When UK Home Secretary Theresa May scrapped ID cards in 2010, she said it would ‘reduce the control of the state over decent, law-abiding people’. Five years later, May has revived the Data Communications Bill (the so-called ‘Snoopers’ Charter’), which will require mobile and internet providers to keep the browsing, social media, email, text and voice data of every internet user in the name of counterterrorism. But the bill will be ineffective in combatting terror compared to targeted surveillance and investigation work, the capacity for which is being cut. Even the supposed technical benefits can be achieved better and cheaper by doing different things.
Mass surveillance is ill-suited to combating terror
When the Snoopers’ Charter was first proposed, it was criticised as risking ‘intrusion into the privacy of the vast majority of honest citizens’, before being killed off by the Liberal Democrats. Since then, the European Court of Justice has ruled that mandatory data retention is contrary to Community law, and last week the New York Appeals Court found the US National Security Agency’s bulk collection of phone data was illegal.
Mass surveillance tramples over online privacy – and it doesn’t work in combating terror, as Bruce Schneier argues in his book Data and Goliath. Only one person – a taxi driver who sent $8,500 to a Somali group ‘that posed no threat to the US’ – has so far been convicted as a result of the US’s ‘collect it all’ strategy. Big data mining, argues Schneier, works best where there is a high volume of events, well-defined profiles, and the cost of false positives is low – credit card fraud, for example.
But terror attacks are different. Each one is uniquely appalling, and they are of such low frequency that the kind of profiles that work in combating card fraud can’t be built up. The dots can often only be joined up in hindsight. Adding heaps of irrelevant data – the online life of every citizen – doesn’t make the picture clearer. ‘When you’re watching everything, you’re seeing nothing,’ Schneier says.
Better policy options
There are also better, and cheaper ways of achieving some of the Bill’s goals. The need to map IP addresses to devices has been used as a justification for the Snoopers’ Charter. As the old protocol (IPv4) has run out, service providers are now running ever more elaborate address sharing, especially in mobile networks. This makes it challenging for security services and law enforcement to identify perpetrators. The solution is simple: adopt the next generation of Internet Protocol (IPv6), which will also increase capacity. The government could encourage – even incentivise – ISPs to make the switch but has shown no signs of doing so, despite the fact that the UK has one of the lowest IPv6 adoption rates in the world.
The evidence shows that targeted surveillance with reasonable suspicion and old-fashioned human investigation work best against terror, but due to budget cuts, the number of front-line police officers in the UK has declined by 17,000 since 2010, and the home secretary is promising a similar reduction in this Parliament.
This is a political as well as technical miscalculation, because people do care about online privacy. Last year, a CIGI-Ipsos survey of over 23,000 internet users in 24 countries (including the UK) showed that the majority of users are more concerned about online privacy than they were 12 months ago, and worry about their own government or police secretly monitoring their online activities.
British Internet users (76 per cent) are even more worried about private companies monitoring and selling their data than they are about governments, according to the survey, and the Snoopers’ Charter cannot function without the cooperation of private companies. Many of those private companies fund their ‘free’ services by tracking and selling personal data to advertisers.
It is unlikely that the government will pursue regulation to curb intrusive data processing by companies when the government legally obliges them to capture ever more data.
Even if big data techniques were proven to work against terrorism, placing entire populations under surveillance would still be a high price to pay. In fact, big data is no match for targeted surveillance and investigation. The Snoopers’ Charter, in the name of security, risks sacrificing the very liberties it means to defend.