—CHECK AGAINST DELIVERY—
Thank you to Demos for hosting today’s event. And to Carl Miller, the co-founder of the Centre for the Analysis of Social Media at Demos, who, along with Jamie Bartlett, is leading innovative work on the impact of the digital revolution on our privacy, our society and our economy.
A field where the pace of change has been phenomenal. Communication and information sharing on a scale we could never have imagined even a few years ago. Families sharing photos on Facebook. Selfies from the Oscars tweeted over 2 and a half million times. Teenagers chatting with friends on WhatsApp from their bedrooms. Grandparents Skyping grandchildren a continent away. Commuters shopping from their iPhones on the train home. And multi-billion-pound businesses based on information and customers’ data.
Clicking onto a newspaper website recently I found the side of my screen full of half-naked women. It was mildly irritating – but perhaps more so because it appeared to be my fault. Shopping for Marks and Spencers’ underwear online a few weeks before meant enough information was known about my shopping and reading habits to bombard me with lingerie adverts while I checked the latest news. Probably there were cookie buttons I could have pressed to protect my privacy. But like most of us, I found that was far too much hassle.
Had you asked me ten years ago if I’d been comfortable with mainstream private companies holding and recording so much information on my shopping, leisure or reading habits I might have been a little uneasy. But this is the world we increasingly take for granted.
This digital revolution brings liberation, but also new challenges. Alongside the wonderful opportunities for communication, knowledge and business, come new forms of abuse and crime. And alongside the explosion in access to knowledge come new questions about data storage, privacy and access. Attitudes are changing too. Public debate, corporate practice, the law and government policy are all struggling to keep up with the pace of change.
I want to talk today about some of the reforms that are needed to keep up with that new technology.
In the face of growing online crime and abuse, and the use of online communications by criminals and extremists, the police, intelligence and security agencies need to be able to operate more effectively against online crime and abuse to keep us safe. But for them to do so, we also need stronger safeguards and limits to protect our privacy and sustain confidence in their vital work. The oversight and legal frameworks are now out of date. And there are difficult wider challenges about privacy, data and the private sector, and how we protect British citizens’ interests in a global internet where everyone follows different rules.
But above all we need the Government to engage in a serious public debate about these new challenges and the reforms that are needed. The Government can’t keep burying its head in the sand and hoping these issues will go away – they are too important for that, for our liberty, our security, the growth of our economy and the health of our democracy too.
New challenges in the digital age
Consider the pace of technological change – and new digital dilemmas raised - in the last twelve months alone.
In the month of December people across the globe spent over $1 billion and downloaded 3 billion apps from Apple - almost all of them used to transfer data and information. Online sales from mobile devices for the UK’s leading retailers increased 138% in a year. A third of the world is now online.
But for a start, new crimes are growing. Which?, the consumer watchdog, says half of us have been targeted by online scams. Recorded online fraud is up thirty percent - but that’s the tip of the iceberg, because most of it is never reported to the police. Two million passwords for social media and email accounts have been released online by hackers.
Perhaps most serious of all has been the growth in online child abuse. Last year the Child Exploitation and Online Protection agency received 18,887 reports of child abuse – an increase of 14% on the year.
Both police and private sector have been increasingly challenged by the public on their role in keeping the internet safe. Last summer both Twitter and the police came under sustained criticism for their delays in responding to rape threats. Facebook were forced to u-turn in their policy of allowing videos of beheadings to be shared. And Google have changed their algorithms to prevent searches for child abuse images in response to public and political pressure.
At the same time the police and security services are expected to understand the way criminals and terrorists may be using the internet, and to be able to respond. They were asked last year to explain why they didn’t know more about the murderers of Drummer Lee Rigby, and why more is not being done to disrupt the use of the internet by violent extremists looking to radicalise young people.
Meanwhile mass data storage and transfer is raising new questions about personal privacy in the private and public sector.
Persistent tweaks of privacy settings on Facebook have aroused user concerns. The new NHS database has just stalled due to public and GP anxiety about the privacy safeguards. And last summer Theresa May’s Communications Data Bill finally ran into the ground after it lost the confidence of the all-party Joint Committee set up to scrutinise it.
And – with perhaps the widest ramifications of all – former NSA contractor Edward Snowden leaked hundreds of thousands of US intelligence documents and 58,000 British intelligence documents – raising serious concern about the impact on national security and about the scale of activity of intelligence agencies all at the same time.
These issues – online crime, intelligence operations, data storage and privacy – are often treated as separate. Yet all raise the same fundamental questions about how we sustain both liberty and security in a digital age.
There are genuine questions we need to debate and consider:
First; what kind of role online do we expect the British police, intelligence and security services to play in order to keep British citizens safe?
Second; what safeguards do we want against inappropriate surveillance or invasions into our privacy and liberty by the British police and agencies?
Third; what wider framework of law and social responsibility should operate online? What are the rights and responsibilities over privacy and safety of individuals and companies online?
Fourth; and how do we make any of this effective in a global internet, where different countries play by different rules?
Today I plan to concentrate primarily on the first two questions which pose immediate challenges for the British Government and on the direction of reform I think that is required, though I will touch on the third and fourth wider and more difficult questions too.
But first we should be clear why this debate is needed.
Debate is needed
Because so far the Government’s response has been to limit rather than promote debate.
For example Ministers have avoided engaging in the debate on the NHS database, failing to ensure a proper public discussion about the benefits and the required safeguards to build consent. Their interventions on online crime have been limited.
Most significantly they have tried to stifle any debate on the role online of the police, intelligence and security agencies, and the legal framework that governs this work.
For example, the Home Secretary repeatedly refused to provide proper information about the purpose of the Data Communications Bill leaving the Joint Committee to conclude “meaningful consultation can take place only once there is clarity as to the real aims of the Home Office and clarity as to the expected use of powers under the Bill.”
That Bill was far too widely drawn, giving the Home Secretary unprecedented future powers, and with too few checks and balances, and has rightly been stopped. But since then there has been no further Government led debate about how it will instead address the challenge for the police from changing technologies – leaving the police in limbo about future plans.
Nor have they provided a proper response to the Snowden leaks. The NSA’s loss of over 58,000 secret intelligence documents shared with them by GCHQ has caused damage to national security and serious concern for the intelligence and security agencies. But it has also raised big questions for the public about the role of the agencies here and in the US, their access to data, and the protections for privacy.
Yet so far Ministers have provided neither reassurance nor reform. They have simply asserted that the British agencies are abiding by the law. They haven’t explained what the law does, what the privacy safeguards are, whether they are sufficient, whether the law is still up to date, or why the work the agencies do is important. Neither Prime Minister, Deputy Prime Minister, Home Secretary nor Foreign Secretary have provided any leadership or response.
In contrast in the United States, President Obama commissioned an independent review, and has set out areas for reform to protect US citizens’ privacy and civil liberties, whilst also robustly defending the purpose and work of the security and intelligence agencies.
So in the US the debate is moving on. But here in Britain, it’s barely started. That’s not sustainable.
As Douglas Alexander, Shadow Foreign Secretary has said “there is need for a wider debate here in the UK.”
The Government acts as if any debate about the police and agencies operating online is unhelpful - and in part I understand why. The concern has always been that any discussion of the agencies’ work undermines their effectiveness. When Bletchley Park started in the Second World War, no one wanted the Axis forces to know our capability at code breaking.
Clearly much of what the agencies do must remain secret. As Andrew Parker the head of the Security Service has said, “the reason why things are secret is not because …we want to keep them from the public. It is because we need to keep them from the people that we are investigating …the terrorists, spies and proliferators.”
So of course that means it isn’t possible to have an open debate about operational capabilities. But that can’t be an excuse for Government to avoid debate altogether. People understand that the debate has to be conducted in a thoughtful way that protects secret intelligence – but they don’t want to be patronised or ignored.
Recent opinion polling shows the vast majority of the British public support the work of the intelligence and security agencies, and the police. But the sensible pragmatism most people have about the need for targeted surveillance to prevent terrorism and keep people safe also depends on trust, and it needs to be sustained not taken for granted.
And frankly while Ministers may get away with avoiding the debate in the short term, they are building up serious problems for the future.
For a start questions about privacy, data and online crime are not going to go away. These are no longer marginal issues. Online crime is not a minority problem, it’s the fastest growing national and international crime we face. Online communication is not a minority pursuit, and data gathering is not just something that happens to other people. Privacy is going to become a growing public concern.
Second the work of the agencies and police is so important that it is deeply unwise to allow public confidence in them to falter, and Government should never be complacent when it is challenged.
For the agencies to work effectively in a democracy they need public trust.
Our agencies do an incredibly difficult job with little public recognition, their successes and sacrifices hidden. Their very purpose is to defend our democracy and democratic values, but that means people need to be always confident that safeguards are in place to prevent those democratic values being undermined.
Third, any lack of public confidence in either the safety of the internet or the protection for privacy has significant economic and security consequences. Businesses and customers need to be able to trust the internet. Fears about the safety of data, communications or transactions will inhibit business growth. Likewise pressure from customers who are worried about surveillance by authorities, can drive companies to move abroad, increase encryption or restrict cooperation with the police or agencies even when they are pursuing clear criminal or terrorist threats.
So both the public - and the agencies themselves who work immensely hard to keep us safe and abide by the law as they do so - deserve a more honest debate about their role and the safeguards needed.
Liberty and Security
For centuries we have had vigorous public and Parliamentary debate about how we sustain both liberty and security in a democracy - from Churchill’s dispute with the Post Office over intercepting letters in 1911, to the row over TPIMs suspects absconding this year, there’s been plenty of controversy along the way. Successive Governments haven’t got everything right – and we didn’t over 90 days - but overall the debate has been healthy and has sustained a broad consensus behind our legal system, behind action to fight terrorism or prevent crime, and behind protection for individual rights.
We need that vigorous debate about online liberty and security too.
Liberty and security are both important in a democracy – and as I argued in a speech last year they depend on each other. We need to feel secure to have the freedom to get on with our daily lives. But security is never absolute – nor could it be without losing that very freedom we value in a democracy.
Where interventions are needed that infringe on individual liberty or privacy in the interests of all our security, they must always be only those necessary and proportionate to the problem. And strong powers need to be matched by strong checks and balances – to set limits and make sure they are not abused.
The principles are the same online. Few seek absolute privacy or absolute security. Most of us want to balance both. We want to be kept safe from fraudsters, stealing our identity and our money online. We want our children’s innocence kept safe from abusers, and paedophiles to be caught. But we also want to know that unless we are suspected of a crime or terrorism we have a right to protection for our information and privacy. To know that people won’t be reading our emails, or checking out where we’ve been surfing on the web. To know that there are fair up to date laws governing what government agencies, the police and private companies can do. And to know that there are safeguards, checks and balances in place to make sure those laws are upheld.
Role of the police agencies online in keeping us safe
So yes, that means that in a digital age the police, intelligence and security services need to be able to operate online to keep us safe – and indeed reforms are needed to make them more effective.
In future the police will need to do more not less to tackle online fraud. Currently there is no serious strategy, and fragmented forces lack the skills or organisational structure to be effective following up a fraud against a victim in Yorkshire, perpetrated by a gang elsewhere in the UK, or even the world. Reforms are needed – including greater skills, better organisation and cooperation with the private sector, and strengthening the law on identity theft.
The Security Service and GCHQ will need to do more not less to tackle growing numbers of cyber-attacks. That means building on their work with major public and private sector organisations to ensure they are resilient against hacking or a major onslaught online.
And far more still needs to be done to tackle online child abuse and the way a growing market for disturbed images is driving abuse of children worldwide. The Child Exploitation and Online Protection Unit do vital and valuable work. But even though the notifications of child pornography online are growing, the number of arrests has dropped significantly rather than increased since they were merged into the National Crime Agency.
CEOP’s work does mean they depend on the powers to require data from companies to track down where vile images were sent from, who owns the computer where the photos were first uploaded, and to follow any clues about where the child is to rescue them and keep them safe. The police have raised concerns that they have declining ability to do that because changing technologies mean their legal framework is out of date. At the same time the Prime Minister has also said that GCHQ and the NSA can do more to tackle child pornography on the dark net, to “decrypt encrypted files, and… find out what is going on”. A new strategy is needed to make sure the fight against online child abuse can keep up with new technology – including looking at the legal framework, resources, structures and the role for the private sector and internet service providers to do more.
Given the explosion in online communications, there is also no doubt that the police and the intelligence and security agencies need to continue to be able to use intercept or communications data in the right circumstances to solve crimes or prevent national security threats. Good intelligence prevents attacks, abuse and saves lives.
So for example in the immediate aftermath of the awful murder of Drummer Lee Rigby, the security service and police needed to discover urgently whether other co-ordinated threats across the UK might be imminent – in the way that they were on 9/11 or 7/7.
As Metropolitan Police head of counter terrorism Cressida Dick said soon after the attack, “a huge number of officers engaging through a variety of different methods-social media, telephone calls and face to face-with people” were deployed.
But it is exactly because we know that work online will be increasingly important that we also need to make sure there are increasing safeguards and limits so the privacy of innocent people is protected, and so the powers are not abused, and confidence is maintained.
But delivering those safeguards will require major reform to oversight and a serious review of the legal framework too – as both are out of date as a result of changing technology.
Oversight is currently provided mainly by the Intelligence and Security Committee of Parliamentarians and a system of independent oversight Commissioners – one for intercept (covering both the police and agencies), one for intelligence, one for surveillance. In addition the Independent Reviewer of Terrorism legislation examines the operation of the counter terror laws and keeps them under review.
As a member of the Intelligence and Security Committee between 1997 and 1999 I have long been impressed by the dedication and work done by the intelligence agencies to keep us safe. But I have also long argued that the oversight system needs to be stronger.
The digital challenges of the last twelve months make an even clearer case for reform.
None of the independent Commissioners have made substantial public statements in response to the Snowden leaks. They are responsible for checking whether the agencies are abiding by the law. Yet in the face of allegations that GCHQ was breaking the law they have been silent – neither saying they would investigate, nor providing reassurance. The Interception of Communications Commissioner is undertaking a review of the legal framework, but few know it is happening and there is no opportunity for the public to submit views.
Nor have the ISC had the capacity to play the role expected of them on a wide range of issues this year. They did take evidence and make recommendations on the data communications bill last year. They do now have the power to investigate operational matters and they are rightly undertaking a serious investigation into the awful Woolwich attack. But they have only had time to do a brief report on the PRISM programme, concluding, “GCHQ has not circumvented or attempted to circumvent UK law.”
They are keen to do a further wider report into what the law does and whether it is up to date – but in practice that is in the early stages. And they have now been also asked to take over the Gibson inquiry into the treatment of detainees. In short, their capacity and resources are limited.
So reforms are needed. Indeed Sir David Omand, former director of GCHQ has said, “my feeling is that staff in the intelligence agencies would welcome deeper but more informed oversight, not least to protect their reputation”.
The ISC should be strengthened further – in particular they need permanent technological expertise, given the pace of technological change and sufficient investigative resources. Their legitimacy would be significantly strengthened by an Opposition chair, so that the Committee is not viewed as an extension of the Government.
But the ISC can’t do it all. No one expects the Home Affairs Select Committee to provide all the checks and balances on the police or the borders agency - substantial independent inspectorates and complaints organisations also oversee their work and report to Parliament.
We need a major overhaul of the system of independent oversight Commissioners. Those who work with the Commissioners commend them for their professionalism and integrity. But their role is constrained by legislation. Traditionally they are retired judges with extensive experience. But their oversight is mainly about legal compliance. They report to the Prime Minister and few people know who they are or what they do. They remain as much in the shadows as the agencies themselves – and that doesn’t create public confidence in oversight.
Substantial reforms are needed. It’s time we looked at alternatives. We must look at new models of oversight – including the possibility of an Inspector General along Australian lines with the resources to provide wide ranging and stronger oversight of all the agencies – and learn from inspection and oversight models in other fields. We should also look at how the Independent Reviewer David Anderson has created a more public facing form of oversight (doing media interviews, giving public evidence to Select Committees, announcing investigations in advance, providing more transparency about his role). Reform needs to be done sensibly so we don’t create inappropriate second guessing of operational decisions while they are underway, and so that the oversight system properly recognises and supports the vital and unusual work that our security and intelligence agencies need to do.
We need a system that can not only check current legal compliance, but can regularly review whether the law is keeping up - assessing when security is being put at risk, but also when our civil liberties are being jeopardised too. It needs to be flexible and independent, capable of assessing new technologies, fast enough to respond to new concerns and transparent enough in its processes to reassure the public that a good job is being done on its behalf.
And it is time to look again at the legal framework too – as the ISC have recognised.
The majority of the current legal framework resides in the Regulation of Investigatory Powers Act 2000 - introduced before the explosion in online communications and social media.
RIPA does provide restrictions and safeguards. Warrant requirements and restrictions are much stronger for the content of a phone call or email than they are for communications data on - for example - who has contacted who or when. Safeguards are also stronger for domestic communication than for foreign intelligence, and GCHQ’s main focus is on foreign intelligence. The restrictions on data gathering and storage are also stronger than in the US - where the Patriot Act allowed the National Security Agency to require US phone and internet providers to hand over all their data on every phone call by domestic customers for long term storage.
However significant questions remain about the way the legal framework operates and whether it is falling behind the pace of new technology.
For a start there is too little clarity about exactly what the safeguards and legal protections currently are. Ministers have repeatedly refused to explain what protection the law provides – but that just leaves confusion, misunderstanding and suspicion. They and the oversight bodies should provide clear explanation of which safeguards are currently in place.
But we also now need a full review of RIPA itself – as the pace of change has been so substantial since 2000.
For example, it should look again at how the distinction between content and communications data applies when it comes to new emerging methods of communication. What are the right levels of warrants, authorisation, scrutiny and safeguards for changing technologies? It must look at how different levels of safeguards and limits for domestic and foreign intelligence apply in the light of communication technologies which send domestic messages via international servers. We need to know whether the police and agencies still have the right legal framework to get them the information they need in serious criminal or counter terror investigations if a suspect is using new technologies. And perhaps most challenging of all, it needs to look at how we get national rules, warrants and safeguards to apply when companies and individuals are operating online from all over the world.
But what of the private sector and abroad
And that in the end is where some of the hardest questions lie – with companies and all over the world.
If the Government agrees to do it, I believe it is possible for us in Britain to have a mature debate about the role of the British police and agencies in a digital age, and the safeguards needed. Of course there will be disagreements and controversy, but I believe it will be possible to build a broad consensus on the role of the British state in protecting liberty and security in a digital age.
But the reality is that the British state is only a small part of the picture. Most of the biggest challenges involving digital liberty and security are international, and a large proportion of them are private sector too.
So the private sector has a vast and growing role in maintaining safety and security on the internet. Google’s changes to its search engines can have a major impact even though they don’t reach the dark internet. If a social media company based abroad decides to make it impossible for the police to identify account users who are making death threats or harassing with racist abuse, then there’s a limit to what the British police can do.
Private sector organisations now have the capacity to hold huge amounts of data about us. They already use it to target advertising, fund services, drive innovation and research and develop new products.
Demos’ Jamie Bartlett has said: “It is perfectly legal for companies to spy on us, and it is very lucrative. Some analysts estimate we’re each giving away up to £5,000 worth of data every year. As the saying goes: if you’re not paying, you’re the product.”
But the debate has barely started on what the ethical framework should be for private sector data use – how customers’ privacy should be protected, who the data should belong to, and how to ensure power is not abused.
All countries will have to wrestle with the problem of international jurisdiction. Whatever we decide the rules should be here in Britain, however much protection we want for our data – either from private or public sector – or whatever our demands are on private companies to work with the police on crime or security issues – there is a limit to the jurisdiction of the British state over companies, transactions and communications that continually cross borders. Other countries and other governments take different views too – and may be less inclined to respect the privacy of our citizens.
We can debate and reform the limited things that British democracy has control over – and we can do so in a way that sustains our democracy – keeping us safe and free at the same time. And now is the time to do so. But we need to be honest about those limits too.
The digital age generates every second new and amazing opportunities that we should seize. But we cannot duck our responsibilities to face up to the difficult challenges it poses too – to make sure that the digital age serves the public and our democracy, and not the other way round.