The Snowden revelations had nothing to do with Paris

Surveillance

Mass surveillance is simply about control, we should resist the calls to permit mass surveillance by our intelligence agencies. (Image c/o Frederico Cintra on Flickr used under CC-BY)

Encryption. It’s the weapon of choice for terrorist communications. At least, that’s what they say. Within days of the attack, the director of the CIA, John Brennan, complained about the hand-wringing over mass surveillance and claimed that the Snowden revelations about intelligence gathering had made it harder to identify figures involved in Islamic State. This was followed by FBI Director James Comey calling for “access to encrypted data” to detect terrorist threats. With the government’s attempts to legalise mass surveillance via the investigatory powers bill, the use of encryption technologies is once again on the agenda.

And yet…

In the wake of Paris it does not appear that encryption technologies were used by the terrorists in planning and organising the events that took place last week. Reports on Wednesday suggested that rather than using complex encryption technologies, the terrorists were simply communicating using SMS. Alongside the fact that at least one of the individuals was known to the intelligence agencies, it’s not clear what difference either mass surveillance or the beloved (and non-sensical) back-door to encryption would have made in this particular case.

This notion that encryption technologies provides a safe space for terrorists to plan their activities doesn’t hold up to much scrutiny. Of course Snowden gets the blame, he’s a “traitor” to the US specifically and the West in general (how dare a whistle-blower reveal that states are monitoring the internet activities of all their citizens), but there’s scant evidence that his revelations have made any difference at all. Much less that they have endangered anyone in any Western state.

A report recently published by Flashlight underlines the extent to which any suggestion by politicians, or intelligence agencies, that Snowden’s revelations have forced terrorists to adapt their communications strategies is complete garbage. Dedicated to gathering intelligence about online communities in the “deep and dark web”, they recently produced a report that suggests the Snowden revelations have had a limited impact. The primary findings from the report include:

  • The underlying public encryption methods employed by online jihadists do not appear to have significantly changed since the emergence of Edward Snowden.

 

  • Well prior to Edward Snowden, online jihadists were already aware that law enforcement and intelligence agencies were attempting to monitor them. As a result, the Snowden revelations likely merely confirmed the suspicions of many of these actors, the more advanced of which were already making use of – and developing –secure communications software.

The second of these is so obvious, it seems bizarre that it needs to be stated. Of course terrorists would have been aware that intelligence agencies would be attempting to monitor them and of course they would have been taking precautions. The Snowden revelations merely confirmed what they already suspected and, ultimately, reinforced that they were correct to make use of secure communications software.

This understanding of the use of encryption software by terrorists is not new. Before the Snowden revelations, in 2008, it was noted that encryption technologies were no more frequently used by terrorists than by the general population. Furthermore, that encryption technologies were more frequently discussed by intelligence agencies rather than by terrorists, primarily because of it is more “technically challenging” and therefore less appealing to use. Those that were technically able were, of course, would clearly have been using the technology back in 2008 – long before the Snowden revelations. If researchers were writing papers on the use of encryption technologies back in 2008, then of course terrorists who were seeking to hide their activities from the state would also be aware of the existence of such technologies. It would be breath-takingly naïve to believe that they weren’t aware of such technologies pre-Snowden. And no-one could reasonable accuse intelligence agencies of being naïve. They know that this is the case, but the political urge for mass surveillance is so strong, the will to talk up the threat of encryption technologies is so tempting and the desire to prevent future whistle-blowers revealing the undemocratic activities of the state, that of course they will link any terrorist attack to the information revealed by Snowden.

What we need to remember is that this is part and parcel of an effort to make Western democratic societies accept the need for mass surveillance. The facts don’t support it, but the desire to create a state in which everyone is monitored ultimately leads to a disciplined populace more easily controlled by the state (see Foucault). Encryption isn’t the problem. Mass surveillance isn’t the answer. As Paris showed, the information was there, the clues were present…mass surveillance or back doors to encryption wouldn’t have made one iota of difference in terms of the tragedy in Paris. As politicians and ignorant political commentators talk up the need for mass surveillance, we must not forget that one simple fact.

GCHQ and American attitudes to surveillance…

(Image c/o Christian Payne on Flickr.)

From Wired:

GCHQ’s hacking operations are conducted with little to no oversight and risk “undermining the security of the internet”, leading online privacy experts have warned. Even when oversight is required, GCHQ has revealed that ministers don’t have the technical knowledge to understand what it is doing. Privacy campaigners today described the issue as “a major scandal”.

Details of GCHQ’s hacking operations and attempts to weaken encryption were revealed in a parliamentary committee report into the UK’s surveillance capabilities. The Intelligence and Security Committee (ISC) review, published last week, revealed GCHQ makes the majority of decisions about hacking, and its operations to weaken encryption, internally and without telling ministers exactly what it is doing.

In a passage quoted by the Open Rights Group, the ISC review found that:

No additional Ministerial Authorisation is required for these activities. There are internal procedures: ***. There is no legal requirement to inform Ministers: however, GCHQ have said that they would ask the Foreign Secretary to approve a specific operation of this kind “where the political or economic risks were sufficiently high” (although, in practice, they manage their operations to avoid this level of risk). GCHQ told the Committee that:

The FCO is aware of the activity and the possible political risk, but individual legal authorisations are not required for each operation. The FCO could assess the political risk of a compromise, it is not well‐placed to assess the complex technical risk. Whilst not formally overseen by a Commissioner, the Intelligence Services Commissioner has been briefed on this type of activity where it relates to individual approved operations.

A very disturbing admission about the state of digital surveillance in the UK. And the timing of the statement from ORG could not be more apposite. Whilst we are only just starting to come to terms with the consequences of this, a study in the US has been published that explores the fall-out from the Snowden revelations in terms of how it has affected behaviours as well as how it has impacted upon the relationship between the state and the individual.

The Pew Research Center’s report, Americans’ Privacy Strategies Post-Snowden, provides a comprehensive and fascination exploration of how these revelations have affected US citizens. There is a lot to plough through, but a few things stand out on an initial reading (and, by the way, wouldn’t it be nice if someone in the UK produced the kind of reports that Pew produce on a regular basis, particularly with respect to the Snowden revelations). Top line stuff:

Overall, nearly nine-in-ten respondents say they have heard at least a bit about the government surveillance programs to monitor phone use and internet use. Some 31% say they have heard a lot about the government surveillance programs and another 56% say they had heard a little. Just 6% suggested that they have heard “nothing at all” about the programs. The 87% of those who had heard at least something about the programs were asked follow-up questions about their own behaviors and privacy strategies:

34% of those who are aware of the surveillance programs (30% of all adults) have taken at least one step to hide or shield their information from the government. For instance, 17% changed their privacy settings on social media; 15% use social media less often; 15% have avoided certain apps and 13% have uninstalled apps; 14% say they speak more in person instead of communicating online or on the phone; and 13% have avoided using certain terms in online communications. 

1 in 3 people changing their behaviours is quite significant, and would explain why there are increasing moves to shut down the methods by which people protect themselves. One might also ask how Cameron would deal with 14% of people speaking in person rather than communicating online (given he thinks no form of communication should be free from surveillance).


 

…the public generally believes it is acceptable for the government to monitor many others, including foreign citizens, foreign leaders, and American leaders:

82% say it is acceptable to monitor communications of suspected terrorists

60% believe it is acceptable to monitor the communications of American leaders.

60% think it is okay to monitor the communications of foreign leaders

54% say it is acceptable to monitor communications from foreign citizens

Yet, 57% say it is unacceptable for the government to monitor the communications of U.S. citizens.


In this survey, 17% of Americans said they are “very concerned” about government surveillance of Americans’ data and electronic communication; 35% say they are “somewhat concerned”; 33% say they are “not very concerned” and 13% say they are “not at all” concerned about the surveillance. Those who are more likely than others to say they are very concerned include those who say they have heard a lot about the surveillance efforts (34% express strong concern) and men (21% are very concerned).


 

Some quotes from those who argue that they are unconcerned about surveillance:

“Law-abiding citizens have nothing to hide and should not be concerned.”

“I am not doing anything wrong so they can monitor me all they want.”

“Small price to pay for maintaining our safe environment from terrorist activities.”

All of which, to my mind, underline a certain failure to grasp the nature of the state and its relationship with individuals. Of course, it is not individuals who determine whether what they are doing is wrong. The lie of “if you have done nothing wrong you have nothing to fear” seems to be one of the hardest to shift, despite its fairly obvious naivety about the state. It also underlines that state propaganda is very effective on large chunks of the populace (I’m not restricting that to the US by the way). So long as you keep talking about threats (which are minimal) and highlighting the importance of “protecting citizens” from “dangerous individuals”, some people will continue to believe that the state will protect them and that sacrifices to their rights must be made to ensure that protection. There’s nothing new in this, states have used that particular strategy for centuries: construct an external enemy, convince the populace that the state has the means to protect them, chip away at individual rights under the guise of protection etc etc.


 

Sophisticated tools and techniques are widely available and can help online Americans increase the privacy and security of their online activities and personal data sharing. However, thus far, fairly few have adopted these tools since learning about the programs. Among those who have heard about the government surveillance programs:

10% say they have used a search engine that doesn’t keep track of their search history.
5% have added privacy-enhancing browser plug-ins like DoNotTrackMe (now known as Blur) or Privacy Badger.
4% have adopted mobile encryption for calls and text messages.
3% have used proxy servers can help them avoid surveillance.
2% have adopted email encryption programs such as Pretty Good Privacy (PGP).
2% have used anonymity software such as Tor.
1% have used locally-networked communications such as FireChat.

It’s interesting that despite the fears and clear concern about the surveillance programme, many people are not using the most effective tools to protect themselves (I would include myself in that category if there were a UK equivalent study). This suggests there is a lot of work to do to inform the general public about how they can protect themselves online. I would guess that Barclays’ Digital Eagles probably won’t offer much help here. It seems to me that, and I probably would say this, librarians are well placed to provide this kind of assistance (see Library Freedom Project). Certainly given our professional ethics, this is an area that should concern us and that we should seek to provide solutions to for the general public. There is clearly a need as, looking at the figures, there is concern and a need to seek protection. One would assume that this would also be the case in the UK but, again, there is no such study at present.

I’d definitely recommend going through the Pew stats if you get the chance. There is a PDF report you can download, but lots of interesting stats are summarised over 5 web pages. Will such a study be conducted in the UK? It seems unlikely at this stage, but with the revelations about the activities of GCHQ and how ministerial oversight appears to be virtually non-existent, a study equivalent to Pew’s would be very welcome.