Surveillance Bill: A Cyber Security Expert's View

06/11/2015 09:41 GMT | Updated 05/11/2016 09:12 GMT

The Bill sees the tree and misses the Amazonian rainforest.

It will not make our country safer as it does not address the fundamental issues of investigative analysis.

Looking at the vast set of data GCHQ gathers and analyses to try and find potential terrorists is the equivalent of looking for fish in the Pacific Ocean using a sonar scanner. It shows you where large shadow mass movements are that may or may not be fish; you then need to go there and find out whether that shadow is actually fish or something else. The Surveillance Bill effectively adds the Indian Ocean next to the Pacific Ocean when in reality you need more people to go fishing in the areas you have already identified, not more potential targets.

The problem with the mining of large data and looking for needles in haystacks the size of Ben Nevis is that you never have enough people to do the investigation of all possible locations. The result is that you use automated tools to sift through the haystack for you and they come up with alerts that you then need to investigate. A lot of the successes do come down to luck besides hard graft: to an analyst who had a particularly bright day, was well rested, noticed an anomaly in one alert that she decided to investigate further, and something came up. If that analyst was slightly ill or off top form for any reason, then she may have missed the clue. Adding more data for her to sift through won't help her.

A lot of it comes down to how you configure the tools and what they do. For this, you need exceptionally bright people that code and design within these tools the equivalent of a chess game between grand masters. Not many people are capable of this. Increasing the amount of data they have to search or trawl through will not make successes any more likely. Training more bright people will.

By all means, GCHQ must have the ability to read WhatsApp or Facebook messages if there is a genuine concern that a person is a potential terrorist. This, though, must come after a warrant, after the investigative work on the existing data has provided enough evidence to allow a judge to have sufficient confidence that the threat to security overrides the individual's right to privacy. No records should be handed over, no information disclosed, before there is sufficient reason to do so. The current approach is too heavy-handed, trumps individual liberties and will not actually result in much improvement in security.

The double-lock that is being put in place as a safeguard asks two people, from the political and judicial class, to give consent and make a decision between individual liberty and national security. I can promise you that they will always choose national security. It will not be their fault as, true to this government's style, no one will have given them the necessary training and information they need to make an informed decision. It is a political gimmick that will waste judges' time in a period when they are already stretched and will not amount to much. Proper oversight comes in day-to-day operations in which there are independent auditors checking what GCHQ does. My guess would be that there aren't many of them and they do not have sufficient resources to monitor GCHQ activities properly.

If the government really wanted to make a difference in our national security, it should provide GCHQ and the police with more resources, money and people to fight cyber-crime and cyber-terrorism. This would make a material difference and show cyber-crime doesn't pay. On the contrary, it is planning on cutting the budget for police forces across the country. The result will be that the additional powers provided to them will amount to nothing since no one will be there to use them.

If the government really wanted to make a difference, it would properly penalise companies that underinvest in security and lose people's information with little to no impact. It would not ask them to increase the data they are holding about individuals. Holding more data about individuals will make subsequent data losses catastrophic to their everyday lives.

The Bill is good in that it exposes to the public GCHQ's underhand practices that have been going on for years. It does not make them good, acceptable or justifiable though. The whole Bill enshrines in law dubious practices currently performed by GCHQ. There has been little debate or challenge as to whether these are appropriate.

The Surveillance Bill is a massive politicking gesture that will amount to nothing. It will allow the government to claim that they are interested in security and have done something about it when crime rates inevitably go up because of the cuts in police budgets and the chronic underinvestment in cyber security. It provides an unprecedented assault on individual liberties and the right to privacy without much to show for it.