TRANSCRIPT
Role of law enforcement, SIAs & others
And some sums
New Web Surveillance Powers: ensuring public safety and catching criminals in the digital age
Public Policy Exchange
Grange Wellington Hotel, London
Ray Corrigan, The Open University
12 January 2016

Obama review group
Liberty and Security in a Changing World: Report and Recommendations of The President’s Review Group on Intelligence and Communications Technologies -
• Undermining comms infrastructure not function of govt
• Should, on contrary, be securing it
• Defence not offence

Security
• Computers
• Networks
• Smart meters
• Cars
• Barbie Dolls
• Medical devices
• Internet of things
• Software remote updates
• Every inhabited space will have cloud connected video & mics

IP Bill power to subvert
• Home Secretary gets power to subvert security of all these
• World is not “going dark”
• We’re swamped in electronic noise & vast new sources for SIAs and LEs

Hacking
But when SIAs & LE hack –
• Integrity of digital forensics may be compromised
• Unintended consequences e.g. Stuxnet got out into the wild
• Compromising digital security products through standards setting
• Life or death with medical or transport equipment
• Infrastructure at risk e.g. Russian attacks on Estonia, North Korea Sony Hack, China v US, GCHQ v Belgacom
• Compelling UK industry to act as accomplices undermines trust

Denmark
• Abandoned mass data retention (session logging – source & destination IP address, port nos. & session types TCP/UDP, timestamp retained for every 500th packet) 2012
• LE could not produce single example of where had been useful in 7 years
• SIAs said of limited use

Courts
• ECJ
• ECrtHR
• High Courts in Romania (2009), Germany (2010), Bulgaria (2010), the Czech Republic (2011) and Cyprus (2011)
- question legality of bulk data retention

Get the guilty not the innocent?
• William Blackstone: the law holds it better that 10 guilty persons escape than that one innocent party suffer
• Ben Franklin: it’s better that 100 guilty should escape than that one innocent should suffer
• Otto von Bismarck, Pol Pot and Dick Cheney took the opposite view: better that innocents suffer than one guilty person escape
• IP Bill essentially about creating intimate digital dossiers of every connected UK resident amongst others
• May be ok or not: Franklin v Cheney?

The maths – reversal of burden of proof
Assume giant digital terrorist catching machine is:
• 99% effective at pointing out a terrorist if the person it is watching really is a terrorist (1% false negative rate)
• Unfortunately, your 99% catch-a-terrorist machine has a down side - also shows false positive results, sometimes labelling innocents as terrorists
• The better it is at catching real terrorists, the more likely it will also label innocents as such
• But assume the false positive rate is also 1% (99% chance of correctly identifying innocent person)

The maths continued
• Your machine watches 60 million in UK
• Assume 6000 are terrorists (only 0.1% or 1 in a 1000 but a number used by successive governments)
• It will identify 5,994 terrorists (99%)
• Of the remaining 59,994,000 innocents it will identify 599,940 of these as terrorists
• A 99% ‘reliable’ terrorist catching machine catches 5,994 terrorists but falsely accuses 599,940 innocents
• It approximately accuses 1000 innocents per terrorist
• Your 99% effective machine is only really 0.1% effective
• And six terrorists still escape
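
The base-rate calculation behind these two maths slides, as an added example that is not part of the original talk. It takes the four inputs stated on the slides (60 million watched, 6000 targets, 99% detection, 1% false positive rate); the function and variable names are this example's own, and the counts it returns are computed from those inputs rather than copied from the slide.

```python
from fractions import Fraction

def screen(population, actual, sensitivity, false_positive_rate):
    """Counts produced by running a detector over every person in `population`."""
    innocents = population - actual
    caught = actual * sensitivity                  # true positives
    missed = actual - caught                       # false negatives
    wrongly_flagged = innocents * false_positive_rate
    flagged = caught + wrongly_flagged
    return {
        "caught": caught,
        "missed": missed,
        "wrongly_flagged": wrongly_flagged,
        "flagged": flagged,
        # Chance that a flagged person really is a target (precision / PPV).
        "precision": caught / flagged,
        "innocents_per_hit": wrongly_flagged / caught,
    }

def max_false_positive_rate(population, actual, sensitivity, target_precision):
    """Highest false positive rate that still reaches `target_precision`."""
    # caught / (caught + fp) >= p   <=>   fp <= caught * (1 - p) / p
    caught = actual * sensitivity
    allowed = caught * (1 - target_precision) / target_precision
    return allowed / (population - actual)

# Inputs as stated on the slides; Fractions keep the arithmetic exact.
POPULATION = 60_000_000
ACTUAL = 6_000
SENSITIVITY = Fraction(99, 100)
FALSE_POSITIVE_RATE = Fraction(1, 100)

if __name__ == "__main__":
    result = screen(POPULATION, ACTUAL, SENSITIVITY, FALSE_POSITIVE_RATE)
    for name, value in result.items():
        print(f"{name:18} {float(value):,.4f}")
    needed = max_false_positive_rate(POPULATION, ACTUAL, SENSITIVITY, Fraction(1, 2))
    print(f"false positive rate for 50% precision: {float(needed):.6%}")
```

The second function turns the question round: it gives the false positive rate the machine would need before half of the people it flags were real targets.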

SIA & LE resources
If I had £750 million I’d be spending it recruiting and training police and SIA staff rather than a complex, distributed bulk surveillance sigint apparatus
Reversal of presumption of innocence a central, if unspoken and somewhat unnoticed, tenet of the Draft Investigatory Powers Bill

Recommendation
• Targeted rather than bulk communications surveillance
• More & digitally trained LE