the world that force companies to keep track of customers' browsing histories.

Privacy campaigners, tech companies and politicians have raised concerns that if a nation with the democratic checks and balances of Britain is taking such action, others will follow.

The government counters that, as the world becomes increasingly digitised, it needs the powers to keep up with technological changes. Pulling back would tie the authorities' hands, they say, and make the job of protecting against terrorism and organised online crime more difficult. Attacks in France, Belgium and Germany in recent months are a vivid reminder of what is at stake.

Former British prime minister David Cameron last year promised 1,900 extra personnel for MI5, the domestic counter-intelligence agency, and MI6, its overseas equivalent, plus £1.5 billion (S$2.6 billion) a year in new funding by 2020 to address the terror threat and cyber attacks.

The challenge for society, says data-protection specialist Kathryn Wynn at Pinsent Masons, a law firm, is getting the balance right between security and privacy.

"The optimal level of surveillance is a great unknown. Threats are changing all the time and the technology is changing with it," she says. "But it is very easy to go over the line and be overly intrusive."

Although ministers must approve the surveillance, and the judiciary oversees decisions to use these powers to ensure they are implemented correctly - a so-called "double lock" to prevent abuses - most requests will be subject to gagging orders, prohibiting telecoms and tech companies from revealing that they are handing over information.

Privacy campaigners say the Bill lays out in black and white the mass surveillance powers that would be at the disposal of the security services and want it amended so that the surveillance is targeted and based on suspicion rather than the product of sophisticated data crunching. They argue that the powers are so sweeping, and the language in the Bill so general, that not just the security services but also government bodies ranging from HM Revenue & Customs to the Food Standards Agency will be able to analyse the records of millions of people even if they are not under suspicion of criminal activity.

The tech industry is also opposed to parts of the Bill, particularly around the encryption of data. The government is sticking to its plan to force tech firms to provide back doors, or a code breaker, to allow the decryption of messages in cases of an undefined national emergency.

In 2014, Mr Robert Hannigan, the then newly installed director of government intelligence agency GCHQ, accused some US tech companies of becoming "the command and control networks of choice" for terrorists and called on them to develop closer relations with the intelligence community.

But sceptics argue that vast volumes of data are of little use because they take too much time and money to process. Increases in computing power and dedicated mapping technology, however, mean that it is proving useful in ways that were unimaginable even a few years ago.

"Too much access to too many people is being given far too easily," says vice-president of security research Rik Ferguson at Trend Micro, a software security firm. "We will be in a world where an algorithm is reaching a conclusion rather than a human being; we are moving towards a world where we end up predicting crime and prosecuting it before it happens."


The extent of the monitoring of big data by the security services was revealed three years ago by Edward Snowden, the American computer specialist and former Central Intelligence Agency employee. He provided details of covert US mass surveillance programmes, principally by the National Security Agency.

It emerged shortly afterwards that Britain and many other Western countries had similar programmes in place.

Last month, Privacy International, a pressure group, launched a legal case against Britain's security services, accusing them of pushing an "aggressive and expansive" use of their powers to access huge data sets, tracking everything from travel information to phone records, to generate leads in investigations.

The case, which is due for a court ruling in the autumn, outlined how GCHQ and MI5 had been using powers under Section 94 of the Telecommunications Act 1984 to require communications companies "to do or not to do a particular thing" in the interests of national security.

The court heard that there are currently 24 orders served on telecoms companies, 15 of which require that they hand over bulk data on request. In one example, O2 was compelled to provide information to security services in secret and not even inform its own board of directors.

Queen's Counsel Thomas de la Mare, acting for the pressure group, said there was a danger that this "de facto constant surveillance" could become "the most potent instrument of repression".

He argued during the hearing that such non-targeted forms of surveillance have turned investigations on their head. Whereas in the past, individual inquiries based on suspicion would throw up leads, it is now the algorithmic processing of data that can provide those leads and that, campaigners argue, amounts to mass surveillance.


    STRANGE BEDFELLOWS: If it becomes law, Britain would join Russia as the only other state tracking online histories.

    FIGHTING TERROR: Government lawyers describe the use of bulk data as "an essential tool" in the fight against terrorism.

    PUBLIC OPINION: In a survey, more people were worried about criminals, rather than the state, gaining access to data.


The government says that the powers as laid out in the Bill are essential to providing security. Its legal team argued in the Privacy International case that the use of bulk personal data "was an essential tool" and that, without its use, the intelligence services would be "significantly less effective in protecting the UK" against terrorism, cyber threats and espionage.

Police say that the need for intelligence is greater than ever before but that the technical environment in which criminals and terrorists operate has changed dramatically.

"We still need to know who criminals are contacting, how they are doing it, where they are when they do it, what devices they use when they do it and whether they are accessing criminal sites," Mr Neil Basu, assistant commissioner at London's Metropolitan Police, said in June.

He also disclosed that the authorities want the powers not just to combat organised crime or terrorism, but also for more routine policing. "If we have low-level fraud and grooming that we could have prevented, how do I explain that to the public and just say I had my hands tied, I didn't have the powers to do that?" Mr Basu asked.

On the surface, the public seems unconcerned. A survey for the Information Commissioner's Office, an independent watchdog, found in April that less than a quarter of the public expressed concern about the security services having access to their private data and were three times more likely to worry about criminals getting their hands on it.

Campaigners and lawyers believe the low level of concern has more to do with a lack of awareness and limited public scrutiny, arguing that the Bill has been rushed through Parliament and not received enough attention. The opposition Labour Party barely put up a fight and voted for it in early June amid, what some said, were fears of appearing weak on terrorism.

Ms Kate Macmillan, a privacy lawyer at Collyer Bristow, says some important concessions have been achieved since the Bill landed in Parliament, notably that trade union activities cannot be subjected to investigatory powers "but one has to question whether enough has been done to protect the public".

She doubts that others in Europe will follow in Britain's footsteps, particularly Germany, which has been championing the privacy rights of individuals through a new European Union data-protection law known as GDPR.

The Advocate-General of the Court of Justice of the EU has published an opinion saying that any laws on data retention should respect personal privacy and can be justified only when necessary in the fight against serious crime.

Ms Macmillan adds that "there is a strong body of opinion (in the legal community) which considers that this development may derail" Britain's Bill.

Mr Ghahramani, the Iranian emigre, remains sceptical about the security claims made not just by the British government but also by other states. "Canada and France have been collecting data in bulk for over four years, and yet terror attacks still happen. In the case of the Paris attacks, the terrorists communicated through unencrypted SMS. In the US, the NSA's bulk-data collection programmes have been in place even longer," he says. "The truth is, it's never actually been proven that bulk-data collection can stop terrorism."

Big data: Creating a digital profile of the UK population

Millions of personal private records are to be moved to a central, searchable Home Office data system that will greatly increase the ability of British police, security services and other government agencies to build a digital profile of the population.

Although the system is still at an early stage of design, large Home Office data sets - which could include passport and police records, border data and car number-plate recognition information - would be transferred to a single system that will significantly speed up search times and cut costs.

The department will move the data onto a common platform and use Apache Hadoop, an open- source software tool, that can match records from large data sources and make associations from seemingly random pieces of information.

The system, widely used in the private sector, allows companies to build customer profiles and consumption patterns by pulling together e-mail accounts, social media profiles and other records.

Random data points can combine to tell a great deal about an individual, according to a study by Stanford University researchers John C. Mitchell and Jonathan Mayer that looked at mobile phone records.

One example from what they learnt from analysing 250,000 calls and 1.2 million text messages was that one volunteer had placed several calls to a cardiologist, a local drugstore and a cardiac arrhythmia device monitoring hotline. Another showed that a person owned a semi-automatic rifle, based on calls to a local gun dealer and a support line run by the weapon's manufacturer.

The study also revealed the large number of people swept up into an investigation by just looking at one lead. The researchers estimated US investigators could look at as many as 25,000 people linked from just one "seed" lead.


A version of this article appeared in the print edition of The Sunday Times on August 14, 2016, with the headline ''Snooper's Charter': Taking liberties?'. Print Edition | Subscribe