Making Facebook an arm of MI5 won't be a guarantee against terrorism

The security services want social networks like Facebook to be more forthcoming with material posted by users that might indicate a threat to national security. But the root causes of terrorism will never be fixed with data alone.

Sign Up

Get the New Statesman's Morning Call email.

Today sees the publication of proposed new anti-terrorism bill, the Counter-Terrorism and Security Bill 2014-15, ahead of its scheduled second reading in Parliament tomorrow, on 27 November. Yesterday, meanwhile, saw the Commons Select Intelligence and Security Committee (ISC) publish its findings into the murder of Lee Rigby in May 2013 by Michael Adebolajo and Michael Adebowale, with specific blame laid at the feet of social media companies for not doing enough to prevent it. 

The report itself doesn't name the single company it considers most at fault, but it didn't take long for journalists to work out that Facebook was the alleged culprit in question. Most of the major papers today carry the damning verdict on their front pages with reference to Mark Zuckerberg's company, with the Mail reporting Rigby's sister stating Facebook had "blood on their hands" for their inaction, and that she held them "partly responsible" for his death. According to the report, some of Adebowale's activity on Facebook had come to the attention of site moderators, who had deleted some of his posts (and even his account) on more than a few occasions. According to Sir Malcolm Rifkind, the chair of the ISC, had this information been passed on to MI5 the attack on Rigby could have been prevented.

Is this true? Well, yes, but also no, with caveats for either. This is the old conflict between what the state wants to know and what the individual wishes to keep private, but with the added complications that come with the internet, and social networks, and national sovereignty. 

Treating this as a clear binary between privacy and security isn't enough, as evidenced by Facebook making people unhappy on both sides of the divide for what it does: it actively monitors everything that its users do (so that it can make money off them and/or remove inappropriate/illegal content, upsetting privacy advocates in the process), but it also doesn't necessarily report posts that could signify an illegal activity to the relevant authorities (which annoys bodies like MI5, who would find that kind of content extremely useful). 

Put this in the context of the British government's attitude towards data collection over the last 15 or so years, and the conclusions of the ISC report make send. The UK political establishment, in all three main parties, tends heavily towards a policy of better safe than sorry, and of expanding data collection whenever a blind spot in intelligence gathering is exposed. For example, when the European Court of Justice ruled earlier this year that the EU-wide directive mandating the collection and retention of customer metadata by ISPs violated the human right to privacy, Parliament's response (with Tory, Labour and Lib Dem backing) was to rush through new legislation to reintroduce the mandate into British law as soon as possible. (Other countries, like Sweden, went the other way, even going so far as to opt not to charge those ISPs who had ignored the original directive.) 

Facebook, then, is a ripe, low-hanging fruit which, if plucked, would make the lives of spooks hugely easier. However, they can't - because Facebook is an American company which is only legally obligated to obey American warrants. That's the problem identified by Rifkind. Facebook may not have the legal obligation to hand over data like the type it had on Adebowale, but it certainly may have had the moral obligation. What's more troubling, though, is that the demand here is that Facebook chooses to hand over possible evidence of a user planning for a terror attack before a body like MI5 asks for it. (MI5 didn't ask Facebook about Adebowale's messages until after the attack, as far as we know.)

Follow this chain of thought any distance, however, and the problematic consequences are obvious. If Facebook accepted that any national government could demand the personal information of any user for matters of national security, that opens up all kinds of precedents for human rights abuses in nations where activists or persecuted groups use Facebook as a communication medium. (Arguably, that doesn't just mean, for example, Russia. It can also mean the UK, where many groups face surveillance from the police.)

This doesn't stop the British government from repeatedly trying to act as if US-based tech companies should listen to these kinds of requests, though, as evidenced by the Guardian's report on Silicon Valley's response to the ISC findings. In techno-libertarian California, not only is this kind of attitude seen as undemocratic, it's seen as part of a wider campaign against web freedom altogether. ("Nice fucking timing," said one executive, referring to the new bill published today.)

Privacy and civil rights campaigners tend to talk about this issue using the metaphor of physical mail - we can accept the need for opening the letters of someone under suspicion of plotting a terrorist attack, given the oversight of a judge and a warrant, but we otherwise expect nobody but the sender and the receiver to know what's in each envelope. That isn't a perfect analogy for what social networks are, though, and that's crucial here. Facebook, like every other social network of any notable size, has a business model based almost entirely on eavesdropping on the conversations its users are having with each other so they can try to show relevant ads. At the same time, things posted on them can be intended for an audience of a few people, but there are mechanisms in place that can mean a psuedo-private conversation can quickly spread among millions of other people.

The constant surveillance, even of private messages, is currently the focus of a large EU-wide civil suit, and the problem of corporate surveillance - which we legally, if not morally, consent to - is its own problem altogether. But I would argue that, when it comes to state surveillance, we should think of a site like Facebook in terms less like a postal service and more like a pub or cafe, with the staff coming around to pick up the empty mugs taking the role of the algorithms that listen in on our passing conversations. It's a service as much as a medium, and one which puts up ads on the walls to pay the rent.

In that kind of scenario, what should someone do if they hear a customer use the word "kill"? Or "explosion"? Facebook has 1.3 billion users each sending upwards of 500 billion messages a day - and while the site does have some sophisticated scanning methods for trying to keep on top of, for example, potential cases of child grooming, it is limited in its ability to parse nuance, or humour. The vast daily stream of data which comes from social media sites that has been flagged as needing human moderation has created, in turn, a huge outsourced moderation industry that is both horrible to those who have to work within it and still far from perfect at catching everything abhorrent (as ongoing issues with online harassment of women and people of colour have shown).

And don't forget the Twitter joke trial, which came about because a human being - not an algorithm - passed a tweet that was clearly a joke onto the police, just in case. Knowing how fallible these systems already are, it isn't reasonable to think that any solution to an intelligence gap should be piling yet more data onto the heap that is already there. Facebook may act like a private surveillance agency, but it doesn't necessarily follow that the best thing is to then combine its abilities with the state's - it won't double the innaccuracy, but it could well double the margin of error.

In the ISC's ideal world, Facebook would be an extension of the surveillance state - taking on the cost of identifying and assessing likely leads from among billions of posts each day, with the most promising passed on down the line. This is a fallacy that affects so much of the tech industry, that technology will fix everything, and everything in the physical world is reflected in how people act online. But MI5 still doesn't know how Adebolajo and Adebowale planned their attack, even now. The data was the missing link here, but it's dangerous to think it'll always be.

The ISC report makes it clear that both Adebolajo and Adebowale were under MI5 surveillance for years for a range of other real-world links to other suspected extremists, but Facebook gets the blame because the single message about killing a soldier could have alerted the authorities that he was a more serious risk. Yet what's also clear is that the government's approach to tackling the root causes of terrorism - and in trying to stop young men and women choosing to commit acts of terror - is failing. What's the better investment here: the removal of yet another layer of privacy the average citizen can expect, or spending some time and money on something which gets to the root of the issue?

Ian Steadman is a staff science and technology writer at the New Statesman. He is on Twitter as @iansteadman.