Following the announcement that emergency powers to ensure police and security services can continue to access phone and internet records are being rushed through Parliament, questions are being asked about whether governments should interfere with communications, or whether they are breaching human rights.
It’s certainly not a new debate, though. Go back to the mid-point of the Second World War and Winston Churchill argued that ‘to save democracy, one had to destroy a little part of democracy’. The fact is that, despite the truth, security and privacy often appear on opposing sides of the argument.
On the one hand, the primary imperative of government is to assure the security of the nation and its society. Yet, at the same time, particularly in a post-Snowden context, there is a strong consensus that too much privacy has been sacrificed; both wittingly for free services such as those in the social media realm, and unwittingly in the pursuit of security from terrorism and crime.
>See also: UK businesses cannot ignore the EU’s data protection reforms
As is often the case, the extreme opposing positions can make constructive debate hard and the establishment of consensus even harder. That’s why there are some key factors that must be considered before a conclusion can be reached.
We can no longer separate the physical and cyber domains when considering crime.
The internet, mobile networks and other capabilities that collectively become cyberspace are an essential part of modern society. But virtual society isn’t restricted to the ‘good guys’; increasingly it is being used as base for organised crime and terrorism.
In other words, it is no longer possible to treat the physical and cyber domains as separate entities. This is why we should not deny our legitimate law enforcement agencies the ability to draw evidence from cyberspace in the same way they can in the physical world. Of course, proper authorisation is still essential.
The scope of evidence that can be collected and used should be the subject of informed debate. Yet, even taking the first position, there is still a broad spectrum to choose from when framing legislation.
Firstly, we should not hide the facts and implications of the type of evidence that is collected. A common argument used by the agencies is that they are only using metadata and there is little personal value in it.
This is highly disingenuous, and the use of modern computers enables the analysis of a large sample of metadata to tell a very rich story. The efficiencies delivered through this type of analysis mean it is far more feasible to draw hidden insight from metadata than it would be through the analysis of the recordings of each and every conversation.
This doesn’t make the use of metadata wrong, but it be should recognised that its use has significant power whether used in an honest or a malign context.
There is also disagreement over whether all data should be collected and retained on an ongoing basis, as is the topic of debate at the moment and disagreement by the European courts, or whether it should only be collected once a warrant or similar order has been issued.
It is my view that so long as the correct protections are put in place to prevent abuse, we should not deny our agencies the relevant historical evidence when conducting an investigation.
In the physical world, when a warrant is issued to search, the police collect largely historical evidence and I would have significant concerns if this weren’t the case in cyberspace as well.
But, as alluded to, there must be proportionately greater controls in place to prevent abuse because of the power that access can give.
Confidence in the state relies on confidence in the process. As a nation we have a strongly held belief in the separation of powers of the state and the judiciary. In the UK, we have recently changed the structure of our government in order to align more closely with this principle.
It is therefore surprising, and some might add, concerning, that the proposed legislation makes it a political rather than judicial decision over whether and how much data is rendered to investigators.
If we don’t have a process that society has confidence in, there will be a significant risk that it will be abused, or that there will be the perception of its abuse. How will we be confident that the proverbial fishing trip cannot be conducted over vast and unfocused data when agencies are unable to identify a clear suspect by other means?
We need to separate the debate between the investigation of crimes and preventative surveillance. The other difficulty with the debate is that it often confuses or interchanges the subject of investigating crimes that have already been committed, with the collection and analysis of intelligence in the interests of pre-emptively identifying threats of terrorism.
They are separate and distinct concepts that may require individual debates and potentially different legislative solutions. While they are blurred, it will be perceived by many to be an attempt to use the dark spectre of terrorism to justify a different and more insidious expansion of traditional policing.
>See also: The enterprise guide to preparing for the EU’s new data-protection legislation
The intent behind the proposed legislation is laudable; namely that contradictory legislation should be clarified and simplified. It isn’t an easy task and putting something new on the statute books cannot be the end of the story.
If the legislation is passed, we should use the time made available by a sunset clause to have a proper informed debate framed from both sides around driving consensus. It will require honesty and compromise.
If the topic remains polarised, we risk making Benjamin Franklin’s prophetic words a reality: “He who sacrifices freedom for security deserves neither.” And neither side of the debate would want to be responsible for that outcome.
Sourced from Tom Burton, director in KPMG’s cyber security practice