Shutterstock/Nonnakrit. Some rights reserved.
In a recent report, the UK Intelligence and Security Committee (ISC) asserted that the one piece of information that could have enabled intelligence agencies to prevent the murder of Lee Rigby was a conversation on Facebook between Michael Adebowale, one of the killers, and a jihadist five months before the attack. Adebowale expressed his desire to murder a soldier. The ISC devoted much effort to examining why the agencies were not aware of this earlier and whether the attack might have been prevented if they had been. Much was made of this issue in the press statement and briefings when the report was published.
A careful reading of the report indicates that the ISC’s argument is highly speculative, although very convenient for the government's current efforts to secure greater access to internet communications. A number of Adebowale’s Facebook accounts had already been closed by the company’s automatic procedures for detecting terrorist-related sites but it only became aware of the specific content of this communication after the murder.
If Facebook had located this among the 150,000 messages sent each minute and passed the information on to NSA or GCHQ who, in turn, had informed the Security Service and had increased Adebowale’s priority for intrusive investigation, would this have made a difference? Very conceivably, poor communication between police and security agencies, the sheer number of investigations competing for scarce surveillance resources would have led to no different outcome. The conclusion that inaction by a Communications Services Provider (CSP) – here Facebook - was more consequential than the various possible missteps by the state agencies is simply a non sequitur.
The state-corporate symbiosis
Yet, in identifying the interaction of state and corporate sectors in security provision, the ISC has hit the nail of current security governance on the head. The key material and ideological interdependencies between them amount to symbiosis. States cannot provide security other than through private corporations, even if the relationship is fraught with competing interests. Private Security Companies (PSCs) are often contracted by states to provide services they cannot provide for themselves, or choose not to for reasons of deniability, while the manufacturers of hardware and software work closely with those to whom they will sell their products.
CSPs will respond to legally authorised requests for information or volunteer for patriotic or financial reasons; if they do not, they may find themselves subject to interception. While many CSPs share with state agencies a business model that depends on the collection and analysis of personal data, they will suffer reputational damage if they are unable to protect that data from unauthorised state intrusion. If US and UK governments respond to Snowden’s leaks by requiring CSPs to retain more data, rather than storing it themselves, then this interdependence will only intensify.
This is the context within which any challenge to ‘mass surveillance’ as revealed in the leaked NSA/GCHQ documents takes place. No-one has expressed any opposition to the idea that agencies must have the ability to intercept the communications of those targeted because of significant suspicion that they may be engaged in illegal activities such as trafficking, child abuse or terrorism - but the core of the problem is the stated ambition of the agencies to ‘collect everything’. In the fraught post-9/11 security panic the agencies have insisted that effective intelligence requires them not just to target the ‘knowns’ but also to track their communications across multiple channels and to find those currently ‘unknown’. Hence the fear of mass indiscriminate surveillance.
The key questions are, first, whether these activities are governed by clearly expressed laws and subject to robust democratic control and oversight and, second, whether they do increase security or, rather, are the equivalent of a child’s security blanket that simply results in a massive overload of information. Yet, this controversy raises more profound questions of political economy and peoples’ subjection to power (public and private) via surveillance than simply the traditional question of the citizen’s privacy rights vis-à-vis the state.
For example, some officials have argued that CSPs present the greater threat to privacy. This may sound like special pleading but a UK poll indeed found that 55% were very/fairly concerned about the activities of search engines such as Google and 60% about social media while 43% were equally concerned about monitoring and information collection by British agencies (and 46% by US agencies). Yet social media is not being abandoned: the rate of increase in users of Facebook did not slow after Snowden’s revelations in June 2013.
But major questions of efficacy and propriety remain, requiring legal, economic, political and technological answers. Law is more significant in intelligence governance than it used to be: establishing legal mandates, standards and controls has been central to the democratisation of intelligence in former authoritarian regimes. Yet law empowers as much as it restricts. It has become clear, certainly in the UK, that the relevant law – Regulation of Investigatory Powers Act (RIPA) – is both obscure and highly permissive of what the agencies can do, as long as they possess a ministerial warrant. Therefore it is not surprising that the Investigatory Powers Tribunal has just determined that current GCHQ systems do not breach articles 8 (privacy) and 10 (expression) of the European Convention of Human Rights (ECHR). Transnational intelligence cooperation (largely informal and secret) is even less amenable to legal remedies.
Complex interdependence and how to challenge it
Economically, the business model for states and some corporations requires them to access individual data in order to achieve objectives (be it tax collection, profit seeking, or granting security). Meanwhile, other corporations and state agencies such as CSPs, banks or medical services rely on data protection to maintain their reputations; so we find contradictory postures regarding data protection. What is urgently required is an audit of the effectiveness or otherwise of ‘bulk collection’ in order to break the mutual reinforcement between the demand-side (from governments anxious to be seen to ensure security) and supply-side (from corporations anxious to sell the latest hardware and software) whether or not its value is proven.
Potential technological solutions to governance challenges include audit logs for checking both effectiveness through tracking agencies’ validation of information and also for the abuse of privacy. Sharing agreements between agencies must be made available to oversight bodies and breaches of caveats attached to shared information should be notified similarly.
Politically, the symbiosis between state and non-state actors means that regulation cannot simply be unidirectional from the former to the latter. The regulation of the corporate sector is always subject to negotiation and the impact may be very different from the symbolic language in which rules are often framed. The range of bodies involved in intelligence governance will include official internal bodies such as Offices of Professional Responsibility, inspectors general (who may be internal or external to the agencies), parliamentary committees, expert bodies such as the Belgian and Dutch committees, civil society individuals (academics, journalists, researchers) and organisations both national and international such as Amnesty International or Human Rights Watch.
Cooperation between official and unofficial bodies can be difficult because they have different agendas and may not trust each other but the former must recognise the crucial contribution of the latter in publicising intelligence failures, scandals and corruption. Governance of state-corporate networks relies largely on corporate social responsibility; the Geneva-based code of conduct for private security providers is a step in the right direction but it is too early to determine its effectiveness.
The barriers to increased democratic control are many: the informality of cooperation, national security ‘trumping’ all, secrecy adding to the inherent ambiguity of knowledge in the intelligence ‘wilderness of mirrors’, oversight lacking resources, access or political will and resistance by insiders. Law must be clarified so that people understand when surveillance may be used rather than designed for maximum obscurity of ‘sources and methods’; official oversight systems must be overhauled for greater effectiveness; and cross-national institutions such as Council of Europe, European Parliament and hybrid bodies concerned with internet governance such as NetMundial must be developed.
Establishing democratic governance of intelligence is a constant process which must be pursued in order to resist authoritarianism. The role of civil society is especially crucial given that state/corporate interdependence is the core challenge to democratic control.
Read more from our 'Closely observed citizens' series here.