Banksy street art near GCHQ in Cheltenham. Demotix/ Saskia Gregory. All rights reserved.
The 2010 Conservative party election manifesto promised to ‘roll back the frontier of the database state’. It promised to protect human rights, to protect citizens from unwanted state intrusion and to ensure proper parliamentary scrutiny of new data sharing arrangements. It suggested that the mass surveillance efforts undertaken by Labour were expensive and ineffective. And yet, new extended surveillance powers, more intrusive and extensive than anything contemplated by the last Labour government, are now enacted. Such legislative efforts appear not only to violate human rights but also be completely unworkable. So why continue with this strategy?
The draconian Data Retention and Investigatory Powers Act (DRIPA) was rushed through as emergency legislation in June 2014. It revived earlier provisions of the defunct Communications Data Bill, reinstated repealed Data Retention rules and now there is a further anti-terrorism bill on the table. This panoply of legislation is counter to the EU Court of Justice ruling concerning the Data Retention directive, repealed on the basis of articles 7, 8 and 52(1) of the Charter of Fundamental Rights of the European Union. Controversially, DRIPA allows the UK government to request any company external to the UK to provide communications data without reference to a specific individual, time or place. As most internet communications pass through servers overseas, as the campaign group Liberty has pointed out, this potentially leaves every UK citizen’s communications vulnerable to interception.
In addition to human rights issues, it is the reliance of these laws on the private sector to conduct mass surveillance on the government’s behalf which could prove to be their undoing. The laws compel Internet service providers (ISPs) and other private sector organizations to collect communications data en masse from their networks. Prior to the legislation, ISPs did not routinely store communications data.
During evidence heard for the Communications Data Bill (ISPs) made it clear how much of a practical and legal challenge this was going to be. They needed guidance on what the security services wanted to see, when, how, and with what safeguards. They also wanted to know how these new rules conflicted with their existing legal obligations, such as to national and international data protection standards.
Very few answers were provided. This legislation did not engender the codes of practice which accompanied, for example, the Proceeds of Crime Act 2002, and were used by the financial services industry to guide their anti-money-laundering and counter-terror finance activities. Because the regulations compelled ISPs to store data, huge investment in on shore storage facilities was required. However, up to 25% of the data which travelled across ISP networks was encrypted - making it useless for security purposes. Without encryption keys and barring any ‘back door’ arrangements between companies and the government, nobody could read the data.
Commercial propriety mitigated against the sharing of keys between ISPs and other service providers unless a close business relationship already existed. Concerns about competitive advantage, the customer relationship, supply chain relationships, technical capabilities, data storage, regulatory specificity and the distribution of the costs associated with compliance make these regulations an expensive prospect for ISPs and their associates. Blanket state surveillance sits very awkwardly over the complex, multi-layered and heavily infrastructuralised business networks which make up an industrial sector.
Mass surveillance is unworkable
This is not the first time that the UK government has proposed unworkable mass surveillance regulations involving the private sector. And it is not the first time that the mere practicalities of implementing such regulations, as well as human rights, stand to trump them altogether. The eBorders programme, mandated by the Immigration, Asylum and Nationality Act 2006, has been quietly abandoned because of both practical and legal difficulties surrounding its implementation. The scheme mandated air carriers to collect and transfer to government all passport data relating to their passengers within 24 hrs and 30 minutes of departure. The information was then held for five years in an active government database and another five years in an archive with access on a case-by-case basis.
eBorders was conceived in 2003 after several governmental initiatives to improve the UK’s electronic border control. In November 2004, the then UK Border Agency launched a pilot scheme called Project Semaphore on a number of routes into the UK. After a Regulatory Impact Assessment in 2005, the eBorders ‘roll out’ began in 2009. When industry representatives were invited to state their concerns to the Home Affairs Select Committee, the matters raised were similar to those raised by the communications industry in relation to the Communications Data Bill. Commercial airlines – national legacy carriers such as British Airways, charter operators (e.g. Tui or Monarch) and low cost airlines (e.g. Easyjet) – each voiced their opposition because of the cost implications and its impact on their business models. The Board of Airline Representatives UK argued that airlines needed to spend £450 million over the first 10 years of eBorders in order to make their internal systems compliant. Problems afoot in ‘Trusted Borders’, the consortium of companies appointed to deliver the government side of the project, resulted in the main contractor, Raytheon, being sacked in July 2010[i]. No permanent replacement has been appointed.
Trusted Borders also ignored industry advice about data collection infrastructure, creating an uneven playing field in the air travel sector and disadvantaging charter carriers. The data transfer protocol adopted was one which was different to and far more costly than the charter industry standard. Furthermore charter and some low cost airlines were not listed on the Airline Global Distribution Systems, which enabled the sale of air seats and the easy collection of passport information. New customer websites, self-service kiosks in airports and help lines needed to be set up at the retail operators’ expense to collect data from customers and make them aware of the new requirements. Because charter operators rented ground handling systems in airports, they had no way of extracting the data in time to check whether the passengers they had checked in matched those on the plane.
While these issues were clear in 2005, the Home Affairs Select Committee stated, ‘the lessons learned from the pre-cursor Semaphore project had not been fed through to the contractors responsible for the eBorders Programme.’ The infrastructure was full of holes. Furthermore, within industry supply chains, and as with the encryption issue in relation to DRIPA, competitive relationships were destablised. Tour operators and travel agents were reluctant to send customers to an airline’s website to fill in passport information, and so took on the role themselves, creating extra work and extra anxiety.
The airlines even advised that legal issues were likely to arise. Early in 2010, the European Commission informed the British Government that eBorders compromised European citizens’ rights to freedom of movement. The scheme also breached Belgian, French and German Data Protection Law. The Information Commissioner suggested that citizens could opt out, but airlines across the sector then faced an enormous cost of amending systems to incorporate the opt-out. Systems were designed around mandatory passport data collection. The result was a legal stalemate and patchy data collection from the countries where eBorders was legal. The total cost of eBorders, now abandoned, was £750 million, £60 million over budget.
Towards another approach?
The current government has decided to revive aviation security in the new anti-terrorism bill, hoping the eBorders debacle will go away. Borders, alongside other abandoned mass surveillance programmes such as the Identity Card Scheme and ContactPoint point to the huge waste of public and private money leveraged to the end of blanket data collection.
It is possible, desirable and respectful of human rights to conduct targeted surveillance on identified suspects at particular times and places with independent judicial oversight. It is possible to give succinct, clear guidelines to private sector partners and issue interception warrants which relate to specific individuals in specific places. It doesn’t appear to be particularly feasible, however, to collect information on everything and everyone en masse from complex corporate networks with diverse technical operating standards, supply chains and business strategies. It is certainly not in compliance with internationally recognised human rights legislation.
The current scenario around DRIPA and the new Counter Terrorism and Security Bill demonstrates a spectacular lack of reflexivity on the part of the UK government. The Home Secretary has proposed surveillance legislation so wide that everyone is a potential target, human rights concerns are ignored, independent judicial oversight is sidelined. Businesses are burdened with regulation which is opaque, technically challenging and commercially compromising. Recently the Prime Minister appealed to companies’ sense of ‘social responsibility’ to make them engage with national security. Perhaps he should consider leading by example and take a look at his 2010 election promises.
The Private Security State? Surveillance, Consumer Data and the War on Terror by Kirstie Ball, Ana Canhoto, Elizabeth Daniel, Sally Dibb, Maureen Meadows and Keith Spiller is out next year, published by Copenhagen Business School Press.
[i] Kollewe, J. (2010). Home office strips Raytheon Group of border control contract. The Guardian. 23rd July.
Read more from our 'Closely observed citizens' series here.