U.K. Government Points Finger Of Blame At Web Firms For Counter-Terror Failures

The U.K. government is once again amping up counter-terrorism rhetoric against Internet companies, with Prime Minister David Cameron telling Parliament yesterday that digital communications firms’ networks are “being used to plot murder and mayhem”, and asserting that web companies have a “social responsibility to act on this”.

“Terrorists are using the internet to communicate with each other and we must not accept that these communications are beyond the reach of the authorities or the internet companies themselves,” he added.

He was speaking following the publication of a report by Parliament’s Intelligence and Security Committee (ISC) into the killing in London in 2013 of British soldier Lee Rigby by two men who had espoused extremist views online.

The Prime Minister’s comments also came one day ahead of the publication of the government’s Anti-Terrorism and Security Bill, due to be published later today, which sets out new counter-terror measures — including requirements on ISPs and mobile operators to retain more user data.

The ISC’s report, which examines whether Rigby’s killing could have been prevented, details a series of failures on the part of the intelligence agencies, who did have both men on their radar prior to the killing. Indeed, the men had cropped up in agency investigations a total of seven times before the fatal attack on Rigby in broad daylight, outside his South London barracks.

However the ISC concludes that the only “decisive” possibility for preventing the attack involved an unnamed Internet company — since identified by the BBC as Facebook — whose platform had been used by Adebowale to communicate a graphic intent to murder a soldier.

The committee writes:

The one issue which we have learned of which, in our view, could have been decisive only came to light after the attack. This was an online exchange in December 2012 between Adebowale and an extremist overseas, in which Adebowale expressed his intent to murder a soldier in the most graphic and emotive manner. This was highly significant. Had MI5 had access to this exchange at the time, Adebowale would have become a top priority. There is then a significant possibility that MI5 would have been able to prevent the attack.

We have examined whether the Agencies could have discovered this intelligence before the attack, had they had cause to do so: it is highly unlikely. What is clear is that the one party which could have made a difference was the company on whose system the exchange took place. However, this company does not regard themselves as under any obligation to ensure that they identify such threats, or to report them to the authorities. We find this unacceptable: however unintentionally, they are providing a safe haven for terrorists.

The PM seized on the committee’s report to once again tighten the security screw on Internet companies, arguing they should take a more active role in anti-terror surveillance by doing more to identify extremist content on their networks and bringing it to the attention of the security agencies.

(It should be noted that Facebook does have anti-terrorist content policies in place already and shuts down accounts where it identifies such content. The firm told the BBC in a statement: “We do not allow terrorist content on the site and take steps to prevent people from using our service for these purposes.” The BBC also has a good analysis of what Facebook is doing now, and whether it could do more.)

Earlier this month Cameron talked up an agreement secured with the U.K.’s major ISPs to introduce stricter filtering for extremist material online, including introducing a public reporting button for terrorist and extremist content online. Giving a speech at the time he said he was intent on getting Internet companies to be “more pro-active” in the filtering of the content on their platforms.

The PM’s comments also follow a public appeal to Internet companies by Robert Hannigan, the new chief of U.K. spy agency GCHQ, earlier in November, urging web firms to co-operate with intelligence services to hand over user data. The firms in question are predominantly U.S. based, with Hannigan specifically name-checking Facebook, Twitter and WhatsApp as conduits being used by ISIS to communicate and spread their extremist propaganda.

Digital scapegoats

Why is the U.K. government so vehemently targeting foreign Internet companies to adopt a more active counter-terror role? In part it draws attention away from the intelligence failures of the U.K.’s own security services, and by implication the U.K. government’s failures. While the imperative for this political rhetoric is of course ISIS and its success at appropriating Western social media channels to spread extremist propaganda.

Making a moral case for Internet companies to act applies political pressure to firms that lie outside the government’s direct sphere of control — albeit GCHQ does tap undersea cables and can and does spy on some Internet traffic this way. But the agency told the ISC its surveillance abilities from this type of indiscriminate intercept method are “limited”. Which, incidentally, sounds like a really good argument against digital dragnets.

(Paragraph 410 of the ISC report details some of the U.K. spy agencies’ current digital snooping capabilities, noting that “GCHQ is able to collect communications on the internet through a variety of direct collection techniques: as they are transported across [redacted] internal networks; as they are sent from a Subject of Interest’s (SoI’s) computer or device; or as they traverse the internet”, and “as they move over the internet via the major internet cables”. It further notes the latter as providing a capability to intercept “a small proportion of internet traffic”.

However the report also notes GCHQ’s claim that its capabilities to gather this type of data are “limited”, and a further claim that the likelihood the agency could have unearthed the aforementioned Facebook communication via its own capabilities as “minimal”.

From the report:

GCHQ also has access to communications as they move over the internet via the major internet cables. This provides the capability to intercept a small proportion of internet traffic: in theory, GCHQ can access around [redacted]% of global internet traffic and approximately [redacted]% of internet traffic entering or leaving the UK. However, the resources required to process the vast quantity of data involved
mean that, at any one time, GCHQ can only process approximately [redacted] of what they can access. This means that the odds of collecting the content of the communications of an individual who is not specifically being targeted are [redacted] – even if their communications have met other selection criteria they are [redacted]. If GCHQ had unknowingly ‘picked up’ the exchange between Adebowale and FOXTROT using this collection capability, the fact that neither Adebowale nor FOXTROT were under active investigation at the time means that the communication would not have been selected for further analysis. [redacted].)

The wider context here is that the U.K.’s coalition government tried and failed to legislate for the more expansive digital surveillance powers which would have enabled security agencies to compel companies to hand over more user data. So it’s having to apply moral and political pressure instead.

Snoopers’ charter

That bill — called the Communications Data Bill but dubbed the “snoopers’ charter” by critics — would have enabled the government to compel Internet companies to capture and retain data on users even when not required by their business imperative — including records on users’ web browsing activity, social media usage, mobile phone messaging apps, Internet gaming and so on.

It failed when the coalition’s Lib Dem junior partner pulled out of supporting it. However Cameron and his Conservative Home Secretary, Theresa May, are evidently not letting the idea slide. Hence all the public finger-pointing at Internet companies.

Speaking on Sunday ahead of introducing the new Anti-Terrorism and Security Bill, the Home Secretary said the digital measures including in the bill do not, in her view, go far enough and again argued that security agencies and the police need the more expansive capabilities to retain Internet comms data that were set out in the earlier Bill.

The new anti-terrorism bill does include a requirement for Internet companies to perform IP-matching — in a bid to identify which individuals are using an Internet connection. This measure has been backed by the Lib Dems, despite the inherent limitations of trying to link IP addresses to particular individuals.

The government argues IP-matching will help counter-terror and organized crime investigations, as well as help identify cyber bullies, hackers, child sex offenders who are using the Internet to communicate and even pick up vulnerable individuals using social media to discuss suicide.

So while the bill is clad in counter-terrorism justifications, the scope of its digital surveillance measures are intended to be applied more widely. And that type of ‘function creep’ for surveillance powers is something we’ve seen before — with measures ostensibly intended to bolster security service capabilities used to spy on journalists, for instance. And infringe on lawyer/client privilege.

Speaking today, ahead of the bill’s publication, May said: “We are in the middle of a generational struggle against a deadly terrorist ideology. These powers are essential to keep up with the very serious and rapidly changing threats we face.

“In an open and free society, we can never entirely eliminate the threat from terrorism. But we must do everything possible in line with our shared values to reduce the risks posed by our enemies.”

At the same time, telescoping out to the international level, a United Nations panel yesterday approved a draft resolution that would have its general assembly call on states to respect and protect the right to privacy in the digital age.

Back in July a UN report noted that governments are increasingly replying on the private sector for surveillance and warned of the threats posed by these practices to individuals’ privacy.

The new UN draft resolution includes a reference to metadata in the context of digital surveillance, noting that it can be used to compile personal profiles of individuals. The main sponsors of the resolution are Germany and Brazil.

“Without the necessary checks, we risk turning into Orwellian states, where every step of every citizen is being monitored and recorded in order to prevent any conceivable crime,” said Germany’s UN Ambassador Harald Braun on Tuesday.