Databases of ruin

Ben Wizner, chief legal advisor to Edward Snowden and director of the ACLU’s Speech, Privacy and Technology project, talks to the New Statesman about the new age of mass surveillance.

A Skype call with Edward Snowden’s lawyer is different from other Skype calls. Beneath the introductions and the courtesies sits the question of who else is listening. Among the NSA data released by Snowden in 2013 was a training document which confirmed that “sustained Skype collection began in Feb 2011”. Since that date, the NSA has been able to listen to and record any Skype call. Does Ben Wizner think they’re listening, right now?

“I guess I would say… probably not.” Wizner is not one for dramatic speculation. He first sued his government for torturing its own citizens more than a decade ago; his work is dramatic without embellishment. Wizner joined the ACLU months before 9/11. Ten years later, he became the director of the Speech, Privacy, and Technology Project. In 2013, he became principal legal advisor to the world’s most wanted man. In his defence of Snowden and his work for the ACLU, Wizner works at the point where civil liberties and national security meet. Increasingly, he says, it is hard for the legislation that protects civil liberties to keep up with the methods available to those who would infringe them.

“The fundamental issue,” says Wizner, “is simply that surveillance used to be expensive, and now it's cheap. That's something that we have to confront, centrally, as one of the main challenges of our time. It used to be that our privacy was protected more by cost than by law, but that cost protection is gone. If governments wanted to know where you were, a generation ago, they had to assign a team of agents to track you 24 hours a day. There was no real legal barrier to doing that, but there was a huge resource barrier. There had to be a pretty good reason for it. Now, our technological systems are passively collecting all of this intimate information about all of us. The cost of storing it, forever, has plunged from being very expensive to almost trivially cheap. So we're going to need law and policy in places where we didn't need it before. We're going to need to figure out what role law needs to play in a world where governments have the financial and technological capability to record and store virtually complete records of our lives.”

Many technologists have observed that the advances in computing and communication of the past few decades have allowed us to sleepwalk into an almost perfectly pervasive surveillance state. Wizner advises viewing any argument for extension of these powers with extreme caution. “I think the way to understand this is that even people who seem willing to exchange personal privacy for a measure of safety wouldn't want video cameras throughout their house, including in their bedrooms, on at all hours of the day. They wouldn't want drones with sophisticated cameras hovering over their homes and communities, 24 hours a day, recording every movement in the streets. But mass metadata surveillance achieves almost the same effect. If the police can know, without any legal restriction, where your phone is at any hour of the day, what other phones are with it at any hour of the day, and they can get months of this information and put it together, they can paint a remarkably intimate picture of your life. Who you're sleeping with, whether you pray, whether you drink, if you've had an abortion. All of this information can be very easily reconstructed from the metadata that we leak on a daily basis, now.”

The argument for further extension of government surveillance almost justifies its means by the threat of terrorism. Wizner calls this a “bait-and-switch” – a ruse, to secure powerful surveillance in the name of preventing extremist attacks, but then to pass these powers on to other authorities. Against terrorists, he points out, “mass surveillance is not terribly effective as a predictive measure. Collecting billions of communications in order to predict extremely rare events is not effective. The system gets overwhelmed with false positives, no matter what measure you’re using. That's why the investigatory groups that were put together following the Snowden revelations uniformly reached the conclusion that collection of the metadata for all US phone calls didn't lead to either the prevention or the discovery of any terrorist attack or activity.”

For domestic law enforcement, however, vast databases of the details of citizens’ lives represent a goldmine. Wizner calls it “a kind of surveillance time machine. They would be able to hit rewind on the database, and to reconstruct all kinds of things that had happened. Because they could be extremely useful for solving crimes, the capabilities will migrate from intelligence into law enforcement. And then, our societies are going to feel very different - when every police officer with a smartphone has access to the kind of information that the NSA and GCHQ collect.”

In the UK, Wizner’s forecast has already come to pass. Under the Investigatory Powers Act, the communications data of any UK citizen is now collected by default and may be provided, without warrant, to any police force. The data is also available, again without a warrant, to most government departments, as well as such well-known anti-terrorist forces as the Food Standards Agency and the Welsh Ambulance Service.

What kind of state does Wizner think this will lead us into? “Here, I like to quote the security technologist Bruce Schneier, who asks "how do you feel when a police car is driving right next to you? Imagine having that feeling all the time." Some people might say, "oh, I just feel safer". But most of us don't just feel safer. We feel nervous, we feel watched, scrutinised. It absolutely would affect our willingness to take risks, to engage in behaviour that's not fully sanctioned - the kinds of things that free societies need to grow and develop.”

Whether the unprecedented mass surveillance now being conducted by the governments of the UK, US and other nations on their own citizens will lead inevitably to totalitarianism is debatable. What is inevitable is that when governments collect data on their citizens, it falls into other hands. In 2015, it was revealed that councils in the UK suffered data breaches at an average of almost four per day, losing the personal data of children on 658 occasions in three years. In 2012, the NHS lost 1.8 million patient records. In 2008, HMRC lost the personal data of 25 million taxpayers. The list of incidents in which the UK government has lost, stolen and carelessly handled databases of its subjects’ data is thousands of items long.

“We've already seen networks of hackers obtain vast amounts of personal information, and convert it into profit,” agrees Wizner. “It is absolutely the case that we're going to have to come to see that aggregated data is not just something that has beneficial uses, but something that creates real liabilities for us.”

However, Wizner says we should not compare the data being collected on us by mass surveillance to traditional government records. It is more personal than that. The data breaches that will result will be closer to the 2015 data breach of Ashley Madison, a dating website that enabled people to have extramarital affairs. Publishing of the site’s user database was linked to suicides in two countries. Wizner says he and his colleagues refer to such deeply personal information as "databases of ruin", because “they contain within them the seeds to ruin any of us.”

That a government database could contain the seeds of your ruin – the means to impersonate you, jeopardise your position or make public the evidence of anything you’ve done which you’d rather wasn’t publicly known – is not, says Wizner, a paranoid idea about the future. “That information sits in government databases today. And not just our own government. The Chinese government was able to breach the database of the Office of Personnel Management, which does all of the background checks for people who work in sensitive jobs in the United States. Millions of records, of the most sensitive kinds of information, are now available to a foreign government.”

Wizner says last year’s dispute between the FBI and Apple, in which the technology giant refused to crack the security on its iPhone in order to aid the agency’s investigation of the San Bernardino terrorists, is a good example of law enforcement’s failure to recognise that data security can be more important than forensic capability.

“Many former high-level NSA officials actually took Apple's side in that dispute. They argued that it was actually more important for Apple to be able to create government-proof security on a global scale than it was for US law enforcement to be able to break into this one phone. They know that if Apple has to engineer its product to allow the FBI in, then it will also have to allow in the Chinese military, and Russian intelligence.”

So how can civil liberties be protected in this emerging state of cheaply available, barely regulated surveillance? “There are two parallel reform conversations that need to take place. One is about what kind of laws we need to pass, and how our courts can act as a check on government. The other is on the technology side - how can we build up our defences. The answer to the second [question] is encryption.”

The great benefit of encryption is that “it can assist citizens even in authoritarian states. We could have the best surveillance reform imaginable in the US - we haven't, but we could - and it wouldn't protect anybody in Russia or China. On the other hand, if the technology platforms that we're using make it difficult or impossible for governments to engage in mass surveillance, that's something that could be a benefit everywhere.”

Wizner says it’s crucial that these issues of privacy and security are seen as international, because the means are so easy to sell and transport that one country’s surveillance capabilities soon become another’s. “It would be a mistake if everyone in the world viewed the Snowden revelations as a story about the NSA's activities and capabilities. Snowden likes to say that we have reached the “atomic moment” for computer science. But proliferation is much faster; it doesn't require all of the complexity that nuclear proliferation has required. So now is the time for us to be developing laws about how we're going to deploy those technologies against each other.”

Will Dunn is the New Statesman's Special Projects Editor. 

Investing in a secure future

Increased training and investment in cyber security infrastructure are essential in the digital age.

It is easy to underestimate how crucial the internet is to our everyday lives. It has become an essential tool in the way we communicate with others and conduct business both at home and abroad. More than 1.6m people work in the digital sector or in digital tech roles in the United Kingdom and the internet continues to provide individuals and businesses with huge opportunities.

However, we know that criminals seek to exploit the many benefits of the internet for their own personal gain, often at great expense to others. The WannaCry ransomware attack, which hit the NHS as well as other organisations, highlights the seriousness of the threat and reinforces the need to properly protect ourselves online.

In the recent Cyber Security Breaches Survey 2017, just under half (46 per cent) of all businesses identified at least one breach or attack in the last year. Although it is difficult to put an exact figure on how much this cost the UK economy, it is likely to be in the billions.

We are also all too aware of attacks by hostile state actors who look to exploit the UK through intellectual property theft, in order to further their own interests and prosperity. We take these attempts to disrupt our national security very seriously.

That is why the government set up the National Cyber Security Centre (NCSC), which provides cyber security at a national level. In its first year of being operational, the NCSC responded to 590 significant cyber incidents, more than 30 of which were sufficiently serious to require a cross-government response.

It is not just large organisations and our national infrastructure that are targeted by online criminals; individuals also face the daily threat of being scammed in their own homes. It is now the case that British citizens are 20 times more likely to be defrauded at their computer than mugged in the street.

It is a threat we all face. I strongly believe that we – individuals, businesses and the government – must play our own part to mitigate the risk and ensure that the internet is a safe and secure space for everyone. The government has legislated within the Serious Crime Act 2015 to create a new offence that applies where an unauthorised act in relation to a computer results in serious damage to the economy, the environment, national security or human welfare, or a risk of such damage occurring.

Legislating against online criminality goes some way to tackling the problem; however, close collaboration between the government, business and international partners is essential in combating the increasingly sophisticated attacks that the UK faces.

We work closely with the NCSC, which acts as a bridge between industry and government, providing a unified source of advice and the management of cyber-related incidents. It is at the heart of the government’s 2016 National Cyber Security Strategy, which is supported by £1.9bn of transformational investment to 2021.

Our law enforcement agencies across England and Wales also play a vital role in disrupting the activities of cyber criminals and bringing them to justice. They now operate as a single networked resource with the National Crime Agency (NCA) and Regional Cyber Crime Units using shared intelligence and capabilities. The NCA also has a dedicated Dark Web Intelligence Unit which targets those criminals who exploit hidden areas of the internet.

But we also want people to take their own preventative measures, so that they don’t become a target for criminals operating in cyberspace. We are running a series of campaigns and programmes which aim to encourage individuals and businesses to adopt more secure online behaviours.

Cyber Aware works with over 320 public and private sector partner organisations to encourage us all to take simple steps to protect ourselves online including using a strong, separate password for our email accounts and installing the latest software and app updates on our electronic devices.

The NCSC has also recently launched expert guidance on how small businesses can easily avoid common online breaches and attacks. Should organisations seek to improve their cyber security further, they can get certification through the Cyber Essentials Scheme.

To further support the efforts of SMEs in improving their cyber security, regional cyber crime prevention coordinators engage with businesses and members of the public to provide customised cyber security advice based on the latest technical guidance from the NCSC.

We must also look to the future – we now have a whole generation that have grown up immersed in tech. It is hugely important that we harness their talents and put them to good use rather than letting them wander down a path towards criminal online activities.

We must train and engage with the next generation of cyber security experts, which is why the NCSC is taking a leading role in promoting a culture where science and technology subjects can flourish within the education system. Their CyberFirst programme identifies and nurtures young talent through a series of summer workshops and competitions. In addition, their CyberUK 2018 programme focuses on encouraging more women to enter into the technology industry, a sector that is largely seen as male-dominated.

There is a great effort across government and law enforcement to pursue online criminals, prevent those that are headed on a path towards criminal activity, protect the public and prepare for the many threats we face online. We will continue to invest in law enforcement capabilities at a national, regional and local level to ensure agencies have the capacity to deal with the increasing threat from cyber crime.

However, this is not a threat that we can tackle alone. It is everybody’s responsibility, from top to bottom, to follow the guidance provided and increase their awareness of cyber security in order to create a safe space to communicate and conduct business online.