Programming

Wednesday, October 16, 2013

How about a Digital Privacy Act 2014

The recent exposés of the work of the NSA and GCHQ have led to the general consensus among politicians that more engagement and more oversight is needed of the work of the intelligence agencies. Here I will discuss the shape that I think this new legislation should take.

Andrew Parker, head of MI5, made a speech on the 8th of October, to answer the critics of the surveillance programs, but unfortunately I feel this speech fell short in several areas. It fails to acknowledge that real compromise is needed, and that individuals have a basic human right to privacy. Andrew Parker fails to see the irony that in order to preserve the freedoms we enjoy, we should impose total surveillance on all citizens, exceeding the quantity of surveillance suffered in East Germany by several orders of magnitude. He fails to realize that surveillance, not terrorism, is the biggest challenge to our freedom.

To understand just how appalling the current state of affairs is, we must use an analogy: A government agent has the master key to your house, and each day he comes in and looks through all of your letters, correspondence and intimate photos, and can take copies to store indefinitely. There is no oversight on what agents may do, but there is no need for alarm because most of them are good eggs and not at all interested in those intimate photos of your wife or the contents of her underwear drawer. He installs a hidden microphone in each room in your house. But it's okay, because only people who are potential terrorists are targeted, such as those with one or more Muslim friends, those who have traveled abroad recently, environmental activists, politicians, journalists, bloggers, or those who express critical opinions of our security agencies.

Andrew Parker feels that the current incursions into our privacy are necessary and proportionate, but I disagree.

Given that most politicians lack the courage to stand up to such surveillance programs, we should at least explore what better oversight actually means. The first thing I would do is to rename the Data Communications Bill to the Digital Privacy Bill. This is because the surveillance aspect is already a done deal, and we need to focus on limiting the powers rather than reinforcing them. It would also be an easier sell to the Liberal Democrats and the general public.

First, the good news for the intelligence services:
  • We should continue to allow intelligence services to collect information using existing methods, including cable taps, span ports, hacking, back doors, decryption, radio signals, and to store the data for a limited period of time.
  • We can expect the cooperation of communications providers to install monitoring equipment.
  • Data can be stored for a maximum of five years.
  • Automated analysis of all available data can be used to identify potential threats. This includes voice, image and text analysis of the contents of the communications.
  • The methods by which private data are gathered need not be revealed; only the fact that the data have been gathered, and the identity of the data (host name, user name, file name or id).
  • Using "black hat" methods, including payments to hackers, malware writers and controllers of illegal botnets, is permissible via court order on a case by case basis. (And illegal otherwise).
Now the bad news for the intelligence services:
  • We need a proper definition of what is meant by "private", "public" and "confidential" data.
  • Private data should match people's expectations. If you send someone a message (such as a lover, lawyer or journalist), then the fact that you have sent something, and to whom, is considered private. If you visit a website (such as a health site or legal pornography), then that fact is private. Files stored on your computer are private. Contact lists are private, unless explicitly made public by the user (such as on Facebook or Twitter). If you share a photo with a private group of individuals, then that is expected to mean just the intended individuals, and not government watchers.
  • In order for a human analyst to view "private" data, a court order must be obtained. The court order must explicitly state the reasons why the individual is under suspicion, (not just because some neural network said so), and there must be a reasonable suspicion that a crime has been committed or is being planned. What data is accessed is to be explicitly stated, as well as the motivation for viewing it.
  • An analyst is limited to viewing the data specified in the court order.
  • There is an audit trail of what information an analyst has viewed.
  • Private data can be used in court, but in that case the methods of interception must be revealed.
  • The automated analysis must not reveal private information, but it must generate a report which is sufficiently detailed to establish why an individual is under suspicion.
  • There is oversight and enforcement to ensure that the computer systems and workflow comply with the legislation.
  • Ideally, the target of the court order must be notified that their private data are being seen by a human being. Such notification can be delayed by a court order, for a maximum of 10 years.
  • Retention of data beyond 5 years can be extended by court order to a maximum of 10 years.
  • Authorization to view private data is for a limited period of 30 days. After that, another court order would be required.
  • Where no further action is taken on an individual, they must be notified after the 30 day investigation period.
  • Certain professions, such as diplomats, politicians, lawyers and journalists, would have a much higher threshold to justify viewing their private data.
  • Statistics are published annually, showing the number of data items gathered, breakdown of data gathering by type (e.g. by web site), number of human views of private data, number of high profile individuals etc. Some, ideally all, of these statistics would be made public.
  • All interception methods must be revealed in detail after a period of 50 years.
  • The data must not be used for civil purposes, such as copyright infringement.
  • Private data must not be shared to any organization or government which does not have the same protections and respect for private data.
  • It is illegal to solicit others (and foreign agencies) to obtain private data other than via UK court order.
  • Any attempt to weaken commercial security systems, such as installing back doors or weakening protocols or encryption, must be approved by a court, and such methods must be revealed after 50 years.
  • Direct access to a user's systems, such as their home router, computer or storage devices, whether physical or remote, requires a court order and a notification to the individual.
  • The act would need to be renewed every 5 years as the terrorist threat level goes down (leading ideally to total disconnection of the surveillance systems) or up.
  • The Bill would apply to all people, not just UK citizens. That is, court orders must be obtained to view the private data of foreigners. However in this case there is no duty to notify them.
There are many powers we could grant the police and security services, but we don't because we still aim to live in a free society. These safeguards are not unreasonable, and they leave the security services a great deal of freedom to do their good and generally well-intentioned work.

I would actually prefer that such surveillance proved unnecessary, as this kind of mass infringement on our rights becomes very difficult to reverse.
