This was originally published on 22nd September by Computer Weekly, the world’s longest-running IT magazine.
If some campaigners against the UK’s Investigatory Powers (IP) Bill are to be believed, the use of bulk powers (or mass surveillance) by UK intelligence agencies is not only bad for your privacy, but the powers are also ineffective.
Like all plausible arguments, this has elements of truth. Intelligence agencies are struggling to cope with data volumes. And missed intelligence leads have resulted in successful terrorist attacks. However, the argument’s conclusion – that these issues and failures are a direct consequence of a bulk data collection approach – is flawed.
This is primarily due to the conflation of a range of issues. Conflation between the National Security Agency (NSA) and the UK agencies; between collection and analysis; between metadata and content; and, most importantly, between the past and the present.
GCHQ today is very different from the NSA left behind by noted critic of the IP Bill, William Binney, in 2001. Similarly, six-year-old leaked documents don’t “prove” the flaws of a bulk data approach in 2016. And the importance of bulk data to UK agencies is not invalidated by the questionable value of one domestically focused US collection programme.
If UK intelligence analysts are “overwhelmed by data”, there is little to suggest this is a symptom of bulk powers. Instead, it reflects the extent of the challenges faced by the UK government – there are too many intelligence targets. And, fundamentally, the reality of life in 2016 – multiple communications devices, permanent connectivity, and data generation on an unprecedented scale.
So how do the UK intelligence agencies use bulk data in 2016? As part of the IP Bill process, the government commissioned a review to find out. The central conclusion of the review is clear – bulk data collection and analysis (at least in the UK context) works. Despite Binney’s claims to the contrary, there is a “clear operational case”.
However, effectiveness should not be the only criterion on which these powers are judged. Apart from the critical privacy and proportionality questions, are there alternative but less intrusive methods that could be equally successful?
Again, the review was categorical. While alternative methods could sometimes be used, they would often be “less effective, more dangerous, more resource-intensive, more intrusive or slower”.
This conclusion points to bulk data’s unique value compared with other intelligence approaches.
It can be used in parts of the world where deploying a human intelligence asset would be too risky. It allows intelligence agencies to respond quickly – both to new and emerging threats and to the never-ending challenge of identifying or re-acquiring communications devices or individuals of interest. And, importantly, to do so without intrusively targeting dozens of potential suspects in a resource-intensive way.
What the argument against bulk powers also misunderstands is the correlation between collection and analysis. Intelligence agencies can’t and don’t want to analyse this data in its entirety.
Which is why bulk datasets should not overwhelm intelligence analysts. Rather like the evolution in search engine capability, bulk collection has allowed intelligence analysts to ask smarter questions. And to do so with greater confidence, knowing they are querying a broader and more comprehensive dataset.
Although these bulk powers are only now being formalised in legislation, they are not new powers taking time and resources away from established methodologies. They lie at the heart of how the UK intelligence community functions in the internet age.
So while the issues of privacy and proportionality will rightly be debated in Parliament over the next few weeks, we should be clear about what is at stake – removing or constraining bulk powers will reduce the UK intelligence agencies’ ability to counter a range of threats.
David Wells worked for UK and Australian intelligence agencies between 2005 and 2014, specialising in counter-terrorism.