Balancing policy with network management in the UK

Part Four in a series looking at how to solve the problem of invasive government surveillance. Click here to read the previous parts of this post on Engadget: Part One, Part Two or Part Three

Domestically, it is feasible that the outlines above could help shape policy, but Anderson's point about judicial commissioners knowledge boundaries and the constitution of national security make a point about the domestic ability to safeguard from outside actors. Jacob Appelbaum provides a nice soundbite to aid in understanding this difference, stating that:

His point here, whilst poignant, really only echoes the long running difference between domestic police and a foreign spy. It is an inescapable inevitability in the anarchic system, now only amplified by the size and nature of such a ubiquitous and global network. We are all at the behest of a dragnet surveillance regime we have no control over or any ability to exercise protest over. Legally, we can only hope to trust the law enforcement tasked with protecting us works, and that they will catch those who spy all of the time through the avenues discussed above, and not through their own blanket, dragnet surveillance.
In attempting to solve these murky problems though, it may not be best to look to politics but instead, to possible technological solutions. After all, as Appelbaum also states, really "the problem is not the NSA, the problem is that those capabilities exist at all" and involving engineers and people who write protocols in possibly solving this problem whilst crucially retaining all the things we love about the internet could prove useful.

In 2000, Lessig wrote on the inbuilt regulations of cyberspace, and the abilities for code to effectively change how we view these aspects of human privacy, trust and anonymity in the internet age stating that:

We live in a world where our citizens no longer live entirely within our territorially defined borders. If they use the internet today, they live outside of them every day, whether they choose to or not. Jeremy Burton, president of product and marketing at EMC, recently correctly pointed out that "these days, it's pretty standard to have corporate data triple replicated and geographically dispersed." This is simply because it's the only way to operate a reliable online business that works, wherever you are in world. The internet, whilst invented with the express desire of creating a decentralised and therefore, veritably indestructible military communications network in the face of all out nuclear war, is actually a lot more fragile than many would give it credit for. I even wrote about it for my Master's dissertation.

Geographically dispersing data around the world not only safeguards it from destruction, but also serves to provide faster and more reliable access to whomever wishes to access such data, regardless of their geographical position. For these reasons, we cannot request that every piece of data attaining to a citizen remains within the confines of their national territory. Even just implementing such a regime for metadata would cripple most services which utilise the ad-supported free business model we have all taken to.

Therefore, defending civilians privacy against threats from outside actors to the best of their abilities becomes increasingly difficult for States. Especially for those who do not posses any sort of sovereign hold on large scale social networks or providers of online services. This however, is replicative of Vint Cerf's "internet/mirror" narrative, whereby the Internet merely reflects or amplifies already existing problems in our society.

We live in a fairly hegemonic world, where certain States exert significantly more power than others in all aspects of global governance. Attempting to fix this decades long status quo with technological policy, or even just technology would be like plugging one hole in a colander. The best we can hope for is to leverage the international community, and the necessity for a Hegemon to maintain a level of trust from others, into a fairer, yet still unequal system of foreign surveillance capabilities. Essentially, we grant those who previously had no say in whether their citizens privacy was violated, a seat at the negotiating table.

This model also leaves the power for most states to retain some autonomy and a measure of control over their citizen's safety from "ring bearing" cerebro-superpowers. Of course, no "binding" international treaty is wholly enforceable, but for one: Democratic Western States have a much better track record of keeping to them and two: this would definitively draw a line under the legality and illegality of State sponsored surveillance actions for legal recourse within international institutions, and also define anything outside of this system as espionage. Anything after this fact is, as always, the prerogative of the State.

The only way to inhibit a strong State's ability to request data from a national firm on citizens outside of its borders is to make sure every request carries a burden of proof, and to have these services sign binding trade agreements with the States in which they operate, prohibiting them from giving up data on a citizen without certain undertakings, thus shifting law-enforcement surveillance into the cross-border policing model they have already been using for years when it comes to drugs, trafficking & international crime, and co-ordinating with the country in question. Then, if that brings no recourse and it can be proven to a judge that the avenue has been exhausted, but the request is still warranted, only then may data be requested by the home nation and legally given up by the service.

This addition of State treaties with large companies has worried many, and rightly so. Augmenting the power of a private entity whose sole end goal is their profit margins rather than the well-being of their users is a worrisome thing. It's at the core of the TTIP protest movement, but here, I wager that it is not a bad thing. Firstly, for free web services, the well-being of users can be equally as important as turning profit. It's well known that companies in the Valley can go years without making it into the black, relying on a constant stream of funding based on valuation and size. And secondly, it's actually something that other privacy advocates are calling for.

Julia Horwitz works in consumer protection for the Electronic Privacy Information Centre. Not only does she echo the sentiments of Mary Cummings when it comes to bringing about change with policy rather than technological change, she advocates for these exact legal frameworks I have explored above saying that "it shouldn't be up to the consumer to try to protect his or her own privacy."

This won't affect many countries. In fact, it's liable to really only affect the U.S. and its intelligence sharing allies. Best of all too, it likely won't stifle innovation as the last thing Silicon Valley and the US tech industry want is more regulation and more data requests at the end of the big government stick. Giving Facebook the legal ability to rebuke a request for swathes of data will not only make them happy, but also play well with their users across the globe. In the free business model, users do have power.

Everything above; that's my two cents. My hat in the ring. Take it or leave it. But as far as I can see, the government in charge of the UK at the moment doesn't look to be one seeking fair change. A "Snoopers' Charter" anything like the one laid out by the Conservatives before the latest general election would be a travesty, but it's likely that something like that will hit the floor before anything sensible taken from the likes of David Anderson or myself. Anderson has stated that a new Snoopers' Charter needs "a detailed operational case to be made out, and a rigorous assessment conducted of the lawfulness, likely effectiveness, intrusiveness and cost of requiring such data to be retained." As FFTF have pointed out, "So far the Government hasn't made such a case."

Instead, they have made a report which suggested a legal alternative top secret, pushed forward with the Transatlantic Trade and Investment Partnership "built for corporations and not citizens" and distanced themselves from Anderson's viewpoints on multiple occasions. They have stated that obeying the law does not exempt you from surveillance, attempted to criminalise encryption, cut benefits, redefined core aspects of democratic society and cut legal aid, minimising the ability of those who have been surveilled to acquire any sort of legal recourse.

But before I invalidate everything written up to now by pushing some blasé leftist opinion and find myself accidentally quoting Russell Brand, there may be some hope from the man who started this all off in the first place. When we think about Wittes and Liu's Privacy Paradox from Part Two, and their statement about 'only caring about privacy as it relates to those from whom we wish to keep information secret', we can possibly glean something about Snowden's betrayal, and the gambles he is willing to take for the prospect of change.

The crime in Snowden's betrayal: making information public that was necessarily secret due to the advantage it would provide an adversary, was not a crime perpetrated against the civilians of his nation or of the civilians of the world, it was against his nation's security services. (Although, as discussed above, these are rather entwined). The first thing many, including myself noted following Snowden's revelations was blatantly, "what did you expect the NSA and GCHQ were doing?" However, in exposing their actual cyber-capabilities, more than anything he provides outside nations or actors with crucial, pertinent and honest information, something incredibly difficult to come by within the intelligence community. But his intent was to bring a long suspected open secret into an open debate. After all, pre-Snowden, any debate we had about dragnet surveillance was purely hypothetical, and mostly only existed in dystopian fiction.

In essence, the US should only really have cared about the privacy of that information as it related to keeping it secret from State adversaries, not from its own citizens.

In trailing Snowden, the judge must really take into account Snowden's criminal intent, and whilst there is no doubt he has weakened the security of the nation's security services and the cyber capabilities he has exposed; in doing so, he has enlightened the populace to their overstepping and invasive practises, and if the populace does decide he was right in doing so, and they disagree with the practises of their own security services, his exposing may have legal basis for defence.

Possibly then, if any government were to change their surveillance laws before Snowden is trialled, they would be de-facto admitting he was right, and has this legal basis for recourse. I'm not saying that Snowden should or should not get prison time, but there is the possibility, given a new US president will be looking to make an impact in 2016, that if Snowden were to 'take one for the team' and serve a sentence, in the aftermath of doing so, he may instigate better change for having saved the US, and in turn, the UK, from losing face and admitting he was right. Perhaps real policy change can only be undertaken after Snowden gives himself up. Even Former US Attorney General Eric Holder has now stated that Snowden could strike a plea deal.

Like our privacy online though, our trust in governments and security services and our incessant uptake in new technology; it's one hell of a gamble, but we have to roll the dice now.

Click here to read the previous parts of this post on Engadget: Part One, Part Two or Part Three

This post also appeared as one on Medium

If you would like a printable, plaintext copy of this, I've made one here.

Ted Cullen, also confusingly known as Ed Peeters is an out of work politics graduate trying his luck at freelancing. Hire me/Phd me
You can find him on Twitter | The Web | Email | Facebook