LSE’s Alison Powell interviewed cyber-security expert Ian Brown about the implications of Edward Snowden’s revelations about GCHQ’s surveillance program. This program, called Tempora, the UK’s fibre cable-tapping program that records all of the internet traffic passing through fibre optic cables landing in the UK. Dr Brown, a Senior Research Fellow at the Oxford Internet Institute, explains how Tempora works, and the implications for privacy, human rights and the future of the internet.
Ian Brown: one of the most surprising things that Edward Snowden has revealed is that GCHQ, in the last few years, has managed to gain access to much more of the international internet traffic flowing through the UK. And not just to get access to it by tapping the fibre optic cables that are landing in the UK and heading off from the UK to particularly the US, but to do something useful with that data – recording, processing, storing for three days at a time but also extracting information that they call metadata about who is talking to whom, which websites they are visiting, who is skyping whom, all the things you can do on the internet, and keeping that for 30 days on a rolling basis. So the idea is, there is a team of analysts – Snowden’s documents suggest there are 500 of them, between GCHQ and the US analysts – who are working all the time looking for interesting stuff in this data, and if they spot something interesting today they can go back three days in the volume of the traffic, and they can go back 30 days in this metadata.
So if I understand correctly . . . [Tempora] is actually tapping the transatlantic fibre-optic cables.
Yes – basically putting an optical splitter in – which is quite simple when it comes down to it, basically taking beams of light from a fibre optic cable, and sending one copy down its expected route to its recipient, and sending another copy down a fibre optic cable to GCHQ sites in the UK where they have the kind of hard disk capacity to store all of that data and to process it.
And that data is stored in its entirety for three days, and metadata about the communications is stored for 30 days. Is that just information saying that my computer has connected to your computer?
The metadata is more detailed than that. It’s not just logs of IP addresses but information about emails you have sent or websites you have visited.
I feel like this is breaking the internet as I understood it. I thought that the cables just transmitted information. I thought the thing for us to worry about would be our own personal computers and keeping them safe and private, and not this massive flow of information.
Well, it’s certainly true that most people’s computers are horribly insecure and that’s not their fault. That’s just because most of the software we have today . . . software companies and internet companies respond to consumer demand and it seems that consumers are much more interested in innovation and new shiny toys than they are in secure software. So in the past I would have said that the weakest link would have been our own devices. The counter-argument is that going after individual devices takes a lot of time, but if you can stick a probe into the arteries of the internet, that gets you a huge amount of data.
So is there any indication in the leaks from Snowden of what is happening with this data?
We know that it is going into big databases run by GCHQ and the NSA and their allies in Canada, Australia and New Zealand. We know that the NSA has tools like XKeyScore, that lets them search right through that data – it’s a globally distributed database. They have connected up lots of different data stores right across the world and they can search them through an index search, so taking in not just the fibre optic cables but also the satellites that used to be the way that international communications happened. And we also know that the US in 80 of their embassies around the world are monitoring local radio traffic so that gives them access to mobile phone traffic as well as other radio data, and in some cases are plugging into local sources of data in countries outside of the US and UK where you can’t so easily get access to the fibre optic cables.
But surely this is what security agencies should be doing? Surely they should be protecting the public interest by collecting information about things that could be threatening to the public?
I think almost everyone would agree that we need law enforcement agencies and intelligence agencies to be doing targeted investigations when they have a reasonable suspicion that someone is plotting a terrorist attack or a range of other things that the intelligence agencies might be working on (and we shouldn’t get caught up in the fact that this is about terrorism; in fact, that is a relatively new thing that the intelligence agencies work on). The main things that the intelligence agencies work on is spying on foreign governments to help the domestic government in things like trade negotiations. They are doing counter-espionage to prevent other governments from doing that to them; they are protecting the economic well-being of the UK economy, and we are not sure to what extent this includes economic espionage, for example Snowden’s leaks suggest that this is happening and that the US government is spying on Brazil’s largest oil company Petrobras and just today the Brazilian president tweeted that this is economic warfare and it has got to stop.
I guess what I am trying to gauge is whether this level of data collection is unprecedented.
Yes, and this is not because the intelligence agencies have been given vast new powers that they had never had before. It is because of technological change. In the past it just wasn’t feasible for post offices to record every detail of every letter that flowed by (the envelopes now are being recorded in the US because of scares about Anthrax being sent to Congress). That to me is a strong argument to pause, reflect and think: does the fact that the technology has changed and made surveillance much easier change the ethical situation of doing very large scale surveillance? No, of course not, and that is why the societies affected – not just the countries doing the spying but those countries being spied on –have to think carefully about how we want the internet, in this way, to go on affecting people’s lives. Are we going to say: “these are very serious threats”; do we just have to take the intelligence services at their word and trust that they will put oversight procedures in place to make sure it isn’t abused?
This is the argument we hear all the time: we shouldn’t have the same expectations about privacy because technological change has meant that there is so much more data about communications than there was when everyone was sending sealed letters. Since there are many more data points doesn’t that mean that each data point is less meaningful?
No! I would not agree with that, and to me that is very lazy ethical thinking. Just because in the past the intelligence agency could look at 0.1% of all the letters flowing through the post office and now they can look at 100% of the communications flowing through an internet exchange point (and by the way, people would only write letters about significant things because it was so much effort, and now people in societies like the UK live so much of their lives online), it’s everything you do. It’s like someone following you around every day with a CCTV camera just in case they might see something useful to an intelligence agency.
We hear the claim that since technology has changed we should just have our society catch up, and this discussion of privacy is outdated because “if you’ve got nothing to hide you’ve got nothing to fear”. How do you respond to that?
I think you could respond to that in a number of ways but the most fundamental of them is that clearly the nature of technology and technological change does change society BUT it is offensive to notions of human autonomy and dignity that we should just sit back and say ‘ok, technology sails on and we may have spent the last several hundred years in the west working on these human rights protections but technology changes and we should just give up’. Of course we don’t. And of course technology is human-made. We design the technology, we shape the technology and there are ways that we can make choices. It would perhaps be over the top for governments to meddle in the design of specific applications, but to set broad principles for the directions we would like these technologies to go is a key part of what democratic self-government means.
So we have this astonishing amount of information being pulled off internet cables, this is getting processed at a high scale – what do we do now?
There are perhaps three likely ways forward. One is that nothing changes, and we should never underestimate the forces of conservatism. There are lots of interests that like the situation as it is and don’t want things to change. I can’t see any likelihood that by itself the UK government will change what it is doing. The second option is perhaps the most likely, that we will see limited changes. In the US, Obama has set up a review panel and suggested that some changes are required, mostly in the area of stronger oversight and transparency – telling people more about the surveillance programs in operation, telling people about what the reach is, having a privacy advocate in the Foreign Service Intelligence court in the US to make the case against the NSA getting more data access, having stronger powers for Congress and the UK parliament’s committees to see what is going on. That is the legalistic path and I wouldn’t be surprised if that is what ends up happening.
For me, though, that doesn’t go far enough. What has been revealed over the summer is at such a greater scale than imagined, and so impacts everybody’s day-to-day activities and privacy and autonomy and freedom of expression and freedom of assembly that to me, we need a fundamental scaling back of the system. I don’t think that the NSA and GCHQ should be plugged into those fibre-optic cables. There are all sorts of other ways that they could do targeted interception. The US has had a law since 1994 that says that phone companies and internet service providers have to design their networks so that security services can do targeted interception. I think we need to go back to that model. I think we need to unplug the optical splitters at the fibre landing points. But: I quite recognize that is against the interests of all sorts of people and is unlikely.
So is the internet broken forever as a potentially anonymous communication tool?
I hope not. I hope my third option, my radical option is the way forward and will protect the potential for anonymity. But still, even before all of this, it is not trivial to use the internet anonymously, especially over time. It is very hard not to leave all sorts of digital traces. But this is of value to individuals and to the media and those doing investigative journalism. We see responses from newspapers saying that this level of surveillance makes it very difficult for journalists to talk to sources, especially whistleblowers, especially in areas that are national security-related, which is important because these are the areas in which society most needs to know if abuses are happening. So that to me is why it’s important that we have a significant change of path, but bringing that about will not be easy.
Are you involved in anything to try and bring this about?
I have given an expert witness statement to a submission brought to the European Court of Human Rights by three British NGOs, Big Brother Watch, the Open Rights Group and English Pen, and a German computer expert from the Chaos Computer Club. The submission says that what we know about GCHQ’s activities is not properly controlled by law. The European convention of human rights does not say that privacy is an absolute right, nor does it say that under no circumstances can governments carry out surveillance or collect information from their citizens, but what it does say is that when governments are going to interfere in people’s privacy and other rights, they have to set out the law in a way that is understandable to everyone: what are the circumstances in which that will happen, what are the safeguards, how will the information be used and so on. The main claim of this application to the European court is that if you look at British law, that test isn’t met. In particular the Regulation of Investigatory Powers Act is very vague. It in itself was only put in place after a previous challenge in the European court of human rights, and now what we understand about Tempora goes far beyond what was understood to be allowed by that law. And that in a way is a simple thing for the European court to address.
This article gives the views of the interviewer and the interviewee, and does not represent the position of the LSE Media Policy Project blog, nor of the London School of Economics.