Facebook, Microsoft, Google, Twitter, and Yahoo are the latest technology and communications companies to express their concern at the UK government’s plans to extend surveillance of private communications, and at the ramping up of cloud-enabled surveillance worldwide.
The five have joined Apple – which spoke out against the UK plans before Christmas – to form a new coalition called Reform Government Surveillance (RGS), which also includes LinkedIn, cloud collaboration provider Dropbox, and digital workspace provider Evernote.
The IT giants are worried that the UK’s revised Investigatory Powers Bill would force companies to give up the keys to the encrypted services on which many of their customers rely, and that it would impede the free flow of information, damage the world digital economy, and bring governments into conflict with each other.
RGS has released a joint statement, which says: “Consistent with established global norms of free expression and privacy and with the goals of ensuring that government law enforcement and intelligence efforts are rule-bound, narrowly tailored, transparent, and subject to oversight, we hereby call on governments to endorse the following principles and enact reforms that would put these principles into action.”
The coalition’s proposed five-point code of conduct is as follows:
• Limiting governments’ authority to collect users’ information
Governments should codify sensible limitations on their ability to compel service providers to disclose user data that balance their need for the data in limited circumstances, users’ reasonable privacy interests, and the impact on trust in the Internet. In addition, governments should limit surveillance to specific, known users for lawful purposes, and should not undertake bulk data collection of Internet communications.
• Oversight and accountability
Intelligence agencies seeking to collect or compel the production of information should do so under a clear legal framework in which executive powers are subject to strong checks and balances. Reviewing courts should be independent and include an adversarial process, and governments should allow important rulings of law to be made public in a timely manner so that the courts are accountable to an informed citizenry.
• Transparency about government demands
Transparency is essential to a debate over governments’ surveillance powers and the scope of programmes that are administered under those powers. Governments should allow companies to publish the number and nature of government demands for user information. In addition, governments should also promptly disclose this data publicly.
• Respecting the free flow of information
The ability of data to flow or be accessed across borders is essential to a robust 21st century global economy. Governments should permit the transfer of data and should not inhibit access by companies or individuals to lawfully available information that is stored outside of the country. Governments should not require service providers to locate infrastructure within a country’s borders or operate locally.
[This point is especially significant for technology providers, as if similar proposals were to be adopted by other governments, providers would be obliged to build national data centres in every country, effectively breaking apart the internet into local, heavily policed fiefdoms. While vendors are naturally concerned about the cost implications for themselves, they are right to imply that surveillance programmes would, in the long run, effectively lead to the dismantling of the internet and the principles of the World Wide Web as we know it.]
• Avoiding conflicts between governments
In order to avoid conflicting laws, there should be a robust, principled, and transparent framework to govern lawful requests for data across jurisdictions, such as improved mutual legal assistance treaty — or ‘MLAT’ — processes. Where the laws of one jurisdiction conflict with the laws of another, it is incumbent upon governments to work together to resolve the conflict.
There is certainly a rising tide of opposition within the IT community. In the run-up to Christmas, telecoms providers Vodafone, 3, o2, BT, and EE told British MPs that they were unsure if the surveillance proposals were even technically feasible. They also voiced concerns over the cost implications of the revised Investigatory Powers Bill, which they believe the government has seriously underestimated. (At just £178 million, Whitehall’s estimates are obvious nonsense.)
These are serious issues for both the UK’s and the world’s digital economy, not to mention for civil liberties. October 2015’s hack of mobile provider TalkTalk demonstrated that although telcos, ISPs, and other service providers would be in the front line of citizens’ data security if the proposals go ahead, they are currently under no obligation – ironically – to encrypt customer data.
In December, the UK government announced an enquiry into national data security in the wake of this and other attacks – something it should have done long before contemplating ramping up national surveillance and placing a mishmash of competing private companies, some based overseas, in the vanguard of a national data-gathering programme.
However, as previously reported on UCInsight, one MP believes that it is already too late to scupper the plans. The Greens’ Caroline Lucas, MP for Brighton Pavilion, told joint editor Chris Middleton: “Judging by the response to the Home Secretary’s announcement, very few MPs will be opposing the government – all the other opposition parties spoke in support of the new powers and said they were justified in the fight against terrorism.”
Lucas’ comments followed Apple’s own intervention in the debate. Before Christmas, Apple said: “We believe it is wrong to weaken security for hundreds of millions of law-abiding customers so that it will also be weaker for the very few who pose a threat.” It added that the revised Investigatory Powers Bill could also weaken data encryption, interfere with Apple’s and other companies’ products, and force non-UK enterprises to break the laws of the countries in which they are incorporated: a significant objection in a global technology and telecoms market.
For example, 3 is owned by Hong Kong-incorporated CK Hutchison Holdings, o2 (ultimately) by Spanish telecoms giant Telefonica, and EE by Orange (France) and Deutsche Telekom. Inevitably, therefore, the plans would bring the UK into conflict with its political partners in Europe and elsewhere.
On this point, the Bill’s remit and purpose are unclear. On the face of it, the revised provisions do not require non-UK-based companies to retain bulk datasets or to remove encryption. However, this would appear to make a nonsense of the proposals, given that some ISPs’, telcos’, or cloud platforms’ customers would be protected from surveillance within the UK’s borders, while others would not. Most customers use a mix of services, platforms, and providers, only some of which – again, on the face of it – would be required to hand over data. Common sense suggests that this alone would create a colossal waste of police resources.
UCinsight has said this before, but it bears repeating: the government must step back from its plans and reconsider them rather than attempt to rush them through Parliament in the coming weeks. The proposals cannot succeed without the support of the technology and communications sectors, and it is clear that that support does not exist.