The new head of GCHQ, the UK’s electronic listening station, has started his tenure with controversy by stating that ‘privacy is not an absolute right’, and tech firms must cooperate with authorities. His controversial remarks are however rooted in precedence.
Robert Hannigan took over as head of GCHQ at the beginning of November 2014. He started the job with a bang. Writing in the Financial Times with provocative title ‘The web is a terrorist’s command and control network of choice’, Hannigan pointed out that modern terrorists, citing the example of ISIS, are au fait with social media and use technology in a variety of innovative ways both for spreading propaganda and for communications. He also claimed them to be much more security aware. The main point Hannigan had was that the large technology companies that dominate our modern internet experience need to be receptive to new ways of working with agencies like GCHQ.
The article has not been well received. Technology companies, privacy groups and others have been falling over themselves to criticise Hannigan, accusing him of being divisive and of attacking service providers. His argument that ‘privacy has never been an absolute right’, has attracted particular ire.
Hannigan is not the first security chief to criticise American technology companies in recent weeks. FBI Director James Comey, has spoken out against Apple and Google for enabling full encryption in their respective mobile operating systems without providing the capability for law enforcement to gain access. This means data on an Android or Apple phone which is properly password-protected would be beyond the reach of law enforcement, or anyone else.
However, Hannigan’s article did not mention encryption, nor did he call for additional powers. He recognised that privacy is a divisive area and called for dialogue and co-operation. Hannigan also acknowledged that GCHQ needs to enter the public debate and demonstrate their accountability and ultimately regain trust lost the wake of the Snowdon leaks.
Was There Ever Complete Privacy?
It might seem surprising, but the ability to communicate entirely privately at a distance is a new phenomena — it is only with the advent of widely available and easy to use encryption that it has been a possibility. Whilst telephone calls may have felt private, they have never been protected by encryption (when using a mobile the data is protected between your handset and the mobile tower, but no further). Messages sent through the post can be opened and read. So the ability to have a conversation at a distance which is completely beyond the ability of any third party to read it is genuinely new. We accepted in the past, probably without giving it much thought, the ability the authorities had to access our private communications.
The information disclosed by Edward Snowdon showing the capabilities the intelligence agencies had for bulk collection of data has undermined that acceptance. The leaks have also spawned more and better tools that provide for encryption of communications, and at the same time perceived overreaches by the intelligence agencies have pushed technology companies to ensure greater levels of protection of customer data. All of this has apparently made the work of GCHQ a lot harder.
Hannigan was a lot less explicit in his calls for co-operation than Comey, who openly criticised the encryption capabilities Apple and Google provided for the users of their own devices. Comey’s accusations certainly seem overblown — it seems reasonable for an owner of a device to have absolute confidence in the encryption that his or her device provides. Knowledge of a ‘back door’ for law enforcement would undermine confidence in the security of the device, and also make it challenging for Google and Apple to sell to overseas customers. Additionally it was previously possible for individuals to use third party encryption products to secure their data — the changes made by Apple and Google have made this easier to do, but it is not an unprecedented situation.
When it comes to using a service however the argument seems less clear cut. We require that telephony providers in the UK make customer information, including actual voice data, available to law enforcement and intelligence agencies with the appropriate authorities.
Ten years ago a warrant for interception of a mobile phone would have been sufficient to know what a target was saying and who they were saying it to. However, now all such warrants might reveal is that the target uses Skype and WhatsApp (an internet messaging service), and nothing else. Getting details on contacts, and then voice or message content, requires separate requests to the messaging providers and presumes they are able to provide the information at all. And as Hannigan says in the article there are now many more messaging and secure voice service providers.
To be clear I am not an advocate of warrantless interception, and I don’t know what the answers are to some of these questions. The Regulation of Investigatory Powers Act (RIPA) is outdated and needs a thorough review, and the Intelligence and Security Committee (ISC) needs overhauling to provide the public with greater confidence in its vital oversight work. However it is undeniable that the world has changed, and we have gone from using a small number of services providers (BT, Royal Mail), of which we accepted intrusion was permitted under certain circumstances, to a enormous diversity of choices and an apparent expectation of total privacy.
Robert Hannigan’s opinion piece, far from an attack on internet companies, seems like a welcome first step into the debate by GCHQ.
Robert Pritchard is an Associate Fellow at RUSI and a Cyber-Security specialist.
Associate Fellow, Cyber