Sunday, December 25, 2005

On the lookout - a conference discussing the state of global surveillance

SUPREMELY dangerous or supremely fragile? This was the question considered from conflicting viewpoints at the London School of Economics on September 22, when Privacy International convened a day-long conference to discuss the state of global surveillance.

On the danger side, you have Echelon, the global surveillance system whose existence seems to be less in dispute every month. A European Parliamentary committee, currently spending a year debating Echelon, has already had preliminary hearings.

There is the RIP bill. There is the Cybercrime bill, whose scope is still unknown (at the conference, US Department of Justice representative Betty Shave made it sound supremely reasonable, but the problem is that parts of the document are still undefined. Shave reminded the conference that the period for consultation is still open and urged everyone to submit their comments).

On a related subject, you have efforts to restrict access to public documents. In the US this summer, according to the Electronic Information Privacy Centre's Wayne Madsen, a bill was introduced into Congress that would amend the Freedom of Information Act so that companies such as banks could share information on security issues for networks and systems with the government without the fear that the information would wind up being accessible to the public.

Within Europe, according to Stephen Wright of the Manchester-based Omega Foundation, public access to documents is also being whittled away. You can now only ask for documents if you know they exist. Furthermore, access to policy documents which are not secret themselves, but which make reference to secret documents is now restricted by law. "These changes are happening in Europe without any democratic process," complained Wright.

Efforts like RIP are not restricted to Britain. Madsen, who is a former National Security Agency analyst, noted that the NSA's goal was always "total hearability." Not, as many people's most paranoid imaginings would have it, that the NSA should listen to "everything", but that in case of need the NSA should be able to listen to "anything". More interesting was Maurice Wessling's discussion of interception in the Netherlands, where the practice is allowed under the Telecoms Act of 1998, with bugging covered in the Special Investigatory Powers act, passed in February 2000.

Based on a report from the scientific department of the Dutch Department of Justice, which is hard to verify, there were 3,000 telephone taps in the Netherlands in 1996, exploding to 3,000 ordinary telephone taps and 7,000 GSM taps in 1998 - more than the US, the UK, or Germany. "So we are the self-proclaimed champions of tapping."

Everyone was amazed by this statistic, not least Boris Pustinsev, of Citizens Watch in Russia, "I am amazed you could find out how many taps the government was responsible for in a period of time," he said. "You would never know in Russia." Under new laws, the Russian intelligence agency is allowed to snoop on all internet traffic and eavesdrop on cell phone and pager communications without users' consent or knowledge; a situation the civil rights groups describe as a return to Soviet-style surveillance.

As much as that makes the world sound like a giant, inescapable antenna hard-wired into the secret services, there is still the fragile side. The technical inventiveness of the security services is being harder pressed than ever before. For one thing, specialists in arcane areas like cryptography, who 15 years ago would have had no choice but to work for a government security agency, are now in huge demand elsewhere.

The Internet industry offers more money and the chance for their work to have a wider impact. Academia, as Jon Crowcroft pointed out during a break, may not pay better but it allows people to publish their work and get credit for it. Look, for example, at the difference between the lives of indefatigable conference speaker Whitfield Diffie, whose name is on the patent for public key encryption and the faceless GCHQ personnel who were eventually given credit for having the idea first. Academics also, counterintuitively, have more generous funding via corporate grants with less quibbling and redrafting of proposals.

If that weren't enough, the security agencies are getting pushed by the development of new, cheap technology inspired by their own surveillance efforts. The Canadian company Zero Knowledge is a case in point. For $49.95 its software protects the different pieces of your identity from creating a single digital trail. In the physical world, for example, your library doesn't need to know your driver's licence number or the Inland Revenue doesn't need to know what books you read. Zero Knowledge aims to divide up online data trails so the online world mirrors this type of fragmentation. Similarly, Starium is offering a $100 telephone scrambling system of a grade previously only available to governments to render wiretapping useless.

The big question is whether these products can succeed in the mass market. So far, the one thing that's been clear is that most people will gladly sell their privacy in return for a relatively small amount of money-equivalent (for example, loyalty points) or convenience. If you'd rather use credit cards, mobile phones, and rack up the air miles instead of carrying cash, using a phone booth, and paying a little more, you're typical of the population at large.

Finally, the security agencies are pressed by sheer volume. Crowcroft, who is a member of the Internet Engineering Task Force, did some basic maths. Communications volumes and capacity are growing much faster than computing power and storage space. Ergo, it is not possible to store all network traffic in case it's needed to solve a crime someday. "Sprint's core network is doubling its speed every five months. Its income exceeds the NSA's budget." Even so, Europe's (including Britain's, with RIP) approach to interception is fundamentally wrong-headed, he argued, because it still thinks of wiretapping as it was in the circuit-switched - that is, old telecommunications - world instead of the internet's packet-switched world. The consequence: ISPs will move elsewhere.

So, the upshot: there is more balance, technologically, than we might have imagined between individual citizens and the capabilities of law enforcement, with the balance continuing to tip toward the citizens. But the legal system seems to be tipping the other way.

The struggle continues.