In the first article (Guilt by Association) I listed three factors that people tended to miss when advocating more powers for the security services and police. The third was the impact of Big Data.
The first point to grasp is that current technology allows access to any large database containing information about a substantial number of citizens. So the security services might access:
(1) someone’s communications data, ie a list of which phone numbers they called, when, how long the call lasted, and who is listed (if anyone) as the owner of that number;
(2) their email records, ie a list of which email addresses they sent emails to (or got emails from), when, how long the email was, and who is listed as the owner of that email address;
(3) their browsing history, ie a list of the URLs they browsed and when, and who is listed as the owner of that URL;
(4) their bank records. For example, the security services could pick up in real time whenever someone uses a card at a cashpoint, and where the cashpoint is located. They could set a flag either on the card number or the associated bank account number, and could search across all UK banks to pick up all accounts linked to that individual;
(5) their Oyster card records. For example, the security services could pick up in real time whenever someone uses a particular Oyster card/Freedom Pass/season ticket inside the M25 (on a tube, bus, train or tram). Again they could search to find all cards linked to an individual in order to set the necessary flags;
(6) most of the CCTV cameras inside the M25, again in real time;
(7) the GPS data from your mobile phone (assuming you have not disabled it), or failing that other tracking information from your mobile phone (such as that from WiFi, or the position of the base station to which you are currently connected).
So suppose I am a PC working in SO15 (the Counter Terrorism Command at the Met). I suspect you of being a terrorist and I wish to follow you across London. Sending a team out to follow you the old-fashioned way is extremely manpower-intensive, and hence expensive. The famous video of Jean Charles de Menezes going down the escalator at Stockwell tube showed dozens of police and security types following him – more than half the people on the crowded down-escalator were following him. But even in a less extreme case, it needs maybe three shifts of half-a-dozen people if you are serious about not losing a fairly determined professional.
But a workable alternative, for a case which is less critical, is to sit at a terminal and press a few buttons. The first step is to establish the target’s mobile number(s) and card numbers. Then you set some flags to alert you whenever he makes a payment, uses a cash machine, or uses any form of public transport – items (4) and (5) above. If he is unwise enough to have left the GPS or even WiFi on his phone switched on then you can track the position of his phone in real time – (7) above.
Using this alert/tracking information, you can then pull up the feeds for any CCTV in his vicinity – (6) above.
Meanwhile you can pore through his browsing history and phone call history, probably using special contact tracing software to trace several links deep.
So you start by showing contacts where he called (or was called by) someone direct. Then you look at the calls to/from each of those contacts. Then maybe at their contacts. The software would automatically pull in material from the Police National Computer on all those people, and maybe also from MI5/GCHQ databases, so you could see if your suspect was linked to any other terrorism suspects.
Now I have no idea exactly which of (1)-(7) are currently used or exactly who in the security services and police has the equipment on their desks to use them. But I would be amazed if for each of (1) – (7) there were not large numbers of people able to call up the data or request the alerts/feeds with a few keystrokes. Suppose for the moment that anyone in SO15 can do all of them.
You may be delighted. In these dangerous times we need the state to protect us. But, as I pointed out in the first article, the times are not actually that dangerous, so we probably don’t.
There is another consideration. If you are a halfway competent professional terrorist – and the only really dangerous terrorist is precisely the competent professional – then you know all about (1) – (7), so you take certain basic precautions. You leave your phone behind in your flat, or maybe you lend it to some innocent acquaintance, who carries it around with them and makes their routine calls on it. If you really need to make a phone call on your trip, you buy a cheap basic pay-as-you-go phone (cost maybe £30 including airtime) for cash, only switch it on when you need it and ditch it before going home, or as soon as you have used it to call anyone important.
You don’t use any cards and pay cash for everything. If you are really fussed about image recognition (still computationally expensive, so probably not yet used routinely on CCTV feeds, most of which are anyway too low in quality to be useful for face recognition), then you dress as a woman with full burka.
When you need to communicate with others, you probably use encrypted stego (steganography). In other words, you upload to some agreed site an image which contains a concealed, encrypted message, using your cell’s own stego software to avoid the possibility that the readily available software out there on the internet has an easily detectable signature.
Provided you are disciplined about all that, the security services do not really have much choice but to assign a team to follow you around, and even that is far from foolproof.
On the other hand, those with the access will have no difficulty in carrying out fishing expeditions on what ordinary citizens are up to. So the questions are:
(A) what facilities should be in place on the PC’s terminal in SO15;
(B) whose authorisation should be required for the PC to use them;
(C) and do you care if the authorisation procedure is perfunctory?
The Snowden revelations show clearly that any authorisation procedure is most unlikely to be effective. Once you give the magic terminals to thousands or tens of thousands of people, they will end up doing vast numbers of searches which even Theresa May or Robert Hannigan would find impossible to defend before a sufficiently well-informed and sceptical Commons Committee.
But few people seem to grasp the issues and few of those seem interested in protecting civil liberties. Whether innocently or not, Theresa May seems determined to have a false debate – making the battle-ground the question of how rigorous the judicial approval system is for intercepting the content of communications and what, if anything, we can do to curb or undo the encryption of content.
I guess we have to wait for another Sara Keays type case where communications data is abused in a case where the victim appeals to the public.