The Open Rights Group have recently released “Digital Surveillance – Why the Snoopers’ Charter is the wrong approach: A call for targeted and accountable investigatory powers”. The report sets out various arguments as to why the proposed Communications Data Bill in the UK, which aims to massively extend the scope of surveillance over online communications, is a terrible, counterproductive, expensive, and unnecessary idea.
I was asked to contribute a section on the risks of the existing proposals, and some thoughts on where things should go in the future. My contribution is reproduced here, but please do go and download the full report.
Where laws intersect with technology, as is strikingly the case with surveillance, the discrepancy between the pace of technological change and the pace of legal change requires lawmakers to consider carefully the risks that arise from the future development and application of technologies. Crucially, and challengingly, it is necessary to differentiate between the limitations that exist in current technologies and will disappear as technology develops, and those limitations that are fixed and inherent.
Information technologies, and in particular the Internet, have expanded the potential for surveillance to a degree that would have seemed fantastical in previous decades. Unprecedented levels of data can now be collected, stored, and analysed, and can be combined and controlled with an amazing degree of centrality.
The technical capabilities of the Internet not only allow this surveillance, they encourage us, through convenience, to place more and more of our lives into the spotlight. We now read news, search for information, talk to friends, organize social and business life, bank, and meet potential partners via the Internet. There is no precedent that can even approximate a model for the pervasiveness of the Internet in our lives — not the phone network, not post or telegraph, not CCTV surveillance. Equating the Internet with historical technologies when making policy is not simply wrong, it is dangerously misleading.
From the state’s perspective, the desire for surveillance is easy to understand. Such a wealth of data seems to promise an oracle allowing security services not only to investigate, but also to detect, predict and prevent crimes — and ubiquitous surveillance can, certainly, achieve some of these goals.
The sheer wealth of data that surveillance reveals, however, tips the balance decisively from its power to help towards its power to harm. Vast amounts of information can be handled by faster and faster computers, but the power and accuracy of the predictive algorithms are not so scalable — when applied blindly to entire populations the ability to identify suspicious patterns is lost in the flood and becomes either worthless or actively harmful.
Pervasive and detailed information on individuals is a powerful tool. When investigating a crime the details of a suspect’s activities, communications, and habits can be highly valuable. This tool, however, can be used just as effectively against all those individuals who are not under suspicion — blackmail, fraud, stalking, and simple invasion of privacy are all enabled by such collections of data just as effectively as the investigation of crime. Placing an entire population in handcuffs to ensure that the criminals have been caught is not an acceptable policy.
As such, any legal framework for enabling surveillance must, in the first instance, be based on the notion of targeted gathering of data on well-justified grounds. This precludes the a priori gathering and storage of data — such gathering should only occur in response to justified suspicions. Data that is found not to be useful, particularly where it concerns third parties, must be deleted quickly and verifiably. Further, there should be no institutionalised technical mechanism to surveil communications; instead, surveillance requests should be made directly to service providers who must be free to manage and control their own platforms.
As has been observed with existing laws, such as the UK’s own RIPA, surveillance powers are easily and widely abused. Strict and independent audit, therefore, both of surveillance requests and of data handling, should be a key feature of any proposed surveillance framework. This must, of course, be supported by stringent penalties for misuse of either powers or data. Transparency, imposed both at a legal level and by the need to interact with private organisations that control infrastructure, is the only hope to mitigate the abuses that inevitably accompany such approaches.
The technological landscape in which we find ourselves is one in which the potential for surveillance is vast and growing. Surveillance law must therefore focus on restraining risks and abuses, without being carried away by false promises of effectiveness. Minimisation, decentralisation, accountability and limitation of access are all necessary steps to ensure that the cure is not worse than the disease.